Here are five practical ways to calculate ROI on compliance:
1. Engage Key Business Leaders and Personalize the Assessment
Assessing ROI first requires the active engagement of business personnel. Begin with company leaders who already acknowledge that compliance generates some value. Ask them to quantify the financial value of both the company’s brand and their personal reputations. Approaching them in this way will immediately stimulate a shift in mindset towards the business value of compliance.
Illustration: John Doe, Vice President of International Sales at Corporation X, acknowledges that it has avoided certain markets because it cannot control corruption risk. Jane Smith, the Chief Compliance Officer, proposes a program that mitigates the risk sufficiently to allow entering high-risk geographies. It is for John Doe, not Jane Smith, to quantify the value of entering those markets.
2. Assign a Financial Value to Qualitative Costs and Benefits
ROI is a ratio that compares benefit (“return”) to cost (“investment”). The formula typically applies to pursuing new business opportunities (e.g., new product or service, acquisition of a competitor, purchase of stock).
Illustration: Company X is considering a new service offering. After analyzing expected sales and direct and indirect costs, Company X determines that the service offering would yield $20 million in increased revenue against $10 million in additional costs, or a 2:1 ROI.
Compliance ROI, by contrast, considers risk and is more analogous to insurance. Companies and individuals purchase insurance to protect against all sorts of risks. The insurance analogy, however, only goes so far. COSO risk management principles offer four responses to risk: avoid, accept, reduce and share. Insurance “shares” the risk; compliance typically “reduces” the risk.
But getting executives to accept the cost of reducing the risk can be challenging. Compliance professionals must overcome an “it won’t happen to me” attitude. Business people also minimize compliance risk, in part, because quantifying the value of avoiding risk (e.g., avoiding fines and penalties) is not straightforward.
Compliance “return” comprises quantitative and qualitative elements. Quantifiable returns include increased earnings and cost savings. Qualitative benefits include brand value, professional reputation and the ability to pursue new business opportunities.
Qualitative, however, does not mean unquantifiable. Companies routinely valuate intangible assets (e.g., patents and trademarks). Similarly, management can assign financial values to qualitative costs and benefits of mitigating compliance risk, such as protecting professional reputation.
Compliance “investment” also comprises quantitative and qualitative elements. Quantitative investments include the salary of compliance officers, additional resources to perform controls and investments in technology. Qualitative costs or investments include, for example, business opportunities lost due to significant perceived risk.
Compliance leaders need to engage the first line of defense to quantify costs and benefits of compliance from business leaders’ individual perspectives. It is one thing to consider compliance risk in the abstract, it is quite another to ask individuals to assign a financial value (e.g., financial value of their professional reputation, financial impact on their careers if the organization suffers a compliance failure).
Illustration: Company X is assessing the ROI of its anti-corruption controls to mitigate bribes paid through discounts to distributors and overpayments to suppliers. Quantitative benefits and returns include reducing revenue leakage and supplier payments. Qualitative benefits and returns include being able to enter high-risk markets, avoiding investigations, and if corruption is found to have occurred, government leniency with regard to penalties. Quantitative costs and investments include additional expenses arising from compliance controls (e.g., diligence and transaction monitoring). Qualitative costs and investments include sales lost to competitors who do engage in paying bribes.
3. Evaluate ROI Risk-by-Risk
Some compliance departments seek to apply ROI to the compliance function as a whole. These assessments can be useful to justify staff appointments or spending in the annual budget-setting process, but are often not sufficient to measure the true value of compliance efforts.
Illustration: Company X’s Financial Services Compliance Department relies upon the number of identified suspicious transactions to request additional resources, which, although a critical metric, is not a financial measure.
If your organization’s compliance program is mature enough to consider ROI, it likely will have already performed a robust risk assessment of the probability and impact of fraud and other compliance breaches. Rather than trying to develop a single, comprehensive ROI metric for an entire compliance function, start with the most pressing and significant risks; then work hand-in-hand with business personnel to identify and quantify potential returns and investment for them.
4. Establish Benchmarks and Track Progress
Define the markers by which you will measure “return” and “investment.” How do you quantify whether the compliance program is yielding tangible and intangible benefits? Specifying what success looks like and tracking progress against those benchmarks are crucial elements in the process. To do this well you should do the following:
Make sure you know your audience and areas of interest. Proactively establishing areas of focus that can be benchmarked will prove more successful than trying to recreate them after the fact. Establishing these markers, in and of itself, creates significant value in terms of being able to track progress.
Employ positive benchmarks whenever possible. For example, the Chief Financial Crimes Compliance Officer at one global firm reports on the number of successful regulatory inspections. Inspectors General, which are akin to compliance departments, calculate ROI as a ratio of rewards recovered to agency costs. A Brookings Institution study reported more than a 13.4 ROI over the period 2010 – 2014 for Federal IGs.
Consider both direct and indirect benchmarks. Case in point: Some years ago, a multinational financial services firm deployed compliance experts to underperforming business units. The business units had not reported any misconduct, yet executive management reasoned that something must be amiss and measured the success of the program by comparing business results before and after the deployment of the compliance teams. The result was an outstanding 15:1 ROI.
Use technology to automate the collection and tracking of benchmarks and then employ data analytics to slice and dice the results. Once you determine how you will collect the data and which pieces of information are most crucial to collect, establish a dashboard to measure progress. You will then have significant data points to communicate the value of compliance efforts across the organization.
Forensic auditors, data analytics experts, and compliance risks and controls experts can help compliance officers to identify potential data sources, develop analytics procedures and employ statistical packages to categorize and design rational scoring methodologies to grade results.
5. Develop Plan “B”
Some risks will undoubtedly yield a negative ROI on compliance – for example, over- investment in guarding against a less-likely-to-occur risk. The exercise nonetheless is useful for business, legal and compliance personnel. Even if negative, ROI on compliance will assist first line of defense risk takers and owners in the executive ranks to develop a risk response based on the likelihood of occurrence, detection and potential losses. The second line of defense made up of compliance professionals can use the assessment to refine preventive and detective controls against the probability and impact of the risks.
If you were to visit a factory and ask the plant manager how its safety program would be affected if the government abolished safety laws, chances are no or few changes would be made, as manufacturers largely accept that safety compliance is good for business.
Can the same be said for your compliance program? Just as humans release antibodies to fight disease, corporations innately battle any perceived impediments to profit. If developed in conjunction with business personnel, ROI on compliance can go a long way in shifting a negative perception of the function.
This article for RANE in partnership with Dow Jones Risk & Compliance, was originally published March 23, 2017.