
A Case for Voluntary Regulatory Compliance

Voluntarily taking on even more compliance requirements may seem counterintuitive, but doing so strategically can create real value for the company.

In an age of ever-increasing compulsory compliance requirements and reduced compliance spending, the mere thought of new regulations may cause angst for even the most experienced compliance professional. However, when companies view regulatory compliance as a potential opportunity rather than merely a requirement to be met at the least possible cost and with the least possible effort, they create the potential for real value.

At the heart of every regulatory compliance requirement, there is a good idea. The Health Insurance Portability and Accountability Act (HIPAA) aimed to increase the efficiency of healthcare claims reporting, decrease the potential for fraudulent claims, and protect people’s privacy. The Foreign Corrupt Practices Act (FCPA) sought to prevent U.S. companies that act less than ethically from benefiting unfairly at the expense of companies that take the ethical high road. The Sarbanes-Oxley Act (SOX) simply sought to increase the transparency and accountability of publicly traded companies. The initial implementation and ongoing compliance challenges associated with each of these regulatory requirements were a function of how they were implemented and enforced, not of the good ideas at their core.

There is a value case to be made for voluntary compliance with regulatory requirements such as these. For example, implementing practices compliant with HIPAA Privacy and Security requirements for all consumer or employee data (not just that considered Personally Identifiable Information – “PII” – under HIPAA) can help increase customer and employee confidence that personal information will not be lost or stolen due to actions (or failures to take action) by the company. The same processes and controls that must be implemented to support FCPA compliance can also be used to monitor for potentially bad business decisions by overseas divisions and subsidiaries as well as potentially corrupt decisions.  SOX compliance, even for companies and organizations never expected to be required to comply with SOX, can improve the quality and availability of financial reporting and increase stakeholder confidence in the reported results.

The potential return for voluntary compliance comes from three sources:

  • First, where regulatory requirements were originally intended to improve process efficiency (such as HIPAA), voluntary compliance may yield a reduction in labor or other direct costs associated with the process itself that exceeds the costs of initial implementation and ongoing compliance.
  • Second, where the regulatory requirements were intended to minimize the potential of undesirable outcomes or behaviors (such as corrupt practices in the case of FCPA, or financial misstatements in the case of SOX), voluntary compliance may increase customers’ and suppliers’ trust in the organization, which usually translates into tangible increases in top-line revenues or bottom-line margins.
  • Third, the enabling technologies required for compliance often can be leveraged elsewhere in the business to improve process efficiency or operating results — for example, using a Continuous Controls Monitoring application to flag potentially unprofitable sales orders in addition to those that don’t have the appropriate signoffs.

Potential business benefits from this approach are apparent, but where is the payoff for the compliance function?  Simply by demonstrating its ability to deliver value rather than just mitigate risk, the compliance function has an opportunity to be viewed by the business as a value center rather than a cost center. Even a subtle shift in the perception of the compliance function from the latter to the former can translate into increased budgets, improved promotion prospects and higher retention within the department.

Next steps

Companies should not start taking on new compliance requirements at random.  Rather, business and compliance executives should first work together to identify performance improvement needs or opportunities within the enterprise. Then the compliance executives should consider what regulations may be pertinent and where voluntary compliance could have a beneficial impact. Finally, business and compliance executives should work together to deploy a pilot or proof-of-concept and then charter a larger project to add those regulations to the company’s compliance roster.

Given the significant compliance burden most companies already face and the enabling technologies many companies have already implemented, the incremental effort may be modest, and the benefits realized from even a pilot project may be enough to justify it.
