In recent years, companies—public companies in particular, but private companies as well—have increasingly created standalone compliance functions to guide, monitor, and measure adherence to company ethics policies, as well as myriad laws and regulations, including those relating to fraud and corruption. As compliance offices expand globally and take on more authority, personnel, and responsibility, they also become more visible cost centers in the organization. A question that may be increasingly asked of compliance officers is how they are defining and measuring value. In short: what is the return on investment (ROI) of their departments?
Capturing this ROI in a detailed and effective manner can be elusive. It is self-evident that compliance functions exist for the purpose of preventing and detecting violations of law and company policy and promoting a culture of compliance, but how can that be measured with any degree of reliability? Specifically, there is the difficulty of proving a negative: how does a company quantify what might go wrong—or would have gone wrong—had the company not invested in compliance initiatives?
With the contributions of thought leaders in the corporate compliance space, Deloitte has aggregated nine effective practices for measuring the ROI of compliance. This list, while by no means exhaustive, represents a compilation of different quantitative and qualitative measures that some companies are using today. It also may serve as a foundation for further discussion and consensus on ways to demonstrate that investments in corporate compliance—in addition to being a widely acknowledged component of effective governance and a de facto legal requirement—also provide measureable returns that can support continued program investment and infrastructure.
No. 1: Estimate the cost of being “typical”
How much could the absence of a robust compliance program cost a “typical” company in fraud and penalties? One potential reference point here is to consider the upside of the fraud prevention opportunity, which may be as close to “proving a negative” as is possible. Here’s one way to look at it: the 2012 annual global report by the Association of Certified Fraud Examiners (ACFE) estimated that the typical organization loses 5 percent of its revenues to fraud each year. The median loss caused by an occupational fraud case was $140,000, but more than one-fifth of such cases caused losses of $1 million or more. When compared to the 2011 Gross World Product, this translates to a yearly loss of more than $3.5 trillion. In other words, by having a robust compliance program, a company may be able to prevent its undetected fraud incidents from rising to the five percent level.
Aside from fraud prevention, other studies have shown the ROI of compliance with specific regulations. In the area of data privacy and protection, for example, a report by the Ponemon Institute estimated that noncompliance costs 2.65 times what compliance costs. In dollars, the Institute found that the average cost of data privacy compliance is $3.5 million per organization, whereas the average cost of noncompliance-related problems was $9.4 million and encompassed penalties, fees, business disruption, lost productivity, and legal and non-legal settlement fees. Such studies can be cited as part of the overall value proposition of maintaining a strong data privacy compliance program.
Industry-specific compliance requirements often have their own ROI calculations. For clothing manufacturing concerns, the American Apparel and Footwear Association estimates that the costs of noncompliance fall into three categories: lost revenue, short-term crisis-mode costs, and long-term capability-building costs. For example, if a manufacturer is noncompliant with the European Union’s Restriction of Hazardous Substance (EU RoHS) regulations, a short-term crisis cost would be the expense of designing and testing new units to replace the noncompliant ones already in inventory, whereas a capability-building cost would be enterprise-wide process and organizational changes to prevent future failures.
Sometimes the cost of noncompliance is indirect. For example, when a manufacturer is required to remove a product from the market, it can lose significant market share in the time it takes to design and introduce a new, compliant product. Operating costs can also increase if the company is required to now provide two versions of the product for different parts of the world. Although no penalties are levied in this particular example, the cost of noncompliance can still be great.
Proving that an organization does, in fact, have strong compliance controls in place also may help mitigate fines, or avoid them altogether. For example, in 2012, a former global financial services firm executive was charged by the Securities and Exchange Commission (SEC) with violating the Foreign Corrupt Practices Act (FCPA) on a number of counts. But because the firm was able to show that it had taken FCPA compliance seriously for many years, the firm was not charged, although the executive was severely fined and punished.
Strong compliance programs and the avoidance of fines and penalties are increasingly important at a time when the U.S. Department of Justice has stepped up enforcement of fraud-related laws, such as the False Claims Act. In the fiscal year ending September 30, 2012, the DOJ secured $4.9 billion in settlements and judgments in civil cases involving fraud against the government, a record for a single year.
No. 2: Track costs recovered and avoided from suppliers and vendors
When fraud is perpetrated against a company by a supplier or vendor, it has a distinct cost component to it. Identifying such fraud, as well as tracking how much of those costs are recovered and avoided, can serve as a solid quantitative ROI metric.
Similarly, collecting penalties that result from noncompliance with supplier and vendor contractual agreements may serve as another compliance ROI metric. Companies may have hundreds of such agreements in place at any given time in the form of joint ventures, licensing agreements, and service-level agreements (SLAs) for services provided, such as outsourcing of information technology (IT), human resources, or manufacturing. SLAs, in particular, bear close monitoring. Forty-eight percent of respondents to Deloitte’s annual outsourcing study said they have terminated an outsourcing contract, with 71 percent of them attributing it to problems with the overall quality of service. Overall, 48 percent of respondents’ most recent outsourcing contracts had failed to deliver contracted services pursuant to an SLA. Companies should be tracking these SLAs and make sure to collect the financial penalties that are built into such contracts should there be instances of noncompliance.
No. 3: Document internal control enhancements and business process improvements
By putting internal controls and business processes in place where none existed before, or filling in gaps or standardizing existing processes that have been differently implemented across the organization, companies can address potentially significant exposure to risk, redundancy and inefficiency. The costs associated with that can be estimated and tracked, leading to greater organizational demand for the creation of harmonized, consistent business processes across the organization that are easily understood by employees and which allow them to more confidently execute their jobs and make decisions related to risk issues.
For example, in accounts payable, purchasing, and payroll—areas ripe for human errors, fraud, and abuse—instances of noncompliance can be found that create margin leakage and lead to tax withholding and federal and state reporting issues. Calculating the costs associated with and then addressing those internal control deficiencies can contribute to an effective definition of program ROI in this area.
There is frequently a technological efficiency component to this that can be estimated as well: automating processes that formerly were done manually and prone to error or fraud not only has the potential to improve compliance but also to increase process efficiencies. For example, food manufacturers that employ systems to comply with the Food Safety Modernization Act (FSMA) realize significant business process improvements. Companies that deploy product lifestyle management (PLM) systems in the development of new food products realize up to 3 percent reductions in total formulation costs. Good planning systems can reduce days-of-stock by up to 33 percent. And rework can be reduced by as much as 40 percent through automation.
No. 4: Rebalance Areas of Compliance Spending
Running an efficient enterprise compliance program, controlling compliance risks effectively, and selectively using a risk-based approach are also components of measuring program ROI. What this entails: rather than building compliance processes dedicated to controlling and monitoring every conceivable risk that could possibly go wrong, companies should consider performing regularly scheduled risk assessments and, based on the results, rank and prioritize the risks, then prioritize where to concentrate investment. This is similar to how internal audit groups have over the years evolved and become more sophisticated in their approach to audit planning—particularly in prioritizing operational audit testing. Prioritizing compliance activities based on overall risk makes for a much more efficient—and cost effective—enterprise compliance program.
No. 5: Monitor brand and reputational perceptions and changes
Reputation matters. Building and maintaining reputation as an organization with a high degree of compliance mitigates reputational damage that can otherwise result from compliance failures. Companies can calculate the impact of reputation for compliance on their cost of capital. As ratings agencies follow different companies and industries, they give out compliance scores to different organizations. Such scores can impact stock prices and a company’s credit rating, which can affect the cost of capital.
One landmark 2004 study of 250 companies by the MIT Sloan School of Management found that businesses with better than average IT governance—i.e., processes, procedures, and controls associated with how their IT systems and personnel comply with privacy and security regulations—realized 25 percent more profits than those with poor governance.
No. 6: Benchmark peer companies in the public record
Using the yardstick of what is happening to peer companies can be another ROI measure. If a company has a robust compliance program on which it spends $10 million annually, it can compare that with what its peers are doing, and try to determine how many fines, penalties, litigation judgments, and settlements with the SEC, Department of Justice, or other regulatory body they have paid.
No. 7: Monitor employee and cultural metrics
In 2011, the number of employees who personally witnessed fraud or other misconduct at work fell to new lows in recent years. Yet in the same year, the percentage of employees feeling pressure to compromise their standards to do their jobs grew significantly, along with the number of companies with weak ethics cultures. This tension within companies may create environments in which employee satisfaction plummets, with direct and indirect consequences, which companies should monitor closely.
Gallup research indicates that disengaged workers cost U.S. businesses billions of dollars every year. They have 27 percent higher absenteeism than their engaged coworkers, causing 86.5 million days per year in lost productivity globally.Turnover is also higher among disengaged workers, and the cost of replacing an employee is approximately one-fifth of that employee’s annual salary.There are also other costs related to poor employee job satisfaction, including non-meritorious Equal Employment Opportunity Commission (EEOC) claims and employment litigation. Much of this can be tracked and quantified.
Softer metrics can be found in exit interviews, which may indicate why employees are leaving an organization. These potentially represent a treasure trove of ROI information on culture, integrity, and respect for management—traits or attributes that, if not present in the company, can result in absenteeism, poor job satisfaction, and high turnover. The bottom line: people don’t want to work for an unethical company or a company that doesn’t take ethics and compliance seriously.
No. 8: Estimate value of future M&A and expansion opportunities
A company that is perceived as taking ethics and compliance seriously, and which possesses effective anti-fraud programs and controls, may enjoy more opportunities for mergers and acquisitions and other growth opportunities that create shareholder value.
The Ethisphere Institute each year releases a list of the world’s most ethical companies. It also indexes the winners against other leading corporations with regard to stock prices. In its 2011 report, it found that ethical companies had dramatically outperformed the S&P 500 by achieving an almost 27 percent return to shareholders since 2007, compared to the S&P’s negative 8.5 percent shareholder return in that same timeframe. The Ethisphere Institute rates companies on their ethics based upon whether they exceed legal minimums for compliance, introduce innovative ideas that benefit the public, and force their competitors to follow suit.
No. 9: Productivity gains as a result of compliance
Compliant companies are also more productive companies, and calculating the costs related to that improved productivity can also prove ROI.
For example, complying with safety regulations, such as those mandated by the Occupational Safety and Health Administration (OSHA) means that an organization is paying attention to safety management, which may result in greater morale and productivity. The organization spends less time dealing with regulatory infractions and more time on initiatives that improve competitive positioning.
Which came first?
Sometimes internal audit departments find themselves in the unusual position of being so effective that the number of exceptions and gaps they need to respond to decreases. Then questions start being asked: should we disband—or significantly reduce—our internal audit staff? This raises a timeless philosophical question: are we finding less problems because we “have more cops on the beat,” or because we have less “crime”?
Sometimes compliance departments are put in this same position of arguing that without their proactive anti-fraud initiatives, “crime” could go back up. However, studies have shown that noncompliance costs cannot be avoided entirely. So there must be some point after which further investment in compliance won’t reduce non-compliance costs. This is what makes ROI calculations so important: to assist in estimating the optimal level of program investment.
Legal and internal audit departments have been around for more than 100 years. Compliance departments are a more recent change to corporate governance.. As such these functions are still evolving their roles, authorities, accountabilities, staffing volumes, and reporting lines. By looking at various qualitative and quantitative measures, compliance departments can begin answering some of the questions that inevitably arise about their contributions to the financial bottom line and develop a baseline for future sustainability.
 “Report to the Nations on Occupational Fraud and Abuse.” Association of Certified Fraud Examiners. 2012. http://www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf
 “The Cost of Compliance Report 2012.” The Ponemon Institute. 2012.
“The Cost of Compliance,” Clothes Line. American Apparel and Footwear Association. January 15, 2013. https://www.wewear.org/clothesline/the-cost-of-non-compliance/.
 “How to avoid the high costs of noncompliance: Learn the nine hidden cost components of a compliance failure.” Parametric Technology Corp. 2011.
 Deloitte’s 2012 Global Outsourcing and Insourcing Survey. 2012. http://www.deloitte.com/view/en_US/us/Services/additional-services/Service-Delivery-Transformation/c78f7ebb3c356310VgnVCM2000001b56f00aRCRD.htm
 “The Time Is Now: The ROI of FSMA Compliance,” Deloitte. 2012.
 Weill, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. (Boston: Harvard Business School Press, 2004).
 “2011 National Business Ethics Survey® Workplace Ethics in Transition,” Ethics Resource Center, ©2012, page 12.
 Wagner R, Harter J. 12: The elements of great managing. Gallup Press, 2006.
 There Are Significant Business Costs to Replacing Employees,” by Heather Boushey and Sarah Jane Glynn | November 16, 2012, the Center for American Progress. http://www.americanprogress.org/issues/labor/report/2012/11/16/44464/there-are-significant-business-costs-to-replacing-employees/.
 Should You Invest in the World’s Most Ethical Companies 2011 Edition,” by Doug Cornelius, Ethics. http://www.compliancebuilding.com/2011/03/17/should-you-invest-in-the-world%E2%80%99s-most-ethical-companies-2011-edition/
 “Safety management and productivity,” by Somen Mondal. May 16th, 2012. http://blog.fieldid.com/wp-content/uploads/Safety-Management-Productivity.jpg.
 “The Cost of Compliance Report 2012.” The Ponemon Institute.
Contributing author Ron Schwartz is a partner in the Atlanta office of Deloitte Financial Advisory Services’ Forensic practice. He specializes in providing dispute consulting, forensic investigations (including investigations under the Foreign Corrupt Practices Act and False Claims Act), internal control consulting, fraud prevention consulting and arbitration services to his clients. Ron has provided forensic and dispute services including expert witness testimony in various industries including real estate, government contracting, consumer business, manufacturing and distribution, retail, service, insurance and telecommunications.
As used in this document, ‘Deloitte’ means Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, and Deloitte Tax LLP, which are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.