Costs of a compliance program


Compliance is the set of norms, regulations, policies and guidelines established by a company to prevent, detect and address misconduct. We already know how important compliance is to your company. In this blog post, though, we're going to look at what really matters in a budget discussion: the numbers. How much does a compliance program really cost your company?

How much does it cost to not have a compliance program?

Before we analyze the cost of a compliance program, it's important to understand how much more you can end up spending by not having one. That way, you can make the comparison and decide whether the cost-effectiveness makes sense for your company.

The fine under the Anticorruption Law is the largest direct cost a company without a compliance program is exposed to when misconduct does occur. The fine can range from 0.1% to 20% of the company's gross revenue, and it can never be lower than the advantage the company obtained from the illicit act. The image below shows how that math is done.

The losses that come from the fine can be avoided with a compliance program, because its job is to keep illicit acts from happening in the first place. Better still, the Anticorruption Law's regulations provide for a reduction of up to 4 percentage points in the rate used to calculate the fine for companies that have an integrity program in place. In other words, even when compliance fails to prevent the illicit act, it can lower the fine.

How much are companies investing in compliance programs?

The costs of a compliance program for larger companies, especially the ones hit by legal actions, are very high. Odebrecht alone estimated spending R$ 64 million on compliance in 2017, almost six times the amount dedicated to the department two years earlier. And Andrade Gutierrez, another construction company affected by Operation Car Wash, re-evaluated all of its suppliers, partners and payment processes. As a result, it blocked over 100 suppliers.
</gre_replace>
<gr_replace lines="20-24" cat="clarify" orig="Some examples of companies">
Some examples of companies that were hurt by their involvement in corruption cases:

– Engevix Construction was barred from taking part in any federal bidding for 5 years after the Tribunal de Contas da União (TCU) declared it ineligible (inidônea) because of irregularities committed during the construction of the Angra 3 nuclear power plant. Its revenue shrank by about 70%.

– The food company JBS had its rating downgraded by the credit rating agency Standard & Poor's, which cited poor governance policies as a reason. The lower the rating, the more the company pays for credit.

Some examples of companies that were negatively affected by their involvement in corruption cases are:

– Engevix Construction was prohibited participation in any federal bidding for 5 years after being declared inidone by the Tribunal de Contas da União (TCU), due to irregularities it comitted during the construction of the Angra 3 nuclear powerplant. It’s income shrunk by about 70%.

– The food company JBS’s rating was lowered by the risk classification agency Standard & Poors. It cited poor governance policies as a motive. The lower the rating, the more the company has to pay for credit. 

How much does a compliance program cost?

To determine the costs of a compliance program, six major activity areas were chosen. Taken together, the costs of these six activities are treated as covering the total economic impact of compliance. For each one, both direct and indirect costs were analyzed.

Compliance Policies

Activities related to the creation and dissemination of policies. The most important example is the Code of Ethics and Conduct, but the program can also include specific documents on business travel, HR, risk assessment and so on. The costs surrounding policies come mainly from managing these documents (poor management can significantly reduce productivity) and from the legal consequences of not having them (non-compliance with anticorruption laws).

Communication and training

Activities and associated costs that allow a company to train employees and build awareness of the organization's policies and procedures for protecting sensitive or confidential information. This includes all communication to employees, temporary staff, contractors and business partners, as well as the required notifications of policy changes and data breach incidents.

Program management

Activities and costs related to the coordination and governance of all compliance programs and activities within the company, including direct and indirect costs. Examples are the cost of a compliance officer, a compliance team, or a team that maintains the program as a whole.

Data security

All activities and technologies the organization uses to protect its information assets. These include professional security personnel, the implementation of security controls, backup and disaster recovery operations, and others.

Compliance monitoring

All activities the organization carries out to evaluate or assess its compliance with external, internal and contractual obligations. This includes the costs of internal audits, third-party audits, verification programs, professional audit personnel, and others.


Non-compliance and enforcement

Activities related to the detection of non-compliance, including incident response. They also include remedial actions, such as corrective training for employees who violate compliance requirements, and voluntary self-reporting to regulators.

Beyond the internal activities listed above, most companies also suffer from lost business opportunities as a result of failing to comply with data protection requirements and laws.

Examples of non-compliance include end-user policy violations, such as improper use of internet applications or the use of insecure devices in the workplace. Other examples include contractual breaches with suppliers or business partners, organizational changes imposed by regulators, theft of intellectual property, and many others.