Comment Article
Getting the balance right: investment in compliance versus
business benefit
In today's world, companies face a
minefield of regulations, both
governmental and industry-specific. And
the list seems to be getting longer all the
time. But does complying with these
regulations just add cost to the business,
or do they provide companies with
business advantage, such as improved
customer service?
It depends on who you ask. The
Financial Times estimates that the cost
of complying with just Sarbanes-Oxley
alone for the average large Fortune 1000
company in the US amounts to a one-off
cost of $5.1 million for implementing a
qualifying corporate governance policy,
plus a further ongoing cost of $3.7
million, on average, for continuing
compliance measures over time. Other
sources state that annual IT spending by
companies that is specifically earmarked
for compliance efforts is growing by
around 10 percent per year.
For some companies, these costs are
just too high and there have been a
number of companies that have de-listed
from U.S. stock exchanges in order to
avoid the cost of complying with the
onerous requirements of Sarbanes-
Oxley, which has had the knock on effect
of fuelling the boom in private equity
spending. There are many examples, but
just one is that of technology vendor
SafeNet, which was de-listed and
acquired by private equity firm Vector
Capital in April 2007. But that is not the
end of the story and de-listing will not
reduce the burden of compliance with a
range of other regulations, such as data
protection legislation.
© 2008 Quocirca Ltd http://www.quocirca.com
By Fran Howarth, Principal Analyst, Quocirca Ltd
Because of this-and because the burden
of regulation is likely to increase in the
future, with legislation that will
potentially be introduced including e-
disclosure rules in the EU and a
strengthening of privacy rules at a
federal level in the U.S.-companies need
to view their regulatory compliance
efforts as a strategic investment that
covers all parts of the business. This
means that compliance must involve
input from multiple stakeholders in the
organization, including the board of
directors, legal resources, operations
and IT. Organizations taking just a
tactical or piecemeal approach by
considering each regulation with which
they must comply in isolation will fail to
see the bigger picture and are likely to
end up spending more in the long run.
Before any technology investments are
made, companies need to perform an
assessment of which regulations affect
their business, as well as taking into
account future regulations that are on
the horizon, and what the provisions of
those regulations are. This will provide
insight into overlaps between
regulations, such as the requirement
included in many regulations for
maintaining email records for long
periods of time, and where common
business processes can be implemented
to achieve multiple goals. This
assessment will form the basis of a
company's strategy and plan for
investing in technology-for example in
automated controls for managing
information produced within an
organization to achieve goals of privacy
and operational transparency required
by many of the regulations that exist
+44 118 948 3360
 Comment Article
today. Many of the technology solutions
available for helping companies to
achieve regulatory compliance include
templates or model policies relating to
the requirements of the most common
pieces of legislation and these can be
used to aid companies in ensuring that
their investments cover multiple rules.
An essential investment that companies
must make in their compliance efforts is
in tools for automating and improving
auditing and reporting capabilities. A
common complaint in recent years has
been that regulatory compliance involves
increased audit fees. For example,
British Telecom says that its spend on
audit fees increased by almost one-third
due to Sarbanes-Oxley alone. Other
companies have complained that
compliance burdens caused by the
increased level of investment required
have reduced the level of dividends that
they are able to pay their shareholders.
The benefits of achieving compliance
All this said, there are actually many
benefits to compliance-not the least of
which is the avoidance of penalties and
other costs, such as lawyers' bills.
Companies will also be in a better
position to prevent their reputation being
damaged, which can cause customers to
shun their products and partners to
cancel deals. Many of the regulations
have been developed as a result of
corporate scandals such as Enron that
have forced companies out of business
and the provisions of some of them
could lead to more corporate executives
languishing in jails in the future.
The benefits that will accrue to
companies that achieve regulatory
compliance include improved internal
processes, with enhanced accuracy of
financial reporting reducing the risk of
fraud, and a better audit trail of all
processes ultimately leading to the goal
of lower audit costs. For large
© 2008 Quocirca Ltd http://www.quocirca.com
companies, the costs of restating
earnings owing to poor financial
reporting can run into billions-spend that
can be avoided by putting in place more
efficient operations in the first place. And
because of controls such as improved
security mechanisms, better records
retention, and data recovery capabilities,
companies may even be in the position
to command reduced insurance
premiums owing to reduced risk
exposure to fraud and other problems
caused by data leakage.
As well as internal process benefits,
companies that can demonstrate that
they have the tools and processes in
place for achieving regulatory
compliance will benefit from being seen
as ethical, improving shareholder value
and potentially competitive advantage if
customers and business partners have
greater confidence in the business.
Companies will also be in a better
position to defend themselves against
litigation, such as e-disclosure lawsuits,
where the costs of manually finding
poorly stored documents can run into
the millions.
The investment required for compliance
efforts may be a bitter pill for a company
to swallow upfront. But, when a holistic
approach is taken to compliance
covering all parts of the business, all
processes used, and taking all
regulations into account in one
company-wide exercise, the benefits will
eventually outweigh the costs. In the
long run, regulatory compliance will even
be good for the business, allowing a
company to improve its performance,
avoid fines and penalties, and achieve
the ultimate goal for any company-that
of getting closer to its clients and
improving customer service.
+44 118 948 3360
 Comment Article

About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology
and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the
views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-
world practitioners with first hand experience of ITC delivery who continuously research and track the industry
and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and
political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in
any implementation. This capability to uncover and report back on the end-user perceptions in the market enables
Quocirca to advise on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC
has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s
mission is to help organisations improve their success rate in process enablement through better levels of
understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC
products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of
long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise
that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC,
Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist
firms.

Details of Quocirca’s work and the services it offers can be found at

http://www.quocirca.com

© 2008 Quocirca Ltd http://www.quocirca.com +44 118 948 3360