
A colleague of mine at a single-state Blue Cross Blue Shield organization often begins his talks on InfoSec and Privacy by asking, “Raise your hand if you think a health payer needs to adhere to HIPAA regulations.” Inevitably, all the hands in the audience go up. He then states, “No, we don’t.” 

The audience is understandably confused. He goes on to explain that adhering to HIPAA, or any other regulation or law, is a business decision, plain and simple. An organization could simply choose not to, and face the consequences (fines, jail time, going out of business). Most firms likely won’t make that decision, but his point remains: deciding whether, and to what extent, to comply with regulations and laws needs to be a risk/value decision rather than a “comply at all costs” one.

Too often, as compliance professionals, we forget that the work we do is not a given, i.e., our organizations don’t have to comply 100 percent at all costs. Every decision to spend time, money and resources on compliance must be — and should be — balanced against both the value of doing so and the risk of not doing so … and then the decision about the way forward should balance the two.

The Value of Compliance

To alter your approach to compliance from “must do” to “could do, if worth it” requires a 180-degree shift in how you approach your job, whether in InfoSec, Privacy, Records Management, Information Governance, etc. Rather than assuming your firm should support 100 percent compliance regardless of cost, you need to define the range of compliance available, from de minimis to 100 percent, group the possible responses into viable tiers, and net out the cost, value and risk of each … and then let leadership decide which option they are comfortable supporting (and funding).

Easier said than done. How do you persuasively quantify the value of compliance with a given regulation (and quantify the costs)?


The Costs of Compliance

To quantify the costs (and ultimately the benefits) of compliance, your first step is to identify the specific regulations, laws, standards and more that are “in play” for your organization. Too often, we subsume these under internal disciplines such as privacy, records management or InfoSec. But these categories are far too broad. 

So rather than “records retention” as a whole (or “privacy” or “information security”), focus on specific obligations such as OSHA, SOX, HIPAA or GDPR. Doing so allows you to identify tangible requirements and the tangible responses (people, process and technology) that will enable you to meet them.

With that done, you can calculate the likely costs of non-compliance, e.g., cost per HIPAA record, PCI theft, PII breach, SOX audit finding, etc. These are never exact, because the extent of a given breach or audit finding is difficult to predict and the resulting fines can always be negotiated down. Nevertheless, establishing baselines is a good starting point.

For example, if you have three terabytes of protected health information (PHI) on shared drives, you can calculate the number of individual PHI records at risk and multiply by $1000 (the typical cost of a per-record fine). A breach won't typically access all PHI, of course, and your organization will negotiate any imposed fines down, but this gives you an upper bound to begin with — and, of course, this is a worst case if things go horribly wrong with either the breach or the follow-up interactions with regulators and the public.


The ROI of Compliance

Once you have both the level of risk your organization faces as well as the likely dollar amount attached to it, you can make a case for the ROI of remediating the risk. But know that the specifics of the ROI will depend on the specific risk your efforts address. For example, if e-discovery risk is the target, the ROI will never be “total e-discovery costs” because those costs depend mainly on the number and severity of litigation events.

So, if you had an e-discovery spend last year of $5 million, and you estimate you can reduce it by 50 percent by reducing discoverable content by 50 percent, you’d be taking a huge risk with this prediction — what if you reduced discoverable content by 50 percent, but the number of lawsuits increased by 50 percent? Costs would stay flat. Or what if the number increased further? Or the severity increased? Or both? In this case, you could expend resources and funds to reduce content volumes yet see an increase in e-discovery costs … and your execs would rightly question whether you achieved your goals (and whether you should keep your job).

Although the specifics of a strong ROI will differ based on many factors, the following is a good general list of ROI categories for typical compliance domains:

  • E-discovery: lowered cost per litigation event (unit cost); more accurate early case assessment.
  • InfoSec/Privacy: lower cost per breach (based on total number of sensitive records on company systems).
  • Records Management: lower hours per employee to comply with records management policies; lower storage costs for paper (on site and off site).


A Balance Between Compliance and Value

Ultimately, our job as compliance professionals is to articulate the costs of compliance, the risks of non-compliance, and the value of balancing the two for the good of the larger organization … not simply to drive the hard line of “compliance at any cost.” Doing so may feel foreign to many of us at first, but with practice, we can all come to realize that compliance is a business decision to be made in light of the risk and value of complying with any given regulation, law, standard, etc.

Once we make this conceptual shift, far from becoming an afterthought, we’ll become a true business partner, valued for our ability to quantify our work and its value, rather than hated and feared for being the perpetual bearers of bad news (and overhead).