Enterprise Compliance Costs Hit $3.5 Million, Study Finds

A survey of multinational corporations found those companies that performed internal audits spent less per capita on compliance than those that didn't perform any.

The penalties for being out of step with compliance mandates are not going away, and neither is the cost of keeping up with regulations.

However, a new report from the Ponemon Institute found that conducting more internal compliance audits can actually lower that price tag.

According to the study (PDF), which included responses from 160 business leaders spanning 46 multinational companies, the average cost of compliance is more than $3.5 million. Twenty-eight percent of those surveyed said they do not conduct internal compliance audits, while 22 percent responded they conduct between three and five a year.

Those in the latter group had a lower per capita compliance cost than those in the former. Organizations that performed three to five internal compliance audits each year averaged a compliance cost of $154 per capita. In contrast, those that performed no internal audits had a compliance cost of $341 per capita, and their noncompliance cost (the cost of the consequences of compliance failure) stood at $1,275 per capita.

"I believe that the reason why internal audits reduce compliance cost is that they help prioritize the organization's overall compliance efforts," explained Larry Ponemon, chairman of the Ponemon Institute. "This leads to greater efficiency in managing the total compliance burden. In other words, companies that do not conduct audits appear to be less efficient in their ongoing program management of data protection and privacy efforts."

If companies spent more on compliance in areas such as audits, enabling technologies, training and expert staffing, they could recoup their expenditures and possibly more by reducing the cost of the consequences of being out of compliance, the report asserts.

The total cost of compliance varies significantly between industries, ranging from $6.8 million for education and research to more than $24 million for the energy sector. In terms of budget allocation, the areas of considerable cost include complying with laws and regulations ($1,588,900), addressing internal policies and procedures ($1,190,005), and funding contractual agreements with partners, vendors and data protection authorities ($564,230), according to the report.

A consistent theme in the institute's studies on data breach and compliance issues has been the role of strong management in maintaining and reaching regulatory compliance, Ponemon said.

"Executive leadership or sponsorship of data protection, privacy and information security initiatives almost always leads to a more favorable program effort and outcome," he said. "One reason for this finding is that executive support translates into a larger program budget, which results in the purchase of cutting-edge technologies, professional staff and more."

Unfortunately, compliance regulations have become a necessity because very few organizations have voluntarily created a secure environment for sensitive data, opined Rekha Shenoy, vice president of strategy at Tripwire, which commissioned the study.

"I believe that executive leadership involvement is imperative to be able to create a culture of not only compliance, but also of security," she said, adding that no industry or public sector is really improving in this area.

"The difference between companies that are improving and those that have a wider gap is likely executive leadership," she said. "We see the common thread being the number of internal audits occurring, which happens with executive support. So when the compliance dollars go toward investing in automated compliance and good security practices, the business reaps the benefits. We are excited that we have good economic data to prove what the industry has been debating for some time."