


by John Hagerty

Regulatory Compliance: An $80 Billion Opportunity

Feb 11, 2005
Topics: CSO and CISO; Data and Information Security

The Issue: Between 2005 and 2009, companies will spend more than $80B on compliance-related work. Companies must include business and process improvement while meeting legal and regulatory mandates for any hope of a return on investment.

For the past two years, we've written a lot about Sarbanes-Oxley Act (SOX) compliance and its effect on the financial governance practices of a broad swath of U.S. and multinational companies. But SOX is only one of myriad compliance requirements that companies face across the globe. AMR Research's survey of more than 250 companies, conducted in 4Q04, indicates that SOX is just the beginning: in 2005 alone, firms expect to spend $15.5B on a wide range of compliance programs (see Figure 1). Over the next five years, this adds up to an $80B problem. But is it a problem? It can be, if you don't use these mandates as an opportunity to improve, or even rethink, parts of your business.

The compliance spectrum

Forward-thinking companies, having learned from their history of regulatory compliance, are putting a broad set of mandates in perspective. Not every company is subject to every regulation, but here's a sampling of what companies are dealing with in the next few years:

  • The Waste Electrical and Electronic Equipment (WEEE) and Restriction of Hazardous Substances (RoHS) directives, which set environmental goals within the European Union (see the AMR Research Alert article RoHS and WEEE: It's an Executive Problem for more information)
  • The National Highway Traffic Safety Administration's Transportation Recall Enhancement, Accountability, and Documentation (TREAD) Act, which requires the automotive sector to identify potentially hazardous part failures (see the AMR Research Alert article TREAD Compliance Does Not Deliver Critical EWS Capability)
  • The Health Insurance Portability and Accountability Act (HIPAA), which mandates the privacy of patient health information
  • U.S. Securities and Exchange Commission (SEC) rulings affecting financial services companies
  • The Basel II Capital Accords for operational risk management within banking, which will regulate reserve requirements for global banks
  • International Financial Reporting Standards (IFRS), which establish and improve financial accounting and reporting standards
  • The USA PATRIOT Act, with its broad-ranging regulations intended to prevent terrorist activities

Faced with this wide range of directives, leading companies are connecting the dots between their overall compliance requirements and their own Enterprise Performance Management (EPM) activities. Yet even the most aggressive firms have to take it slow at first before reaping the big benefits, and each aspect must be put in the much broader context of total company improvement.

Risk management must come first; compliance follows

With such intense focus on compliance, the natural inclination is to jump in and solve the most glaring problems first. But risk management, the assessment of all potential impacts to the business, must come first. Risk management evaluates all relevant business risks and then controls and monitors mitigation actions in a structured way. Compliance is the execution of these objectives, based on risk tolerance. Tolerance for risk will vary greatly from scenario to scenario within a company, and it will differ greatly between firms. Once you've articulated the strategy, you can synchronize execution and measurement with these overall objectives.

A strong link to EPM and risk management

If you treat compliance expense as a sunk cost, profit margins will remain under pressure as you take action to meet requirements over the long run. But if you use these requirements to change your business practices, you can see dramatic improvements. Like the chemical companies that had to address the disposal of hazardous waste in the 1970s and early 1980s, you can work out how best to minimize the expense of disposal, or engineer as much waste out of the process as possible, thereby reducing or eliminating disposal costs and penalties over time.

EPM is a superset of applications and processes that crosses traditional departmental boundaries to control and manage the full lifecycle of business decision making. It combines strategic goal setting and alignment with planning, forecasting, and modeling capabilities. It uses powerful analytics alongside tactical reporting to create smarter operational plans in light of inevitable and ever-present tradeoffs. A structured risk management program, supported by strong planning and scenario modeling, will allow you to make the best decisions for the company in light of all the competing demands for capital investment within it.

Like risk management and compliance, EPM is not a one-time event; it is an iterative, continuous process that mixes the best of the command-and-control philosophy of management with the nimbleness of sense-and-respond activities that encourage constant readjustment based on causal inputs.


Regulatory compliance forces companies to make tradeoffs. We recommend that you balance risk, performance objectives, and compliance requirements to make the best long-term plan for your firm. The steps include the following:

  • First and foremost, assess the risk to the firm, its processes, and the bottom line. This should lead to long-term remediation activities.
  • Understand your compliance objectives. Coordinate these activities up front to make sure you neither over-engineer nor underestimate the requirement from the start.
  • Approaches can range from the simple to the sublime. If simple (compliance to the letter of the law), the cost may be high but the impact on the company's core processes low. If trending toward the sublime (total company improvement), coordinate activities and projects so that the benefits desired become benefits realized.