This is the second blog post in a series aimed at clarifying some of the concepts around The True Cost of Compliance report, conducted by the Ponemon Institute. The first post of this series deals with the difference between compliance and non-compliance. This one is going to focus on understanding the cost framework used in this research.

In the benchmark study, the researchers used an activity-based costing method that estimates compliance costs across six activity centers: policy, communications, program management, data security, compliance monitoring, and enforcement. Non-compliance costs are categorized across four activity centers: business disruption, productivity loss, revenue loss, and fines and penalties.

If we look at the average compliance cost by activity center, we see that spending varies dramatically. Some believe that the best path to compliance is spending on technology, but it is really about having the right combination of people, governance practices and technology.

If we look at the average non-compliance cost by activity center, we see that the most expensive category is business disruption. Non-compliance clearly has an effect on the business, because it pulls people away from their regular duties to deal with non-compliance problems.

Additionally, within each activity center, the researchers gave participants a cost range for estimating direct costs, indirect costs and opportunity costs.

Direct costs are the direct expenses associated with accomplishing a given activity.

Indirect costs are resources spent but not as a direct cash outlay. This would include overhead, project management, productivity losses and other non-out-of-pocket expenses.

Opportunity costs are costs resulting from lost business opportunities as a result of compliance infractions that diminish the organization’s reputation and goodwill.

As we discussed in the previous blog post, we can think of compliance as proactive spending and non-compliance as reactive spending. One key finding of the report is that if organizations spent more on compliance in areas such as audits, enabling technologies, training, expert staffing and more, they would recoup those expenditures, and possibly more, through a reduction in non-compliance costs.

We hope this helps clarify the report further. We have also recorded a great presentation with Larry Ponemon himself.