Embarking on a compliance journey for the first time can be an eye-opening experience for many organizations. The undertaking can be more complex and costly than you could have ever anticipated. I’ve had numerous conversations with organizations about their compliance experience, and they often tell me, “No joke, I didn’t have any idea that this was going to cost this much.”
The truth is, there’s a whole realm of costs that many companies fail to anticipate when venturing into compliance. Let’s discuss some of these hidden elements and why it’s crucial to count the cost of compliance before you even begin.
The Obvious and Hidden Costs of Compliance
Certain costs in compliance seem quite obvious — the cost of registering your organization, hiring an Assessor, going through the actual assessment, or procuring compliance management software. It’s tempting to simply add up these costs and call it your total expenditure.
However, this approach overlooks significant costs that are not directly visible but play a crucial role — primarily, the time and effort involved in managing the compliance process, and the inevitable wasted time along the journey.
The compliance manager (or whatever poor soul was the last one to sit when the music stopped) is usually the unsung hero who shoulders most of the compliance burden. However, becoming compliant demands the involvement of people across all your operational departments, including HR, Legal, IT, and Sales. Depending on the size of your organization, you could have anywhere from three to thirty people whose regular duties are interrupted to assist with provisioning evidence or inputs to your compliance engagement.
This interruption of work and diversion of resources is a significant hidden cost that rarely gets considered. Overlook it and you’ll find your operations stuck in bottlenecks and perpetual overtime cycles. Client deliverables could be impacted as well. Or, worst case scenario, your compliance engagement is put at risk.
The Technological Black Box
There’s another hidden factor that adds to the cost — the state of your organization in terms of implementing security and compliance technology. Often, the executive leadership makes the wrong assumption that your IT people know what they’re doing — so when it comes to security and compliance, you’re good to go. The reality, however, is that while your IT staff may excel at their regular job duties, they’re unlikely to have a depth of experience in the realm of security and compliance.
This lack of experience translates into a steep learning curve, which takes precious time (and money) to overcome. Unfortunately this chasm that wasted time is pouring into comes at a very high cost. Some of your highest paid individuals and SMEs in the organization are the ones drawn into supporting the security and compliance efforts.
Preparation, Wasted Effort, and Time Management
The initial journey to compliance usually consists of two major phases: assessing your current situation, and preparing for the annual audit. In this preparatory phase, you’ll spend considerable time and resources identifying and fixing gaps in the controls of your organization.
From the day you start evaluating where you stand in terms of being ready for the assessment, a lot of time is wasted. Managing this process, tracking efforts, attending status meetings, and working on resolving issues are all time-consuming activities that add to the hidden cost of compliance.
Filling the gaps could involve developing a process or procedure, or finding and implementing the right tool. This means someone internally has to invest the time to learn, procure, and implement this solution, adding another layer to the cost pile.
Beware the Snake Oil Salesperson
More and more these days, you hear organizations making the claim that if you just go with them, all your compliance problems will melt away. Sign up for their solution, host your stuff with them, install their tool, use their compliance system that’ll magically remove all burden for your compliance while saving you millions in the process.
I’ve seen a lot of BS in the marketplace over the years and TCT keeps gaining new friends that initially were lured by the snake oil dribbling in their ears. These poor folks saw a myriad of outcomes, including:
- Long costly implementation times
- Pipedream promises that fell short
- Additional costs that snuck in late in the implementation cycle
- Vendors that effectively were lying about the efficacy of their solution
You know what they say. If it sounds too good to be true…
The Outsourcing Decision
In dealing with these challenges, you face a crucial decision: do you do it in-house, or do you hire a third party? You can offload some of the heavy lifting to third parties, but it comes with a price tag.
This decision involves a cost-benefit analysis. You might save on upfront costs by having your internal team tackle compliance, but remember, every hour they spend on this task is an hour not spent supporting your core business functions. Before you know it, your team has spent 2,000 hours trying to get your organization ready for the Assessor.
If 2,000 hours sounds ridiculously overblown, think again. Your compliance manager is likely to spend more than 300 hours on status meeting activities alone. Your central IT folks that do a lot of heavy lifting — they could very well be deployed to compliance related tasks for 20 to 40 hours a week, for months at a time. When you start to add up all the activities involved in your compliance engagement, and all the people who have a role to play, the time commitment skyrockets in no time.
Then there’s the actual assessment itself. I was on the phone the other day with an organization that was about to go into an annual cycle with an Assessor and they thought they would just pay the fee and pass off all of their evidence, and the Assessor would do their work on their own, behind the scenes.
Instead, the Assessor asked for a full schedule of four days worth of meetings and observations with all sorts of different people within the organization. This organization was surprised to learn how much of a draw on time and resources this on-site assessment would require.
The weekly cadence of meetings with your Assessor for those status meetings will also come into play, often involving more resources than merely the internal nominee as Compliance Manager. Assessors often want to have a more detailed discussion around the firewall, change control, access control or onboarding. Which means bringing additional resources into the meeting to get these items addressed and keep things moving forward.
It all adds up.
The Ongoing Cost of Compliance
The journey towards compliance doesn’t end with a certificate. Compliance isn’t a one-and-done thing, but a continuous process that requires ongoing investment. Many organizations forget this crucial fact in their joy of achieving compliance. They return to their day jobs, mistakenly thinking they’ve crossed the finish line.
The reality is, once you’re compliant, you’ve committed to continuous compliance — managing, maintaining, and repeating a host of activities to stay compliant with your certification. This is often a rude awakening a year down the line, when you discover you’ve neglected certain tasks. These oversights can put at risk the trust you’ve built with third parties that depend on your certifications.
There’s also the ongoing costs related to the technical solutions, vendors, and services you implemented for compliance. Neglect to budget these costs and you’ll face an unexpected draw on your organization’s personnel and resources.
Counting the Cost: A Crucial First Step
Before you embark on your compliance journey, it’s imperative to count all the costs, not just the big ticket items. Those hidden items add up and they can impact your operations and your budget more than the obvious costs do.
Go into your compliance journey with both eyes open and take the time to consider all the costs, and you’ll keep your organization running more smoothly and more productively — not just during your first compliance cycle, but for the long haul.