“Prevention is better than a cure” is an old but still very relevant maxim for risk management and compliance.
Fines and penalties in the UK have been growing in recent years. Despite the risks and the warnings, many organizations still fail to comply with stringent compliance rules. It was reported that in 2016 the 20 largest fines handed to organizations for breaches and violations were three times higher than the 20 largest fines in 2015, and eight times higher than those in 2014. While the cost of compliance may not be rising, the penalties for non-compliance certainly are.
The cost of health and safety compliance for SME organizations in 2016/17 ranged between £5,000 and £40,000 per annum. Environmental, health and safety (EHS) fines and penalties are now 65% greater than the expenditure that compliant companies incurred to foster a safety culture. Organizations that invested in health and safety therefore potentially avoided a fine as much as £75,000 higher than their cost of compliance.
A total of £32,400,000 in fines was issued by the Health and Safety Executive (HSE) across the UK in 2016, all of it related to a lack of compliance with EHS standards. Furthermore, according to new global estimates, non-compliance with EHS regulations is currently costing the European Union (EU) €476 billion a year, which is over €9 billion every week. During 2016 the UK paid £14.9 billion in direct and indirect workers’ compensation costs, of which £2.9 billion was borne directly by UK employers.
Reactive issue management alone will not fix the underlying problems in any organization. This shows us, once more, that prevention and deterrence are better than a cure: that is what active compliance is all about.
The new General Data Protection Regulation (GDPR), which applies from 25 May 2018, is a clear example of the consequences of non-compliance and of risk management failures. Put simply: fail to comply and you could be out of business. That is the message being sent to organizations of all sizes that handle the data of EU residents, ahead of the biggest change to data privacy legislation in 20 years.
Research by Veritas Technologies suggests that companies will spend an average of £1.1 million (€1.3 million) on systems and training to comply with GDPR. It also found that 65% of companies are seeking external help to comply with the new regulation. Whichever way you look at it, GDPR is going to cost a staggering amount. However, this is a drop in the ocean compared to the cost of being found non-compliant when the Information Commissioner’s Office (ICO) comes knocking at the door.
$700,000 vs. $420 million? In November 2017, the New York State Attorney General’s office announced a $700,000 penalty against the Hilton hotel giant for two incidents in 2015 in which the company was hacked, exposing credit card and other information belonging to 350,000 customers. The $700,000 penalty equates to $2 per lost record. That is cents on the dollar for a company which reported revenues of $11.2 billion in 2015, the year of the breach. Under GDPR, the maximum fine is 4% of worldwide annual turnover for the preceding financial year or €20 million, whichever is higher. Hilton reported FY 2014 revenue of $10.5 billion; four percent of that is $420 million, or $1,200 for every customer record lost. That figure is an upper bound rather than a guaranteed penalty, but it would have been a very different story had GDPR been in place at the time.
The Payment Card Industry Security Standards Council (PCI SSC) has also warned UK businesses that they could face up to £122bn in penalties for data breaches once the new EU legislation comes into effect. Non-compliance is simply not an option.
Healthcare is also an interesting, demanding and equally frustrating area when it comes to compliance. According to research, the total amount spent on regulatory compliance equated to an annual cost of over £34,672 per hospital bed and £885 per admitted patient. This may seem high, but the cost of non-compliance can be substantial, especially in healthcare where lives are at risk. Carrying out a corrective and preventive action (CAPA) can cost up to £7,372; addressing a warning letter may cost £1.4 million for a simple fix, or up to £14 million if it requires changes to the organization’s structure; and resolving a consent decree can top £73 million. An effective compliance-based solution can prevent this spiral and keep costs under control.
With incredibly high demand, pressure on healthcare systems and new regulations continuously being introduced, executive teams are working hard to ensure that their compliance programs keep meeting these standards.
How Businesses Can Mitigate Risk
We have discussed the financial costs of non-compliance, but there are intangible costs as well. A lack of compliance can lead to reputational damage and a loss of customer trust, with a detrimental impact on any organization.
What is required is continuous compliance: continuous monitoring, performance evaluation and improvement. In today’s environment, an investment in compliance could be the best ROI you will ever get.
With 2017 figures still being published as we enter 2018, it is important to ensure that your organization is taking compliance seriously and going above and beyond the standards and requirements set in previous years. While compliance costs may not be rising steeply, penalty costs certainly are.
The AuditComply platform is the lifeline for numerous organizations operating in highly regulated environments. Providing a strong backbone, AuditComply streamlines your workflow, mitigates your risks and eases your road towards complete compliance.
AuditComply’s Risk Management Platform includes features such as root cause analysis, which plays a vital role in shaping your risk and performance management plans and systems. We can help your organization understand its issues and assist in putting measures in place to prevent recurring risks. No system can eliminate every threat, but having a centralized, effective and digital risk management system in place will give you the best possible chance of dealing with potential risks across your organization.
Mitigate Risk, Drive Compliance and Improve Quality. Find out more about AuditComply here.