When asked why your company needs to comply, tell them this:
Investing in the company’s GRC program is not merely a compliance exercise but a move to shield our organization from this threat of non-compliance and the risks that come with it. By allocating the necessary budget, we are committing to uphold operational integrity, preserve our reputation, and avoid the substantial fines that can arise from non-compliance. Such an investment is critical for supporting our long-term success in an increasingly regulated and scrutinized business environment.
If they want to know more, here’s a much longer version. You can email me HERE and I’ll send you the long version as a PDF.
Let’s face it: we govern, and we comply, because we have to. We comply to cover our butts – that’s why, and don’t let anyone argue otherwise.
I’ve seen way too many books, articles, and whitepapers that say that compliance is a “business driver” or a “source of competitive advantage.” That’s horsecrap.
I live at the top of a very large hill and my office is at the bottom, a couple of miles away. I play a game when I leave for work very early in the morning. You see, there are two stop signs and two traffic lights between my house and my office. If I time it right – and don’t stop at the first stop sign or the first stop light – I can get through the second one when it is green and coast the entire way from just outside my driveway to where I turn into the office parking lot. It’s fun. So, I play a game of risk. If I don’t see any cars near the stop sign, I don’t even brake (I can see a whole block left and right of me). If I get through that, the first stop light is on a ground-trigger and if my speed is just right, the light turns green just as I’m hitting the intersection. If I see other cars, the game is off. If I don’t, it’s on. It’s all a game of risk. I’ll comply with stopping if it’s risky for me not to do so.
Why do I do that? It’s fun, and I’m selfish. We as humans are all selfish. Period. Even our genes are selfish! A gentleman by the name of Richard Dawkins laid that argument out in his book “The Selfish Gene”[1]. In it, he introduces the concept of the “selfish gene,” suggesting that genes act in their own self-interest to ensure their survival and propagation, often at the expense of the organisms they inhabit. Dawkins explores various aspects of evolutionary theory, including altruism, cooperation, and kin selection, all through the lens of gene-centered evolution. In short, left to our own devices, we will favor ourselves at the expense of the organization and our community. So we are forced to comply. And we are forced to create a governance body to enforce compliance, or at least to enforce it when we aren’t willing to take the risk.
Threats come in four basic flavors:
Regulatory pressure for effective ethics and compliance programs (hereinafter “Program” is used to refer to an effective ethics and compliance program) has been increasing ever since the United States Sentencing Commission (USSC) passed the Federal Sentencing Guidelines for Organizations (FSGO) in 1991. However, scandals involving Enron, WorldCom, Tyco, Freddie Mac, AIG, Lehman Brothers, and others have significantly impacted modern regulatory compliance. These glaring misjudgments and compliance failures resulted in criminal actions that led to record fines and increased regulatory scrutiny designed to prevent future criminal violations.
Thus, today, more than ever, having a Program can directly impact a company’s bottom line by minimizing the risk of fines, penalties, and employee wrongdoing and by strengthening its corporate culture and reputation among its stakeholders. As businesses recognize the importance of the compliance function, the role of the compliance officer is also becoming more important, elaborate, and sought after. Unsurprisingly, the Bureau of Labor Statistics projects continued growth in the employment of compliance officers through 2022[2].
The Federal Sentencing Guidelines for Organizations (FSGO) established a systematic approach to deterring organizational wrongdoing by providing universally enforceable sentencing guidelines and mitigating conditions. These guidelines, instituted by the United States Sentencing Commission (USSC), offer a framework for sentencing organizations convicted of federal crimes. Under the FSGO, companies with effective compliance programs can significantly reduce fines and penalties, with reductions of up to 95 percent[3]. Conversely, organizations lacking such programs may face fines increased by up to 400 percent. The FSGO emphasizes the necessity for organizations to foster a compliance-oriented culture, promoting due diligence to prevent and detect criminal conduct[4]. These guidelines underscore the importance of robust compliance programs in fortifying organizations against legal and reputational risks.
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank) represents a comprehensive response to the 2008 financial crisis, aiming to enhance financial stability and consumer protection. Among its numerous provisions, Dodd-Frank introduces stringent regulations for the financial industry and establishes the Consumer Financial Protection Bureau (CFPB) to oversee consumer financial products and services. One key aspect of Dodd-Frank is its emphasis on whistleblower protection and enforcement[5]. The act incentivizes individuals to report violations of securities laws by offering them financial rewards, leading to a significant increase in whistleblower tips and complaints being reported to regulatory authorities such as the Securities and Exchange Commission (SEC). Dodd-Frank highlights the importance of transparency, accountability, and ethical conduct in the financial sector, driving organizations to strengthen their compliance practices and internal controls[6].
The Foreign Corrupt Practices Act (FCPA) is a crucial federal law that prohibits bribery of foreign officials by U.S. companies and individuals, aiming to combat corruption and promote ethical business practices globally[7]. Enforced by the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC), the FCPA has seen intensified enforcement efforts in recent years, resulting in significant fines and penalties for non-compliant organizations. For instance, the DOJ’s enforcement of the FCPA led to substantial penalties for Marubeni Corporation, which was fined $88 million for foreign bribery charges in March 2014[8]. The FCPA’s enforcement underscores the importance of implementing robust compliance programs and internal controls to mitigate legal and reputational risks associated with corrupt practices. Compliance with the FCPA is essential for organizations operating internationally, as noncompliance can lead to severe monetary losses and permanent reputational damage.
The General Data Protection Regulation (GDPR) significantly impacted international privacy law by introducing stringent regulations and hefty fines for non-compliance[9]. Designed to enhance personal data protection and privacy, GDPR applies to all types of businesses operating within the EU, imposing flexible fines that scale with the size of the organization. Infringements can lead to fines up to €20 million or 4% of the firm’s worldwide annual revenue, whichever is higher, depending on the severity of the violation[10]. These regulations encompass a wide range of violations, including breaches of basic processing principles, conditions for consent, and data subjects’ rights. The regulation emphasizes the importance of adherence to its standards to avoid substantial financial penalties[11].
In the US, the federal government is cracking down on the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by updating regulations to include the Cybersecurity Maturity Model Certification (CMMC) 2.0[12]. CMMC 2.0 introduces a streamlined model compared to its predecessor, focusing on safeguarding sensitive unclassified information from cybersecurity threats, including advanced persistent threats. This new version is expected to impact a significant number of entities within the defense sector, emphasizing the importance of a data-centric security approach to combat insider threats and ensure the protection of DoD-sensitive data[13]. The DoD specifies that once CMMC 2.0 is implemented, self-assessments or third-party assessments will be required depending on the CMMC level, making continued compliance a condition of securing and participating in DoD contracts. The DoD has also stated that it will use the False Claims Act (FCA) to prosecute entities and individuals who fail to adhere to required cybersecurity standards or knowingly misrepresent their cybersecurity practices[14].
The most prominent examples of industry fines come from the world of payment card compliance, specifically complying with the Payment Card Industry Data Security Standard (PCI DSS) suite[15]. PCI DSS applies to all businesses that process card payments, with compliance levels based on the number of transactions processed annually. Non-compliance and breaches can lead to fines ranging from $5,000 to $100,000 per month, depending on the volume of transactions and the period of non-compliance[16]. Data breaches can incur fines of $50 to $90 per affected customer, potentially leading to lawsuits and compensation amounts reaching millions of dollars, as seen in the case of Equifax and others. Over the past decade, several notable PCI DSS violations have resulted in substantial financial and reputational damage to the organizations involved. These incidents highlight the critical importance of adhering to PCI DSS guidelines to protect cardholder data and avoid the severe consequences of non-compliance. Here’s a summary of some of the most significant breaches[17]:
There are two great examples of loss of business. The first one hits very close to home for us here at Unified Compliance. Prior to 2024, the number of our clients that required a cyber risk analysis was 10%. At the beginning of 2024, 85% of our clients required a cyber risk analysis to be conducted prior to doing business with us (even clients who have been doing business with us for over a decade). Indeed, cybersecurity and third-party risk management are significant concerns for businesses today[18]. The growth in the use of external independent advisors for cybersecurity matters to 45% from 15% in 2018 indicates an increasing reliance on third-party risk analyses[19].
Organizations wanting to do online business with the US Federal Government must achieve Federal Risk and Authorization Management Program (FedRAMP) compliance in the US defense space. FedRAMP aims to ensure that cloud services used by the government have adequate security measures in place. There are two types of FedRAMP authorizations: the Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) and an agency-specific Authority to Operate (ATO). While obtaining a JAB P-ATO can be more challenging due to its rigorous review process, it allows a cloud service provider (CSP) to offer its services across all federal agencies. The problem, at this point, is that because enforcement of FedRAMP isn’t prevalent, many organizations that need to comply are failing to do so[20]. This is probably the reason that the CFRs are being updated with CMMC 2.0 certification guidelines and enforcement policies.
There are instances where organizations have been refused cybersecurity insurance due to their inability to meet the security requirements imposed by insurance companies[21]. The cybersecurity insurance market has grown increasingly stringent, with insurers demanding detailed security measures as a condition for coverage. This is largely due to the rising costs associated with data breaches, ransomware attacks, and other cyber threats. For instance, organizations may be denied coverage for several reasons, including failure to maintain or follow an ongoing program of minimum security standards, discrepancies or errors in completing initial risk assessments, and conducting their own initial forensic discovery without proper incident response planning[22]. Insurance providers assess whether businesses took “due care” to protect themselves from cyberattacks and closely scrutinize claims for ransomware payments, IT forensics, legal costs, and other factors related to breaches[23].
Don’t think of being compliant as a business driver. Think of it as the necessary seatbelts you must wear or hear that annoying “ding ding ding” in your car[24] if you don’t wear them.
Being compliant can keep you safe when threats arise – true.
If you get in a wreck, seatbelts can save your life.
If your payment system or marketing system is hacked, being in compliance can save you huge amounts in fines, and most likely, your insurance won’t get canceled.
In advocating for the allocation of a budget towards our Governance, Risk Management, and Compliance (GRC) program, it is imperative to recognize the fundamental role this investment plays in safeguarding the organization against a myriad of potential threats. The essence of building a robust GRC program lies in its ability to effectively mitigate risks and prevent the significant negative outcomes that stem from non-compliance with critical regulations such as the FSGO, Dodd-Frank, FCPA, GDPR, and standards such as PCI-DSS and CMMC 2.0. The consequences of failing to meet these regulations and standards are far-reaching and include severe legal penalties, substantial financial losses, and irreversible damage to our reputation.
No board is going to read the pages we’ve just written about why compliance is important. So here’s the TLDR[25] of everything we just said:
Investing in the company’s GRC program is not merely a compliance exercise but a move to shield our organization from this threat of non-compliance and the risks that come with it. By allocating the necessary budget, we are committing to uphold operational integrity, preserve our reputation, and avoid the substantial fines that can arise from non-compliance. Such an investment is critical for supporting our long-term success in an increasingly regulated and scrutinized business environment.
But of course you’ll be asked for proof, right? Right! Here’s some hard evidence for you that demonstrates the effectiveness of compliance programs. Here are five ways others have published for measuring the effectiveness of an organizational compliance program, taken from a bevy of online sources[26]:
[1] “The Selfish Gene (Popular Science): Richard Dawkins: 9780192860927: Amazon.Com: Books.”
[2] “Compliance Officer - Career Rankings, Salary, Reviews and Advice | US News Best Jobs.”
[3] “Effective Compliance & Ethics Programs Reduce Federal Fines by up to 95%.”
[4] “2010 FEDERAL SENTENCING GUIDELINES MANUAL: 2010 8b2_1.”
[5] “SEC.Gov | Office of the Whistleblower.”
[6] Haddon, “The Effect of the Dodd-Frank Act on Risk in the Financial Sector.”
[7] “Criminal Division | Foreign Corrupt Practices Act.”
[8] “Foreign Corrupt Practices Act.”
[9] Lechner, “GDPR.”
[10] “What If My Company/Organisation Fails to Comply with the Data Protection Rules?”
[11] “What Are the GDPR Fines? - GDPR.Eu.”
[12] “FAR 552.204–2 Security Requirements for FCI”; “48 CFR § 4.1901 - Definition of FCI”; “48 CFR § 52.204–21 - Basic Safeguarding of Covered Contractor Information Systems”; “Executive Order 13556 of November 4, 2010: Controlled Unclassified Information”; “32 CFR Part 2002 ‘Controlled Unclassified Information.’”
[13] Mroz, “CMMC 2.0.”
[14] “CMMC 2.0 Simplifies Requirements But Raises Risks for Government Contractors | Insights | Holland & Knight.”
[15] “PCI DSS Document Library.”
[16] Subabrata, “PCI DSS Fines and Penalties Explained.”
[17] “5 of the Biggest PCI Compliance Breaches to Date | GoAnywhere MFT”; “8 Shocking Real-World PCI Violations and Their Consequences — Etactics.”
[18] “Gartner Survey Finds 45% of Organizations Experienced Third Party-Related Business Interruptions During the Past Two Years.”
[19] “What Cyber Disclosures Are Telling Shareholders in 2023.”
[20] fedweek, “Without Enforcement, Cloud Contracts Not in Compliance with FedRAMP.”
[21] “Why You Could Be Denied Cyber Insurance Policy Coverage | Mindcore.”
[22] “Four Tips to Avoid Denial of Cyber Insurance Coverage for a Data Breach.”
[23] “Avoiding The Most Common Cyber Insurance Claim Denials | GB&A.”
[24] Thank god I drive an old Miata that didn’t require the stupid “ding” noise when not putting them on.
[25] Too Long Didn’t Read.
[26] Kelly, “5 Compliance Metrics Every Business Should Measure — GAN Integrity Blog”; Middleton, “Key Metrics for a Compliance Program to Monitor”; “Compliance Program Performance Metrics”; Team, “How to Measure Compliance Program Performance”; compliancelin1, “How Can You Measure a Compliance Program’s Effectiveness?”