Virtually every industry has some form of compliance regulation to adhere to -- and the number of regulations continues to grow. It appears companies are paying attention to the trend.
Compliance strategy was ranked higher than most other broad initiatives within IT, such as cloud computing and big data, according to respondents of the TechTarget IT Priorities Survey. Despite all the attention the cloud and big data receive, the lean toward compliance is not surprising, said Chris McClean, analyst at Cambridge, Mass.-based Forrester Research Inc.
"Whatever industry you're in, whatever geography you're in, there are companies that are doing bad things or maybe not paying attention to what they should be," McClean said. "Whether it's privacy, it's security, it's health and safety, or financial controls -- all of those areas are getting more attention from the government, so there has to be more attention paid to compliance."
We've seen, in certain areas, hundreds of millions -- if not billions -- of dollars in enforcement action.
analyst, Forrester Research Inc.
The survey received 382 respondents in North America, and marked the second straight year compliance strategy was ranked as the initiative most likely to be implemented. The numbers hold up on a global scale as well, with compliance -- only behind mobility -- as one of the top-ranked initiatives culled from the more than 1,600 respondents located in the rest of the world.
This is likely because compliance violations hit businesses where it counts. In the last few years, compliance enforcement actions over have gone up exponentially in every industry, McClean said.
"We've seen, in certain areas, hundreds of millions, if not billions, of dollars in enforcement action," he said. "When you have that kind of huge enforcement action, with those huge penalties and fines, it becomes hugely important for CEOs and boards to start paying attention to compliance."
The hurt doesn't stop there, either. The reputational hit that comes with non-compliance is hugely damaging as well. Barry Murphy, an analyst and co-founder of the eDJ Group, pointed to the fallout when TJ Maxx owner TJX experienced a data breach that enabled the theft of millions of debit and credit card numbers.
"Companies realize that the brand value of TJX went way down [after] its security breach -- no one wants to be that company," Murphy said. "It all comes back to the bottom line at some point in time -- no one wants sanctions; no one wants a customer to abandon them."
The business benefits of compliance
Perhaps another reason for the increased compliance focus stems from its ties -- and benefits -- to numerous other business processes. Mark Reardon, chief information security officer for the state of Georgia, said a strong compliance strategy can actually help leaders accomplish business goals, especially from a risk management and security standpoint.
"Our experience has been that as state agencies focus on compliance with regulations, they see improvements in their security," Reardon said. "Compliance [with] regulations does not necessarily translate to proper security, but it is very difficult to have security without compliance."
Reardon was quick to point out that compliance should not be simply a checkbox, however. Compliance plans and programs should engage agency leadership, while providing them with information from which they can make security decisions, he said.
Through its compliance efforts, the state of Georgia tries to identify risks and manage them appropriately. It also helps executives understand security efforts and prioritize spending, Reardon added.
"No state agency has unlimited funds, so those used for security need to address the highest risks first," Reardon said. "This prioritizes financial stability with other potential impacts, such as life and limb, severe financial damage or simply embarrassment."
More on compliance strategy
The compliance approach to records management
Compliance department expands strategy role
Murphy agreed, noting that staying compliant can be beneficial, not only from a financial standpoint, but also from a security and risk management standpoint.
"A compliance program wraps all of those things together and says, 'Let's ensure the financial stability of the company by making sure we protect privacy, provide our customers with a secure infrastructure, and that we have a risk management function that makes sure we don't do anything wrong,'" Murphy said.
The sheer number of compliance regulations probably contributes to the increased compliance strategy focus as well. The 2008 financial meltdown, hackers and privacy rules have made compliance regulations the norm across countless industries.
And when there is a compliance lapse, especially at larger companies, it's big news.
"For companies, there's an increased awareness; there [are] more regulations to make sure they are following," Murphy said. "The CFOs and the CEOs are being held personally responsible when there are compliance problems. It puts [compliance] on the radar in a different way."
But it still comes down to money.
In recent years, compliance regulators have wanted more detail about internal processes, are requesting more compliance reports and more frequently, McClean said. Not complying with these requests can ultimately result in a decisive blow to a business: losing their license to operate due to compliance violations.
"All of these things point back to 'can we operate as a company? Can we compete effectively?'" McClean said. "You can't really do that unless you are compliant."