Every enterprise needs a regulatory compliance strategy as part of its risk management planning. The simplest strategy may be to comply with only rules that have legal consequences for noncompliance, and then to meet only the minimum requirements to avoid penalties. But many firms are going beyond this approach to mitigate risk and create a defensible strategy in the event of noncompliance.
Some are going even further and choosing voluntary compliance with regulations that don't actually govern them, from greenhouse gas (GHG) reporting in the United States to Sarbanes-Oxley compliance by European firms and Gramm-Leach-Bliley Act compliance by Asian banks. Let’s examine some lessons your enterprise might learn from these firms and why you, too, want to consider following compliance regulations that don’t legally apply to your business.
Occasionally, firms begin to modify processes in preparation for inevitable changes in compliance regulations or for doing business in new markets. In the case of privacy regulations, for example, stricter rules in Canada and the European Union provided warnings for U.S. firms, but the emergence of stricter rules in California pushed more firms to prepare for similar rules at the federal level.
Sometimes, however, the writing on the wall washes off with a change in political leadership. In the United States, many firms are looking at carbon management solutions but holding off on investments to see what happens in Congress. As we’ll see, though, some are moving ahead now based on external factors beyond regulations.
In the diagram below, we see several entities in the ecosystem besides the actual regulators that can drive compliance decisions (or nonmandated sustainability initiatives):
Customers: Customer perceptions may drive compliance with nonmandated requirements when failure would provide an advantage to one’s competitors (a reputation risk management strategy), or when compliance may be used to market a behavior or position that targeted customers favor. In the former case, a privacy breach would be less painful to a firm that had followed PCI standards or similar de facto approaches if it could be shown that they were best in class and the breach could happen to anyone. In the latter, a U.S. firm that adopts EU chemical handling approaches or GHG monitoring and management procedures may be a more attractive provider to green-conscious consumers or trading partners.
Suppliers: When another firm in your supply chain is subject to a regulation, your interaction with it may reflect its requirements. If product suppliers, for example, are concerned with lifecycle assessment (the impact of their output on the environment), they will be concerned about what happens to their products as they pass through your enterprise and beyond. As a result, they may impose constraints on your use of their products. Conversely, your enterprise may find itself imposing such requirements on suppliers based on your own compliance requirements. For example, although the Sarbanes-Oxley Act regulates only certain U.S. businesses, those entities often use outsourced or offshore resources that are not required by law to comply with SOX. Outsourcing firms around the world have adjusted their policies and procedures to enable SAS 70 compliance for their clients (a regulated entity can entrust work to others, but it cannot delegate its own responsibility).
Channels: Pressure from channel partners is becoming the biggest factor in voluntary compliance with sustainability requirements for retail product manufacturers, from appliances to toys. This “Wal-Mart effect” is a direct result of initiatives such as the sustainability index, co-developed by Wal-Mart, that helps customers assess the environmental impact of products in its stores. When your firm relies on a channel partner for sales and distribution, and that partner requires compliance, it has the same or greater impact than a government mandate. It cannot be ignored.
Employees: When recruiting and retention issues make it difficult to get the personnel a firm needs to compete effectively, voluntary adherence to stricter environmental standards may provide an advantage. The next generation of workers has shown an increasing interest in green strategies, so a progressive stance may reduce human resources costs, which should be factored into any voluntary compliance decisions.
Shareholders: Shareholders by definition are concerned with equity value, so they share the reputation risk concerns previously mentioned, in addition to consideration of potential cost saving benefits of compliance.
Nongovernmental organizations: Pressure from nongovernmental organizations most frequently affects decisions on environmental, health and safety issues. Increasingly, however, privacy advocates are shaping corporate policies as consumers worry about bad outcomes ranging from embarrassment to identity theft.
Competitors: If steps taken to ensure compliance result in a cost advantage, naturally those steps will mature into best practices regardless of the legal implications of noncompliance. Otherwise, the impact of competitor compliance may be indirect if the competitor markets that compliance as a differentiating benefit, or a risk assessment shows that your failure to comply could result in a marketing opportunity for competitors.
The next time you hear about a new rule on the horizon, go beyond the simple “do we have to?” question and see if it makes sense in your environment to plan for changes anyway. Compliance managers rightfully focus on immediate requirements and relationships with regulators, and they should continue to. As a general rule, though, CIOs and other executives with risk management responsibilities should establish a framework for evaluating emerging rules and regulations to determine whether compliance is required, advisable due to pressures in the ecosystem, or ignorable at this time. Being caught unaware should not be an option.
Adrian Bowles has more than 25 years of experience as an analyst, practitioner and academic in IT with a focus on IT strategy and management. He is the founder of SIG411 LLC, an advisory services firm in Westport, Conn., and director of the Sustainability Leadership Council.