Organisations of all sizes are coming to grips with an increasingly troubling paradox. On one side, regulators are carrying bigger sticks: Non-compliance with the regulations that govern many industries has grown so expensive that it is simply not an option. At the same time, the cost of complying with regulations has skyrocketed, leading to questions on whether there are actually any financial benefits beyond regulatory compliance. For many companies, the return on investment (ROI) for compliance has become an expensive checkmark in a box.
A key factor driving up non-compliance costs in 2018 was the rise of privacy and data protection regulation, which caused every organisation that collects information on customers and prospects to scramble and securely align their operations with these mandates.
The cost of data protection non-compliance has jumped 45% since 2011, with yearly penalties averaging nearly $15 million for multinational firms, according to a 2017 Ponemon Institute report. And that was before Europe’s General Data Protection Regulation (GDPR) took effect May 2018. GDPR forced many companies to admit lack of compliance, generating headlines like this one from The Wall Street Journal: “Facebook faces potential $1.63 billion fine in Europe over data breach.”
Meanwhile, the average cost of compliance efforts alone hit about $5.5 million for the multinational enterprises in Ponemon’s survey. Damned if you don’t; damned if you do.
For companies that are wrestling with this paradox, there is another path — a way where regulations are viewed as performance guidelines rather than hard-line rules. Instead of simply complying with regulations, we should develop frameworks that offer benchmarks and targets to enhance performance and encourage innovation. This benefits entire markets and industries rather than simply punishing them.
Shifting from regulatory compliance to performance
This view is gaining traction. Amid 2018’s growing regulatory compliance burden, professional services firm Deloitte stated, “Regulatory compliance should enhance innovation and business performance, instead of distracting companies from key opportunities for improvement.”
“As new business models and services emerge … government agencies are challenged with creating or modifying regulations, enforcing them, and communicating them to the public at a previously undreamed-of pace. And they must do this while working within legacy frameworks and attempting to foster innovation,” according to Deloitte’s June 2018 The future of regulation report. “The assumption that regulations can be crafted slowly and deliberately, and then remain in place, unchanged, for long periods of time, has been upended in today’s environment.”
Instead, Deloitte paints a vision of ‘outcome-based regulation’ that focuses on “results and performance rather than form.” Deloitte suggests such regulations must be developed collaboratively “by engaging a broader set of players across the ecosystem”; should include regulatory “sandboxes” in which new approaches are produced as prototypes and tested; and should be “adaptive,” i.e., responsively iterated rather than following the “set and forget” approach that has proven not to work.
However, there is an enormous challenge inherent in the nature of current regulation: A compliance-only approach fosters a ‘check-the-box’ mentality that is the antithesis of performance improvement. In most cases, an audit won’t tell you where to improve — it only tells you what you’re doing right or wrong based on the regulation or standard. When businesses comply for the sake of complying, they diminish their ability to think about business behavior in a performance-focused way.
Because a compliance mindset is counter to the sustainable, repeatable processes necessary for a business to improve over time, some organisations choose to abandon the checkbox approach in favour of a performance-based model that wrings value out of their obligatory regulatory investment.
Take Siemens: After getting hit with hefty non-compliance fines in 2008, Siemens instituted a proactive regulatory compliance plan to protect, detect, and respond. Siemens’ actionable objectives and focus on continuous improvement and sustainable development led to a powerful ROI: Siemens said its record-breaking 2010 fiscal year was helped, not hindered, by its new perspective on compliance.
From regulatory compliance burden to business performance boon
In support of Deloitte’s vision, and of companies such as Siemens which wish to move past a compliance mentality, enterprises may wish to explore the use of frameworks or models that aid higher performance or innovation.
Capability frameworks can help companies break the regulatory mold. Instead of providing boxes to check to demonstrate compliance, output from frameworks should be a roadmap for improving business performance. It’s a way for companies to examine their current processes and pinpoint where they are going wrong via comparison to global best practices.
For example, CMMI Institute released Version 2.0 of its Capability Maturity Model Integration (CMMI) performance-improvement framework in 2018 to help organisations boost ROI, quality and performance, while reducing cost and time-to-market. The framework’s flexibility and modularity let businesses — and even small teams within a business — pick and choose the elements that matter most to them. This framework is based on a set of global best practices tightly linked to key business performance objectives associated with planning, solving problems, governance, requirements development and risk management, quality and more.
In addition, Booz Allen Hamilton has developed a framework to help enterprises focus on innovation: the Innovation Maturity Diagnostic. This approach assesses and measures an organisation’s innovation capabilities through six different dimensions — individuals, teams, environment, resource allocation, networks and sharing, and enterprise. By measuring an organisation’s maturity, this model identifies strengths and weaknesses, allowing prioritisation of the most important opportunities for improvement.
Finally, the Open Innovation Maturity Framework, developed by researchers and published in the International Journal of Innovation Management, offers another option for formally improving performance and innovation, and moving beyond a compliance-based mindset. Open innovation involves the use of resources outside of solely the enterprise. This model combines the three core elements of open innovation (partnership capacity, climate for innovation and internal processes) with five maturity levels (initial/arbitrary, repeatable, defined, managed and optimising), resulting in a framework that assesses open innovation maturity.
On the topic of innovation and maturity, there is another interesting piece of this puzzle cited in the January-February 2019 issue of the Harvard Business Review front cover article on innovation – namely that innovation can’t be successful, or even happen consistently, without discipline. The article points out the confluence of innovation, maturity and discipline, stressing the need for mature process discipline when innovating.
There’s no doubt that companies are checking boxes as fast as individuals are. Like anybody else, companies must weigh frameworks that best move the needle. As individuals, we know it takes discipline to reach goals, like sticking to a diet or watching less TV. For companies, regulatory compliance does not mean just checking a box to keep the dogs at bay. Compliance can mean achieving performance benchmarks that move the company forward. That takes discipline.
Since most organisations have no choice when it comes to meeting compliance requirements, it makes sense to embrace compliance activities as a vehicle for improving performance. Performance-improvement frameworks are a logical place to start.
Ronald Lear’s bio: As the CMMI Institute’s Director of IP Development and Chief Architect of CMMI Products and Services, Ron brings over 34 years of experience with continual performance improvement, quality, and process management to supporting the development and launch of CMMI Products, including CMMI V2.0, the Medical Device Discovery Appraisal Program (MDDAP), and Cybersecurity Assessment products. Ron has also successfully held numerous executive and management roles for product and solution development, service delivery, and supplier management. In these roles, he has managed both small and large teams and projects delivering high-quality software, hardware, systems, and services to a wide variety of clients who are still using those products and services today.