Protect Your Business From Regulatory Pitfalls, With 'Practical Compliance'
There's a disturbing pattern, especially in the United States, that all entrepreneurs face: Criminal acts drive an increase in regulation and governance, which leads to more costs of compliance, to avoid penalties and litigation. This includes payment-card industry (PCI) compliance if you accept credit cards, HIPAA compliance if you see patients, workers compensation laws, data privacy rules -- the list goes on and on.
Consider our upcoming election (don't get me started): The much-discussed email breach by Hillary Clinton, and Donald Trump's insistence that Clinton's regulatory policies will "drive business out," are prime examples of how advances in technology and criminal activities and governmental responses are affecting U.S. businesses.
But the burden of compliance has to be nonpartisan. After all, more than 20 percent of small business owners claim that government regulation is the single most important challenge they face. And 47 percent of organizations say they struggle to keep up with changes in regulations and adjust their policies accordingly.
So, how can entrepreneurs address the trickiest regulatory pitfalls?
The secret lies in finding the right balance between mitigating business risks and allocating resources. We call this "practical compliance."
What's your risk tolerance?
Every business is different, of course. However, too many regulatory requirements are written as one-size-fits-all solutions. A hospital is very different from a dental practice, for example, but HIPAA requirements for the two are the same. This happens despite the fact that both entities have very different risk-tolerance and resource-allocation scenarios.
Finding your level of risk tolerance as it relates to regulatory compliance, then, is key to "practical compliance."
If you don't allocate any resources to compliance, for example, your employees can spend 100 percent of their time working on the most important priorities of the business. That sounds ideal, but if you're not allocating any time and resources to understanding and implementing regulatory compliance, you're exposing yourself to unnecessary risk.
Let's say you run a dental practice. Now, consider the implications for HIPAA (the federal Health Insurance Portability and Accountability law providing data privacy and security provisions for safeguarding medical information).
At your dental practice, neglecting these HIPAA compromises, which protect health information, might expose the practice to financial and reputation risk, should a data breach, patient complaint or HIPAA audit occur.
Related: 5 Trends Reinventing Healthcare
On the other hand, if you hire a full-time compliance officer, overinsure the business and work to understand and implement every law and regulatory requirement, you may have nothing left to pay your bills or grow your business.
Striking the right balance
Dealing with regulations requires manpower, energy and money. You can't get around it, but that doesn't mean regulations are bound to crush your entrepreneurial spirit. Determine the right balance by taking these steps:
1. Designate an owner. The cost of hiring a full-time employee to focus on compliance goes far beyond his or her base salary. You'll pay 10 percent or more to cover various taxes and workers' compensation insurance, and company-paid portions of medical insurance and 401(k) contributions will further drive up the cost of hiring a full-time employee.
Most new businesses don't have the resources to cover these expenses. Instead, find the right person who you can designate to lead the charge internally. Ensure this person has the skill set to research, teach and implement a culture of compliance in your business.
He or she should have a thorough understanding of your business's inner workings, should be flexible and inquisitive and should be able to stay abreast of the always-changing regulatory environment.
By designating the right person, you'll be able to make progress more quickly and streamline decision-making and execution.
2. Determine your risk tolerance, and align your priorities. Meet with your owner to discuss your key priorities. What compliance areas are the "hot spots" in your industry? For example, in healthcare, it could be HIPAA or OSHA. What's going to keep you up at night? Focus on those areas first. You can't do it all, but focusing on the "critical few" will help you make progress and mitigate your risks along the way.
Also, there are different types of insurance policies that can quickly mitigate your risk. For example, in healthcare, we advise practices to obtain data breach coverage, which specifically focuses on costs relating to fines, penalties and notification of patients if a breach occurs.
3. Budget time and resources. Now, it's time to realistically determine what all of this will cost. Going through the budgeting process helps refine your risk tolerance, too. Perhaps something you wanted to do can wait, or maybe something is much cheaper than you originally thought.
Established companies fare better at meeting regulations without draining their resources because they have experience navigating such legal waters. Smaller businesses can face a higher cost trying to adhere to regulations. So, establishing a budget of time and money will help you meet your goals.
Every hour of an employee's time costs about $20. In-house training may cost $3,000 to $5,000 or more per year. Documenting policies and procedures may cost another $1,000 to $2,000 per year.
Your costs should correlate with your risk tolerance. What are you willing to spend to reduce the risk of penalties, data breaches, employee or customer complaints, etc.? Figure out your practical risk level; then, allocate a budget each year to mitigate them. You'll never mitigate all your risks, but by going through the budget exercise, you'll focus on the areas of greatest concern.
4. Speak with peers and trusted advisors. Even the most savvy entrepreneurs can't do everything alone, and the consequences of a misstep in compliance could be disastrous. However, there's no need to reinvent the wheel.
Speak to your peers or hire a trusted advisor to kickstart the process. Seek guidance from attorneys, accountants, compliance consultants or your IT provider. All will provide valuable experience to lessen your learning curve. Tapping into your network of various outside experts will allow you to focus on the thing you do best: growing your business.
Regulations aren't going away. In fact, they will likely intensify. However, adopting a practical approach will help you not only find the right balance for your business, but also mitigate your risks by allocating the right level of resources. Don't let the requirements overwhelm you.
Focus on the critical areas, and adopt a culture of compliance from the start. You'll sleep better, and your customers and employees will benefit from your leadership.