What Your Company Gets Wrong About Compliance

Firms that cobble together programs as they grow just set themselves up for failure.

By Allan Matheson Originally published Jun 2, 2021

Opinions expressed by Entrepreneur contributors are their own.

Leaks of customer data, corrupt practices by foreign agents, IT breaches. These are just some of the biggest risks that companies face with their third-party relationships. Despite the known dangers, few get it right when it comes to budgeting for their defense strategies.

That's particularly true of mid-sized firms whose third-party ecosystems have grown while their compliance practices have remained stuck in a small-company mentality.

Often these companies have cobbled together compliance budgets as they've grown. That means they end up with critical gaps that cost more to set right later. For example, a general counsel may have set up a program to assess foreign bribery and corruption risks some years ago … but did not put in place a system to re-certify and monitor relationships. The result is an outdated program that must be started anew.


Or maybe that GC smartly included contract language giving their firm the right to audit its higher-risk third parties … but there's no budget to carry out those audits. It could be problematic if an enforcement agency's investigation finds that your third-party contracts include a right to audit, but it has never been exercised.

Battle of the budget

Despite the obvious need, mid-sized companies' compliance pros still get pushback when they seek to fund compliance programs, even when there is evidence to justify the expense. It's finally widely accepted that smart technology is vital to cope with rapidly changing regulation and the digitalization of customers' private data.

Even so, it's not enough to simply buy some software and put up your feet. Budget should also be allocated to follow up on tech-identified problems, such as cutting relationships or remediating them. That requires funds for training, ongoing monitoring, due diligence, audits and investigations.

How much will a thorough compliance program cost? Well, how long is a piece of string? The expense varies widely depending on factors including the industries and geographical areas in which a company operates. The bulk of the effort and expense will be devoted to the relatively small number of high-risk partners, but that share could range from as low as 3% to as high as 20%, depending on the industry.

Arguably the biggest cost determinant has less to do with the company itself and more to do with the type of partner it chooses to help it set up and run a compliance program. A firm that relies exclusively on external legal and technical expertise will end up paying a lot more than one that uses strategically assembled solutions to identify and isolate which third parties require spend — and which do not.

First steps

The process — and costs — of budgeting for a compliance program can seem daunting, but let's break it into two broad categories: set-up and maintenance.

The initial set-up involves creating and supporting a tech platform. It also requires constructing a mechanism for assessing the company's spectrum of third-party risks. The next step requires drilling down into individual relationships to thoroughly understand the risks. Creating mechanisms for legal reviews of program operations and third-party assessments could require up to $50,000 and $25,000, respectively.


Technology is vital for breaking down internal silos and efficiently documenting responses obtained through questionnaires sent to suppliers and agents. The set-up and customization can range from $3,000 to $20,000 for a mid-market firm. If internal tech support is required and you will be billed internally, don't forget to budget for this item, which could cost up to $50,000.

The important point here: It needn't be overly expensive. Smaller firms can get most of what they need from technology by using something that's best in class and more prescriptive, rather than a highly customizable option that requires more resources to set up and run.

Budget wild cards

A compliance program that isn't updated and monitored consistently is almost as bad as no program at all. Some would argue it's even worse. That's where the maintenance portion of the budget equation comes in, including tech licensing fees ($3,000 to $20,000 per year), ongoing monitoring of third parties (up to $20,000) and changes in assessments to keep up with evolving national and international regulations (up to $25,000).

It's also essential to budget for due diligence. If your assessment deems a third party to be high risk, you'll need more research. Perhaps you have a third party in Vietnam who does a lot of selling to government, raising the potential for you to be associated with FCPA violations. Research to determine factors such as who is really behind that company, whether it's ever had any compliance issues, and whether it has its own anti-bribery program will be essential.


Budgeting for this item can be tricky, but industry peers and vendors can help you assess what proportions of your population may require research.

The maintenance side also contains several budget wild cards.

Staff training is one. It's important to invest in training that gives your compliance team the skills to manage your hottest third-party risk areas. If most of your problematic relationships are in China, you should direct training dollars toward educating your colleagues at the front line of these relationships. The cost depends on a variety of factors, including whether you train internally versus hiring outside corporate specialists.

Will you need a budget for conducting investigations? Building it in raises awareness internally that you can play a key role in proactively identifying and mitigating risks.

While many of the line items mentioned above may be estimates, the exercise of budgeting alone is worthwhile. As you assemble the budget, questions regarding risk appetite, resources available, and how you operate your program will become much more obvious. Making smart, informed choices about how you allocate funds can help you achieve a well-functioning, defensible program without major spend.

Allan Matheson

Entrepreneur Leadership Network Contributor

Allan Matheson is the CEO of Blue Umbrella, a Vancouver-based compliance technology company.
