Thursday, November 17, 2011

A Study: Cost of Non-Compliance


In January of 2011, the Ponemon Institute LLC conducted a study of 46 multinational companies to determine the costs of both Compliance and Non-Compliance. This was “the first study to use empirical data to estimate the full costs of the organizations' compliance efforts, including the cost of non-compliance with laws, regulations, and policies.” Here are some highlights from the study:

Costs of Compliance vs Non-Compliance

  1. The average cost of Compliance for the 46 companies was $3.5 million, or about $220.00 per employee per year.
  2. The average cost of Non-Compliance for the 46 companies was $9.3 million, or about $820.00 per employee per year.
  3. On average, the cost of Non-Compliance was about 2.65 times the cost of Compliance for the 46 companies.
  4. In all but 2 cases, Non-Compliance costs outweighed Compliance costs.
Security Strategy and Non-Compliance Costs

  1. The study used a well-known indexing method called the Security Effectiveness Score (SES). They found that:
    • The SES had no relation to Compliance costs.
    • The SES is inversely related to Non-Compliance costs.
  2. Outcome: the more an organization invests in its security effectiveness (raising its SES), the lower its Non-Compliance costs.


Breakdown of Non-Compliance Costs

  1. 43% of Non-Compliance Costs are Indirect Costs. Indirect costs include data center downtime, diminished employee productivity, and administrative overhead.
  2. 30% of Non-Compliance Costs are Opportunity Costs. Reduced potential, lost business opportunities that result from compliance infractions, and a company's damaged reputation are all opportunity costs.
  3. 27% of Non-Compliance Costs are Direct Costs. Direct costs of non-compliance include loss of customers and lost revenue.
