For many organisations, especially those in highly regulated industries such as financial services, education and healthcare, ensuring compliance with a growing number of government and industry regulations can be a nuisance and a drain on already strained resources. However, the costs of not complying can be extremely steep. Recent research indicates that failures to comply have become more costly than ever for schools, far exceeding the costs of compliance. In other words, it makes good business sense to ensure compliance with all relevant regulations.
Background - The Cost of Compliance
Based on a recent report by the research firm the Ponemon Institute and the security company GlobalScape, the annual cost of non-compliance to organisations now averages $14.8 million, a 45 per cent increase since 2011. Costs range anywhere from $2.2 million to $39.2 million. The cost of compliance, on the other hand, was found to average $5.5 million, up 43 per cent from 2011. Non-compliance therefore costs 2.71 times as much as maintaining or meeting compliance requirements. Non-compliance costs arise from business disruption, productivity losses, fines, penalties and other settlement costs.
To meet compliance mandates, schools can employ a number of methods, each of which factors into the total cost. These might include administration overheads, consultant services, training, communication and technology. Data security carries the highest average compliance cost for organisations, at $2 million a year. However, most organisations spend the most on compliance tools, including specialised technologies, incident response, and audit and assessment.
The Highest Compliance Costs
Organisations annually spend on average about $1.3 million on compliance-related platforms, $1 million on incident response, and $750,000 on audits and assessments. According to the survey results, this investment ultimately pays off: organisations conducting regular audits had a lower overall compliance cost, and more than two audits a year can reduce that cost significantly. Companies, for example, might find themselves paying $14 million if they run more than two audits a year, compared with $27 million for one or two.
The cost of compliance can vary by industry. For example, media organisations average $7.7 million annually to comply with regulations and policies, while financial services organisations face more than $30.9 million annually in compliance costs. These costs vary widely based on the amount of sensitive or confidential information a particular industry handles and is required to secure. As data becomes more valuable, the risk of data breaches, data loss, cyber attacks or insider threats becomes an urgent compliance issue.
Understandably, organisations in heavily regulated industries have the highest compliance costs. The education sector has faced only a $3 million rise in compliance costs over the previous six years, in comparison with some of the more heavily regulated industries.
The Cost of Non-Compliance
While monetary fines are still growing rapidly as a result of persistent non-compliance, they are not seen to have changed the underlying culture of many schools, many of which consider financial penalties part of the standard cost of doing business. Regulators have instead moved to a wider range of measures to ensure compliant behaviour. This can result in the school or the individual suffering the cost and pain of a penalty multiple times, the ramifications of which will be felt by all stakeholders.
Example: Work, Health and Safety
Let us first take, as an example, a breach by a school of work, health and safety legislation. A breach by a school could be something as simple as bullying of staff or students, or an employee slipping in the school building. Under the harmonised WHS legislation, different penalties apply to a school, its officers and its workers for breaches of this legislation; the penalties cascade into three categories for workers, officers and the organisation. In the most serious category of breach (e.g. a health and safety breach that leads to a severe illness or injury as a result of recklessness and without any excuse) there is a financial penalty of up to $3 million. Further, officers can face fines of up to $600,000 and workers fines of up to $300,000, together with up to a five-year prison sentence.
Schools should critically consider their management practices if they want to avoid facing heavy penalties and fines. However, a school would suffer far more than financial penalties in the event of a breach. There are significant costs related to the temporary replacement of an injured staff member who is unable to work and to increased workers' compensation premiums, and a breach can seriously compromise a school's trust and credibility as a caring employer in the eyes of its staff.
Let us turn to a second example: a teacher takes a laptop home and it is subsequently stolen from their car. On the laptop are sensitive records of every student the teacher is responsible for throughout the school day. The Notifiable Data Breach (NDB) Scheme requires organisations covered by the Privacy Act 1988 (Cth), which includes most non-government schools, to notify individuals when their personal information is involved in a data breach that is likely to result in serious harm. Entities must also notify the OAIC of these types of data breaches.
The monetary penalties for breach of the NDB Scheme (up to $360,000 for individuals and $2.1 million for organisations) are only one of a school's worries in these circumstances. The school also potentially faces reputational damage and a backlash from the existing school community, which in turn may affect student enrolments.
Other rising costs of non-compliance can also include:
- financial implications much wider than the actual fine levied. They can include the termination of a specific program at a school, the curtailment of the ability to teach certain programs or ultimately the end of the school itself through loss of registration or accreditation.
- regulatory action having a negative impact on the reputation of a school and damaging its relationship with the school community, including potential new students and their parents/guardians.
- principals and deputy principals being in the regulatory firing line. Principals and deputy principals are increasingly being held to account for their own behaviour, with the potential for career-ending decisions. All of this comes in addition to the significant distraction of having to spend increasing amounts of time on remedial actions rather than on the operations of the school itself.
- expensive and disruptive operational consequences of non-compliance. These include the increased cost of recruiting and retaining high-quality teaching staff and of implementing redress programs for historical child abuse, which may require the involvement of costly third parties or skilled persons whom the school does not yet have on staff.
- legal implications. Depending on the nature of the non-compliance, some schools may face legal implications such as incarceration of officers, directors or teachers or the possibility of an ongoing legal case.
- an uphill battle for a school as a result of increased regulatory scrutiny, complexity, regulatory change and community distrust following widespread compliance failures.
What can Schools Do Now in Preparation for the Coming Year?
Action needs to be taken at the most senior levels of a school not only to be compliant but also to avoid the growing costs of non-compliance. Instances of non-compliance can be costly to schools not only monetarily through fines, penalties, and legal fees, but also in the form of reputational damage, increased scrutiny, criminal prosecution, and even loss of registration.
Although achieving and maintaining compliance requires time, money, and manpower, it is more effective to use resources in a preventive manner rather than to face consequences due to non-compliance later. Schools can be proactive about their compliance by:
- performing a risk assessment in relation to their compliance and ranking the impacts of non-compliance through an enterprise risk management system. Resources can then be leveraged to focus efforts on each area accordingly.
- educating employees in relation to compliance requirements.
- encouraging a culture of compliance at the school where identifying and mitigating potential non-compliance is appreciated rather than discouraged.
- being alert and aware of any new requirements for compliance.
Most schools will benefit from applying best practice policies and procedures to ensure proactive compliance. In this way, the true costs of non-compliance will never be realised.