It will come as no surprise to many within highly regulated industries, such as oil and gas or finance, that the costs of compliance seems to be constantly increasing. If there is no obvious fiscal gain from investing in compliance, managers may find themselves wondering whether the potential cost of non-compliance might be worth the gamble. Unlike other investments, meeting the increasing costs of compliance doesn’t appear to increase profit. Why pay to ensure compliance when non-compliance may not be a problem in the first place? Why buy car insurance anyway when you don’t intend to crash your car?
If recent global trends are any indication, the return on investment (ROI) of compliance and good governance, risk management and compliance systems (GRC) means that they are always worth the cost – regardless of your organization size, current compliance levels or business objectives. RegTech (regulatory technology) is a key tool that enables businesses to implement efficient GRC’s, ensuring a profitable ROI for compliance. With compliance costs sometimes accounting for 5-10% of revenue for many large companies, using technology to reduce these overheads is an easy pathway to pleasing stakeholders.
What is the ROI of compliance?
In many organizations, compliance is viewed as an exercise in avoiding negative consequences. From that perspective, compliance management systems are effectively seen as insurance policies that only pay out when something goes wrong. While many of the up-sides of a GRC program can be seen as avoided costs when only viewed narrowly, introducing a proactive compliance management culture to an organization has a number of very real and ongoing benefits.
What benefits make up the ROI for compliance?
The real benefits and avoided costs of regulatory compliance include:
- Efficiency gains
- Avoidance of non-compliance costs
- Reduced external legal costs
- Reduced internal staff and management involvement
- Minimizing operational downtime
- Improved stock value
- Maintaining stakeholder confidence
Let’s look at each of these in some more detail.
Having a single GRC program across the width and depth of an organization provides gains in efficiency, transparency, and reduces daily operational costs. When compliance controls are performed in silos, the business is unable to benefit from the potential wider applicability of existing work or solutions and may even have units throughout the organizational structure that ‘reinvent the wheel’ on a regular and ongoing basis.
Siloed costs of compliance are often hidden at a low level of budgeting, so businesses may be spending significantly more on compliance work than they intended to without even knowing. Centralizing control to a single GRC program allows individual control measures to be reused or adapted as required, decreases wasted time, improves inefficiency of administration, and creates more up-to-date information that is easily accessible and shared. In a world where time is money, avoiding excess time spent on tasks that could be easily achieved through the use of a GRC program is an easy to realize efficiency gain.
Avoidance of non-compliance costs
Making a late filing or breaching a requirement is not an act most organizations would intentionally commit. However, these things happen in the most diligent companies, even with the best of intentions and staff actively working to prevent them.
Constantly changing legal obligations only add to the difficulties of a business working to stay legally compliant – often organizations learn of new laws or regulations with limited time to implement changes in their procedures, which can put their operations at risk of being non-compliant. Investment in a GRC system ensures the business can communicate changed compliance requirements related to their operations immediately. A system that also makes it easy for appropriate controls to be applied where required throughout the organization makes it easy to avoid the expensive (and unnecessary) fines that often accompany non-compliance.
Reduced external legal costs
External legal costs in any industry have a well-deserved reputation of being analogous to signing a blank check. Senior barristers can charge clients around $10,000 per day for court appearances. Those working in a specialized field, and oil and gas matters often require specialist expertise, can charge as much as $25,000 per day. These fees are in addition to all of the preparation fees that go into taking a case to court, which are also significant. Needless to say, prevention is always the best policy when it comes to avoiding excessive legal fees.
Reduced internal staff and management involvement
Breaches aren’t just costly for businesses in terms of fines and legal fees – they also take up time of staff and management, usually at the expense of their core duties, to deal with the fallout from the breach, and ensuring it doesn’t happen again. Incident reports, paperwork, investigation and remediation costs, loss of business and trying to salvage a business’ reputation are all factors that use up staff time and resources, both immediately following the incident and in the future. The upfront investment in a good GRC avoids these impacts on core business on an ongoing basis.
Minimizing operational downtime
In the oil and gas industry the downtime in operations or production resulting from a compliance breach can be both unpredictable and costly. It is often impossible to know just how long a rig, vessel, facility or crew will be unable to work, yet have to remain on standby, while the breach is being dealt with. Not only can this result in lost production time for the business, but it also means increased (and wasted) operational costs.
In an industry with so much at stake, few companies would be happy to see any additional increase in their operating costs, especially with no associated increase in production. GRC systems help prevent increases in operating costs by increasing compliance rates and avoiding and mitigating risk, but they also reduce both the cost of audits and the chance of finding things that need addressing. When all company compliance information is current, structured and readily accessible, auditors can plan shorter audit cycles, saving you both money and time.
Improved stock value
The impacts on both shareholder and other stakeholder confidence and stock value following a compliance breach are easy to predict: the value of the business will undoubtedly drop, particularly if the breach is a major one. What’s really worth noting though is how this drop is expressed: a study that analyzed companies on the New York Stock exchange found that immediately after a breach, stock prices dropped around 0.43%. This is in line with a usual fluctuation in daily prices, so nothing to be too worried about. The real damage to the business came in the long-term – before a breach, the businesses studied experienced an average stock value increase of 45.6% across three years. In the same period following the breach, the businesses only experienced stock value growth of 14.8%.
The businesses in this study had committed data breaches, but in the oil and gas industry we’ve seen similar effects in the wake of non-compliance. Following the Deepwater Horizon 2010 oil spill in the Gulf of Mexico on BP’s Macondo Prospect, BP’s stock dropped 55% in 40 days from the date of the spill. In March before the spill, stock prices were $57.07, after the spill they dropped to $28.80, and nine years later, the value sits at $36.05.
Investing in a good quality, reliable GRC system can be seen as an essential step in reducing the chances of the kind of catastrophic stock losses that can occur as a result of serious compliance breaches in higher risk areas of the oil and gas industry.
Maintaining stakeholder confidence
Although harder to quantify than impacts on stock value, reduced stakeholder confidence can cripple any business following a compliance breach. This is especially important in the oil and gas industry, where stakeholder trust is already wavering, even without any compliance breaches. Accenture Strategy released a report stating, “Investors, consumers, employees and partners doubt the industry’s purpose, commitment to sustainability, and role in the energy transition.” They recommend that the industry put their efforts into building trust with stakeholders (both existing and potential), in order to prevent losing up to 4% of future revenue due to this loss of confidence.
Any system that a company can implement that allows it to demonstrate to stakeholders that it is serious about avoiding not just compliance breaches and operational risks, but also the potential social or environmental impacts that they entail, goes a long way to generating genuine confidence amongst the company’s stakeholders. This is particularly important as the scope of the industry’s stakeholders expands to include joint venture partners, landowners, native title groups and many others.
Overall effectiveness of GRC systems for oil and gas companies – is it size dependent?
GRC programs can be implemented at any scale, as the systems can be tailored to suit both the size and goals of a company. Both public and private companies can benefit from allocating resources into a GRC system to manage their legal risk and obligations successfully.
Given the potential for significant penalties for oil and gas operators, these can be company-breaking for smaller companies and private companies, especially when investor confidence is vital to the company’s success. While the immediate fine may have a proportionally smaller negative impact on the value of a larger company, a negative reputation is much harder to pay off. Once a business has a tarnished reputation for breaching regulations and loses stakeholder confidence, its stock value will decrease growth long-term, and the business profit will drop.
The bottom line: is the ROI worth it?
To date, limited research has been done on the financial effects of GRC programs within the oil and gas sector specifically. However, in other industry sectors with more established uptake of GRC systems experience has shown significant financial benefits resulting from their use.
GRC programs are most beneficial for industries with complex or often-changing legislation, as they introduce efficiencies throughout an organization that are difficult or impossible to achieve through other means.
The ROI from the levels of compliance that GRC programs produce means that they pay for themselves many times over, freeing up personnel from carrying out low level administrative tasks and duplicating effort to spending time on value-add activities. Companies in the oil and gas industry have seen first-hand the effects that bad compliance and risk management can have on business; it can be financially crippling, have long-term negative effects on stocks, and irreparably damage stakeholder confidence. Businesses introducing GRC programs can be assured that not only are they making a smart competitive move, but their ROI will pay dividends both now and in the future.