The other day a compliance officer in the Middle East asked me a question: how much money should a company spend on compliance as a percentage of its annual budget?
Or, my friend added, should you define that benchmark as a percentage of annual revenue, or margin, or outlays for employees, or what? How can a company even begin to estimate what it should spend on compliance when trying to put together a program for the first time?
The most accurate answer is “it depends.” That isn’t an answer that boards and CEOs like to hear. The question, however, is one that businesses in emerging markets encounter all the time. The company has been humming along for years without a compliance function, and suddenly needs to create one, so the board and CEO ask something perfectly reasonable: How much is all this likely to cost?
As an aside, we should remember that most Western companies don’t encounter this question. Most Western companies already have at least some basic compliance function (for environment or workplace safety or whatever), so they already have a sense of the potential cost. A lucky few other companies are completely new (startups or spin-offs, for example), where the compliance officer can embed his program directly into the business as all the other functions are created.
But compliance professionals like my friend in the Middle East need to find rough benchmarks. So let’s try to answer his question a few different ways here, and I would love to hear your thoughts as well. So would my friend, who ended his email with, “Please ask your U.S. compliance friends how they handle this!”
First, the Numbers
Good data about the actual size of compliance budgets is difficult to find. Some of the well-known compliance industry surveys out there focus only on anti-corruption. The single largest, best survey I know is the annual State of Compliance Report from PwC—which offers superb analysis about the maturity of the compliance function, but doesn’t include data on budgets or staffing. (At least, the 2016 report doesn’t include any.)
The most useful data might come from the Society of Corporate Compliance & Ethics, which published a survey in June 2016 reporting on budget and staffing. That survey cross-references its data by company revenue and size of workforce, to let you place your company among peers by size, although not by industry.
Another pile of data comes from Deloitte’s Compliance Trends Report for 2015. (Disclosure: I worked with Deloitte to create and conduct that survey.) That report polled 364 compliance professionals across 12 major industry sectors, and did ask about budget size and staffing levels. In that population…
- 43 percent reported a total budget (staff salaries, technology, equipment, etc.) of $1 million or less;
- 18 percent reported a budget of $1 million to $5 million;
- 48 percent had five people or fewer working full-time in the compliance function;
- 13 percent had six to nine staffers.
In other words, we can safely say that most companies have fairly small compliance functions: budgets below $1 million, departments with fewer than 10 full-time people. Anecdotally, I know numerous large companies with surprisingly small compliance departments.
The easy answer is to say, “Go talk to your peer companies.” That helps, but it’s not what my friend is asking. A peer group helps you benchmark your compliance program against what other companies do. My friend wants to know how he might estimate the “correct” size of his compliance program relative to the activity of his own company.
That returns us to my first answer: it depends, on many factors. Three come to mind immediately.
Budget Depends On…
It depends on your industry. Highly regulated businesses such as financial services and pharmaceuticals have enormous compliance demands compared to, say, transportation or media. Large banks can have compliance departments of 2,000 or more people, and spend millions on employee surveillance technology. Online retailers might have disproportionately large spending on technology to monitor their interactions with the public.
Even if you exclude industry-specific compliance, the narrow world of “corporate ethics & compliance” can still vary from one industry to the next. More than any other criterion, a good benchmark will depend on your industry norms.
It depends on your supply chain. The more your company outsources, the more third parties it has. That means more risk, and more spending to monitor those risks. Just this week I met an information security officer for a large European bank, who stressed that companies must incorporate their outsourcing and third-party risk strategies. “Once you force people to start thinking about third-party risk, you suddenly find a lot of ways to simplify your outsourcing and supply chain,” he said.
It depends on your leadership. If your chief compliance officer is well-placed in the senior leadership of the company, he or she can embed a lot of compliance work into other departments, and consequently need a smaller budget. One recruiter told me of an investment firm in Chicago that was hiring its first-ever compliance officer. The firm wanted a superstar who knew the rules for investment advisers and knew how to talk to other business units at the firm, specifically to get compliance done without creating a huge compliance department.
How much did the firm pay this superstar? “A boatload,” the recruiter told me. But one yacht still costs less than a fleet of smaller ships.
Ultimately my friend will need to consult his industry peers, and consider factors like those as he finds the “right” compliance budget for his company. But my three are only my three—what are we omitting here? How do you calculate your budget, relative to your company’s activity? We would welcome your thoughts.