A new Osterman study, sponsored by security awareness training company KnowBe4, shows a low satisfaction level with current methods of managing compliance, despite the fact that 63 percent consider regulatory compliance to be “very important." Only 13 percent are very satisfied with the current methods they use. Osterman's research also found typically 19 percent of compliance and audit time each year is spent on tracking requirements and another 31 percent on gathering and maintaining audit evidence.
According to the report, compliance management is subject to a high volume of change in regulations, with the U.S. government leading the way as demonstrated by the growth of the US Federal Register. This document, a daily publication that contains proposed and final regulations of US federal agencies, published an average of 3,827 final rules and 2,445 proposed rules each year between 2002 and 2012. That represents an average of 14.7 final rules and 9.4 proposed rules each workday. Managing this level of change using manual processes can be very difficult, if not impossible.
“Much of the discontent stems from the focus on manual processes,” said Stu Sjouwerman, CEO of KnowBe4. “This is quite cumbersome and expensive. Improving the tracking and gathering of audit evidence alone can help an organization save considerably in both time and budget.”
To understand the high cost of conventional compliance management processes, Osterman Research conducted a survey with organizations in a variety of industries. Using a subset of their survey sample to eliminate outliers, they discovered that the combination of labor and expenditures on tools and services totals $523.93 per employee per year translates to a cost of $43.66 per month. For a company with 500 employees, that is $261,000.
One of the fundamental problems of compliance management is the fact that much of it is focused on manual processes – maintenance of spreadsheets or Word documents or home-grown software that help an organization to stay current with its compliance obligations, but that require significant effort to maintain. Add to this the significant amount of time that is required simply to search for the right information to populate these documents and tools. One source has estimated that up to 80% of the time spent by compliance risk professionals is focused on the search for relevant data.
Moreover, there can be significant duplicate effort on the part of compliance management staff, particularly in large and distributed organizations because several people may be working on the same compliance issues unbeknownst to others in the organization. In conjunction with the manual nature of the compliance process in most organizations, this duplicate effort results in compliance management that is relatively inefficient and may actually be contradictory in some cases as different groups develop their own interpretation of how best to satisfy compliance issues.