The CEO Refresher

Want to Cut Costs and Still Be Compliant?
Don’t Hire More Accountants: Improve Your Systems and Processes
by John Weathington


If your company is doing over $1 billion in annual revenue, you’re part of an “elite” group of organizations that have been fined an average of $80 million for each and every compliance failure. That’s right, $80 million on average for every compliance failure! This incredible statistic is from a study conducted by META Group Research (now part of Gartner) for PricewaterhouseCoopers.

Even if you’re the head of a smaller company, you may some day be handed a compliance remediation price tag in the millions.

Would your company be able to survive such a hit?

A large compliance remediation price tag could mean the demise of many companies.  Yet most organizations are taking enormous risks and they don’t even realize it. What’s worse is that most of these high costs for compliance are completely unnecessary.

As the old saying goes, an ounce of prevention is worth a pound of cure, and it couldn’t be truer than in the world of compliance.

So, what should CEOs be doing to avoid becoming part of this statistic?

The Framework for Effective Compliance

To make compliance work, you need to have three things working in harmony: people, processes, and data systems. So your first step is determining your current strengths and weaknesses.

Organizations can be classified into one of three categories.

The Outlaws

Companies that have efficient and conscientious people and good data systems, but no processes in place for compliance are what I call “The Outlaws.” These companies treat their people well and are well organized – probably with the help of IT – but they don’t comply with anything until they’re forced to, and then they stop as soon as the bleeding has stopped. These companies are highly exposed because all efforts happen in remediation mode – the most expensive and damaging way to approach compliance.

The Unruly Class

Companies that have good compliance processes and good data systems, but people that aren’t willing to follow the processes, are members of “The Unruly Class.” These companies are highly exposed because they will spend huge amounts of money on process development and IT engagement for data systems, but their uncooperative employees will keep them from surviving an audit.

The Innocent Prisoners

Companies that have good compliance processes and good people who follow the processes, but no data systems to prove that they’re doing the right thing, fall into the category of “Innocent Prisoners.” This is an unfortunate class of company, because everybody’s following the rules and staying in compliance. However, in the world of compliance, it’s not enough to do the right thing – you need to prove that you are doing the right thing, and weak data systems will compromise your ability to do this.

How would you classify your company? Where is your biggest deficiency? This initial assessment will give you a good idea of where to focus your resources next.

Assessing Your Processes

The Outlaws will either have undocumented processes or documented processes that don’t take into consideration compliance requirements. If you don’t have all your processes mapped out, then you probably don’t have good control over what’s going on in your company.

Documented processes that are driven solely by your strategic objectives, however, are not enough.  Compliance requirements must also be taken into consideration.

Your process maps should call out what would be considered value-enabling activities – activities that are required for compliance.

In Lean Six Sigma, for example, value stream analysis stratifies the activities in any process by three classes:

  • Value-Added: Activities that are necessary to support the strategic objective
  • Value-Enabling: Activities that are required for compliance reasons
  • Non-Value Added: Any activity that is neither value-added nor value-enabling

Whether or not you embrace Lean Six Sigma, this type of analysis is valuable.

Assessing Your People

If you are part of the Unruly Class, your people may be openly resisting compliance or doing so clandestinely. If the resistance is more clandestine, it will destroy your organization from the inside out. In other words, keeping track of who does what and when is not only good from an audit standpoint, but also puts a spotlight on people who blatantly refuse to follow a process.

Whether the resistance is overt or covert, it’s important to enlist the aid of a change agent right away to determine the problem areas and offer remedial support. I’ve done both preemptive and reactive change acceptance efforts, and the skills are somewhat different, so it’s important to know your own particular situation and what skills you need to hire, and then find the right person for the fit.

The other place where the Unruly Class will have problems is in an audit report. When an auditor comes through to check your compliance and notices that your processes are well documented and your evidence is intact but you are still out of compliance, it’s because your staff is not following certain steps.

Assessing Your Data Systems

The Innocent Prisoners are what I see the most, and here’s the reason. Process documentation is not really difficult, just tedious. In addition, people are generally good people. They like their jobs and they follow orders as long as it makes sense – and compliance usually makes sense to people.

Getting your data system support is the biggest challenge in these situations, as it will involve some sort of technological architecture, and this does not come easily to non-IT people.

I was recently in a General Services Administration (GSA) contract compliance effort at a large high-tech company and, like the typical Innocent Prisoner, they were doing everything right. The GSA didn’t believe this, however, and, when challenged to justify their position, my client initially couldn’t support the request. The part of the effort that I drove was to install a compliance data warehouse specifically for GSA reporting and auditing. After the effort, my client, who was once sitting on the hot seat, was praised for having one of the best practices around GSA audit support.

If auditors are having trouble getting through an audit plan because systems aren’t organized properly, you probably have a data system problem. Another classic indicator of weak data systems is a chronic problem engaging your Information Technology function.

The immediate next step here is to build a compliance project charter (there’s a free template you can download at my website if you need one), and organize a team to get a compliance data system in place at your company. This will cost some money, but not the $80 million compliance-failure price tag we talked about earlier. In addition to my template, there are both free and very inexpensive resources at my website if you need a jumpstart.

Compliance is no small matter these days.  The stakes are high and the need to be in compliance is not going away. With a few simple steps you can diagnose your situation and reduce your exposure with some quick and cost-effective immediate next steps. Take some time today to do a high-level assessment of your company. Are you a member of the Outlaws, Unruly Class, or Innocent Prisoners? The answer to that question will dictate your immediate next step.


The Author

John Weathington

John Weathington is President and CEO of Excellent Management Systems, Inc., a management consultancy that helps finance executives save money, reduce stress, and avoid penalties and fines. As testimony to his talent and expertise, during a recent audit, he helped Sun Microsystems fortify a $100 million government contract. See for contact information.


Copyright 2008 by John Weathington. All rights reserved.
