How to build a business case for compliance

In the second of three webinars, special guest Anthony Wareham is joined by Keith Serre from Deloitte to discuss how to build an effective business case for compliance. 

Industry experts Anthony Wareham and Keith Serre have extensive insight into health and safety operations. In this summary from our recent webinar, Building a business case for compliance, our experts outline their personal experiences building a strong business case for compliance. 

Compliance is obligatory, so you should have a strong case already

Anthony Wareham

Building a compelling business case for compliance is vital for meeting emerging regulatory requirements and ensuring your organization is compliant — and this means gaining buy-in from stakeholders and the board. By identifying the measurable benefits of a compliance program, aligning objectives with corporate goals, and demonstrating the team’s ability to meet those targets, you can create a winning business case. 

Read on for an overview of our panel discussion with these industry experts, as they discussed practical tips and lessons learned while building a business case.

What are the elements of a business case for compliance?

The first step to building a business case for compliance is to demonstrate an understanding of what you’re trying to achieve. A business case, Keith Serre noted, is a “justification for an investment.”  

Businesses need to understand the full scope of what they’re justifying to the board, acknowledging their reason(s) for developing the business case in the first place. For example, is your business encountering increased scrutiny recently? Are you struggling with compliance? 

Anthony Wareham emphasized the importance of focusing on the facts to communicate priorities to leadership. Identify the gaps in your compliance, the cost of filling these gaps, and the plan to fill these gaps so leadership know exactly what’s required. “Negotiate,” Wareham recommended, “tradeoff between the risk that you have and the money that’s available” — so all relevant parties know what to focus on first. 

It’s important to also include how you intend to help your organization achieve the goals laid out in the business case: 

  • What’s your ROI? 
  • What measures do you have to calculate progress? 
  • Who are your stakeholders? 
  • Where do you identify lost opportunities in the supply chain? 
  • Where is compliance costing you?

What’s the true cost of non-compliance?

The first question to ask is: do you have a good sense of how much non-compliance costs your organization each year?  

Wareham said that it’s not unusual for “one in two companies” to be unsure about the true cost of non-compliance at their organization. “In my experience, that’s not unusual,” he said. These costs can be divided into two categories: direct costs and indirect costs. 

 

Direct costs 

Direct costs are measurable and quantitative, and include the following: 

  • The cost of new or upgradeable resources and technologies to enhance team efficiency 
  • The cost of resolving inefficiencies of multiple systems 
  • Fines, orders, and prohibition notices 
  • Penalties and litigation — and the cost of fighting these orders 

The cost of litigation “is simply enormous,” Wareham said, “and a lot of people don’t understand how bad it can be when you get into a long-term litigation issue.” 

 

Indirect costs 

Indirect costs, on the other hand, could be harder to cover as they’re not quantitative. They require a long-term strategy to employ and control.  

  • Loss of productivity leading to employee apathy 
  • Reputational cost, leading to loss of business 
  • Blacklisting or the inability to bid for businesses 
  • Customer and shareholder impacts — such as shareholder price dropping 

“Indirect costs can be three to four times more damaging than direct costs,” Wareham said, and “reputational costs [in particular] are very high.” If your shareholder price drops, your business may have to change the entire financial strategy if you can’t afford your initial plans.  

It’s crucial leadership get to know the teams, the resources they use and need, and the technologies that measure cost, to have a cohesive understanding of what’s required to improve the business.

What’s the ROI of compliance?

ROI is the rate of return on an organization’s investment in compliance training, measuring how much money you’ve saved or earned back compared to the cost of the investment. Businesses need to ask what they’re expecting to see from the investment they’re making. There needs to be justification for the money your company is spending.  

In simple terms, say you want to invest £100,000 but that will save you £200,000, you can justify [the expense]

Keith Serre

From a quantitative point of view, businesses can: 

  • Compare their current risk and future possibilities 
  • Analyze their risk point reduction per dollar spent 
  • Visualize their insurance premium to avoid the risk 
  • Monetize the benefits of closing gaps 

If you have a gap in compliance, measure that gap and measure how much it’s going to cost to fill it in

Anthony Wareham

Businesses should focus on compliance gaps that require capital or large investment and communicate this priority clearly so leadership can factor in that cost. You can also “work out what the risk currently is and what it will be with the corrective action — and what that corrective action is going to cost,” Wareham continued. Leadership needs to understand what risk they’re “left holding.” 

Once you know your ROI, a host of qualitative benefits can follow, such as: 

  • Establishing a culture of compliance 
  • Fulfilling corporate social obligations 
  • Brand and reputational benefits 
  • Maintaining or gaining supply chain position 
  • Competitive advantage 

ROI “is a really strong argument [for a business case],” Wareham noted, “you’ve got to approach it in a corporate fashion using the language corporate leadership will understand and be able to respond to.”

How do you measure the success of a compliance program?

Metrics are used to win support for your programs, demonstrating how effective your strategy is in reaching long-term and short-term goals. 

“You have to argue for a set of metrics that are going to support your program, measure what you do proactively, and reward success, not the absence of failure,” Wareham said. In other words, you’re measuring the “presence of capacity, not the avoidance of incident,” Serre added.  

Before Wareham’s experience using Enhesa to understand and measure “how many laws [they] need to comply with”, their compliance was measuring at 93%. After implementing Enhesa’s process and “measuring everybody off the same baseline”, it moved further north to 99.7%. 

Both panelists agree: if your metrics display a gap in compliance, and you can align that with legal requirements, you should be able to obtain support for funding to close that gap.  

  • Look at the impact of the gap 
  • Prioritize higher risk over lower risk gaps 
  • Measure your progress 
  • Report back to the board 

There are also leading versus lagging indicators to consider. Leading indicators inform businesses of how to achieve their desired results, with measurable outcomes. Lagging indicators, on the other hand, are indicative of the company’s current status, rather than future prospects. They’re easy to measure, but difficult to change, as once you’ve had an accident, all you can do is investigate why it happened and analyze how to prevent it reoccurring.  

  • Number of fines and penalties (lagging) 
  • Compliance-related audit findings (leading) 
  • Controlled tests performed (leading) 
  • Public perception of the organization (lagging) 

 

The role of auditors 

To expand on how the business case should account for the role of auditors, the experts discussed how an external audit is regulation-driven, and businesses have little to no control over the reporting outcome. This audit produces fines or ‘fix it’ tickets if they discover issues with compliance. 

Wareham and Serre noted that there shouldn’t be a huge difference between what the site believes their performance is and how corporate measures it: “Corporate audits should be a confirmatory assessment of what the site already knows,” Wareham said. Ensure synergy across reports by making sure “the site and corporate audits are interlocking and measuring the same thing.”

Who are the key stakeholders in a sustainability business plan?

“Who are the key people and how do you communicate with them?” Wareham began. Companies should consider who the business plan would impact the most and ensure you receive their feedback during the process.  

Wareham and Serre identified three lines of accountability: 

  • Lowest level — managing the risk 
  • Second level — own management system 
  • Third level — audit team 

You must communicate with these teams before submitting a funding proposal, but particularly your Chief Compliance Officer, Head Legal Counsel, CFO, CEO, and whomever else would be largely affected. “Build up a plan to target the most influential,” Wareham recommended. Businesses can do this with a tool called a RACI (Responsible, Accountable, Consulted Informed) chart, whereby you enter all potential people and map their level of responsibility. From here, you can then decide on the best approach to communicate with them — for example, do you talk to them every year? Do you include them in the planning process? 

“As you get more senior in an organization, moving from a plant to a regional job to a global job… the requirements to manage the business cases become more and more pressing. So how good are you at managing upward communication to leadership? How good are you at preparing the business plan?” Wareham said.

Building your business case

To recap, businesses need to create a coherent, long-term plan with a structured process. This should include the justification for the business case, discussions with relevant teams and individuals who will be most affected by the cost, the right metrics to measure success and track progress, and the patience to implement it all.  

Serre reminded us to “think about [the] messaging and framing to bring key stakeholders on board, by communicating the benefits from their perspective.” Wareham added that “you can have all the best intentions in the world, but if you don’t have the right support from the right people, you’re going to struggle.”

Transform your business compliance

If you missed the first webinar on Transforming EHS compliance with a risk-based approach, you can download the recording for free here: RECORDING 

Catch up on the latest insights from special guests Anthony Wareham and Keith Serre. 

Watch the webcast