Compliance Burden

When lawmakers impose rules and regulations on how organizations are permitted to operate, those organizations must invest time, capital, and human resources into understanding the new rules and implementing policies and procedures that ensure compliance. Organizations can measure their compliance burden by quantifying the administrative costs associated with maintaining regulatory compliance.

What is a Compliance Burden?

A compliance burden, or regulatory burden, is the sum of all administrative costs related to maintaining regulatory compliance for a single organization. 

All organizations experience some measure of compliance burden, which tends to increase in magnitude and complexity as an organization grows and expands its scope of activities. Some regulations are uniformly applied to businesses of all types, while others may be more narrow in scope, applying only to specific industries or to organizations who engage in certain activities. 

For most organizations, compliance burden begins with the basic requirements associated with running a business. These include expenses that are triggered by:

• Corporate identity and record-keeping requirements
• Accounting or bookkeeping requirements
• Business licensing requirements
• Local, state, and federal taxation requirements
• Employee hiring, discipline, and termination requirements
• Employee scheduling and remuneration requirements
• Workplace health and safety requirements

Compliance burden is even greater for organizations who operate in highly regulated market sectors, such as finance, healthcare, consumer goods, and information technology (IT). Within these sectors, many organizations face industry-specific regulatory requirements that add significant costs and complexity to their compliance efforts. Some have entire government agencies devoted to their regulation and oversight.

The purpose of government regulation is to constrain organizational behaviors that could harm the public. At the same time, lawmakers understand that excessive regulations may negatively impact an organization’s ability to grow and compete in the marketplace. 

To ensure these impacts are addressed, regulatory agencies in the EU, Canada, and other nations have adopted a process called Regulatory Impact Assessment (RIA) whose purpose is to evaluate the economic costs and benefits of implementing new policies.

What is an Example of Compliance Burden?

Let’s look at an example of the compliance burden created by the Payment Card Industry Data Security Standard (PCI DSS). This standard creates 12 requirements for all entities who store, process, and/or transmit payment card data, including all merchants who accept payment cards. 

Among other things, the PCI DSS requires covered entities to:

• Secure networks with a firewall to protect cardholder data
• Encrypt cardholder data transmitted over public networks
• Secure devices, systems, and applications using anti-virus software
• Restrict physical access to devices that contain cardholder data  
• Impose data access controls, including individual user IDs and and permitting access to sensitive data exclusively on a need-to-know basis
• Track and monitor network security to ensure ongoing compliance
• Perform routine vulnerability and penetration testing 
• Create and maintain an information security policy for employees and contractors

Each of these requirements translates into administrative cost for the covered entity, adding to its compliance burden. These costs include the hardware and software systems necessary to meet the technical requirements of PCI DSS and the human resources needed to manage those systems and ensure ongoing compliance.

How Can Organizations Reduce Compliance Burden?

Digital technologies are helping organizations meet their compliance objectives more efficiently, manage greater complexity, and reduce compliance burden. Organizations can adopt compliance management software solutions that provide centralized oversight of compliance requirements, along with automation, process integration, and other features that reduce the overall cost of compliance.