When it comes to making compliance decisions, many organizations will consider the cost and what they can afford. This includes evaluating risk, identifying the costs associated with noncompliance (e.g. a fine), and estimating the cost to mitigate the non-conformance.
A risk/reward calculation is then performed to decide whether to proceed or not. If the cost of mitigation is higher than the fine, then many might just accept the risk and proceed along that course of action. Why pay $100,000 if the fine is only $10,000?
At one level of analysis this makes sense and appears similar to the ALARP principle referenced in many regulations and standards — reduce the risk to “As Low As Reasonably Practicable”. It’s not reasonable or practicable to invest $100,000 to cover a $10,000 fine, so let's just pay the fine if and when it happens.
Applying ALARP is a good principle and will lead to good decisions. However, I don’t think that is what’s happening. What appears to be going on is that the scope of risk consideration is making compliance decisions “de minimis” – too small to be meaningful or material. This is what happens when only the cost of a fine is considered.
There are many reasons why a “de minimis” rather than a broader or comprehensive scope is used.
Some of this happens as a result of taking a reductive, siloed, and simplistic approach to managing compliance. Perhaps the largest factor is not considering the total value of what is at risk. This is enabled when no one owns or is accountable for enough compliance scope to make the risk consideration material. When this happens, the methods used to evaluate risk are focused on only a fraction of what is at stake.
Risk is more than paying a fine or the probability of the sum of all possible fines that might need to be paid.
Effective risk-based compliance decisions require that organizations widen their scope by considering all their promises: to keep people safe, to protect private data, to provide quality products and services, to be a good steward of the environment, and so on.
This starts by having credible answers to these questions:
What promises have we made to our stakeholders?
What capabilities and resources are needed to keep all our promises?
Do we have a credible plan to meet all of them?
What obstacles or opportunities will we find as we meet our promises?
How will we measure our progress?
Having answers to these questions will help organizations evaluate the impact of their decisions on their ability to keep all their promises, and to avoid such things as loss of reputation, loss of trust, and loss of life, which are material and not "de minimis."
If you can't afford to keep your promises, fines will not be the only risk you will face and have to accept. You may face the risk of considering a new line of business.
Investing $100,000 to cover a $10,000 fine may not make sense for many organizations.
However, if that investment aligns with your values and helps you keep all your promises, the reward will be much higher and will accrue over time. That is a better decision in the long run.