Today, I conclude my three-part series on how to more fully operationalize your compliance program. I have been joined in this exploration by Ben Locwin. We have previously considered several topics including embedding compliance as a key component to the business equation of operationalizing compliance and the role of forecasting in operationalizing compliance, why prevention is a better solution than correction and how to operationalize compliance down to the staff level. Today I want to conclude by addressing one of the most often asked questions by compliance practitioners: how do I show a positive return on investment (ROI) for a corporate compliance program? 

This is one of the most exciting innovations for the compliance profession; to demonstrate a return on investment (ROI) as it demonstrates how a company which embraces compliance can become more profitable.

Ethisphere has been bestowing its World’s Most Ethical company awards for some 15 years now. They have generated and garnered quite a bit of economic data in this process and one of their key findings is that companies which have won this award are four times more profitable, on average, than the Standard & Poor’s (S&P) 500. But the key is that they are not more profitable because they are more ethical; they are more profitable because they have more fully operationalized compliance by building it into the business process.

As you might suspect, Locwin had an interesting spin on the Ethisphere findings. He began by cautioning, “there’s a tremendous tendency for people to transform correlation into causation and you get very adeptly avoided doing that. It is not just because you have good compliance programs that automatically gets more profitability. Rather by having better compliance, it is an indicator that the business is better run. This drives home the point that compliance is a good indicator for how well run the business is at all levels.” This means it is your entire compliance program, holistically viewed.

We next turned to how compliance can demonstrate value to the organization, factored into business decisions and   ROI. Locwin began by posing the question, “How do you know that something was about to go wrong that you prevented?” This negative is sometimes very difficult to put into ROI terms. Locwin drew from his experiences in the medical device sector. Initially noting it is a regulated industry and the products could be as diverse as cardiac stents or pacemakers, new arterial valves, replacement knees or shoulders replacement are produced in such a highly clean way and to such exacting specifications that they can be surgically implanted into humans, it is not an easy regulatory hurdle to clear.

As these devices are manufactured, there is ongoing monitoring of what is called batch success rate, which is essentially a key performance indicator (KPI). Locwin explained, “It is a lagging metric after the batch has been produced, a measure of what proportion of total of a given batch of devices pass quality assurance specifications. A manufacturer wants to have as close to a 100% success rate as possible. The rates are plotted on a control chart, so you can measure differences with tests of statistical significance to see if there’s variation that’s truly different and what’s just random noise.”

“By looking at the success rate and if its 99%, 98%, 99%, 97%; this sounds outwardly pretty good. However, if you are manufacturing 1000 devices per month and your success rate is 99%, then you’d have 10 devices failing in the first month. If your success rate is 98% in the second month you would have 20 failed devices in month two again in month three in month four in month five. If you do nothing systemic to your manufacturing and QA/QC processes over that time, even if you sustain one month of achieving no failed devices, the 100% success rate is random and you will likely have more failure next month.”

However, if you have accurate monitoring of your processes and outcomes and you can quantify your noncompliance issues weekly or monthly and develop a numerical trend, this data can be analyzed in exactly the same way as the batch success rate. According to Locwin, this means “if you use preventive measures as we talked about to systematically stop any issues from reoccurring, whether it’s malfeasance, misconduct, fraud, you can then show causality between your interventions and the reduced rate of issues occurring and if need be, assign a dollar value to this. That can provide to you a best practice around how you would maximize your approach to demonstrating ROI and being successful at it.”

From there you can bring your ROI metrics to bear and communicate this as the value compliance brought to an organization in terms of averting disaster. By engaging in statistical analysis on the data and improvements in your process over the months, a certain dollar cost can be avoided. It can be internal policy deviations that are avoided and all of those you can assign ROI. Locwin concluded by stating, “I would say because corporate compliance overseas a lot of transactional processes, it’s really much easier to equate compliances linked ROI than it is to link safety, health and environmental programs to the bottom line.”

Yet another method of demonstrating the ROI of compliance is the increased efficiencies by moving towards prevention. By doing so, you can remove the inefficiencies of having to engage a compliance department, and even perhaps a legal department, by using multiple resources helping you either develop or sell a product or a service. This is yet another strong reason for the business case of operationalizing compliance.

We conclude with the need to “Document, Document, and Document” by creating an auditable paper trail of your operationalization efforts, note your work is not complete until the paper trail is complete. To help determine ROI you must have a paper trail that you can not only benchmark against but can use the various techniques of forecasting, prevention and operationalization as a measuring stick moving forward. Obviously from the regulatory/legal perspective work is not done until the paper trail is complete and is available for auditing. Locwin noted, “if you’re properly documenting all that needs to be so, then you certainly have enough available data to make a proper analysis.”

I hope you have enjoyed this series. The benefits to more fully operationalizing your compliance regime are both legal, regulatory and business. Not only will you be closer to the Department of Justice’s most current formulation of a best practices compliance program but you will have a more efficient business process which will hopefully lead to greater ROI and greater profitability. It should also drive your compliance culture into the very fabric of your organization, making it more robust and better run as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2018