#132 – MERITS OF RISK MANAGEMENT: COMPLIANCE AS AN INVESTMENT – ANNETTE DAVISON, BOB BURFORD

AAA&Burford

ABSTRACT

Understanding and implementing sound compliance programs is a fundamental component of corporate governance and risk management. Effective risk management is not limited to understanding an organisation’s regulator-driven compliance requirements. It also includes managing an organisation’s overall operating context risks, within a business outcomes’ framework in order to mitigate these risks and in some cases, turn them into opportunities. With the increasing costs of implementing compliance systems and risk management measures, questions are often asked about their ‘worth’ to an organisation. In this paper, the costs of non-compliance as well as the benefits of good compliance and risk management programs are considered.

Introduction

The ASX Corporate Governance Council (ASX CGC) released its third edition of corporate governance principles in 2014 (ASX Corporate Governance Council, 2014). One of those eight fundamental principles is:

Principle 7. Recognise and manage risk: A listed entity should establish a sound risk management framework and periodically review the effectiveness of that framework.

As part of its Principle 7 commentary, the ASX CGC notes:

“Being given sufficient information to understand and assess investment risk is crucial to the ability of investors to make informed investment decisions. Recognising and managing risk is a crucial part of the role of the board and management.”

“Good risk management practices can not only help to protect established value, they can assist in identifying and capitalising on opportunities to create value.”

The quantum and type of risk management and compliance programs expected of an organisation will depend on key determinants such as size of business, corporate risk appetite and tolerance, mandatory requirements and what is expected as a reasonable standard of duty for that context. Consequently, for some organisations, it is not always clear ‘how much is enough’ – expectations at various levels (government, community, regulators, shareholders etc) may vary. In this paper, we look at the costs and benefits of compliance and risk management and present evidence to show what can happen when risk management is not followed or is inadequate.

The Cost of Compliance Failures

Failures of product or service quality, waterborne or otherwise, have an impact on companies through a variety of mechanisms including brand/reputation damage and shareholder value as well as direct costs through product recalls, reduced cash flow, legal challenges and compensation. Waterborne contamination occurring in both piped supply and bottled water sources over the last couple of decades has been found to cost suppliers at least tens of millions, if not hundreds of millions, of dollars in direct costs (Table 1).

Table 1: Cost of Waterborne Outbreaks and Incidents at a glance.

| Water Product | Event | When | Economic Costs | Social Costs |
|---|---|---|---|---|
| Drinking water | A large outbreak of norovirus gastroenteritis was caused by contaminated municipal drinking water in Lilla Edet, Sweden. | 2008 | Costs associated with the outbreak were collected via a questionnaire survey given to organizations and municipalities involved in or affected by the outbreak. Total costs, including sick leave, were estimated to be ∼8 700 000 Swedish kronor (∼€0·87 million) (Larsson et al 2014). | About 2400 (18·5%) of the 13 000 inhabitants in Lilla Edet became ill. |
| Drinking water | Wastewater contamination of the distribution system in Nokia, Finland occurred (pathogens thought to include Campylobacter sp., Norovirus, Giardia and Salmonella sp.). | 2007 | Halonen et al (2012) reviewed sick leave and lost work days’ data from public sector employees residing within the contaminated area compared to those residing outside of the contaminated area (as a cohort of those affected). Those living and working in the clean area were basically not affected. among the exposed. The estimated additional costs of lost workdays due to the incident were €1.8–2.1 million. | The prevalence of participants on sick leave was 3.54 (95% confidence interval (CI) 2.97–4.22) times higher on the week following the contamination incident compared to the reference period. |
| Bottled water | Coca-Cola’s brand Dasani was taken off the shelves after a contamination scare with bromate. | 2004 | Approximately £25 million (approximately US$50 million).[1] | As well as the contamination scare, TCCC’s brand image was severely dented through revelations that the water was actually bottled tap water. Stress caused by consumption of the product and distrust in the brand. |
| Drinking water | Bacterial contamination of Walkerton, Ontario, Canada (O’Connor, 2002). | 2000 | Estimated at C$64.5 million. At a household level, the contamination event cost Walkerton households ~C$7 million. In addition, real estate values fell by C$1.1 million with costs also falling on local businesses with purchasing of bottled water and disinfecting and replacing equipment (Livernois, 2001). | Deaths. Several people left Walkerton, moving to larger conurbations so they could be in close vicinity to good health care for their children, whose kidneys were damaged by the disease. Two of the operators of the Public Utilities Commission in Walkerton were found guilty of negligence in their duties. One operator went to jail, the other was held on house arrest. |
| Drinking water | Waterborne illness caused by Cryptosporidium contamination of Milwaukee’s water supply, WI, USA. | 1993 | Corso et al (2003) estimated the total cost of the outbreak-associated illness to be US$96.2 million – US$31.7 million in medical costs and US$64.6 million in productivity losses. | Deaths. Stress caused by distrust in the water supply. |
| Bottled water | Contamination of Source Perrier’s water with benzene. | 1990 | The product recall was estimated to have cost Perrier US$263 million (Knight and Pretty, 2002). | Stress caused by consumption of the product and distrust in the brand. |

[1] business.scotsman.com/agriculture.cfm?id=1125172006, accessed 18 August 2015.

While most corporations will be able to survive a compliance failure incident, there are several factors that may determine the difference between recovery and non-recovery – not least being the culpability of management in the responsibility for safety lapses or breach of product quality (Knight and Pretty, 2002), for instance:

  • There is among non-recoverers an initial negative response amounting to more than 10% of the corporation’s market capitalisation.
  • In the first two or three months the magnitude of the estimated financial loss is significant among non-recoverers.
  • If there is a large number of fatalities, this seems to govern recovery in the first two or three months; thereafter, the issue of management’s responsibility for accident or safety lapses appears to explain the shareholder value response.

In short, Knight and Pretty (2002) underlined the importance of risk management in their quote:

“Effective management of the consequences of catastrophes would appear to be a more significant factor than whether catastrophe insurance hedges the economic impact of the catastrophe.”

In essence, shareholders are telling corporations that they need to have adequate risk management measures in place to address risks and that corporations need to be seen to be endorsing and implementing those measures for shareholder confidence to be upheld or to return.

One of the non-recoverers in the bottled water market at the time was Source Perrier with its 1990 benzene contamination incident (Table 1). Apparently the carbon filters, which should have removed impurities from the source spring water, had become clogged. The monitoring mechanism for the filters involved a warning light, which happened to be faulty.

The fault had remained unnoticed by employees for more than 6 months allowing the filters to clog up. Upon detection of the benzene contamination,[1] 160 million bottles had to be recalled from 120 countries. Even though public health did not appear to suffer as a result of the incident, the incident still had a severe impact on the company’s performance and overall image with the company’s cumulative abnormal returns[2] trading in the negative up to a year post-incident.

Good risk management systems equal good business outcomes

There are many systems in existence (Table 2), which a business may choose to implement or may be required to implement by regulatory instruments such as operating licences. Some of these systems, such as ISO 9001 (quality management), ISO 14001 (environmental management) and ISO 22301 (business continuity management), may provide for certification; others, such as ISO 31000 (risk management), provide overarching principles, which can facilitate the adoption and implementation of sound business practices.

However, it is not enough just to implement a system. Robust compliance and risk management relies on having a continued ‘whole of corporation’ focus on the relevant management system, identifying and implementing system improvements. Management system compliance cannot be achieved by just relying on one key person to look after the system. In much the same way as work, health and safety responsibility must be embedded throughout the organisation, risk management processes and systems also need to be viewed as everyone’s responsibility. System management and improvement therefore requires the commitment of resources by management. It also needs tangible data from ‘on the ground’ and other system operators, to help guide effective decisions for the adoption of system improvements. It is not enough just to say that measures should be implemented because ‘it is the right or moral thing to do’.

Business decision-making is a critical area of risk management. Business decisions should be made on the basis of objective, evidence-based arguments about the benefits and risks of taking a proposed action (or not taking this action) and demonstrate consistency with corporate objectives. Within an effective risk management system, business cases also need to focus on the needs of the audience. Business cases therefore need to incorporate the following elements:

  • Communicate the business case: ‘speak the right language’, target information to the appropriate people – for example CFOs and chief investment officers.
  • Inform the audience: ‘bridge the knowledge gap’, build awareness and skills at the level of the C-suite and Board.
  • Create an enabling environment: demonstrate how the suggested improvement integrates with other activities of the organisation and is consistent with corporate objectives, strategies and policies, including national and global frameworks. This includes being able to link business improvements within an organisation’s risk appetite and tolerance framework and then setting ‘SMART’ KPIs with which to judge the effectiveness of an implemented improvement (Davison, 2011; Elkington, 2013).

A body of information on the benefits (tangible and intangible) relating to systems’ implementation is growing. Table 3 provides examples of ‘benefit quantification’ for companies and organisations (public and private) that have implemented system and quality approaches in their businesses.

An overarching finding for the implementation of quality management systems in the manufacturing sector for instance, is that an organisation with total quality management in place is more likely to achieve better performance in the following operational areas:

  • Employee relations
  • Customer satisfaction
  • Operational performance and
  • Business performance (Terziovski and Samson, 1999).

Table 2: System Examples within a water utility operating context.

| Instrument | Jurisdiction | Type | Utility Operating Context |
|---|---|---|---|
| AS/NZS 9001:2008 Quality Management Systems – Requirements[1] | International (with national adoption) | System Standard | Quality |
| HACCP (Codex Alimentarius) http://www.codexalimentarius.org/about-codex/en/ | International | System Standard | Water Products |
| Australia New Zealand Food Standards Code – Standard 3.2.1 – Food Safety Programs – F2011C00551 http://www.comlaw.gov.au/Details/F2011C00551 | National | System Standard | Water Products |
| AS ISO 22000:2005 Food safety management systems – Requirements for any organization in the food chain | International (with national adoption) | System Standard | Water Products |
| Framework for Management of Drinking Water Quality (Management framework within NHMRC/NRMMC (2011) Australian Drinking Water Guidelines (ADWG) National Water Quality Management Strategy, Version 3.1 Updated March 2015 (ISBN Online: 1864965118)) | National | de facto System Standard | Drinking Water |
| Framework for Management of Recycled Water Quality and Use (Management framework within the Australian Guidelines For Water Recycling (2006): Managing Health and Environmental Risks (Phase1). Natural Resource Management Ministerial Council Environment Protection And Heritage Council Australian Health Ministers Conference. Web Copy: ISBN 1 921173 06 8) | National | de facto System Standard | Recycled Water |
| NSW Health/NSW Department of Primary Industries – Office of Water (2013) NSW Guidelines for Drinking Water Management Systems ISBN 978-1-74187-890-5 http://www.health.nsw.gov.au/environment/water/Documents/NSW-Guidelines%20for-Drinking-Water-Management-Systems.pdf | NSW | System Development Guidance | Drinking Water |
| ISO 22301 Business Continuity Management | International | System Standard | Whole of System |
| ISO 31000:2009 Risk Management – Principles and Guidelines. (adopted in Australia as AS/NZS ISO 31000:2009) | International (with national adoption) | Standard | Whole of System |

[1] Noting that the new version (due end 2015) will have an increased focus on risk (http://www.iso.org/iso/home/standards/management-standards/iso_9000/iso9001_revision.htm).

In the water industry, it has often proven elusive to quantify the benefits of implementing source protection measures, from a whole system ‘source to endpoint perspective’. However, even in the source protection area, benefits are starting to emerge including concrete quantification of economic dividends to organisations. South West Water in the UK for instance, was able to turn a risk (increasing operating costs) into a benefit through identifying and implementing upstream source protection measures, instead of focussing on downstream controls (Table 4). Similarly, Central Highlands Water was able to build a new water treatment plant at a lower cost, compared to that of a neighbouring utility sourcing water from a less well-protected catchment (Table 4).

HOW FAR SHOULD IMPLEMENTATION GO?

The costs of implementing compliance requirements and risk management systems are often discussed. Some of the off-setting benefits that may be derived from implementation of compliance and risk management processes have been mentioned above. However, it needs to be borne in mind that these benefits are only possible where the implementation of these processes is comprehensively applied throughout the organisation. Any inconsistency between the objectives stated by management and actual practice in the work place leads to confusion and undermines accountability. There are costs associated with this confusion and lack of accountability.

The Ponemon Institute (2011) used empirical data to look at the cost of compliance vs non-compliance, including the cost of non-compliance with laws, regulations and policies, for a sample of 46 multinational organisations. One of their key findings was that non-compliance can be more expensive than investing in activities to ensure compliance with laws and regulations. Ongoing risk management measures, such as internal auditing, can help to reduce the total cost of compliance. For four categories reviewed in detail, business disruption represented the most costly consequence followed by productivity loss, revenue loss and fines and penalties. For the organisations reviewed, on average, the cost of non-compliance was 2.65 times the cost of compliance.

Table 3: Implementing systems – examples of benefits.

| Benefit | Comment | Comments/Examples |
|---|---|---|
| Reduced operating costs (Zero Waste Alliance, undated) | An EMS reduces operating costs through waste reduction, energy conservation, and other savings. The typical payback period for an EMS is 9 months to 2 years. | • Tri-Met, Portland, Oregon – $US300,000 identified as operational savings – $US66,000 of this for energy conservation. • City of San Diego Solid Waste Division – saved $US700K in operating costs through more efficient equipment use. • City of Charleston – O & M savings far exceed EMS costs. • City of San Diego Refuse – Disposal Division saved $868,000 in heavy equipment and diesel rates by shutting off equipment during breaks and lunch period. |
| Reduced legal risk and potential liabilities (Zero Waste Alliance, undated) | An EMS provides a structured framework for identifying and meeting regulatory requirements. This results in fewer fines and other regulatory complications over time. | • EPA often requires the development of a formal EMS as part of a consent decree (e.g. Supplemental Environmental Project or SEP). Examples include Willamette Industries, FMC Pocatello Plant, MIT and the City of Roanoke, VA. |
| Reduced future liabilities and constraints (Zero Waste Alliance, undated) | EMS provides a consistent way to manage your organization away from constraints imposed by future regulations, material shortages, community complaints, and other issues. | • Oregon State Parks and Recreation has included criteria for making decisions that include issues of sustainability that can help avoid the organization “hitting the wall” in the future. |
| Tangible cost savings from implementing a knowledge management system (Yu, Chang, and Liu, 2006) | A model was developed to quantify the benefits of implementing a knowledge management system. | • Time shortening, man-hour saving, and cost reductions equated to 63%, 73.8% and 86.6% respectively. |
| Cost of quality and productivity gains quantified (Schiffauerova and Thomson, 2006) | A US telecommunications company reviewed its manufacturing costs and total manufacturing costs from implementing quality management. | • Cost of quality reduced from 23.3% to 17.2% in 5 years. Gain in productivity of 26%. |
| | A UK semi-conductor manufacturer reviewed the % of factory turnover from implementing quality management. | • Cost of quality reduced from 35.8% to 18.1% in 4 years. Output increased by 25% in 18 months. |

In the case of compliance, smooth operations are jeopardised where personnel have no procedure or need to determine whether specific steps in a process are necessary or may be omitted “if we are not caught out”. Such inconsistent operation serves to reduce the quality of product/service output and increase discrepancies between planned and actual outcomes, which impact on forecasting, scheduling and budgeting. In the case of water quality requirements, even if there are no direct adverse impacts on public health, reductions in water quality may impact customers’ systems and equipment. Many environmental and asset management regulatory requirements are formulated after expert investigation and analysis to determine the most appropriate means to mitigate a variety of risks.

Finally, it should be recognised that failure to achieve the best possible degree of compliance also has the potential to strain relationships with regulators and damage the organisation’s reputation with customers and other stakeholders.

According to ISO 31000 (ISO 31000:2009), an organisation’s risk management system, especially the key elements of risk thresholds, risk criteria and frameworks for prioritisation and decision making, should be agreed by the Board, reflected in corporate objectives, and integrated throughout the organisation’s policy development, business and strategic planning, operational and review processes. The Board’s intentions should be effectively communicated throughout the organisation and progress in meeting compliance targets and risk management practice should be monitored and reported back to the Board. The Board should regularly review progress and consider any suggested improvements or remedial actions.

The steps of each process undertaken within the organisation should be formulated to be consistent with the risk management system. Failure to follow the established process steps inevitably leads to inconsistent quality and performance with the expected impacts on monitoring, review and continuous improvement.

Table 4: Source protection benefits.

| Organisation | Description of Program and Benefits |
|---|---|
| South West Water, UK (Elkington, 2013) | South West Water was able to show how working ‘upstream’ with local landowners and land users to encourage better upstream management, helped to reduce downstream costs including costly remedial works. The benefits to South West Water from its ‘Upstream Thinking’ program outweighed the costs by 65 to 1 (not accounting for other spin-off environmental and social benefits). |
| Central Highlands Water, Victoria, Australia (Davison and Ford, 2006) | Central Highlands Water was able to arrange for a new treatment plant to be built for around 50% of the cost of a similar plant being built for a neighbouring water supply authority, Coliban Water. The Coliban Water water supply authority sourced water from a generally very similar surface water source to Central Highlands Water, but one that was not as well protected. The difference in cost was around US$ 20 million – an example of the source protection dividend to Central Highlands Water. |

Conclusions

From an analysis of the costs of non-compliance incidents, our investigations support the proposition that corporations need to manage risks and embed risk management from ‘corporate to coalface’. Evidence has been provided that good risk management leads to good management outcomes. However, there are costs associated with incomplete implementation and the benefits of compliance and risk management are only achievable when systems are fully implemented.

A case is presented indicating that corporations should view expenditure to achieve full compliance with regulatory requirements as an investment.

Bio:

Annette Davison is a highly experienced certified auditor and award-winning risk manager in the water, environment, policy and mining fields. She has helped utilities implement water safety and risk management plans both in Australia and overseas. She has a multitude of journal articles, book chapters, books, technical papers, reports and other publications in several fields including bioremediation, biodiversity, microbial ecology, water utility due diligence and risk management. Annette is in demand as a conference and workshop presenter, for auditing of statutory and certified risk management plans, for developing utility risk management plans, ERM consultation and development and as a facilitator for board workshops.

Bob Burford: With more than 20 years’ experience, Bob is a water industry, environmental and catchment management specialist. Bob has a particular interest in regulatory practice, corporate governance, and risk management. He has extensive experience in the development and implementation of Government regulatory instruments and processes. He was the former NSW representative and audit coordinator on the National Water Initiative National Performance Reporting Roundtable. Bob holds Masters degrees in both Science (Chemistry) and Business Management and is an accredited lead auditor for Drinking Water Quality Management System under the Exemplar Global Scheme as well as an ISO accredited lead auditor of Environmental, Quality, OHS, Food Safety and Information Security Management Systems. Bob Burford, Principal. Phone: +61 417 007 835. Web: www.bbtech-consulting.com.au

References

ASX Corporate Governance Council (ASX) (2014) Corporate Governance Principles and Recommendations. 3rd Edition (http://www.asx.com.au/documents/asx-compliance/cgc-principles-and-recommendations-3rd-edn.pdf).

Corso, P.S., Kramer, M.H., Blair, K.A., Addiss, D.G., Davis, J.P. and Haddix, A.C. (2003) Cost of Illness in the 1993 Waterborne Cryptosporidium Outbreak, Milwaukee, Wisconsin. Emerging Infectious Diseases 9(4): 426-431.

Davison, A.D. (2011) Enterprise Risk Management. Risk appetite and risk tolerance: how robust are yours? Water 38(5): 65-68.

Davison, A.D. and Ford, R. (2006) The Powers and the Glory? Legal Tools for Managing Catchments. Enviro06. May 2006, Melbourne.

Doran, G. T. (1981). There’s a S.M.A.R.T. way to write management’s goals and objectives. Management Review, 70(11)(AMA FORUM): 35–36.

Elkington, J. (2013) Accounting & Sustainability: Future-proofing the CFO. http://www.csrwire.com/blog/posts/665-accounting-sustainability-future-proofing-the-cfo (Accessed 17 August 2015).

Gardner, L.K. and Lawrence, G.D. (1993) Benzene production from decarboxylation of benzoic acid in the presence of ascorbic acid and a transition-metal catalyst J. Agric. Food Chem. 41(5): 693-695.

Halonen, J.I., Kivimäki, M., Oksanen, T., Virtanen, P., Virtanen, M.J., Pentti, J. and Vahtera, J. (2012) Waterborne Outbreak of Gastroenteritis: Effects on Sick Leaves and Cost of Lost Workdays. PLoS ONE 7(3): e33307. doi:10.1371/journal.pone.0033307.

AS/NZS ISO 31000:2009, Risk management – Principles and guidelines. Standards Australia/Standards New Zealand, 2009.

Knight, R.F. and Pretty, D.J. (2002) The Impact of Catastrophes on Shareholder Value A Research Report Sponsored by Sedgwick Group, The Oxford Executive Research Briefings (http://pdfsr.com/pdf/the-impact-of-catastrophes-on-shareholder-value).

Larsson, C., Andersson, Y., Allestam, G., Lindqvist, A., Nenonen, N. and Bergstedt, O. (2014) Epidemiology and estimated costs of a large waterborne outbreak of norovirus infection in Sweden. Epidemiology and Infection 142(3): 592-600.

Livernois, J. (2001) The Economic Costs of the Walkerton Water Crisis. The Walkerton Inquiry Commissioned Paper 14 (http://www.uoguelph.ca/%7Elive/Livernois_14%20Final%20Report.pdf).

O’Connor, D.R. (2002) Report of the Walkerton Inquiry: The Events of May 2000 and Related Issues. Part One: A Summary. Ontario Ministry of the Attorney General. ISBN: 0-7794-2558-8.

Ponemon Institute (2011) The true cost of compliance. A benchmark study of international organizations. (http://www.tripwire.com/tripwire/assets/File/ponemon/True_Cost_of_Compliance_Report.pdf via https://insights.cermacademy.com/2015/08/102-noncompliance-problems-cost-3x-mroe-than-a-strong-compliance-program-greg-carroll/).

Schiffauerova, A. and Thomson, V. (2006) A review of research on cost of quality models and best practice. International Journal of Quality and Reliability Management. 23(4): 1-23. This reference includes many more successful quantifications of savings from various industries within Table IV. http://hawbw202.pbworks.com/f/Lit+Review_CoQModels-BestPractices.pdf

Terziovski, M. and Samson, D. (1999) The link between total quality management practice and organisational performance. International Journal of Quality and Reliability Management. 16(3): 226–237.

Yu, W., Chang, P. and Liu, S. (2006) Quantifying Benefits Of Knowledge Management System — A Case Study Of An Engineering Consulting Firm. ISARC2006: 124-129. http://www.iaarc.org/publications/fulltext/isarc2006-00049_200608160923.pdf

Zero Waste Alliance (undated) Environmental Management System Program Benefits Operating Costs – Bond Ratings -Insurance Costs – Risks – Recognition NW Pub 2. http://www.zerowaste.org/nwpub2/nwpub2/EMS%20Benefits%20050103b.pdf
