According to a silicon.com article citing Financial Times figures, the average Fortune 1000 company in the U.S. spends $5.1 million to implement Sarbanes-Oxley and an ongoing $3.7 million to maintain compliance. It's a heavy burden, obviously, and it's growing. The story says:
[A]nnual corporate IT spending specifically earmarked for compliance efforts is growing by about 10 per cent per year.
To avoid the pain, many companies are delisting, but Quocirca analyst Fran Howarth warns that Sarbanes-Oxley is now only one part of the compliance problem. Data privacy laws and the PCI Data Security Standard come to mind as others that apply to a wide range of organizations.
Howarth points out:
[B]ecause the burden of regulation is likely to increase with new legislation potentially covering e-disclosure rules in the EU and a strengthening of privacy rules at a federal level in the U.S., companies need to view their regulatory compliance efforts as a strategic investment that covers all parts of the business.
Taking such an approach, which Howarth calls "holistic," involves getting everyone on board (legal, operations, IT, board of directors); determining which regulations affect or will affect the business and what they require; formulating a strategy for meeting those requirements; and then making the technology investments necessary to carry out that strategy. If these things are done correctly, the benefits of compliance will eventually outweigh the costs, she says.
Lower insurance premiums due to a lower risk of reputational or financial damage from fraud, better internal processes, increased security, and an improved ability to defend against litigation are just a few of the benefits that companies which get their arms around a holistic approach to compliance will experience.