Summary
The following article discusses the growing challenges businesses face with increasing regulation, particularly in the EU, and the opportunity for software solutions to streamline compliance. As regulatory complexity and the associated costs rise, compliance has become a core business proposition rather than merely a way to avoid penalties. It is not only governmental regulations that must be met, but also industry standards and best practices, and meeting them drives top-line growth. Treating compliance as an investment can unlock value, reduce risks, and drive growth. Managing these demands is nearly impossible without digital tools, especially AI-driven automation, which streamlines complex processes and transfers best practices. The success of these solutions depends on stakeholders and regulators trusting their outcomes, as only verified trustworthiness can drive the desired business growth. The article concludes that the converging trends of increased regulatory burdens and AI-driven automation are pushing us to the cusp of a new era of category-defining digital players in the compliance space.
The Cusp
Regulation, particularly within the European Union, is a favorite target of criticism. Across Europe it has become almost a sport to lambast the latest EU regulations. People rail against the bureaucratic meddling that seems to impose ever more restrictions on everything from product specifications to the “green tsunami” of environmental standards [1]. The general consensus? EU regulations are the enemy of innovation and freedom, bogging down businesses with red tape.
Specific concerns include:
Economic Competitiveness: Businesses worry that regulations such as the AI Act and the Green Deal will place them at a disadvantage compared to less-regulated competitors or jurisdictions. These regulations are often seen as obstacles that prevent innovation and limit the ability to compete on a global scale.
Regulatory Uncertainty: Particularly with new regulations on the horizon, regulatory compliance often brings uncertainty about what is required to remain compliant, along with fears of hefty penalties for non-compliance or relevant changes in market dynamics. This uncertainty diverts attention away from core business activities and delays investments.
Cost of Compliance: Managing regulatory complexity often requires significant investments in both time and money, primarily due to the need for highly skilled resources. These costs are often perceived as an unavoidable burden, taking resources away from essential business operations. Additionally, regulatory requirements can pose significant operational challenges, especially for SMEs. Building up compliance resources represents a relatively larger expense compared to their revenue. SMEs typically have limited financial and human resources, making it difficult to allocate sufficient funds and personnel to manage compliance effectively. Beyond the practical burdens, these external norms may also be perceived as intrusive, potentially affecting organizational autonomy and decision-making processes.
Those concerns are not merely subjective; they have a significant impact on the bottom line. For reference, a recent study by the Cato Institute shows that the average US firm spends 3.3% of its total wage bill on regulatory compliance [2], a figure that covers only running costs and excludes the initial set-up of the required systems. While compliance is often associated with merely following legal standards to avoid penalties, we believe it extends further to include non-governmental industry standards, such as ISO norms, as well as ethical codes of conduct and best practices within the industry. In our view, compliance encompasses the processes and actions organizations take to ensure they meet both internal policies and external requirements. Thus, efficient internal governance structures are crucial to support the implementation and enforcement of regulatory compliance.
In an ever-evolving landscape marked by geopolitical conflicts, sustainability challenges, and the rapid advancement of disruptive technologies, these complexities are intensifying, resulting in an increasingly intricate regulatory environment. When considering net new regulations, i.e. all adopted or amended acts minus all repealed and expired acts, it becomes evident that the overall volume of regulation in the EU has been steadily increasing. In Germany alone, the cost for businesses to comply with the regulations newly issued in 2022 is estimated at a staggering €7 billion [3]. Effectively monitoring, understanding, and implementing this ever-increasing volume of regulatory change is therefore a significant and growing challenge for organizations. It requires robust processes, adequate resources, and technological solutions, and presents a significant ongoing challenge for compliance officers and executive leadership [4].
As mentioned, the EU is commonly considered to be at the forefront of regulation. Daron Acemoğlu argues that “[…] one reason the EU is ahead of the US in terms of [AI] regulation is that so far it has been almost exclusively about regulating US corporations. So European politicians don't have to worry about killing the goose that lays the golden eggs. Things are different in the USA. Silicon Valley is a major contributor to the US economy, and US politicians are aware of this [5].”
Europe, though lagging in significant digital platforms, exerts considerable influence in the tech world through what is termed the "Brussels Effect." This phenomenon, described by Anu Bradford [6], highlights how the EU's stringent regulations, like the General Data Protection Regulation (GDPR), become global standards because of the high cost to tech giants of implementing different standards regionally. The EU's large market, which contributes significantly to the revenues of companies like Facebook and Google, makes it impossible for these firms to ignore its rules. The European Commission aims to extend this influence to Artificial Intelligence (AI), promoting a secure and unified data space and encouraging AI development while mitigating the associated risks.
Whether the EU's stringent approach (compared to a flexible, sector-specific and decentralized US approach) will be successful remains unclear.
The volume of regulatory change has not only increased in the past but is also expected to continue rising. Interestingly, the majority (59%) of compliance officers in the EU and UK anticipate only slightly more regulation compared to today, while in the US, roughly a third expects significantly more regulation compared to today. This disparity could indicate a higher degree of regulatory complexity in the EU today, in contrast to the US, where deep regulatory changes will catch up in the future – possibly due to the Brussels Effect.
As previously mentioned, avoiding government-enforced penalties is a significant motivator for companies to implement compliance measures. However, this is not the only factor at play. Equally important, if not more so, are the interests of suppliers, customers, and capital markets, who demand adherence to laws and standard management practices. Demonstrating strong compliance practices builds trust with stakeholders, enhances a company's reputation and credibility, which ultimately supports growth. This dynamic has a major implication: Regulatory compliance is not only about avoiding penalties, but a core proposition of the business.
An interesting case study for this dynamic is ISO 27001. Obtaining the ISO 27001 certification demonstrates a strong commitment to information security, building trust with customers, suppliers, and stakeholders, while also boosting customer retention as well as driving the acquisition of new clients. ISO 27001 can provide a competitive advantage, particularly in industries where data security is critical, such as healthcare or finance. Many clients from these industries prefer or require vendors with this particular certification, making the organization eligible to bid for contracts and projects they might otherwise be excluded from. Notably, these requirements are not imposed by the government but by other companies and stakeholders, reflecting that compliance with such standards is not a nice-to-have, but critical for successful business operations. It is important to mention that it is neither our role nor within our competence to assess the merits of regulation. However, the trend of increasing regulation is undeniable, and the market consequently needs solutions to address the associated challenges.
The Opportunity
Meeting consumer demand is the first rule of business. Thus, compliance is no longer a mere checkbox exercise but a cornerstone of long-term business success. Demonstrating compliance is crucial for driving sales, as B2B customers demand strict adherence to regulatory and industry standards, while B2C consumers raise their expectations of broader corporate responsibility. Consequently, compliance has become more essential to a company's success than ever. Data privacy is a prime example, with consumers paying greater attention to the protection and use of their personal data. Privacy-first companies not only reduce the risk of penalties but also build trust with their target audience, encouraging them to engage with the business. The importance of this effect is reflected in the fact that companies, on average, allocate a significant 14.3% of their IT budget to ensuring GDPR compliance [7]. Similarly, the Supply Chain Act requires companies to take accountability for ethical and environmental practices throughout their entire supply chains. This legislation obliges businesses to ensure that their suppliers avoid harmful practices like forced labor or environmental degradation, which can damage both reputation and customer trust. While these regulations might seem burdensome, they offer businesses a chance to demonstrate (ethical) leadership, stand out from competitors, and secure sales. By treating compliance as an investment rather than a mere cost, companies can unlock value, reduce risks, and drive sustainable growth.
However, such compliance often requires substantial investment in resources and time because of its high degree of complexity. This complexity arises because constantly changing external requirements, which vary drastically across geographies, clash with the internal processes of an individual organization. Internalizing the most efficient ways to fulfill those regulatory requirements is a key value driver for sustainable top-line growth. Hence, we see a significant opportunity for software solutions in that space. Broken down, there are three main questions that need to be addressed:
1. What do I need to be compliant with? (External)
2. How do I make sure I am compliant? (Internal)
3. How do I measure, document, and report that I am compliant? (Internal & External)
The first question is a major concern for many compliance departments. As highlighted above, the complexity and number of regulations are increasing. Additionally, businesses must adhere to standards and practices demanded by stakeholders (e.g., ISO standards). Understanding new regulations and their specific impacts is crucial. According to Thomson Reuters, 54% of compliance officers spend more than four hours per week tracking new regulatory developments [8]. Traditionally, businesses have relied either on internal staff to manage compliance manually or on external consultants, both of which are costly and consume scarce resources. For example, in the financial sector, 93.9% of compliance costs are labor-related, while only 3.3% are equipment-related [9]. Given the increasing regulatory demands, managing compliance requirements has become nearly impossible without software solutions. The number of qualified professionals simply isn’t enough to meet the demand. Software solutions can help by searching for and analyzing the impacts of new regulations (e.g., mapping regulation to the product/service level), thereby reducing uncertainty. This is particularly relevant for markets where regulations are rapidly evolving and/or where the consequences of non-compliance are significant.
The second question is where the real opportunity lies: How can a business ensure it sets up systems that meet the right requirements? This presents a significant opportunity for software applications. Software not only streamlines and digitizes processes but also acts as a transfer of knowledge, or of best-practice workflows. Efficiently digitizing processes and distributing them to businesses with similar challenges (similar product or market logic) at no marginal cost can eliminate inefficiencies, as no single customer needs to reinvent the wheel for every new regulation. Consequently, (AI-driven) automation will be a powerful tool in this sector. This means not just optimizing processes but actually selling "compliance" itself by replacing error-prone manual processes with intelligent automation. To clarify, adding an interface for prompting on customer data might look like a product, but it is not. Rather, the core value of a software product lies in its ability to execute complex core processes accurately and automatically.
A prime example of this dynamic is the field of pharmaceutical R&D, where speed to market is crucial for gaining market share. The primary obstacle, rightly so, for introducing new therapies is obtaining certification from governmental agencies, such as FDA approval—a highly complex and time-consuming process involving clinical trials. Solutions that enable pharmaceutical companies to streamline these processes while ensuring compliance can add immense value, potentially resulting in millions, if not billions, in revenue for pharma companies.
Lastly, it is critical for businesses to signal regulatory compliance to their stakeholders and to the government. However, today only 10% of organizations have fully automated both data collection and KPI generation, while 90% still require manual adaptation to track their compliance goals [10]. This requires rigorous and consistent collection of internal and external data (e.g., ESG-related data points for SFDR [11] and CSRD [12] reporting) at scale. Obtaining the right data is often challenging, as not only internal information is required, but also proprietary data from external parties, some of which may have an incentive to keep it undisclosed. Only solutions with an “unfair” advantage in accessing proprietary data points or in inferring unique insights from commoditized data sources will be able to build a competitive edge.
To summarize, the combination of automating complex processes and accessing proprietary data is the winning formula for digital solutions in the compliance sector. Recyda, a climate tech startup from Freiburg, Germany, shows why: there are more than 300 different packaging and plastic regulations globally, and enterprises will spend more than €100m on EPR fees in Europe alone. Recyda supports customers in assessing the compliance of their entire packaging portfolio, or in designing packaging solutions, in accordance with over 70 different national and supra-national regulations and guidelines (and counting). The recyclability tool is mainly used by packaging and sustainability experts in enterprises. It allows them to structure their packaging data, navigate compliance, and perform packaging assessments at their fingertips.
Altogether, what makes digital solutions for compliance unique is the high level of trust they require. Only if stakeholders and regulators can verify and trust the outcomes will the desired effects on business growth be achieved. Hence, we firmly believe that the synergy between compliance automation and data collection is a powerful combination. On the one hand, a deep understanding of an organization's context is essential for effective automation — measure it to manage it. On the other hand, being deeply integrated into a customer's business landscape can create an “unfair” advantage in data collection and an informational edge, thereby activating network effects: the more customers a business can learn from, the better the insights for each individual customer, and consequently the more effective the tangible actions taken to meet regulatory requirements. Ultimately, the converging trends of increased regulatory burdens and AI-driven automation are pushing us to the cusp of a new era of category-defining digital players in the compliance space.
Sources:
[1] Lindner et al. (2023)
[2] Trebbi et al. (2024)
[3] Federal Statistical Office of Germany (2024)
[4] Thomson Reuters (2023)
[5] Bellikli (2024)
[6] The term “Brussels Effect” was first coined by Anu Bradford in 2012. Bradford, A. (2019). The Brussels Effect. Oxford University Press; The Economist (2020)
[7] Ponemon Institute LLC (2017)
[8] Thomson Reuters (2023)
[9] Trebbi et al. (2024)
[10] Link et al. (2023)
[11] SFDR refers to the Sustainable Finance Disclosure Regulation
[12] CSRD refers to the Corporate Sustainability Reporting Directive