I think that is an interesting question. Compliance is a key topic for every organization, with many facets. Currently we have an intense debate about the Deutsche Bahn (railway) and other organizations which have, for example, compared the bank accounts of their employees with those of suppliers. The goal is to prevent corruption. From a Corporate Governance perspective and from a compliance perspective (mitigating compliance risks and so on) that is a valid approach. From the data protection law perspective, it isn't that easy. There are obvious conflicts between different regulations.
What has this to do with the costs of compliance?
There is a solution to the conflict above which also addresses the increasing costs of compliance (or, more precisely, Governance, Risk Management, and Compliance). What has happened over the course of the years? Companies introduced platforms which help to address GRC requirements not only for a specific regulation but in a more standardized way. Even today, most of these GRC platforms aren't complete. Some focus only on Risk Management (and within that, only on IT Risk Management or Enterprise Risk Management). Others support only specific system platforms, like ERP systems. Some support mainly attestation, but don't address the counterpart, e.g. authorization management. But, anyhow, all these approaches try to consolidate GRC efforts.
The key value propositions of these platforms are reduced implementation costs, lower costs for fulfilling compliance regulations, and a consistent view of different regulations and their fulfilment. Reducing the costs of compliance is one of the main reasons for the success of these tools. On the other hand, the view of different regulations is what we need for the problem I talked about at the beginning. If there are conflicts between regulations, they have to become visible. Then organizations can decide how to handle the conflict. GRC platform approaches - at least the ones which really allow describing regulations and the resulting tasks and business rules - thus can help not only to reduce the costs of compliance but also to deal in a structured way with conflicts between different regulations.
Currently, most of the GRC tools lack good support for describing regulations and the associated policies, and for breaking these down into business rules and IT rules. But I'm convinced that we will see both an increasing number of standards for such policies and improved tool support within the next two or three years. That helps to deal with all the different regulations and at least to keep compliance costs under control despite a growing number of regulations.
We will have two Kuppinger Cole webinars this week which are related to the question above. One is on Thursday, 5pm CET, and has the title "Reducing Compliance Costs through Risk-Based Segregation of Duties Management". The other is on Friday at 3pm CET, in German, and has the title "Zehn Gründe, warum Sie gerade jetzt in IAM und GRC investieren sollten." (Ten reasons to invest in IAM and GRC especially in these days). Both deliver some answers to the question I started this blog entry with. More discussions around this topic will take place at the European Identity Conference 2009.