How to Increase Your Privacy (and Legal Compliance) Budget with Legal Math.

Legal compliance risk management is a complex art and science, often requiring a menagerie of different skills, resources and creativity to achieve effective outcomes. Two key challenges loom for practitioners on a day-to-day basis:

  • Getting enough stakeholder engagement to take the actions necessary to achieve required outcomes, and
  • Having the resources necessary to ensure the organization is operating within tolerable risk thresholds.

The above can often come into conflict with the organizational culture, particularly where there is a strategic imperative for innovation and growth. AI initiatives, for example, usually involve extrapolating from vast amounts of data that are subject to regulatory mandates in order to generate meaningful results. With increasingly complex legislative frameworks operating across the globe, the administrative burden has also grown exponentially.

Getting a Bigger Piece of the Budget Pie

Legal compliance professionals should look across the table and ask why their colleagues in cybersecurity (who face similar challenges) are doing a lot better. According to Gartner [1], a typical organization is increasing its spend on security at a rate of 8-12% per year. Privacy teams, on the other hand, are facing budget cuts, with more than half of privacy professionals expecting budget cuts in 2026 [2].

Anyone who has kept an eye on both industries will notice a stark difference in how they are reported or discussed in news articles, which hints at the underlying reason. Privacy articles (and regulatory updates) discuss the nuances of changes to regulatory mechanisms and/or provisions, with the impact usually framed in terms of managing compliance within the bounds of such a change. Cybersecurity articles, on the other hand, cite stats, stats and more stats - on everything from business budgets and industry segments to investment category breakdowns.

The stark difference points to the laser focus cybersecurity professionals have on the business. In particular:

  • How do we measure what we manage – through data driven business cases.
  • How do we demonstrate the impact of non-compliance on the business – in dollars and cents.

Legal compliance professionals might argue that the latter is more complex on their end. The impact on the business, for example, is often indirect, as many legal frameworks require action to be taken by regulatory authorities, with the impact coming in the form of administrative fines or legal costs.

Irrespective of the above, it ultimately leads to the following potential budget-ask scenarios:

  • We need $X to address . was recently hit with $Y for not complying.
  • We need $X to address . Our modelling suggests it may cost the business $Y annually if we do not deal with it.

The former highlights a danger but potentially also raises doubts in the mind of the corporate sponsor: is that relevant to our business and, if so, how? The latter implicitly demonstrates a deep understanding of business operations and how non-compliance has a direct nexus to the bottom line.

To land in the second scenario (and get a bigger piece of the budget pie), legal compliance professionals must address the complexities inherent in modelling the direct financial impact that regulatory action could have on the business.

Legal Math

That is why we developed Legal Math – a data-driven approach to directly model the potential administrative fines or legal costs to the business that result from non-compliance through specific business action or inaction. It is based on the same principles used by the cybersecurity industry [3].

Legal Math quantifies legal risk by breaking it down into measurable components: the applicable legal provisions subject to non-compliance, and the past fine(s) regulators have imposed for breaching each provision. These are augmented by organisational data inputs on the nature of the risk being assessed and the number of complaints about the organisation that get referred to a regulatory agency each year. Together these data points generate an Annualised Expected Loss (AEL), representing how much (in dollars and cents) an organisation can expect to lose each year through a specific business action or inaction.

A secondary loss multiplier can also be generated to approximate the potential loss from penalties imposed under related provisions and/or through related legal actions. This accounts for instances where:

  • Authorities impose penalties for contravention of multiple provisions simultaneously, or
  • There is potential for peripheral actions as a result of breaches of other provisions, due to an organisation’s risk profile.

The Calculation Challenge

Legal Math is one area where leveraging AI is not a luxury but a necessity. The process above requires a combination of legal and mathematical modelling skills, as well as domain data collection. Specifically:

  • Every issue assessed must be analysed against the applicable framework to discern which provisions may have been breached.
  • Each potential breach must be assessed against historical data on imposed penalties.
  • Calculating an accurate estimate of the Annualised Expected Loss often involves sampling from probability distributions that take into account the loss expectations of different scenarios.

Needless to say, doing the above manually would take a significant amount of time and resources.
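As an added illustration (not the article's own tooling), the following Python sketch models the AEL described above FAIR-style: complaints referred to the regulator per year and the share that historically drew a fine give the loss-event frequency, a triangular distribution over past fines gives the loss magnitude, and the secondary loss multiplier uplifts each sampled fine. The provision name, the input figures and every function name are constructed placeholders, and a closed-form expected value is included to sanity-check the simulation.

```python
"""Monte Carlo Annualised Expected Loss (AEL) for one legal provision.
Added example (not the article's code); all figures are constructed."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class ProvisionRisk:
    name: str
    referrals_per_year: float     # complaints referred to the regulator per year
    p_action_per_referral: float  # share of referrals that historically drew a fine
    fine_min: float               # smallest / most likely / largest past fine
    fine_mode: float
    fine_max: float
    secondary_multiplier: float   # uplift for related provisions / peripheral actions


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler (the random module has none built in)."""
    k, p = 0, rng.random()
    while p > math.exp(-lam):
        k, p = k + 1, p * rng.random()
    return k


def simulate_year(risk: ProvisionRisk, rng: random.Random) -> float:
    """Loss in one simulated year: each referral may draw a sampled fine."""
    loss = 0.0
    for _ in range(poisson(risk.referrals_per_year, rng)):
        if rng.random() < risk.p_action_per_referral:
            fine = rng.triangular(risk.fine_min, risk.fine_max, risk.fine_mode)
            loss += fine * risk.secondary_multiplier
    return loss


def closed_form_ael(risk: ProvisionRisk) -> float:
    """Sanity check: referrals x enforcement probability x mean fine x multiplier."""
    mean_fine = (risk.fine_min + risk.fine_mode + risk.fine_max) / 3
    return risk.referrals_per_year * risk.p_action_per_referral * mean_fine * risk.secondary_multiplier


def annualised_expected_loss(risk: ProvisionRisk, trials: int = 20000, seed: int = 1) -> dict:
    """AEL plus the tail figures a budget sponsor tends to ask about."""
    rng = random.Random(seed)
    losses = [simulate_year(risk, rng) for _ in range(trials)]
    return {"ael": statistics.fmean(losses),
            "p90_annual_loss": statistics.quantiles(losses, n=10)[-1],
            "p_any_penalty": sum(l > 0 for l in losses) / trials}


# Constructed placeholder inputs, not real regulator data.
EXAMPLE = ProvisionRisk("Direct marketing consent", 4.0, 0.25, 50_000, 200_000, 800_000, 1.3)
```

With the constructed inputs, the simulated AEL converges on the closed-form value (4 referrals x 0.25 x mean fine of 350,000 x 1.3 = 455,000), while the 90th-percentile annual loss sits well above it because a year with two or more penalties is not rare.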

Conclusion

To do their jobs successfully, privacy (and legal compliance) professionals need adequate budgets and resources. Where these are not provided, relative to comparable business units within the organization and to the pace of regulatory change, an objective assessment should be conducted. Ineffective stakeholder engagement, due to inadequate business focus, may be at the heart of the problem. Using data-driven approaches to develop budgeted business cases can help stakeholders intuitively understand that privacy (and legal compliance) actively measures what it manages and appreciates how its functions and activities directly impact the bottom line.

[1] https://www.elisity.com/blog/2026-cybersecurity-budget-complete-enterprise-planning-guide#:~:text=What%20the%20Numbers%20Say:%20Global,to%20benchmark%20your%20own%20spend.

[2] https://idm.net.au/article/0015470-budget-cuts-hit-privacy-teams-hard#:~:text=The%20report%20found%20that%2029,data%20protection%22%20in%20job%20titles.

[3] Factor Analysis of Information Risk (FAIR)