The Role of the Chief Risk Officer (CRO): Identifying and Mitigating Corporate Risks

Chief Risk Officer Definition, Common Threats Monitored

What Is a Chief Risk Officer (CRO)?

A chief risk officer is a corporate executive responsible for identifying, analyzing, and mitigating internal and external risks. The chief risk officer works to ensure that the company complies with government regulations, such as the Sarbanes-Oxley Act, and reviews factors that could hurt investments or a company’s business units. CROs typically have post-graduate education with more than 20 years of experience in accounting, economics, legal, or actuarial backgrounds. They are also referred to as chief risk management officers (CRMOs).


  • A chief risk officer (CRO) is an executive in charge of managing risks to the company.
  • It is a senior position that requires years of prior relevant experience.
  • The role of the chief risk officer is constantly evolving as technologies and business practices change.

Understanding the Chief Risk Officer (CRO)

The position of chief risk officer is constantly evolving. As companies adopt new technologies, the CRO must govern information security, protect against fraud, and guard intellectual property. By developing internal controls and overseeing internal audits, the CRO can identify threats from within a company before they result in regulatory action.

Risks CROs Must Watch For

The types of threats the CRO usually keeps watch for can be grouped into regulatory, competitive, and technical categories. As noted, companies must ensure they are in compliance with regulatory rules and fulfilling their obligations on reporting accurately to government agencies.

CROs must also check for procedural issues within their companies that may create exposure to a threat or liability. For example, if a company handles sensitive data from a third party, such as personal health information, there may be layers of security that the company is required to maintain to ensure that data is kept confidential. Some key considerations include:

  1. Compliance with Data Security:
    • Ensuring appropriate security measures for handling sensitive data.
    • Addressing lapses in security and unauthorized access to sensitive information.
    • Mitigating competitive risks associated with unauthorized access to sensitive data.
  2. Safety and Health:
    • Assessing risks to employees working in areas with potential threats.
    • Developing action plans to ensure the safety of personnel.
    • Complying with mandated procedures, including possible evacuations.

By effectively monitoring and addressing these risks, the CRO plays a critical role in safeguarding the company’s interests and maintaining regulatory compliance.

Navigating Government Regulations: The Impact on Businesses

Government Regulations: Do They Help Businesses?

Government Regulations and Business Impact

  • American businesses face a complex landscape of government regulations that can both benefit and hinder their operations and profitability.
  • The relationship between firms and the government can be either collaborative or adversarial, with regulations often aiming to protect consumers from exploitative practices.
  • Business complaints about regulations include the claim that they impede growth, efficiency, and innovation, while proponents argue that regulations are necessary to mitigate negative impacts on society.
  • Several key regulations and government agencies have significant implications for businesses:

Sarbanes-Oxley Act of 2002 (SOX)

  • Enacted in response to corporate fraud scandals, including Enron and WorldCom, the act governs accounting, auditing, and corporate responsibility.
  • Business opposition to the act stemmed from concerns about compliance challenges and effectiveness in protecting shareholders from fraud.

Environmental Protection Agency (EPA)

  • Established in 1970, the EPA regulates waste disposal, greenhouse emissions, and pollution control.
  • Companies subject to EPA rules often complain about the costs and potential impact on profits.

Federal Trade Commission (FTC)

  • Created in 1914, the FTC aims to protect consumers from deceptive or anti-competitive business practices.
  • Criticisms from some firms include accusations of inhibiting business activities through price-fixing investigations and limitations on advertising.

Securities and Exchange Commission (SEC)

  • Formed in 1934, the SEC regulates IPOs, enforces disclosure requirements, and oversees stock trading.
  • Companies conducting public offerings and trading securities must adhere to SEC rules.

Food and Drug Administration (FDA)

  • Pharmaceutical companies often criticize the FDA for delaying drug approvals by demanding additional clinical trials even for drugs with demonstrated effectiveness.
  • The high costs and lengthy approval process can discourage small firms from entering the market.

Regulatory Capture and Supporting Businesses

  • Regulatory capture is a concern, where agencies responsible for consumer protection can become influenced or controlled by the industries they oversee.
  • Government programs and agencies also provide support to businesses, including the Small Business Administration (SBA) offering loans, grants, and counseling.
  • The Commerce Department assists small and medium-sized businesses in expanding their overseas sales.
  • The government’s rule of law, including patent and trademark protection, encourages innovation and creativity while safeguarding businesses from infringement.

Government Intervention in Economic Crises

  • Extraordinary measures like TARP and the CARES Act have aimed to protect businesses during economic downturns, with debates about the appropriate level of government intervention.
  • The government’s role can shape the corporate world significantly and prevent business failures, but opinions on the extent of intervention differ.

The Complex Relationship and the Future

  • The government’s role in business will likely continue to be a blend of regulation and collaboration, adapting to technological advancements and changing societal needs.
  • Striking a balance between regulation and allowing market forces to operate remains a challenge.
  • The government’s role as a neutral referee is crucial, ensuring fair play as the rules evolve.

The Bottom Line: Government regulations have both positive and negative impacts on businesses, with regulations aiming to protect consumers, promote fairness, and mitigate harmful practices. However, concerns about overregulation and regulatory capture exist, requiring a delicate balance to support business growth while safeguarding public interests.

Navigating Blackout Periods: Rules, Examples, and Compliance in Finance

What Is a Blackout Period in Finance? Rules and Examples

Introduction

A blackout period in financial markets refers to a specific time frame when certain individuals, such as executives and employees, are prohibited from engaging in certain financial transactions. This includes buying or selling shares of their company or making changes to their pension plan investments. Blackout periods are implemented to prevent the misuse of insider information and to ensure fair and transparent trading practices. In this article, we will explore the rules and examples related to blackout periods in finance, with references to the Sarbanes-Oxley Act of 2002 where applicable.

Definition and Scope

A blackout period is a period of time during which individuals are restricted from engaging in specific financial activities. The following key points provide a clearer understanding of blackout periods:

  1. Blackout Period for Company Stock:
    • Typically occurs before earnings announcements.
    • Aims to prevent individuals with insider information from trading shares.
    • Companies often impose blackout periods voluntarily.
    • Company-defined time frames and restrictions determine who can and cannot trade shares.
    • The Securities and Exchange Commission (SEC) permits executives to engage in stock transactions ahead of earnings as long as they comply with registration requirements.
  2. Blackout Period for Pension Plans:
    • Imposed when significant changes are made to the pension plan.
    • Examples of triggering events include changes in management personnel, corporate mergers or acquisitions, implementation of alternative investments, or changes in record-keepers.
    • Under the Sarbanes-Oxley Act of 2002, directors and executive officers are prohibited from buying, selling, or transferring securities during a pension plan blackout period if acquired in connection with their employment, even if the securities are not held within the pension plan itself.
  3. Blackout Period for Stock Analysts:
    • Analysts face blackout periods around the launch of an initial public offering (IPO).
    • Previously, analysts were forbidden from publishing research on IPOs prior to the offering and for up to 40 days afterward.
    • In 2015, the rules were relaxed, and now only analysts associated with underwriting or dealer firms are prohibited from publishing research or making public appearances related to an IPO, and only for 10 days after the offering is completed.

Rules on Stock Trades

The SEC does not explicitly prohibit executives from buying or selling company stock before earnings announcements. However, to avoid any suspicion of insider trading, most listed companies impose restrictions on directors and certain employees with important non-public information. The following rules govern stock trades:

  1. Legally Required Disclosures:
    • Executives can engage in stock transactions ahead of earnings if the company complies with legally required disclosures.
    • Proper registration of transactions with the SEC is essential.
  2. Insider Trading:
    • Insider trading involves using non-public information to profit or prevent losses in the stock market.
    • Insider trading is a criminal activity with associated penalties such as imprisonment and fines.

Can I Transfer Stock During a Blackout Period?

During a blackout period, all buying, selling, or transferring of securities, directly or indirectly, is prohibited. This restriction applies to both directors and executive officers.

Blackout Periods and Family Members

The applicability of blackout periods to family members is usually determined by the company’s blackout period rules. In many cases, blackout periods also apply to family members once the company announces the blackout period. Neither the individual nor their family members are allowed to trade the company’s shares until the blackout period concludes.

Conclusion

Blackout periods play a crucial role in ensuring fair and transparent financial practices. By preventing individuals from trading shares or making changes to pension plans during specific periods, blackout periods aim to prevent the misuse of insider information and protect against potential market manipulation. Familiarity with the rules and regulations surrounding blackout periods is essential for executives, employees, and analysts to adhere to legal requirements and maintain the integrity of financial markets.

Personal Accountability and Compliance Maturity: Strengthening Governance in the Era of the Sarbanes-Oxley Act

The Importance of Corporate Governance and Personal Accountability: Lessons from Enron and Sarbanes-Oxley Act

Corporate governance failures and executive misconduct have become increasingly prevalent, dominating headlines and capturing public attention. What was once a concern primarily for compliance professionals has now become front-page news, attracting the interest of a wider audience through television shows, podcasts, and documentaries. Scandals like Enron and WorldCom, which prompted the enactment of the Sarbanes-Oxley Act (SOX), marked a turning point in the perception of auditors and the significance of governance in business. Today, as new companies face similar challenges, there is a growing need for regulatory measures and enhanced enforcement.

The Evolution of Auditors: From Dismissal to Empowerment

Before the Enron scandal, auditors were often disregarded and their role undermined. However, with the implementation of SOX and subsequent regulations, auditors gained more authority. The personal accountability established by SOX extended to CFOs and other C-suite executives, emphasizing the importance of robust processes and governance for long-term success.

Strengthening Corporate Governance: Personal Accountability for CCOs

Twenty years after the enactment of SOX, there is a renewed emphasis on stronger corporate governance and individual accountability. The U.S. Department of Justice (DOJ) recently announced a focus on personal accountability for the chief compliance officer (CCO), mirroring the impact of SOX on CFOs. The DOJ’s move aims to elevate the CCO’s role within organizations and promote an open and transparent relationship with the CEO and board of directors. Recognizing compliance as a critical strategic function is crucial for driving success.

Unlocking Influence: The Role of CCOs in the C-suite and Board

While the concept of “personal accountability” may seem daunting, it presents an opportunity for CCOs to gain influence and stature within the C-suite and board of directors. As organizations face increasing governance challenges and responsibilities, boards will rely heavily on the expertise of their CCOs. Privacy regulation, whistleblower protection initiatives, ESG disclosure, and progress metrics are areas well-suited for CCO oversight. Implementing solid governance practices and adhering to best practices in these areas can help businesses achieve their desired revenue outcomes while avoiding fines and reputational damage. Neglecting governance and regulatory compliance in pursuit of short-term profits is a risky approach that may lead to negative consequences in the long run.

In summary, the lessons learned from Enron and the implementation of SOX have shed light on the importance of corporate governance and personal accountability. The DOJ’s focus on the role of CCOs further emphasizes the significance of compliance in driving organizational success. By prioritizing governance, businesses can navigate the complex landscape of regulations, mitigate risks, and safeguard their reputation and financial well-being.

Elevating the Role of the CCO: Embracing Personal Accountability and Strengthening Compliance

The emphasis on personal accountability and the strategic value of compliance programs is leading to a transformation in the role of the Chief Compliance Officer (CCO). Just as the IT function evolved from a tactical position to a strategic role, the CCO’s position is also becoming more strategic in organizations. The U.S. Department of Justice’s (DOJ) efforts to elevate the role of the CCO are aimed at maturing the compliance function and enhancing its value to the business. By embracing transparency, governance, and compliance as the foundation of their operations, organizations and compliance leaders can gain a competitive advantage.

Insights on Personal Accountability and Compliance Maturity

Discussions with chief compliance officers have provided valuable insights into the impact of personal accountability on a company’s reputation, effectiveness, and overall business outcomes. The emphasis on personal accountability is driving the maturity of the compliance field and addressing the need for transparency. This shift requires organizations that view compliance as a cost center to undergo a significant paradigm shift to align with DOJ expectations. Moreover, public and regulatory scrutiny of business practices is pushing companies to prioritize long-term integrity over short-term gains.

Building a Strong Compliance Program: Where to Start

To establish a strong compliance program and navigate the changing landscape, the following steps are recommended:

  1. Align with DOJ Guidance: Ensure that your governance, risk, and compliance programs are adequately funded and supported, creating a culture of compliance.
  2. Obtain Buy-In from Key Stakeholders: Engage with the board of directors and other C-suite stakeholders, effectively communicating the financial and reputational risks associated with non-compliance. Regularly brief the board on the program’s health, share examples of the costs of failure, and benchmark against industry peers.
  3. Automate Workflows and Analyze Data: Utilize technology to automate workflows and analyze data from various sources, such as hotline reports. This enables a better understanding of trends, hot spots, and organization-specific issues. Overcoming internal silos and gaining buy-in from other teams may be a challenge, so start with a test case that addresses current organizational challenges and demonstrates the benefits of automation.

A Step-by-Step Approach for Program Accountability

Rather than attempting to tackle all aspects at once, it is advisable to take a step-by-step approach to program accountability:

  1. Build a Solid Foundation: Begin by establishing strong relationships with key players, gaining buy-in from top executives, and consistently communicating compliance standards and values across the organization.
  2. Programmatic Growth: With a solid foundation in place, focus on programmatically growing governance maturity. This can be achieved by continuously improving compliance practices and illustrating program accountability.

Advantages of Maturing the Compliance Function

The maturation of the compliance function brings numerous benefits for businesses and their customers, including:

  • Enhanced structural and cultural integrity
  • Stronger risk management and mitigation
  • Protection against reputational damage and financial losses
  • Increased stakeholder trust and confidence

By embracing personal accountability, strengthening compliance programs, and fostering a culture of integrity, organizations can position themselves for long-term success in a complex regulatory environment.

The Pros and Cons of the Sarbanes-Oxley Act

When Enron declared bankruptcy in 2001, it was one of the world’s largest corporate scandals. That year, the company had over $63 billion worth of assets and soon became a symbol of executive-level corruption after declaring bankruptcy only four years later. This large scandal was then followed by the Sarbanes-Oxley Act, which sought to prevent scandals like this from happening again.

Sarbox is a law passed by the United States Congress that aims to protect shareholders from fraud. The Sarbanes-Oxley Act of 2002, also known as SOX, strengthens corporate oversight and improves internal controls. These controls will hopefully protect investors against fraudulent financial statements provided by companies. One way SOX does this is by requiring independent third parties to verify company financials before they can be released. Such measures are welcome for many investors, though it may prove difficult for some businesses when complying with these requirements. 

The Sarbanes-Oxley Act was put into place in response to accounting scandals at Enron and other corporations late in 2001, where management manipulated finances and kept off-balance-sheet debt obligations secret while reporting profits based on unrealistic assumptions about market prices.

SOX was created to increase the transparency of how businesses are run and therefore make things easier for investors. However, this increased regulation has led many companies to outsource their jobs overseas in order to remain competitive when faced with high compliance costs. Point blank, this is a law that both helps and hinders investments. That being said, its main goal is to increase a company’s transparency through more stringent regulations on management practices. To help you make an informed decision on how this will affect your business or investment strategy, we’ve compiled the pros and cons of SOX, which should give perspective on whether it’s worth supporting or not.

The Pros

  1. At All Times, Crucial Information Can’t Be Withheld From Shareholders

The Enron Corporation used a shady practice called mark-to-market accounting, also known as cooking the books, to hide its losses. For example, if Enron built an asset, such as a power plant, predicted that it would make a profit before even earning any revenue from it, and then actually made money that was less than what was projected on paper, Enron transferred assets off the company’s ledgers into another corporation. These numbers were not accounted for at all. In other words, rather than hurt its bottom line by reporting financials accurately, the company hid its lost profits, which wouldn’t be devastating since no one knew about them except insiders who benefited from insider trading schemes.

By requiring that all company reports be verified independently for accuracy, stockholders can rest assured knowing their investments have not been put at risk due to dishonest business activities like this one.

  2. The Need for Internal Controls is Vital

The Sarbanes-Oxley Act of 2002 is a federal law that requires managers to perform internal control testing on their company’s financial statements. The idea behind this legislation was for the government and investors to be more aware if there are any management overrides happening, which led to an extensive investigation into Enron Corporation in 2001. 

To prevent the kind of internal control failures that led to Enron’s downfall, management is required to test these controls quarterly and file a report on their effects. This prevents managers from manipulating transactions by putting checks and balances in place that can catch abnormalities before they become too serious an issue for anyone involved.

The Cons

  1. Sometimes, Smaller Companies Feel the Burden

SOX has been criticized by small public companies that are required to follow the same reporting rules as large, multinational corporations. Essentially, Section 404 sets out internal control procedures for all organizations but does not differentiate by company size and available resources. This leaves smaller companies with a difficult choice of either following SOX or spending their own money on additional external compliance measures they don’t have in place internally yet.

One of the reasons that small businesses succeed is because they don’t have to worry about their IT. The around-the-clock support and flat-rate fee structure make it a low-cost, predictable expense with great benefits as well. With a managed service provider, you and your business don’t have to worry about constantly upgrading your technology. They’ll take care of everything from data backup and disaster recovery to providing technical support at all hours, no matter what time it is or where you are in the world, at a fraction of the cost.

  2. Audit Fees are Increased

When auditors are forced to be more accountable for their audit reports, they have less time and fewer resources available. This means that fees go up, which allows them the time required for SOX compliance work while covering additional liability from a data breach. One thing to consider is South Dakota, a state that has one of the strictest laws regarding data breaches. In this state, companies are now liable after any incident. So when SOX compliance increases your audit fee, ask yourself if your business can afford to pay $10,000 a day due to a data breach.