If you are interested in naval history, strategy and tactics, I have a question for you: Are you a disciple of Alfred Mahan or Julian Corbett? If you are a Mahanian, you probably focus on large naval engagements or the great battle concept. If you are Corbettian, you probably think about a series of smaller engagements, with an offensive-defensive mentality. I pose this as I am currently studying great military strategic thinkers. One thing they both advocate is information collection and analysis as a tool not only to predict potential future outcomes but to remediate defects as they might appear. In other words, measurement.
Why should an organization measure its compliance program? One quick answer is that it is one way to demonstrate that your compliance program is ‘effective’ under the US Sentencing Guidelines for Organizations. But more holistically, such measurements allow a company to know if it is operating within the parameters it has set and in compliance with anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. Further, such metrics can provide more and better information for strategic decision making, help employee engagement with compliance and can aid to produce a clearer picture of compliance risks and requirements.
In an article in Compliance Week, entitled “Measuring the Integrity of an Organization”, author Michael Rasmussen explored this issue and then facilitated a roundtable discussion on the topic. Rasmussen’s article was paired with another in the series of Open Compliance and Ethics Group (OCEG) GRC Illustrated pieces, entitled “Integrated Compliance & Ethics Metrics”.
In the roundtable, Patrick Quinlan, Chief Executive Officer (CEO) of Convercent, said, “compliance should be looking at objectively measuring how a location, a department, or employee behavior stacks up against the organization’s values and policies. You should measure to compare, monitor, and pursue participation, engagement, and improvements where needed. Regulators may want to see checked boxes of compliance (percentage of policy attestations and training courses completed; controls in place; responses to incidents). Culture and engagement metrics can serve as valuable indicators of issues that may rise to the surface later. Employees respond to how they are evaluated; making ethical behavior a part of performance evaluations is an important part of instilling compliance at every level.”
Jose Tabuena, Global Compliance & Regulatory Counsel for Orion Health, believes that it is important for a compliance practitioner to “Develop a scorecard to give stakeholders information about the compliance program and where there is risk. Metrics should be gathered from both inside (e.g., investigations, compliance committee meetings, subject matter audits, etc.) and outside (e.g., government agency audits and observations, including fines and penalties). These metrics monitor the program over time and identify legal and other minefields that are ripe for corrective action.” Anita Helpert, Director of Internal Audit at Raytheon, specified four areas that organizations should compare. First, “awareness training completions that answer: Have we equipped attendees to understand expected conduct, to recognize issues, and to feel confident in reporting issues?” Second, you should look at tone-at-the-top: “What evidence supports leaders setting examples and nurturing an environment of ethical behavior?” The third is hotline reporting: “Do reports confirm or deny our “ethics checks” and provide insight on how people ask for guidance or report potential issues?” Fourth, and finally, is ethics metrics: “When we respond to a report or question, what do we find? How does this trend over time, by organizational structure, by leader, by location?”
The GRC Illustrated compendium detailed success factors. These included:
- Top level support – you can gain the endorsement of management and obtain a larger allocation of resources by “demonstrating how strategic decision making depends on analysis and timely delivery of information.”
- Employee engagement – by engaging employees you not only make them more comfortable with compliance but also make compliance more meaningful and beneficial to them.
- Knowing your needs – you need to determine what information is required to assist in “strategic decision making, support established values, improve compliance efforts and better manage resources.”
- Single source of information – there should be one centralized system to consolidate metrics and ensure increased accuracy for better analysis and decisions.
- Ease of use – the compliance practitioner needs to “enable quick, simple and meaningful management of data and dashboards for viewing and analysis of metrics.”
An interesting glossary in the GRC Illustrated compendium defined the types of metrics and examples that might be used. They were:
- Number – you should count the number of incidents, policies, surveys, reports, automated controls, and employee conduct – whether good or bad.
- Frequency – you should determine how often training and surveys take place, incidents occur, issues are reported and the workforce is surveyed.
- Flagged – you should identify policies requiring review or individuals, locations, and operations with multiple problems, high-level risks or strength in desired conduct.
- Ranking – here you should assess the severity of incidents, benchmarking outcomes, employee leadership qualities and the risk ranking of third parties.
- Trends – you should evaluate metrics for specific areas such as training completion or level of employee engagement over time and relate them to program changes.
- Relationships – you should consider the controls per risk, incident trends to training frequency or survey completion rates to the number of reminders.
Rasmussen ends his article by noting that these types of approaches to ethics and compliance allow not only the demonstrable proof that regulators such as the Department of Justice (DOJ) or Serious Fraud Office (SFO) are looking for but also “shifts the focus of efforts from being reactive and “checking the box” to proactive and forward-looking. This shift enables compliance to monitor integrity by processing and managing metrics across the organization in the context of rapidly changing business, regulatory, legal, and reputational risks to ensure compliance is operationally effective.”
With this integrated compliance architecture a company can create “an optimized infrastructure to report on metrics, benchmark integrity, and understand compliance in the context of business strategy and execution. Measuring integrity requires that the organization have clear insight into metrics supporting the development and communication of clear policies, continual feedback from employees, effectiveness of training programs, incident reporting, and the engagement of employees with these systems. All of these lead to an efficient and effective compliance program responsible for being the champion of organizational integrity.”
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2014