One of the ongoing questions faced by compliance practitioners is how to measure the effectiveness of your compliance program. One mechanism for doing so is Key Performance Indicators (KPIs). KPIs are a critical component in showing compliance program success (or failure), in demonstrating whether you have been working towards your stated goals, and in reporting that success. And while the specific requirements for this kind of reporting have been hotly debated in the industry for some time, KPIs themselves are a requirement. Your KPIs are going to be specific and unique to your company, the business it conducts, and the goals you are trying to achieve as a whole and as a compliance program – so there is no “set” list of these metrics.
How can you think about setting your KPIs? There are several steps you need to take to pursue this approach. The first thing you must do is agree on the manner in which KPIs will be used and then on the blueprint for going forward. You should apply the KPIs to as wide a swath of your compliance program as possible, literally to all employees across the globe, and including your Code of Conduct and the policies and procedures of your compliance program. Standardization of the measurements, through standard mechanisms and forms, is key. This is important not only to achieve consistency but also because of the upfront cost of development. If you can develop and utilize the same measuring mechanisms and reporting forms, this will decrease costs and increase efficiencies over monitoring cycles.
Next is the area of reporting. Obviously, by assigning values to KPIs you can more easily track the results and act on them to increase efficiencies. This will also allow you to better track progress over time. Ongoing monitoring not only provides the opportunity for, but sets the basis for, ongoing enhancement of your company’s compliance program. You can utilize the results to effect improvement on a broad-based focus or down in the weeds at a more granular level. Any new or emerging risks, or noteworthy changes to the likelihood or severity of your organizational risk profile, whether due to business changes or environmental developments, can also be tracked.
Such results can be used in a wide variety of other compliance areas as well. One of the hardest areas in compliance is determining the effectiveness of training. Putting KPIs around how many employees have successfully completed training and policy requirements, including the results of any post-training tests and policy attestation rates, can assist in this endeavor. In the area of employee feedback, you can set KPIs around the feedback received through employee focus groups, culture surveys and knowledge assessments, and around how you are using this feedback to drive improvements. Finally, you can put KPIs around audit findings, specifically the results of both internal and external audits and what these findings mean for the organization and the compliance program.
How do you go about measuring KPIs? One of the greatest things about the compliance profession is that we are only limited by our collective imagination. This means that in an area such as compliance and KPIs, where there are no clear guidelines for compliance professionals, you can use today’s data-saturated world and the heightened sensitivity around compliance across industries to develop the right KPIs for your organization. Start with the proposition that you need a sound method to measure your compliance program’s effectiveness. From there, consider a risk-based program that specifically accounts for your organization’s unique risk profile. Working from a risk-based assessment framework can establish the KPIs needed to identify program improvements. One way to do so is to provide a quantitative process maturity rating scale of 1-4 for each KPI. Each identified and evaluated compliance program area is then given a rating, and an aggregate rating can be calculated for each area. The ratings allow you to identify opportunities, analyze the root cause of a deficiency, assign ownership for the improvement action and track next steps to ensure any vulnerabilities or weaknesses are resolved.
The rating scale would go something like the following. At level 1, the issue is not fully mitigated by a control, or there are inconsistencies in the processes that make them susceptible to breakdowns and/or scrutiny. At level 2, your compliance program processes and controls are in place to mitigate the risk and are consistently operating. Level 3 is best practice, where your compliance processes have achieved best practice criteria. Finally, level 4 is where your compliance program has matured beyond best practice criteria.
KPIs provide yet another mechanism for you to monitor and update your compliance program on an almost continuous basis. KPIs can be extremely low in cost and therefore something you can put in place without needing budget approval from the higher-ups in your organization. Finally, innovation can come in many ways. Obviously, ComTech can be a huge jump forward. But sometimes innovation can occur at much less cost and at a much more granular level. KPIs can be such a mechanism for you.
I am presenting two upcoming events, sponsored by Convercent, where we are going to discuss compliance innovation, specifically including KPIs. I hope you can join me for one of them. The first will be a Roundtable in Houston, TX, on March 10 from 12-2 at Steak 48. Registration and information is here. The second will be a Forum in NYC on March 12, from 3:30 to 7 at Santina. Registration and information is available here.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2020