Reinventing Compliance Program Metrics
One of many pet peeves I have in the compliance space is the lack of creativity in compliance program measurement. Chief Compliance Officers have to take a fresh approach to this issue. They have to break out of the old mold and bring about some innovative approaches in this area.
I hate to be such a nay-sayer but something has to be done. If I see another color-coded chart filled with reports on how many people have been trained, how many complaints were received, and how many people have completed their annual certifications, I will not only scream but probably be tempted to “ring your doorbell and run” (one of Groucho Marx’s famous quips).
There are a number of other subjects that a CCO can measure and report on to senior management and the board of directors.
Let’s consider a few other topics:
Company Culture: CCOs have to embrace the importance of company culture as one of the most important responsibilities they have. If you agree with me, then a CCO has to measure the culture. How do you do that?
Well, if we could survey all of our employees every quarter that would be great, but realistically we would be lucky to survey all of our employees once every two years.
To supplement an annual employee survey on culture, CCOs have to look for targeted culture surveys and reviews for company regions, countries or specific functions. A CCO should define a high-risk region or activity and conduct a targeted culture assessment. This can be done with a limited survey and/or focus groups/interviews.
Internal Investigations: A company’s commitment to organizational justice depends on its ability to identify complaints for investigation, and to resolve those investigations quickly and fairly. The time from intake to resolution should be measured, and specific explanations should be confirmed for investigations continuing beyond a guideline (60 or 90 days).
Additionally, the specific types of complaints should be measured. What percentage of complaints relate to code of conduct violations or legal violations, and what types of violations are involved (e.g. human resources, fraud, theft, bribery, antitrust, health and safety, environmental)?
Third-Party Due Diligence and Supply Chain: With the increased focus on due diligence, a company’s due diligence program should be tracked and measured. How long is it taking to complete due diligence? How many due diligence reviews are satisfied by basic screening, and how many require higher-level screening?
While supply chain management is not the same as a third-party due diligence program, the time for onboarding new vendors and suppliers should be measured and reported. As part of this report, the level of scrutiny should be measured and the types of information reviewed and sources for such information tracked.
Timely Information Reporting: An often-ignored task is tracking the dissemination of information among corporate functions relating to compliance. For example, human resources is responsible for training new employees. Human resources needs to report to compliance (and possibly others) on how many new employees have been trained or on how many existing employees have satisfied their training requirements.
Compliance depends on information flow among corporate functions, and this information should be tracked in a simple format: required reports, deadlines and reports received. You would be surprised how much information flow can be tracked and monitored. If a compliance function fails to receive information needed to exercise its responsibilities, the CCO should track the sharing of such information and the surrounding dates and times for such reports.
Risk Assessment Progress: Companies have adopted comprehensive enterprise risk assessment processes requiring components to meet or communicate to develop risk assessments for specific functions or responsibilities. A CCO can help the process by structuring record-keeping of individual function completion of tasks as part of an overall risk assessment process. Again, this operation is important to the company and should be monitored and measured by the CCO.
A couple of comments. The compliance MI dashboard should be reporting exceptions, not steady state activity. If this is not the case then it is way behind the program maturity model curve.
Secondly. Company culture. I agree that this is an essential metric to study. However, having consulted at group functions level at major institutions (100,00+ employees), I’m not sure that these sorts of surveys (SurveyMonkey etc) are that useful. I am a big fan of exit interviews and am always surprised that major concerns do not see these as an essential risk/compliance tool.