Building a Compliance Dashboard (Part I of II)
This is a topic that every compliance professional has to address in one form or another. Chief compliance officers are so busy that they often cannot even take the time to tackle this difficult issue. It is a real, practical issue of importance.
To set the focus of this blog posting, we first have to define the issues and purposes of the compliance dashboard. We are not proposing a new automated technology service; rather, we are attempting to assemble a relevant list of measurements, assign a frequency for collection and review, and establish a basis for compliance trends.
In doing so, we also have to consider the exact means by which the data can be collected and made available to the CCO. This capability may vary across organizations and depend on the exact IT systems employed. Some systems and products can collect and report data on an ongoing or regular basis. CCOs may have a wish list of data they would like to monitor but the reality of access and technology may create some limitations.
My outline of issues assumes that IT does not limit access or restrict the frequency of reporting. We have seen rapid changes in technological capabilities and I expect we will see many more. CCOs have to stay current on these capabilities and adjust their monitoring dashboard in response.
Let’s start with a basic list of topics that we should ideally include in a dashboard. Depending on the organization’s risk profile, the industry, its geographic footprint and related factors, this list may change. Within each issue, the specific measures will change based on specific circumstances.
With all these caveats, here is a basic list:
- Incident and Investigation Tracking
- Employee Discipline
- Compliance Communications
- Training
- Culture Tracking
- Conflicts of Interest
- Third-Party Risk Management
- Policies and Procedures
- Internal and Financial Controls (Charitable and GMET)
- Governance: Board, Senior Management and Compliance Committees
- Compliance Risk Assessment Monitoring and Mitigation Status
It would be easy to add several other topics such as Mergers & Acquisitions, if this is a part of your company’s business strategy, or add an Ethics and Compliance highlights section to capture certain events that may not occur each period.
Incident and Investigation Tracking: the monitoring of this category would center on the opening of “matters,” defined to include “incidents and investigations” to distinguish between incidents that result in an investigation and those that do not require an investigation, e.g. a routine employment matter that was handled without an investigation. For each matter, the following issues would be tracked on a regular basis (e.g. weekly, monthly or quarterly):
(1) Status (open, pending, closed, substantiated or not substantiated);
(2) Type (e.g. conflict of interest, theft, bullying, harassment, violation of specific policy, retaliation);
(3) Category of Actor (employee, manager, executive, senior executive, board member);
(4) Source of Concern (hotline, anonymous, human resources, compliance, legal, business, compliance application, other);
(5) Geographic Source (region and country);
(6) Line of Business; and
(7) Feedback (satisfaction of source/complainant).
Discipline: For each matter, the disciplinary process should be monitored to include:
(1) Time to Close: from matter opening to resolution;
(2) Resolution: verbal, written, suspension, resignation, discharge, and other;
(3) Category of Actor (employee, manager, executive, senior executive, board member);
(4) Review and Approval: approval of resolution by human resources, disciplinary committee, senior management, board of directors, and other;
(5) Geographic (region and country); and
(6) Line of Business.
Compliance Communications: To track communications messaging, CCOs should track:
(1) Sources: senior management, middle management, legal, compliance and other sources;
(2) Type (oral, written/electronic);
(3) Geographic (region and country);
(4) Line of Business; and
(5) Tracking (clicks, opens).
Training: To measure the operation of the training program, CCOs should track:
(1) Number: employees who have been trained on a specific topic;
(2) Eligible: total number of employees who are required to complete training;
(3) Type: in-person or on-line;
(4) Topic: risk area(s) covered;
(5) Hours: number of hours per employee;
(6) Testing: number, success rate and percentage;
(7) Geographic (region and country);
(8) Line of Business; and
(9) Survey: employee feedback.
Culture Tracking: Important factors to measure on a regular basis should include:
(1) Survey(s): annual, quarterly, and pulse;
(2) Results on Key Factors: perception, knowledge of misconduct, reporting of misconduct and other factors;
(3) Geographic (region and country); and
(4) Line of Business.
Conflicts of Interest: Assuming that a company maintains an automated conflict of interest program, and an internal oversight committee function, CCOs should collect:
(1) Number and Type Disclosed (personal and family relationship, financial relationship or service and other);
(2) Result (resolved, mitigated, pending);
(3) Category of Actor (employee, manager, executive, senior executive, board member);
(4) Source: self-disclosure, complaint (anonymous or identified);
(5) Geographic Source (region and country); and
(6) Line of Business.
Michael:
I’d be interested in building these dashboards on our platform. What is the status of the buildouts you suggested in the post?