How to Measure Compliance Program Effectiveness
- To measure compliance program effectiveness in your organization, first, understand what matters to your business. Each business has their own unique key performance indicators. Start here for your tracking efforts to be most impactful.
- Refine your storytelling skills when presenting program data to organizational leadership. It helps them to connect to the data while taking away the key messages.
- Create a master inventory of all assets in your company so you know what to measure.
Measuring the effectiveness of a corporate compliance program is not as cut and dry as calculating the performance of a marketing campaign or the performance of a product’s sales in a new region.
The complexity is caused by a few factors. Measuring “effectiveness” is required by many authorities and regulators including the U.S. Sentencing Commission, the governing body that defines effective for corporate compliance programs.
Yet, all compliance programs are not universal, meaning they should adhere to the business’s unique variables such as industry, operating regions, and size. Therefore, there remains a lack of clarity around what comprises “effective.”
Gathering the metrics needs to determine what the Commission dubs effective is a bit of a catch-22 for many practitioners.
In our recent webinar, compliance and security experts Stephanie Jenkins, Chief Compliance Officer at ETHIX360 and Janelle Hsia, Director of Privacy and Compliance at American Cyber Security Management shared potential metrics that can be used to support the value of a compliance program; metrics that can be used to determine a program’s overall impact on a business.
To gather accurate compliance metrics, understand your business.
“To build a solid program foundation, you need to know what the requirements are and how you will measure success along the way,” says Stephanie Jenkins, Chief Compliance Officer at ETHIX360. “A really good starting point is to understand your business, not just the risk you face, but what your clients and other stakeholders care about.”
Knowing what matters most to the key people in your organization will help you form a story that can be supported by the data you collect and help guide you to collect the right kind of data. Compliance and ethics programs are flooded in metrics and the ways to collect them are repeatable — the challenge is getting the hook that will resonate with the business.
For example, if you work at a software startup, growth is likely a high priority for the company’s leadership. Every strategy and tactic built to support a high rate of growth gets leadership’s attention and increases the likelihood of getting budget to do so.
From a compliance and security standpoint, growth translates to a number of risks that need to be proactively taken into account. Employee-related compliance such as stock options, wage and hour laws, and promotion policies tend to get pushed aside to make room for rapid product development in fast-paced growing companies.
Yet these kinds of risks pose significant legal and financial risks that would greatly hinder the company’s growth if they became a reality.
By prioritizing the areas that have the most impact on legal ramifications or a high pull on resource demand, companies that are run lean like startups can be better prepared and poised for healthy growth.
Attaching these data points — those around the costs of not prioritizing stock option policies, for example — will begin to illustrate the business case for continued investment and support in the compliance and ethics function.
The data you collect from measuring should tell leadership a story.
“If there’s no story to tell, it’s just numbers,” says Jenkins. Numbers mean next to nothing to a company’s leadership. Knowing how to add colorful commentary to a data point, brings the data to life and helps leaders understand it’s value, and thus, the value of the compliance program.
There are many different data points that can be collected to help tell the story of your program, but what’s most important is to select the metrics that matter most to your company and your compliance program.
Metrics that may matter to your organization could include:
- Case Management: Hotline/helpline reports broken down by issues/allegation type, Code of Conduct, specific policy, anonymous vs. named, intake method (phone, web portal, text message), in-person/open door reports, number of reported cases opened/closed, number of data to close cases, number of legal proceeding types
- Conflict of Interest: broken down by annual, new hire and ad hoc employees, attestation completion rates, number of actual vs. perceived COIs, number of days to resolve
- Policy Management: number of active policies, how often they are reviewed, attested to, requested by prospect/client
When presenting any or all of these metrics to your leadership, wrap the hard and fast numbers into a meaningful story your leadership can relate to. Think about what matters most to them and the business to form the narrative of the data around it.
Compliance metrics at one company may not matter to the next based on industry, current real and potential risks, and program maturity, says Jenkins.
Analyze company processes and determine a risk tolerance to build a compliance framework.
For any company, it’s a business necessity when developing a compliance program to understand existing policies, procedures, and processes, or what Jenkin’s calls, the three Ps.
During this stage, you will quickly uncover gaps. Elements such as information security policies, cybersecurity, getting prepared for initiatives like GDPR are examples of corporate compliance table stakes should be considered, if not already, during this discovery.
“We can’t grow and be successful unless these things are in place,” says Jenkins.
You can’t measure what you don’t know — create an inventory of assets.
“Something as simple as knowing the number of systems, the number of software products, and the number of employees or contractors that are accessing your data,” says Hsia. “Not only do you want to know the number of systems or the number of software, but you also want to know what’s not authorized. The only way to know who’s not authorized is by knowing who is.”
Other metrics that can go into asset inventory, according to Hsia, include:
- Mean time between failures
- How often equipment is going to the IT department
- Percent of missing and stolen equipment including credentials and files
- Equipment maintenance schedules
- Endpoint protection updates such as antivirus software or patch updates
- Remediation rates for all types of IT related vulnerabilities
- Age of open vulnerabilities
- Number of vulnerabilities
For a deeper discussion of how to effectively measure your compliance program, access the on-demand webinar featuring Janelle Hsia and Stephanie Jenkins, Compliance Metrics That Matter.
Eager to share your thoughts with the world? Become a SurveyGizmo content contributor! Complete our contributor form and one of our editors will be in touch shortly.