Compliance metrics: Are yours good, bad, ugly or non-existent?
We all know we’re supposed to have metrics. We need to show the effectiveness of our program. We need to track our progress. We need to identify risk through data. But, often, that’s easier said than done.
Globally, regulatory expectations are high
Expectations regarding metrics and data analysis continue to rise. In the 2023 version of the Department of Justice’s Evaluation of Corporate Compliance guidance, the word “metrics” is mentioned repeatedly. Prosecutors are instructed to ask:
- What metrics does the company apply to ensure consistency of disciplinary measures across all geographies, operating units and levels of the organization?
- What information or metrics has the company collected and used to help detect the type of misconduct in question?
- How have the information or metrics informed the company’s compliance program?
- Does the company apply timing metrics to ensure responsiveness?
Expectations are even higher when it comes to monitoring and effectiveness. The words “monitor” or “monitoring” are used 14 times in the guidance, while the words “effective” and “effectiveness” are found a staggering 56 times in the 21 pages of the DOJ’s guidance.
It’s not just the DOJ. Regulators from the U.K., EU, Asia, Australia and beyond have all commented on the role of metrics, monitoring or data analytics.
Good versus bad metrics
It’s tempting to measure whatever you can, but if the metric you’ve chosen isn’t giving you good information, it isn’t worth tracking.
Good metrics provide very important information.
- They can tell you whether your program is effective.
- They can help you to prove that your program is adding value to the business.
- They can also tell you whether your program is improving over time.
Bad metrics don’t provide any of this information. Creating and reporting on bad metrics has two disadvantages. Management isn’t getting anything out of the metrics, so they won’t pay attention to them. What’s worse – management may think you’re not adding value because your metrics don’t show effectiveness, efficiency or positive change in the organization.
How can you tell the difference between a good and bad metric?
The key question: ‘So what?’
Good metrics will always answer the question, “so what?” If, as famous management consultant Peter Drucker said, “what gets measured improves,” then it matters that what you measure gives a clear answer to this most important question.
Let’s say that 96% of your employees finally finished the Code of Conduct training. So what? Does that mean the training was effective? Does that mean they enjoyed it? Does that mean they learned anything?
If you choose to track the percentage of the employee population that accesses compliance-related policies and procedures on the intranet, so what? Well, a growth in people accessing policies and procedures may indicate that there is an interest in the policies and an awareness that they exist.
KPIs and metrics
Many metrics benefit from the assignment of a key performance indicator (KPI). KPIs can help tell the story of your program and put the metric in context.
Let’s go back to our metric tracking the percentage of employees that accessed compliance-related policies and procedures on the internet. You may find that last year, less than 1⁄2 of 1% of the employee population accessed the compliance-related policies and procedures page of your company’s intranet.
In response, you may set your KPI at 5% annually. The metric has now been put into context, and a KPI has been assigned to it so that it is obvious whether the company is making progress toward the goal.
Choosing metrics that matter
Data that quantifies effectiveness and identifies risk makes your program stronger. By choosing the right metrics, you’ll ensure the success of your program, and ultimately, your career as well.
Interested in learning more about choosing the right metrics and using AI to streamline creation, monitoring and efficacy? Watch our webinar replay, Mastering Compliance Metrics: 7 Elements of an Effective Compliance Program, now.