How to evaluate legal compliance
“Compliance” can be such a nebulous term that it is often hard to pin down. Of course, all businesses should be operating in compliance with rules and regulations, but what does that actually mean, and how can they prove this is the case?
The term “compliance” describes the ability to act according to an order, set of rules or requests, according to the International Compliance Association. A business’s state of compliance can be evaluated at two levels:
- Compliance with the external rules imposed upon the business as a whole by government or industry body regulations, including compliance with laws or ethical standards; and
- Compliance with the internal systems of control imposed by the business to help it achieve compliance with those externally imposed rules
Legal compliance, then, could be seen as two things: compliance with the laws and regulations set out for a business to operate in good standing within a particular jurisdiction, or the internal compliance systems imposed by a legal department to ensure it runs smoothly and in accordance with rules and processes. In either case, in order to understand the level of compliance and where any gaps are, a business needs to know how to measure its state of compliance.
The Importance of Measuring Legal Compliance
Consider the state of a business’s compliance – often referred to as operating in good standing – the same way you would any business project. There will be risks and challenges to overcome; there will be milestones to hit and deadlines to meet; there will be responsible persons and stakeholders to manage. But how do you know what those risks and challenges are? How do you decide what those milestones are and hit those deadlines?
Only through adding a robust program of measurement to your compliance processes can you truly know how to evaluate legal compliance. The act of setting key performance and risk indicators (KPIs and KRIs) helps give those leading compliance a goal to aim for, a way to evaluate risk and success.
First, you must determine the compliance obligation; then you must decide how often you will evaluate legal compliance, who will be responsible for taking actions and monitoring those actions, and who will oversee the ongoing maintenance of that state of compliance. All of this will also need to be clearly and accurately documented and stored in a central repository that’s easy for all to access – you never know when the regulators or the auditors will come calling.
Evaluating legal compliance used to be difficult, with proof of compliance often falling on showing the code of conduct was being followed or that training was completed appropriately. Today, compliance KPIs can be used as an early warning system to detect potential compliance issues and help your business to work to remedy them before they become major issues. Using compliance metrics can help to prevent regulatory action such as fines and sanctions, bad press and media issues, or employee dissatisfaction.
Today, there are several KPIs that are considered essential to track to help you know how to evaluate legal compliance, including:
- The number of compliance issues opened
- The number of employee relations issues opened
- The percentage of outstanding post-audit issues
- The compliance investigation time cycle
- The percentage of internal audits completed on time
How to Evaluate Legal Compliance: Five Steps to Help
The Office of Inspector General at the US Department of Health and Human Services developed a resource guide to help measure the effectiveness of compliance programs. In it, they contend that a sufficiently comprehensive compliance program includes seven elements:
- Standards, policies and procedures
- Compliance program administration
- Screening and evaluation of employees, vendors and other agents
- Communication, education and training on compliance issues
- Monitoring, auditing and internal reporting systems
- Discipline for non-compliance
- Investigations and remedial measures
KPMG says organizations should use a combination of metrics to evaluate these compliance programs:
- One-dimensional, based on one data attribute
- Qualitative, based on intangible or subjective measures
- Quantitative, based on tangible and concrete metrics that are easily measured
- Multidimensional, based on multiple data attributes
- Predictive, leveraging past data and trends to make predictions about potential future compliance risks
But how do you actually measure these elements, and track them to help evaluate legal compliance? Measurement and reporting of compliance-related metrics can tend to lag the rest of the organization, but effective compliance metrics can provide a window into a business’s compliance risks and controls. Start to learn how to evaluate legal compliance by following these five steps:
Step One: Determine Your Benchmark and Set KPIs
You can’t measure if you don’t know what you’re measuring, so the essential first step is to determine what the best metrics are to display your compliance. There is no single metric that can be used to evaluate legal compliance, so compliance leaders tend to rely on a range of different metrics. Strong metrics combine both qualitative and quantitative data sources, such as the hard stats of compliance training vs. focus group feedback on knowledge retention. Once you have decided on your metrics, take a baseline so you can benchmark performance, and set your KPIs.
Step Two: Track Your Compliance Metrics
Once you know what metrics you will use to help you evaluate legal compliance, the obvious next step is to track them. Gather together your data sources and start to keep a record of performance against those KPIs. This is where having a single source of truth for all data and compliance information becomes essential, so that you are comparing like with like.
Step Three: Conduct an Audit and Evaluate Compliance Metrics
At regular intervals – usually once each year – conduct an internal audit to check the state of compliance across the business, including all individual entities, bearing in mind that compliance requirements will differ across jurisdictions. Make sure to note the data of each metric, and plot it in all charts and compliance risk assessment plans you are keeping.
Step Four: Make Any Necessary Changes, and Continue to Monitor and Evaluate Regularly
Where the audit and evaluation exposes issues, determine and take the necessary steps to remediate the issue. This could mean updating or installing new training processes, establishing a process to meet a new filing requirement, creating new codes of ethics, or recruiting specialist staff. These remediation steps should be monitored and evaluated at regular intervals to ensure good progress toward achieving compliance at the next audit. Ensure that you keep a record of all audit outcomes, too, as these can be used to prove compliance to any regulator or industry body that needs proof.
Step Five: Communicate Your Compliance State
Communication is key for compliance, so ensure you have a plan to inform and involve anyone necessary, from the board down to the frontline workers. The board itself will have compliance responsibilities, and will want to know about how the organization is monitoring risks, controls and mitigation efforts; meanwhile, staff will need to know what’s expected of them and when. Bring compliance processes into the onboarding of new staff and ensure regular communications to all staff about compliance and ethics.
Technology’s Role in Evaluating Legal Compliance
All of these steps require easy and quick access to up-to-date, real-time data to ensure the evaluation of legal compliance is robust and correct. Measuring using old or incorrect data can actually cause compliance to slip, which can have a long-lasting financial and reputational impact on an entity or larger group of entities.
Entity management software has emerged as a solution to getting and storing that data. The main objective of legal entity management software is to store and maintain all subsidiary-related information to establish a single source of truth for all entity-related information. It allows for the implementation of processes and procedures across all global entities to ensure precision, accuracy and timeliness with your compliance program.
Get in touch with us and schedule a demo to discover how Diligent’s entity management software can support your compliance team in achieving control and visibility of governance, risk and compliance goals, and help you to get clarity on how to evaluate legal compliance.