
Metrics are the key to determining the effectiveness of a company’s compliance program. Compliance program performance metrics can inform compliance professionals about potential issues, successes, and risks related to employee performance and spend. They can also help ensure that companies keep in line with regulatory compliance expectations and avoid issues that could lead to fines or investigations from law enforcement. Simply put, compliance metrics are the foundation of any compliance management program that provides meaningful insights to its users.

But what makes for a meaningful compliance metric, and what purpose do such metrics serve beyond providing compliance professionals with information about their company? This article explains why it is essential to understand how traditional compliance metrics work, how compliance metrics relate to regulators’ expectations, and what effective compliance program performance metrics look like in practice.


Why Do Compliance Metrics Matter?

On a basic level, the insights that compliance metrics can provide about a company’s corruption and fraud risks make them understandably important for compliance management and the compliance officers responsible for their company’s compliance processes. Recent updates from the United States Department of Justice further emphasize the importance of having compliance metrics that matter.


The department’s 2020 updates to its guidance for the Evaluation of Corporate Compliance Programs directed prosecutors to consider three fundamental questions when evaluating companies’ performance:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?

For regulators, it’s not a matter of how many compliance metrics a company uses but whether those metrics answer the three questions above regarding the compliance program’s effectiveness as implemented. Therefore, ensuring that your company has effective compliance metrics, as well as effective compliance analytics, and understanding why they matter should be of paramount importance for compliance professionals.

For example, it’s essential to consider whether the metrics your company’s compliance program uses are actually helping to mitigate risk rather than simply “checking the box.” Traditional metrics such as hotline reports, employee training completion records, and tracking the number of resolved cases year-over-year have their place in the compliance process. Still, companies need to use additional metrics that provide further insights about transactions and employee performance across the enterprise to meet regulatory compliance expectations.

The compliance program performance metrics a company uses to gauge program success can vary heavily depending on its size, industry, and scope. For instance, a locally owned restaurant might use very different metrics to determine its sales strategies than a nationally oriented IT consulting firm. However, when it comes to compliance, a handful of metrics are universally important for gauging the effectiveness of a company’s compliance program.

Having effective compliance metrics is foundational to ensuring that companies can satisfactorily answer prosecutors’ questions about commitment to regulatory compliance if an investigation occurs. With that in mind, let’s examine several meaningful metrics that can benefit companies of all shapes and sizes.


Metrics That Matter: Five Examples of Metrics for Every Effective Compliance Program

1) Predicted Risks Versus Actual Risks

There is a tendency in compliance programs to rely heavily on point-in-time, survey- and interview-based risk assessments or enterprise risk management (ERM) processes to assess the organization’s compliance risks. Less effort is placed on detailed, continuous testing of transactions across the enterprise to validate whether actual risks match those predicted risks. This is where predicted versus actual risk comes into play. It's essential for compliance professionals - and the compliance programs they implement - to accurately judge the severity of a given risk in practice and plan an appropriate response. Metrics that only display the expected severity of a specific risk, taken from a risk assessment or ERM review, without determining whether that judgment is accurate are insufficient.

Using a metric that weighs the impact of predicted risks against actual risks allows compliance officers to determine whether their company's expected risks were in line with the outcomes of its actual risks. Understanding and using this metric enables compliance teams to decide objectively whether they are focusing their attention on the parts of the company that demonstrate high-risk behavior, rather than working off assumptions about the company's risk profile.

For example, suppose a company segment was predicted to be low-risk through an annual risk assessment or ERM review but is instead causing significant issues. In that case, this metric could notify compliance officers of the problem and allow them to redirect their attention appropriately.


2) Time Spent Detecting and Resolving Risks

A well-designed compliance program should be capable of efficiently detecting risks, ranging from abnormal invoices submitted by vendors to atypical gifts for government officials, and should aid compliance professionals in resolving those issues before they become systemic. Therefore, having a compliance metric that measures the timeframe for your company’s risk detection and resolution is integral.

This metric can reveal inefficiencies in your company’s current risk management processes and provide insight into areas requiring improvement. For example, hotline reports and whistleblower reports are commonly used to detect fraud. However, those reports usually focus on one subject and don’t always tell the complete story about spending in an organization, which means other examples of non-compliance may go undetected. Furthermore, those reports are often only made months or even years after problems have begun, which means that even if issues are detected, they might have already become systemic.

The number of hotline reports and whistleblower cases a company receives per year are two of the most well-known traditional compliance metrics, but the limitations described above make them insufficient for companies looking to get ahead of compliance risks and stay in the good graces of regulators. Therefore, companies should measure how long it takes their compliance processes to detect actual risks in the organization and how long it takes to resolve those risks.


3) Recurring Risks

Your compliance processes might be able to identify and resolve risks, but does your company track how many risks of the same type, such as abnormally costly expense reports for travel and meals, continue to occur over a period of time? A successful compliance program will have metrics to inform its users about whether their company is taking appropriate steps to prevent various kinds of risks from becoming recurring issues, such as by taking appropriate action against unethical individuals and otherwise ensuring that teams are actively learning about risks and how to avoid them.

A traditional - and inadequate - metric that companies frequently use to determine the success of their compliance processes is the completion rate for employee training. A company’s training completion rates might be high, but that “tick the box” metric doesn’t indicate that training is necessarily understood or followed. Simply tracking training completion rates rather than employee knowledge and adoption can mask the risk of unethical action, intentional or otherwise. A compliance program that prevents risks from recurring is a program that is being applied earnestly and working in practice - which is what regulators expect such programs to do.


4) Costs of Risks & Risk Mitigation

It is inevitable that companies will lose at least some revenue every year to non-compliance, such as fraud, embezzlement, or even corruption. Compliance programs can help identify and resolve these issues, but it’s important to evaluate the effectiveness of your company’s program to ensure it is detecting risks and mitigating them cost-effectively.

The benefits of having a metric that evaluates the costs of risks are twofold:

First, high-risk segments of an enterprise are more likely to cause issues. These issues can cause companies to lose revenue to waste or be subject to regulatory investigations that lead to expensive legal cases and adverse media attention, which can damage a company’s reputation and harm its bottom line. Having metrics that show which parts of your company pose the highest risk of monetary loss due to non-compliance ensures that your compliance team is dedicating its time and resources appropriately.

Second, understanding the costs associated with risk detection and mitigation is also crucial. Having metrics that reveal which parts of your compliance processes cost the company the most money makes it easier to determine which compliance processes need improvement. For example, if a metric shows that your company is spending an inordinate amount of time and money performing manual third-party due diligence, reducing those manual steps and investing in continuous compliance monitoring software could provide a better return on investment in terms of improving your company’s compliance program and risk mitigation efforts.


5) Unidentified Risks

The worst kinds of risks are those that your company does not detect before they become serious issues. Tracking unidentified risks allows you to identify issues that should have been flagged earlier in the compliance process but slipped through the cracks. This metric is more meaningful than simply counting the number of risks detected and resolved in a given time frame, because that statistic doesn't include undetected issues.

Compliance software bolstered with machine learning, an increasingly popular feature in modern compliance programs, can automatically monitor transactions and other financial data in your company to determine whether specific payments are anomalous, which can simplify the process of uncovering previously unidentified risks. Even if your compliance program does not use machine learning, identifying and adapting to the risks that went undetected will help ensure that the program is being applied earnestly and is having a materially positive impact on your company's compliance record.


Next Steps

Understanding which metrics can benefit your company’s compliance program, and recognizing the limits of traditional “tick the box” statistics, is invaluable in solidifying your company’s stance against risks such as fraud and corruption as regulatory expectations for corporate compliance programs continue to increase. For more information about how to ensure that your company is meeting regulators’ expectations, read our recent article on how data can be used to comply with the Department of Justice’s guidance for corporate compliance programs.


How many compliance metrics should a company use?

For regulators, it’s not a matter of how many compliance metrics a company uses but whether those metrics answer these three questions: Is the corporation’s compliance program well designed? Is the program being applied earnestly and in good faith, that is, adequately resourced and empowered to function effectively? Does the corporation’s compliance program work in practice?

What are the five metrics for an effective compliance program?

Predicted risks versus actual risks, time spent detecting and resolving risks, recurring risks, costs of risks and risk mitigation, and unidentified risks.

How can my company meet regulators’ expectations?

Read our recent article on how data can be used to comply with the Department of Justice’s guidance for corporate compliance programs.

