Compliance metrics: Are yours good, bad, ugly or non-existent?

We all know we’re supposed to have compliance metrics. We need to show the effectiveness of our program. We need to track our progress. We need to identify risk through data. But, often, that’s easier said than done.

Globally, regulatory expectations are high

Expectations regarding metrics and data analysis continue to rise. In the 2023 version of the United States Department of Justice’s Evaluation of Corporate Compliance guidance, “metrics” are repeatedly mentioned. Prosecutors are instructed to ask:

  • What metrics does the company apply to ensure consistency of disciplinary measures across all geographies, operating units and levels of the organization?
  • What information or metrics has the company collected and used to help detect the type of misconduct in question?
  • How have the information or metrics informed the company’s compliance program?
  • Does the company apply timing metrics to ensure responsiveness?

Expectations are even higher regarding monitoring and effectiveness. The words “monitor” or “monitoring” are used 14 times in the guidance, while the words “effective” and “effectiveness” are found a staggering 56 times in the 21 pages of the US DOJ’s guidance.

It’s not just the US DOJ. Regulators from the U.K., EU, Asia, Australia, and beyond have all commented on the role of metrics, monitoring, and data analytics.

Good versus bad metrics

It’s tempting to measure whatever you can, but if the metric you’ve chosen isn’t giving you good information, it isn’t worth tracking.

Good metrics provide essential information.

  • They can tell you whether your program is effective.
  • They can help you prove that your program adds value to the business.
  • They can also tell you whether your program is improving over time.

Bad metrics don’t provide any of this information. Creating and reporting on bad metrics has two disadvantages. Management isn’t getting anything out of the metrics so that they won’t pay attention to them. What’s worse – management may think you’re not adding value because your metrics don’t show effectiveness, efficiency or positive organizational change.

How can you tell the difference between a good and bad metric?

eBook banner for the ebook, 5 challenges to data compliance strategies

The critical question: ‘So what?’

Good metrics will always answer the question, “So what?” If, as famous management consultant Peter Drucker said, “what gets measured improves,” then it matters that what you measure gives a clear answer to this most important question.

Let’s say that 96% of your employees finally finished the Code of Conduct training. So what? Does that mean the training was effective? Does that mean they enjoyed it? Does that mean they learned anything?

If you choose to track the percentage of the employee population that accesses compliance-related policies and procedures on the intranet, so what? Well, a growth in people accessing policies and procedures may indicate an interest in the policies and an awareness that they exist.

KPIs and metrics

Many metrics benefit from the assignment of a key performance indicator (KPI). KPIs can help tell the story of your program and put the metric in context.

Let’s go back to our metric tracking the percentage of employees accessing compliance-related policies and procedures online. You may find that last year, less than 1⁄2 of 1% of the employee population accessed the compliance-related policies and procedures page of your company’s intranet.

In response, you may set your KPI at 5% annually. The metric has now been put into context, and a KPI has been assigned to it so that it is obvious whether the company is progressing toward the goal.

Choosing metrics that matter

Data that quantifies effectiveness and identifies risk strengthens your program. By choosing the right metrics, you’ll ensure the success of your program and, ultimately, your career as well.

Call to action banner for Booking a demo to see Diligent in action
Share This