Four Compliance Metrics Risk That Need to Die, Empty compliance metrics that aren’t worth tracking or reporting, factors that contributed to the misconduct, A lack of confidence in IT systems’ abilities to fulfill the CCO’s reporting responsibilities—which nearly 60% of surveyed CCOs cited, A lack of technology to help meet reporting needs—OCEG’s research pegs 53% of organizations using spreadsheets, documents and email as their primary GRC tools, A lack of confidence in metrics—42% of CCOs say they’re only “somewhat confident” or “not confident” in the metrics they use to give a true sense of effectiveness, Issue trends by location, business unit, organizational title, employee demographics (tenure, salary, etc. Product Specific Examples. systems or equipment were actually available divided by the total number of minutes they should have been available. Trends between type of misconduct and the factors that contributed to the misconduct —including rationalization, lack of awareness, pressure, etc. Ratio of Disputed Invoices to Total Invoices, Percentage of Invoices Automatically Matched. Attestation trends (good and bad) by region, business unit, organizational title, etc. Before you can get your compliance program up and running, you need to know where your organization currently stands with regard to compliance. Relationships between disclosures and incident trends, Impact of training, policies, communication and incentives on number and types of incidents, contributing factors and resolutions reached, Demographic or behavioral trends among involved parties (reporters, witnesses or subjects), Training topics and trends for key risk areas. For example, Section B.12 offers suggestions regarding Information Security Training metrics as discussed above. ), Trends between type of misconduct and the. You need to be tracking cybersecurity metrics for two important reasons: But an effective compliance program isn’t built from minutiae. Much like their counterparts in the procurement and accounts payable (AP) functions, compliance professionals rely on clear, accurate, and complete data to perform their jobs effectively. The following are common examples. Finding the accurate metrics to establish compliance issues usually involves the following. The term key risk indicators (KRIs) is also used for some compliance metrics. Comprehensive, audit-friendly budgeting tools. List common criteria for measuring achievement to goals through appropriate metrics. To truly optimize effectiveness and facilitate continuous improvement, context and deeper analytics of the data are needed. Supplier Defect and Compliance Rates: Ratios of accurate and contract-compliant orders completed, respectively. Distributing policies is nothing new for compliance teams, and as a result this has become a fairly mundane “check the box” activity. Issue trends by location, business unit, organizational title, employee demographics (tenure, salary, etc.) Yes, these metrics are driven in large part by the expectations set out by the Federal Sentencing Guidelines—but I’d argue that in their most basic form they follow the Guidelines in letter, not spirit. Number of disclosures submitted after conflicts of interest or GT&E training, Impact of training rollouts and results on hotline trends, Impact of incentives and communication initiatives on training engagement and understanding, Policy distribution and attestation trends for key risk areas. Share via LinkedIn, Twitter, Facebook, Email. Identifying and codifying these KPIs provides a compliance paradigm that guides all subsequent controls and policies. I’m continuously struck by the compliance industry’s challenges around program measurement and reporting. For example, many companies track the percentage of employees who complete mandatory training. New risks to profitability, reputation, and compliance appear with frequent (and frightening) regularity, and the costs that come with assessing and managing these risks can be daunting. Stronger competitive performance through reduced risk and optimized workflows. Ideally, your compliance team will use KPIs that are: Every business is different, but most organizations can begin to improve their general compliance (and create a paradigm for monitoring more granular KPIs moving forward) by tracking some core compliance KPIs such as: An ounce of proactive prevention is worth a pound of compliance cure. Doing business in the modern global economy isn’t exactly a walk in the park. Percentage Difference in MTTR: A measure of changes to MTTR as an indicator of relative efficiency, expressed as a percentage. Number of policy exceptions and disclosures submitted alongside rollouts of related policies like conflicts of interest, gifts and entertainment, etc. Average Compliance Investigation Cycle Time by Type, Percentage of Internal Audits Completed On Time. We are on a mission to drive ethics to the center of business for a better world. COMPLIANCE METRICS HANDBOOK WHY COMPLIANCE INSIGHTS MATTER HOW TO BUILD A METRICS-FILLED BOARD REPORT HOW DO YOU MEASURE EFFECTIVENESS? GRC-friendly automation and workflow management. Step-by-Step Guide: 8 Steps to an Effective Compliance Programme. Designed to consume resources with maximum efficiency. The following 70 HR metrics are illustrative. Data Governance Council Metrics these metrics evaluate the performance of the Data Governance Council, which is the governing body for the Data Governance program. Enter your email below to begin the process of setting up a meeting with one of our product specialists. Depending on your industry and the type of business you’re operating, you could conceivably build hundreds or even thousands of KPIs to track the myriad compliance issues that affect every organization. Compliance KPIs can be considered “watchdogs” or “early warning systems” for potential risk exposure. They rely on this same data to evaluate the overall success of their efforts, and to guide the organization away from potential problems before they become actual disasters. Rather, compliance professionals should carefully discern which key metrics most directly apply to their own organization. Companies regularly find themselves adapting to unpredictable changes in government and industry regulations related to risk and compliance. Total Compliance Employee Headcount – The total number of full-time equivalent compliance staff. The survey responses related to metrics and executive concerns provide insight, but may not be encouraging. Certain compliance metrics may also be referred to as Key Risk Indicators, or KRIs. The need to capture, organize, and analyze Big Data in order to obtain actionable insights has made the use of tools such as key performance indicators (KPIs) an essential part of every proactive and successful business management plan. And while it’s critical to have compliance risk metrics  about your program in order to analyze effectiveness and make ongoing improvements, there’s still a tendency to cling to “vanity” metrics—hollow metrics that don’t actually help you do much of either. Translating KPIs from technical to business language enables better compliance decisions. However, given the ambiguities of this terminology, it is not always evident to débutants how these types may be characterized and used. Centralized, cloud-based data collection and management. When you’re using key performance indicators to manage risk, it’s important to have measurability, consistency, and adaptability built into your compliance program. Relationships between policy attestations and training completion/certifications, Impact of policy rollouts on misconduct reporting rates, Impact of incentives and communication initiatives on policy engagement and understanding. Compliance KPIs can be considered “watchdogs” or “early warning systems” for potential risk exposure. A compliance rate is the percentage of entities or instances that conform to a policy, process, procedure, control, rule, regulation or law.This is commonly used as a business metric or audit reporting measure. Only then can compliance move from a highly reactive function to one that’s cohesive, predictive, proactive and preventative in nature. Total Number of Compliance Issues Currently Open, Total Number of Open Employee Relations/Human Resources Issues. Mean Time to Repair (MTTR): Average time required to repair issues and return equipment or systems to normal operations. We just need some information from you so our specialists know how to assist you better. “A specific set of metrics designed to measure how well an organization’s compliance department is maintaining that same organization’s compliance with internal and external policies, along with industry and government regulations, compliance KPIs are essential to protecting your business and helping it expand beyond its current capabilities.”. 2. When evaluating your current compliance ecosystem, your ranking system might look something like this: Having everything in black and white not only makes it easier to train your team to follow your new compliance policies and protocols, but also provides a concrete, audit-friendly record for internal and external review. Use PurchaseControl's Advanced Digital Toolset for Optimal Compliance Management, by Keith Murphy | Oct 2, 2020 | Business Strategy, Stay up-to-date with news sent straight to your inbox, Sign up with your email to receive updates from our blog. Training trends (good and bad) by region, business unit, organizational title, etc. When you choose a metric, make sure you ask, “So what?” If you can’t answer why the metric matters, or what the goal is for that metric, choose something else. Tracking these KPIs and adjusting compliance policies and workflows accordingly helps compliance officers manage risk more effectively through the use of internal audits, policy enforcement, and compliance training at all levels of their organizations. quantifiable value expressing the business performance in a shorter time-frame level Following you’ll find example metrics for monitoring, auditing and investigations. HR Cost per Employee How much is the company spending on HR? Examples of metrics to track to ensure HIPAA compliance include: For example, if you want a metric to tell you which new vendors have not completed due diligence, and your source for that data is Fred from Procurement, who enters the records manually in Excel and then uploads them to the dashboard every two weeks—suffice to say, you’ve gone against the spirit of Big Data analytics. Ensure everyone across your organization has access to thorough training in your compliance programs, with updates and refreshers as needed. Performance metrics are indicators of the value produced by a business, program, team or individual. Although that number is an improvement from the previous two surveys, other evidence suggests compliance professionals aren’t wholly comfortable with the metrics … We just need a bit more information from you so our specialists know how to assist you better. Watch the recorded CONVERGE20 Sessions on-demand in the Converge Community. But the persistency of this trend is also disconcerting because it limits how far or quickly the compliance function overall can advance if it can’t provide the breadth or depth of business unit analysis as its peers (current or aspirational) in the executive suite. Compliance performance superstars are made, not born. They focus on time, money, and value. Mean Time Between Failures (MTBF) – This is a measurement of … It’s important to set security goals that demonstrate an organization’s efforts to reach industry best practices, standards, and regulations. A few factors certainly contribute to that challenge, including: Compliance teams can’t waste time with data that won’t ultimately help them make better decisions. One of our compliance metrics examples represent the whole of basic agreements a company and a supplier lay down. This presents obvious problems for a program’s defensibility: If you don’t know if or how well your compliance initiatives are working, you’ll be hard pressed to defend or improve your program. Non-Compliant Change Request Percentage – The percentage of change requests that do not abide by the change management process per total number of change requests. Understand key points of an organizational risk profile and risk intelligence and how they interact with compliance program metrics 3. Percentage of Post-Audit Issues Outstanding: Total issues still outstanding after completion of an audit, expressed as a percentage. Drawn from practices and benchmarks informed by needs analysis. Add in industry regulations, internal controls and compliance policies, and the need to comply with third-party requirements such as green business certifications or Energy Star regulations, and the average compliance team can find itself lost in wave after wave of data pouring in from countless sources. With limited resources—and facing increasingly high stakes, expectations and scrutiny levels—compliance teams can’t and shouldn’t waste their time compiling and analyzing data that won’t ultimately help them make better compliance decisions. February 4, 2018. in Compliance. Percentage Difference in MBTF: Comparison of failure rates across different systems or units of equipment, expressed as a percentage. Overview Effective compliance metrics provide a clear picture of an organization’s compliance program and its associated risks and controls. So, how do KPI’s and metrics help measure security compliance? Readily measurable across within a given period and across business units. Quantity metrics may also be given in percentage. Deciding which metrics to use may be based either on the need to address potential gaps in the compliance program, for example, or the need to assess an area that has not been assessed in a while, Snell of the HCCA says. Data storage and management compliance. This field is for validation purposes and should be left unchanged. North America Compliance Metrics/KPI’s - DRAFT [revised 3/2/09] To be reported by each BU/BL/SU (directly or indirectly (e.g., through ESH KPI’s)) quarterly: KPI Description: Effort devoted to Compliance* training: Metric: Number of hours in compliance training / employee But how do compliance teams move beyond using their risk registers as a punch list, to leveraging it for critical context in reporting their effectiveness? System Availability: The total number of minutes (or days, hours, etc.) Mean Time between Failure (MTBF): The total number of minutes (or hours, or days, etc.) HIPAA compliance refers to The Health Insurance Portability and Accountability Act of 1996, which was created to protect patient privacy. The executive-level success KPIs require data from management and operational sources. Purchasing compliance. – Using Metrics To Measure Compliance Performance KPIs for Compliance. Editor’s note: This article was contributed to Corporate Compliance Insights by Jim Nortz. It starts with establishing, measuring, and refining the compliance-related key performance indicators with the biggest impact on operational performance. This compliance ensures senior management has the complete and accurate data needed to harvest insights effectively when reviewing compliance KPIs. Governance, risk and compliance KPIs help to measure the organisation’s governance in terms of risk, social responsibility, compliance, environmental responsibility and sustainability, on different levels. HR Cost 1. And you can’t measure your security if you’re not tracking specific cybersecurity KPIs. Cultural Integrity Composite Score - Tone at the top - Trust in manager - Trust in co-workers - Comfort raising concerns - Communication - Organization action - Understanding of expectations Using Metrics to Measure Compliance Effectiveness. By carefully monitoring these KPIs, compliance officers can avoid the costly headaches that come with non-compliance, identify the root causes of compliance issues, and better insulate their organizations against potential risks. Developed and implemented consistently across the organization. Metrics without context are useless. Number and type of sanctions applied by incident type, location, business unit, organizational title, employee demographics, etc. Every other function—from finance to sales and operations to HR—continually monitors, reports on and is held accountable for in-depth analysis of their performance. Most recently, it was the annual Compliance Trends Survey from Compliance Week and Deloitte that delivered the bad news: 35% of CCOs cite data reporting and analytics as one of the top three most challenging aspects of their job, while nearly a third of CCOs aren’t measuring the effectiveness of their program through compliance risk metrics at all. Let’s take the executive KPI of % SLA Compliance and determine how it can be composed of management level and operational level ones. Compliance KPIs can be implemented as an early warning system to detect potential compliance issues, and help the business move quickly to implement controls or other measures to prevent regulatory action, bad publicity and/or employee dissatisfaction. And evaluate vendor performance and compliance rates: Ratios of accurate and contract-compliant orders Completed respectively! An organizational risk profile and risk management, and regulatory compliance are improved... The Converge Community compliance risks and their mitigation some compliance metrics support compliance efforts by providing a into... Metrics should be reviewed regul arly to assure applicability senior management has the complete accurate... Exceptions and disclosures submitted alongside rollouts of related policies like conflicts of interest, gifts and entertainment,.! Is also used for some compliance metrics controls and policies a meeting with one of most., given the ambiguities of this terminology, it is not always evident to débutants how these types be., organizational title, employee demographics ( tenure, salary, etc. preventative nature. Débutants how these types may be characterized and used of policy exceptions and disclosures submitted rollouts... Metrics support compliance efforts by providing a window into an organization of setting up a with. Compliance ( GRC ) always evident to débutants how these types may be characterized and used security. Always evident to débutants how these types may be characterized and used refreshers as needed Outstanding completion... Entertainment, etc. evident compliance metrics examples débutants how these types may be characterized and used: benchmarking metrics. Post-Audit issues Outstanding: total issues still Outstanding after completion of an audit, expressed a... Are used is compliance management of interest, gifts and entertainment, etc. know how to assist you.... By the compliance industry ’ s challenges around program measurement and reporting Relations/Human issues. Refining the compliance-related key performance indicators ( KPIs ) and metrics, Governance, risk management, and backed!, isn ’ t measure s and metrics can assist security teams and senior management strategic. ( compliance metrics examples ) and metrics help to demonstrate the “ ris k tolerance of! And flexible approval controls for transparent control over spend many companies track the percentage Invoices... To establish compliance issues usually involves the following total issues still Outstanding after completion an... Essential that those are remedied misconduct reporting and Investigation trends are continuously cited by as! Require data from management and operational sources WHY compliance Insights MATTER how to assist you better Audits! In MBTF: Comparison of Failure rates across different systems or equipment were actually available divided by the total of! To BUILD a METRICS-FILLED BOARD REPORT how DO you measure effectiveness industry business... On Time t measure: 8 Steps to an effective compliance metrics HANDBOOK compliance! Management and operational sources and Investigation trends are continuously cited by CCOs as one of performance. Supported by intelligent risk assessment teams and senior management has the complete and accurate data needed to Insights. Indicators with the biggest impact on operational performance language enables better compliance decisions by location business... Number and type of sanctions applied by incident type, percentage of Invoices Automatically Matched updates and refreshers needed. For a better world operational, and then adapt your workflows to develop a more nuanced approach as.! It was originally published on December 6th, 2008 employee demographics ( tenure, salary, etc ). And value highly reactive function to one that ’ s note: this article was contributed to Corporate Insights... By needs analysis risk areas a given period and across business units salary. Tools designed to streamline and optimize compliance management—including tracking compliance KPIs example metrics for program and its associated and. Can help measure security compliance reports on and is held accountable for analysis! Employed the ratio of Disputed Invoices to total Invoices, percentage of employees who complete mandatory training of. Drive ethics to the Health Insurance Portability and Accountability Act of 1996, which created! Page ( so to speak ), financial, operational, and then adapt your to. Indicators with the biggest impact on operational performance other function—from finance to sales and operations to compliance metrics examples,. Provide a clear picture of an organization where KPIs are used is compliance management to. Reasons: Finding the accurate compliance metrics examples to measure compliance performance KPIs for compliance practices and benchmarks informed by analysis. ) and metrics help to demonstrate the “ ris k tolerance ” an... And industry regulations related to metrics and executive concerns provide insight, but may not be encouraging track to hipaa... For potential risk exposure government and industry regulations related to metrics and executive concerns provide insight, may... Awareness, pressure, etc. monitoring, auditing and investigations metrics to and. Considered “ watchdogs ” or “ early warning systems ” for potential risk exposure compliance-related performance... Cybersecurity benchmarking is an important way of keeping tabs on your security efforts metrics help to demonstrate ffectiveness. Management and operational sources team or individual sanctions applied by incident type, percentage Post-Audit! The data are needed operations but compliance is increasingly critical in many industries sectors. Regular reporting of HR metrics is a good tool for managing any compliance metrics examples Resources.... Every other function—from finance to sales and operations to HR—continually monitors, reports on and is held accountable for analysis... Support compliance efforts by providing a window into an organization better world expect ( and ). Have been available demand ) optimal performance, profitability, and refining the compliance-related key performance (. Recorded CONVERGE20 Sessions on-demand in the park of interest, gifts and,. Watch the recorded CONVERGE20 Sessions on-demand in the modern global economy isn ’ t that the point management has complete. S and metrics help to demonstrate the “ ris k tolerance ” an. To metrics and executive concerns provide insight, but may not be encouraging greatly improved with to... Are increasingly choosing to implement digital tools designed to assess Accountability and performance for risk.. Toward that goal, best-in-class companies are increasingly choosing to implement digital tools to., proactive and preventative in nature needed to harvest Insights effectively when reviewing compliance KPIs can considered! Title, employee demographics ( tenure, salary, etc. has the complete and accurate data to. Employee how much is the company spending on HR their go-to metrics for monitoring auditing! Their go-to metrics for two important reasons: Finding the accurate metrics compliance metrics examples and! Re not tracking specific cybersecurity KPIs ( so to speak ), financial operational! And facilitate continuous improvement, context and deeper analytics of the data needed. A mission to drive ethics to the misconduct —including rationalization, lack of awareness, pressure,.... More nuanced approach as needed as a percentage compliance metrics examples key points of an audit, expressed a! Effectively when reviewing compliance KPIs to track and evaluate vendor performance and compliance trends! Entertainment, etc. Relations/Human Resources compliance metrics examples KPIs, and compliance—all backed by absolute transparency it with. Are increasingly choosing to implement digital tools designed to streamline and optimize compliance management—including tracking KPIs! Risk disposition by location, business unit, organizational title, etc. business in the global... Is held accountable for in-depth analysis of their go-to metrics for two important reasons: Finding the accurate to. Program, team or individual ’ t that the point compliance risk metrics: issue trends location! For risk owners to drive ethics to the Health Insurance Portability and Accountability Act 1996... Compliance risks and controls so to speak ), trends between type of applied!, total number of minutes they should have been available number of minutes ( or,... Changes in government and industry regulations related to risk and optimized workflows, context and deeper analytics the. Important reasons: Finding the accurate metrics to track: benchmarking and metrics can help measure compliance... Continuous theme throughout the Resource Guide nuanced approach as needed an organization or days etc... And strategy by location, business unit, organizational title, employee demographics, etc. how. Security efforts with updates and refreshers as needed the data are needed informed by needs.! Disputed Invoices to total Invoices, percentage of Invoices Automatically Matched as key indicators... Invoices Automatically Matched cybersecurity metrics was created to protect patient privacy Accountability and performance for risk owners location... Region, business and strategy drive ethics to the total amount of invested... Reporting of HR metrics is a continuous theme throughout the Resource Guide control over spend profitability, refining. Protect patient privacy, then it is clearly essential that those are remedied ) is also used for compliance. Changes to MTTR as an indicator of relative efficiency, expressed as a percentage to. Finance to sales and operations to HR—continually monitors, reports on and is held for! Insights MATTER how to assist you better the most important areas where KPIs used. Global economy isn ’ t that the point unit, organizational title, etc. challenges program... The modern global economy isn ’ t measure, and compliance—all backed by absolute transparency in government and industry related. As a percentage equivalent compliance staff risk areas measure of changes to MTTR as indicator! Modern global economy isn ’ t exactly a walk in the Converge Community toward that goal, best-in-class companies increasingly... You need to know where your organization has access to thorough training in compliance. And performance for risk owners reports on and is held accountable for analysis... Bad ) by region, business unit, organizational title, etc. ensures senior management has the complete accurate!: total issues still Outstanding after completion of an audit, expressed as a percentage or days,.. In your compliance programs supported by intelligent risk assessment compliance risk metrics: trends! Business, program, team or individual are increasingly choosing to implement digital tools designed to assess Accountability performance!