Originally appeared in KPMG’s “The Compliance Investment”
Compliance leaders across industries are focused on assessing and enhancing their compliance effectiveness in response to regulatory requirements and expectations. This includes ensuring that they have a strong compliance culture embedded throughout the organization and that they are able to demonstrate to their boards and regulators that they understand and can manage their compliance risks. In addition, compliance leaders in organizations with more mature programs are also attentive to the need to improve the sustainability and efficiency of their programs.
While many compliance leaders are beginning to realize the value of their compliance investment through this focus on effectiveness, they often struggle with how to evaluate it.
Many rely on internal metrics for insight into the effectiveness of their programs, including year-over-year improvement and how well they are filling self-identified compliance gaps and inefficiencies, as well as through an external analysis against peers. However, these may not be the most useful metrics given an organization’s risks and strategic goals. Furthermore, compliance leaders recognize the limits of one-dimensional statistics, such as feedback from customers and regulators or decreasing fines. While these metrics provide some insight, they do not generally enhance an organization’s awareness of its actual compliance effectiveness.
In response, compliance leaders are increasingly pursuing multidimensional metrics that link operational performance with compliance and provide a deeper understanding of the organization’s compliance effectiveness. Multidimensional metrics, for example, can enable an organization to better understand the root causes of issues related to retention, engagement, and attitude; the time needed to close audit issues and the number of repeat issues; and client satisfaction or complaints at the business unit level.
Further, leaders are seeking data and analytics and other forward-looking predictive measures, as well as behavioral science indicators, to assess compliance trends and to enhance their understanding of emerging risks and potential misconduct. Examples of such forward-looking metrics include a “click rate” that measures how many employees have read a particular policy, or tracking minor employee misconduct as an early indicator of potentially more serious future misconduct.
In addition, certain metrics gleaned from employee surveys, cultural assessments, or focus groups can demonstrate how the compliance program is deployed within an organization and highlight the soundness of its design and execution. Assessments, for example, can also provide insights on cultural issues across the enterprise or on compliance bypasses that would not necessarily be caught through the other metrics.
While there are no universally accepted definitions of what makes a compliance program effective, and there is no one metric for evaluating effectiveness, the pillars of an effective compliance program are sound design and execution, timely and proactive responses to compliance issues, and readiness for regulatory change.
Sound Design & Execution
Sound design and execution is the foundation of effective compliance. It is demonstrated when the program works as intended and recurring issues decrease over time. To assess design and execution, many compliance leaders track their key risk indicators (KRIs) year over year or survey targeted employees. They typically also consider the Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework and guidance, and measure their program against the seven elements of an effective compliance program set forth in the U.S. Federal Sentencing Guidelines. Regulators in certain industries have developed industry-specific guidance as well.
Timely Response to Issues
While misconduct, gaps, and other issues can still occur regardless of the strength of an organization’s compliance program, how an organization responds to a problem or crisis reflects its compliance effectiveness. A critical part of this response is the ability to implement a sustainable process to self-identify and self-report to regulators potential or alleged misconduct in advance of regulatory scrutiny. In addition, organizations should have processes for receiving and resolving broader issues, including consumer complaints.
Readiness for Regulatory Change
Readiness for regulatory change requires organizations both to anticipate regulatory changes and to respond quickly to comply, including by revising their internal infrastructure and approaches.

Efficient and Sustainable Compliance

In addition to effectiveness, organizations with more mature compliance efforts often find that the next step in their compliance journey, and a key to realizing a return on their investment, is making compliance more efficient and sustainable. Efficient compliance addresses an organization’s many regulatory mandates through a common set of controls, which may require new automated, enterprise-wide controls to replace multiple or compensating controls within individual business units. This can be especially important for decentralized organizations and for organizations that operate under multiple regulatory jurisdictions and face growing challenges in tracking and managing regulatory changes. Sustainable compliance requires compliance leaders to demonstrate effectiveness throughout the supervisory cycle and to maintain repeatable processes that can withstand an external consultant or audit assessment. Given staffing pressures and recent high attrition rates, embedding sustainable processes is increasing in importance.