3 Pillars to Measuring Compliance Program Effectiveness

Amy Matsuo, KPMG

Originally appeared in KPMG’s “The Compliance Investment


Compliance leaders across industries are focused on assessing and enhancing their compliance effectiveness in response to regulatory requirements and expectations. This includes ensuring that they have a strong compliance culture embedded throughout the organization and that they are able to demonstrate to their boards and regulators that they understand and can manage their compliance risks. In addition, compliance leaders in organizations with more mature programs are also attentive to the need to improve the sustainability and efficiency of their programs.

While many compliance leaders are beginning to realize the value of their compliance investment through this focus on effectiveness, they often struggle with how to evaluate it.

Many rely on internal metrics for insight into the effectiveness of their programs, including year-over-year improvement and how well they are filling self-identified compliance gaps and inefficiencies, as well as through an external analysis against peers. However, these may not be the most useful metrics given an organization’s risks and strategic goals. Furthermore, compliance leaders recognize the limits of one-dimensional statistics, such as feedback from customers and regulators or decreasing fines. While these metrics provide some insight, they do not generally enhance an organization’s awareness of its actual compliance effectiveness.


Step-by-Step Guide: 8 Steps to an Effective Compliance Programme


In response, compliance leaders are increasingly pursuing multidimensional metrics that link operational performance with compliance as well as metrics that can provide a deeper understanding of the organization’s compliance effectiveness. Multidimensional metrics, for example, can enable an organization to better understand the root causes of issues related to retention, engagement, and attitude; the time needed to close audit issues and the number of repeat issues; and client satisfaction or complaints at the business unit level. These metrics also provide insights into compliance effectiveness.

Further, leaders are seeking data and analytics and other forward-looking predictive measures, as well as utilizing behavioral science indicia, to assess compliance trends and to enhance their understanding of emerging risks and potential misconduct. Examples of such forward-looking metrics might include a “click rate” that measures the number of employees who have read a particular policy, or tracking minor employee misconduct as an indicator of potentially more serious future misconduct.

In addition, certain metrics gleaned from employee surveys, cultural assessments, or focus groups can demonstrate how the compliance program is deployed within an organization and highlight the soundness of its design and execution. Assessments, for example, can also provide insights on cultural issues across the enterprise or on compliance bypasses that would not necessarily be caught through the other metrics.

While there are no universally accepted definitions of what makes a compliance program effective, and there is no one metric for evaluating effectiveness, the pillars of an effective compliance program are sound design and execution, timely and proactive responses to compliance issues, and readiness for regulatory change.

  1. Sound Design & Execution

Sound design and execution is the foundation of effective compliance. This is demonstrated when the program works as intended and recurring issues decrease over time. To assess design and execution, many compliance leaders look at their key risk indicators (KRIs) year over year or at surveys of targeted employees. They typically also consider the Committee of Sponsoring Organizations’ (COSO) internal controls framework and guidance and measure their program against the seven topics set forth in the U.S. Federal Sentencing Guidelines. Regulators in certain industries have developed industry-specific guidance.

  2. Timely Response to Issues

While misconduct, gaps, and other issues can still occur regardless of the strength of an organization’s compliance program, how an organization responds to a problem or crisis reflects its compliance effectiveness. A critical part of this response is the ability to implement a sustainable process to self-identify and self-report to regulators potential or alleged misconduct in advance of regulatory scrutiny. In addition, organizations should have processes for receiving and resolving broader issues, including consumer complaints.

  3. Readiness for Regulatory Change

Readiness for regulatory change requires organizations to both anticipate regulatory changes and respond quickly to comply. This includes revisions to their internal infrastructure and approaches. In addition to effectiveness, organizations with more mature compliance efforts often find that the next step in their compliance journey—and a key to realizing a return on their investment—is making compliance more efficient and sustainable. Efficient compliance can address an organization’s many regulatory mandates through a common set of controls, which may require new automated, enterprise-wide controls to replace multiple or compensating controls within business units. This can be especially important for decentralized organizations and for organizations that operate under multiple regulatory jurisdictions and face growing challenges in tracking and managing regulatory changes. Additionally, sustainable compliance requires compliance leaders to demonstrate effectiveness throughout the supervisory cycle, as well as repeatable processes that can be assessed by an external consultant or audit. Given staffing pressures and recent high attrition rates, embedding sustainable processes is increasing in importance.
