Posted by Paul Campbell, Principal, Deloitte & Touche LLP and Howard Friedman, Director, Deloitte & Touche LLP
“Our best metric is still a gut feel.” That’s how one panelist summed up his company’s approach to making sure its compliance program provides the most useful feedback.
That comment was part of a panel discussion on compliance data benchmarks we facilitated on October 2, 2014, as part of Deloitte’s Dodd-Frank Compliance Leadership Academy. The participants were eager to get in front of compliance trends so they could apply today the indicators they’ll need to report on tomorrow. And while many of those indicators arise directly from the compliance function, we found it’s just as important to keep abreast of operations-related data, such as the management of physical assets.
But first, back to that “gut feel.” One theme that ran through our discussion was the need to take a broad view of what constitutes useful compliance data.
One panelist told us the search should begin with operational activities that may pose compliance risks down the road. Compiling those findings into a “story” can help people outside the compliance function understand and act on them. For example, a large company might build its compliance stories around people, process, and technology data, while a smaller company may use information on breaches obtained from HR.
As a different panelist told us, the raw count of compliance metrics may end up meaning a lot less than the accuracy of the information and the context in which it was obtained. The same is true when compliance teams seek to put that data to use. The balance of cause and effect may not work in the company’s favor if the output is purely punitive.
For example, some panelists said they tie compensation to compliance performance. But should that tie be on the group level or aimed at individuals? How can a company assign accountability at the dollars-and-cents level? Will the time lag between the act and the paycheck blunt the intended message? Will the wrong approach trigger employee lawsuits?
Our group also examined the cultural impact of compliance-based penalties. One panelist’s company has adopted the policy of disciplining people over compliance issues only if it was a third party that identified the problem. That preserves an internal culture where people feel comfortable bringing issues forward.
High-volume data and the tools to use it are still important in compliance. For example, one person told us his company’s system automatically detects the improper transmission of intellectual property in outgoing emails, so it’s an active frontier. But our conversation about metrics ended up focusing a great deal on behavioral and cultural indicators. The rules may be black and white, but the people who adhere to them — and the people who enforce them — remain very human.