I recently moderated at an interactive discussion on evaluating compliance programs at Deloitte’s Cross-Industry Compliance Leadership Summit, where compliance executives from a variety of industries compared notes on the methodologies and metrics they use to measure their efforts.
“If my compliance program prevents, that’s great,” one attendee stated. “If it fails to prevent but detects, that’s okay too. Where it ultimately fails is if there’s management inaction.”
“I’m wary of false security,” one participant shared. “If we’re doing our jobs fairly well, the numbers won’t look horrible. They’ll fall within an established risk-tolerance level. But compliance is about human interaction, and you’re never going to get to zero. I struggle with the idea that metrics lull management into a false sense of security. Zero is a bad number. Any organization is going to have problems and need to fix them.”
During the session discussion, many participants agreed it was more important to measure actual problems than performance against controls. That’s because sometimes the controls work but the performance fails. No company has an acceptable number of regulations it’s willing to violate, but every company has to accept that technical violations will happen. As one individual noted, “These are things you can actually track. Bringing the conversation to that level can help demystify it. You might not like how we solved it, but we found it.” This can be balanced, though, by tracking performance over time, using “stats” not only to monitor performance at any one point but also for trending and regression analysis, which, if managed appropriately, will allow companies to implement risk-sensing capabilities.
That doesn’t mean quantitative metrics go out the window. In fact, more than one participant in our discussion said they had recently added PhDs and analytics experts to their teams for the first time. One use of that capability is to track the back-end of compliance efforts—to make sure the people who step up don’t fear for their jobs as a result.
“A speak-up culture is important,” one participant noted. “You can’t operate if there’s a fear of retaliation, so we implemented retaliation detection methods.” This executive’s company randomly selects hotline callers and asks them six, 12, and 18 months later if they’ve experienced signs of retaliation. An algorithm in SAP helps track phenomena like terminations and degraded performance appraisals against whistleblowing activity.
In sharing views, we learned that circumstances can alter the standard of measurement for compliance.
In some industries, compliance officers find that the more influence they have in their own organizations, the more credibility they have with regulators, a factor that is often considered in penalty assessment. The compliance officer’s career longevity and access to the board can be important. “If you don’t have a seat at the table, if you’re not participating in the important decisions, you don’t have an effective compliance program,” one person related. “You’re not adding a whole lot of value to the process. You’re just the guy who shows up and says no.”
Paul Campbell leads Deloitte & Touche LLP’s energy regulatory and risk consulting services for the Governance, Regulatory & Risk Strategies practice.