To assess compliance, look beyond the rules


I recently moderated at an interactive discussion on evaluating compliance programs at Deloitte’s Cross-Industry Compliance Leadership Summit, where compliance executives from a variety of industries compared notes on the methodologies and metrics they use to measure their efforts.

“If my compliance program prevents, that’s great,” one attendee stated. “If it fails to prevent but detects, that’s okay too. Where it ultimately fails is if there’s management inaction.”

“I’m wary of false security,” one participant shared. “If we’re doing our jobs fairly well, the numbers won’t look horrible. They’ll fall within an established risk-tolerance level. But compliance is about human interaction, and you’re never going to get to zero. I struggle with the idea that metrics lull management into a false sense of security. Zero is a bad number. Any organization is going to have problems and need to fix them.”

During the session discussion, many participants agreed it was more important to measure actual problems than performance against controls. That’s because sometimes, the controls work but the performance fails. No company has an acceptable number of regulations it’s willing to violate, but every company has to accept that technical violations will happen. As one individual noted, “These are things you can actually track. Bringing the conversation to that level can help demystify it. You might not like how we solved it, but we found it.” This can be balanced, though, by tracking performance over time, using “stats” both for monitoring performance at any one time and for trending and regression analysis, which, if managed appropriately, will allow companies to implement risk-sensing capabilities.

That doesn’t mean quantitative metrics go out the window. In fact, more than one participant in our discussion said they had recently added PhDs and analytics experts to their teams for the first time. One use of that capability is to track the back-end of compliance efforts—to make sure the people who step up don’t fear for their jobs as a result.

“A speak-up culture is important,” one participant noted. “You can’t operate if there’s a fear of retaliation, so we implemented retaliation detection methods.” This executive’s company randomly selects hotline callers and asks them six, 12, and 18 months later if they’ve experienced signs of retaliation. An algorithm in SAP helps track phenomena like terminations and degraded performance appraisals against whistleblowing activity.

In sharing views, we learned circumstance can alter the standard of measurement for compliance.

  • One participant noted that priorities changed when his company moved from a parent that viewed it as a financial holding to a different parent that viewed it as a strategic holding. In one case, earnings and financial performance were paramount. Later, customer service became more prominent.
  • The compliance spotlight can vary based on who’s doing the regulating. “Does the activity threaten capital, or earnings?” an attendee asked. “There’s a different set of tests. The OCC (Office of the Comptroller of the Currency) is concerned about safety and soundness of the bank. But, the CFPB (Consumer Financial Protection Bureau) is focused on consumer protection, irrespective of your financial condition.”
  • Another contributor said that in addition to hard numbers, a regulator in his industry would consider the conversations taking place among top managers, the effectiveness of compliance training programs, and how well the company was able to execute on the specific promises it makes – such as archiving 100 percent of calls and emails.

In some industries, compliance officers find the more influence they have in their own organizations, the more credibility they have with regulators, a factor that is often considered in penalty assessment. The compliance officer’s career longevity and access to the board can be important. “If you don’t have a seat at the table, if you’re not participating in the important decisions, you don’t have an effective compliance program,” one person related. “You’re not adding a whole lot of value to the process. You’re just the guy who shows up and says no.”

Paul Campbell leads Deloitte & Touche LLP’s energy regulatory and risk consulting services for the Governance, Regulatory & Risk Strategies practice.
