Compliance and ethics is not the same today as it was a few years ago. The forces shaping compliance are likely to continue to influence the trajectory of compliance and ethics for years to come. In the past, compliance was distributed and disconnected. The relationship of ethics to compliance was inconsistent. Organizations may have had a centralized compliance function to manage critical compliance issues bearing down on the business, but compliance in reality was fragmented and distributed with highly redundant approaches taxing the business. This resulted in a maze of processes, reporting, and information. Each department relied on document-centric and manual approaches that did not integrate, and compliance professionals spent more time managing the volume of documents than they did actually managing compliance. There were inconsistent formats for policies and procedures, issue/incident reporting, and assessments.

Like battling the multi-headed Hydra in mythology, these redundant, manual, and document-centric approaches were ineffective. As the Hydra grew more heads of regulation, ethical challenges, and obligations, the scattered compliance approaches became overwhelmed and exhausted and were losing the battle. These problems led to a reactive approach to compliance, with silos of compliance failing to coordinate and work together. This increased inefficiencies and the risk that serious matters could fall through the cracks. Redundant and inefficient processes led to overwhelming complexity that slowed the business, even as the business environment required more agility.

Compliance and ethics today is in the midst of transformation. The pressure on organizations is requiring us to rethink our approach to compliance. This new approach is focused on what OCEG calls Principled Performance: “The reliable achievement of objectives, while addressing uncertainty and acting with integrity.”

Compliance is evolving to focus on the integrity of the organization. Compliance and integrity is becoming how we do business as opposed to being an obstacle to business. Compliance operations become federated to overcome inefficiencies of the decentralized approaches of the past. This requires a centralized coordinating role for compliance while working with federated compliance functions throughout the business. Organizations are looking to monitor and measure integrity of the organization through information, activities and processes coordinated across the organization.

These trends point in one clear direction: a compliance architecture that is dynamic, proactive, and information-based. That is, a new model for ethics and compliance that:

Is aligned with stakeholder demands for transparency and accountability;

Functions as a strategic partner with executives and aligns with organization strategy and values;

Takes full advantage of emerging technologies to improve efficiencies;

Provides an easy-to-use and engaging interface to get information and participate in compliance process; and,

Measures integrity through an integrated framework of metrics.

The result is an approach to ethics and compliance that not only delivers demonstrable proof of compliance effectiveness, but at the same time shifts the focus of efforts from being reactive and “checking the box” to proactive and forward-looking. This shift enables compliance to monitor integrity by processing and managing metrics across the organization in the context of rapidly changing business, regulatory, legal, and reputational risks to ensure compliance is operationally effective.

Through an integrated compliance architecture the organization will have an optimized infrastructure to report on metrics, benchmark integrity, and understand compliance in the context of business strategy and execution. Measuring integrity requires that the organization have clear insight into metrics supporting the development and communication of clear policies, continual feedback from employees, effectiveness of training programs, incident reporting, and the engagement of employees with these systems. All of these lead to an efficient and effective compliance program responsible for being the champion of organizational integrity.

Measuring Compliance and Ethics: An OCEG Roundtable

Rasmussen: Compliance has changed over the past decade. Facing increased pressure, what is the role of metrics in today's compliance and ethics program?

Helpert: We measure a set of Key Performance Indicators (KPIs). It is important to measure what helps achieve objectives. We look for a correlation between KPIs and desired outcomes. We apply clear metrics that provide visibility to deviations, enable us to determine why they occurred, and assure corrective resolutions prevent repeat issues. The goal is to demonstrate a pattern of continuous improvement.

Tabuena: Metrics aid an organization in demonstrating that compliance is “effective” under the criteria set forth in the Federal Sentencing Guidelines for Organizations and related standards. Metrics make the case to a regulator that a program is working as intended. Compliance metrics are to be included in annual reports that keep stakeholders informed and validate the effectiveness of compliance.

Quinlan: Metrics involve data. It is incumbent upon organizations to understand how the firehose of data can be narrowed to key insights that advance business. Compliance is in a transformative time. The time is right for putting metrics surrounding ethics, compliance, incidents, and employee engagement to work to achieve ethical and thriving culture through insight.

Rasmussen: How would you categorize metrics that a compliance program should collect and evaluate?

Quinlan: Specifically, compliance should be looking at objectively measuring how a location, a department, or employee behavior stacks up against the organization's values and policies. You should measure to compare, monitor, and pursue participation, engagement, and improvements where needed. Regulators may want to see checked boxes of compliance (percentage of policy attestations and training courses completed; controls in place; responses to incidents). Culture and engagement metrics can serve as valuable indicators of issues that may rise to the surface later. Employees respond to how they are evaluated; making ethical behavior a part of performance evaluations is an important part of instilling compliance at every level.

Tabuena: Compliance is similar to other processes and how they approach metrics. Consider distinctions between structure, process, and outcome. Structure and process demonstrate the “effort” put into a compliance program. However, we need to demonstrate that compliance activities have an effect in the organization. Outcome metrics determine how employee perceptions and conduct have improved over time. Outcome metrics measure the effect of compliance (e.g., trends on observed misconduct, frequency and nature of reporting, fear of retaliation). This encourages companies to undertake evaluative efforts to review results. Compliance can be easily undone by a poor corporate culture; metrics are used to track perceptions and behaviors that point toward potential issues.

Helpert: I categorize compliance metrics as risk-, results-, and program-focused. Risk-focused metrics are tied to general areas of law, regulation, social convention, or voluntary obligation. In addition, ongoing monitoring of significant ethics- and compliance-related issues and trends. Program-focused metrics document the scope and scale of a company's specific compliance activities. This includes indicators for monitoring initiatives that a company is not currently funding, supporting, and/or implementing; or where the program is insufficient to achieve desired results. Results-focused metrics document success of various aspects of compliance program activities.

Rasmussen: What are some of the key metrics to measure the integrity and compliance health of the organization?

Quinlan: The important thing is to measure results, but measuring activity is easier and most often reported—e.g. training completion rates, policy attestations, or number of hotline calls. These are important numbers, but don't truly offer insight, whereas training test scores from a follow-up survey that demonstrate how much of the session an employee actually retained do. An hour of training is the input, but how it changes the employee's attitudes and behaviors is the output. Compliance needs to measure output so we can stay on top of issues before they arise.

Tabuena: Develop a scorecard to give stakeholders information about the compliance program and where there is risk. Metrics should be gathered from both inside (e.g., investigations, compliance committee meetings, subject matter audits, etc.) and outside (e.g., government agency audits and observations, including fines and penalties). These metrics monitor the program over time and identify legal and other minefields that are ripe for corrective action. I would utilize a survey to assess corporate culture. Benchmark the company's hotline data against peers. Finally, develop risk metrics: Healthcare trends in accuracy of billing and coding can be tracked over time.

Helpert: I recommend organizations compare relationships in four areas. One, awareness training completions that answer: Have we equipped attendees to understand expected conduct, to recognize issues, and to feel confident in reporting issues? Two, tone-at-the-top that addresses: What evidence supports leaders setting examples and nurturing an environment of ethical behavior? Three, hotline reporting: Do reports confirm or deny our “ethics checks” and provide insight on how people ask for guidance or report potential issues? Four, ethics metrics to find: When we respond to a report or question, what do we find? How does this trend over time, by organizational structure, by leader, by location?


Michael Rasmussen, Moderator, Chief GRC Pundit, GRC 20/20 Research

Anita Helpert, Director Internal Audit

Patrick Quinlan

Jose Tabuena, Global Compliance & Regulatory Counsel, Orion Health

Source: OCEG.

Rasmussen: How do metrics for compliance benefit the organization? Is it just about demonstrating we have checked the checkboxes or is there a greater value that compliance returns to the organization that can be demonstrated through measurement of outcomes?

Helpert: Measuring and reporting on compliance lets a company know if it is operating within regulatory and internal boundaries. By analyzing metrics, managers know whether they are moving the entity closer to objectives. Measuring compliance and ethics performance helps organizations gauge improvement and learn whether the approach is contributing to success. An organization's compliance and ethics program should be measured like any other critical capability. Keeping the board informed is a critical activity, and reporting facilitates that effort.

Quinlan: Today's compliance officer has a real opportunity to play a key role in helping create a thriving and ethical company culture. Metrics is just one component of the role of data in compliance. Data-driven metrics are able to give us a picture of what's going on (i.e., Is this department falling behind in their staff attestation rate? Is the Shanghai office reporting increased FCPA incidents?). Compliance professionals need tools to be able to act quickly, efficiently, and nimbly. Recent studies show that monitoring and measuring ethics and compliance is directly beneficial to the success of the company.

Tabuena: One benefit is showing an effective program during a government investigation. Organizations with mature programs go beyond a check-list to more in-depth benchmarking of leading practices, testing the operating features of the program design and conducting culture assessments. Such measures are valuable to operations and not just the sustainability of compliance. Stakeholders need specific metrics to understand the program is performing. A “performance” evaluation looks not only at the effectiveness of the program, but also its efficiency, responsiveness, and the degree to which it delivers outcomes to the business.

Rasmussen: What role do GRC solutions/technology play in measuring and monitoring metrics for compliance? Can this be done well in spreadsheets, documents, and e-mail?

Quinlan: It often is done that way. However, the effort involved is not efficient, and certainly not likely to yield insights. Compliance technology must be integrated because the relationship between employee behavior and corporate risk is woven together. If only half of your workforce knows your values, or the latest regulatory requirements, you're likely to have a problem. The right technology brings company values, policies, regulations, education programs, and case management into one integrated view. Spreadsheets, documents, and e-mail cannot achieve this.

Helpert: GRC is designed to ensure the enterprise is ethical, internally compliant with policies, externally compliant with regulations, operating in accordance with risk appetite, and aligned with objectives of the organization. While it is process, not technology that should drive GRC, it is all about communication, sharing, and use of data to provide a picture of the organization. Technology enforces a rigor around the process that spreadsheets, documents, and e-mail cannot.

Tabuena: Generating metrics for reporting can be done by spreadsheet, documents, and e-mail, but it can be a messy process that is prone to error. One of the headaches I've had as a compliance officer is when compliance staff is scrambling to gather data needed to report. There always seems to be data accessibility and quality issues. Technology proves valuable in measuring and monitoring metrics. There is work in adapting technology to processes in an organization. However, this leads to more efficient and effective measures with a better ability to spot emerging problems.