Compliance and ethics is not the same today as it was a few years ago. The forces shaping compliance are likely to continue to influence the trajectory of compliance and ethics for years to come. In the past, compliance was distributed and disconnected. The relationship of ethics to compliance was inconsistent. Organizations may have had a centralized compliance function to manage critical compliance issues bearing down on the business, but compliance in reality was fragmented and distributed with highly redundant approaches taxing the business. This resulted in a maze of processes, reporting, and information. Each department relied on document-centric and manual approaches that did not integrate, and compliance professionals spent more time managing the volume of documents than it did actually managing compliance. There were inconsistent formats for policies and procedures, issue/incident reporting, and assessments.
Like battling the multi-headed Hydra in mythology, these redundant, manual, and document-centric approaches were ineffective. As the Hydra grew more heads of regulation, ethical challenges, and obligations, the scattered compliance approaches became overwhelmed and exhausted and were losing the battle. These problems led to a reactive approach to compliance, with silos of compliance failing to coordinate and work together. This increased inefficiencies and the risk that serious matters could fall through the cracks. Redundant and inefficient processes led to overwhelming complexity that slowed the business, even as the business environment required more agility.
Compliance and ethics today is in the midst of transformation. The pressure on organizations is requiring us to rethink our approach to compliance. This new approach is focused on what OCEG calls Principled Performance: “The reliable achievement of objectives, while addressing uncertainty and acting with integrity.”
Compliance is evolving to focus on the integrity of the organization. Compliance and integrity is becoming how we do business as opposed to being an obstacle to business. Compliance operations become federated to overcome inefficiencies of the decentralized approaches of the past. This requires a centralized coordinating role for compliance while working with federated compliance functions throughout the business. Organizations are looking to monitor and measure integrity of the organization through information, activities and processes coordinated across the organization.
These trends point in one clear direction: a compliance architecture that is dynamic, proactive, and information-based. That is, a new model for ethics and compliance that:
Is aligned with stakeholder demands for transparency and accountability;
Functions as a strategic partner with executives and aligns with organization strategy and values;
Takes full advantage of emerging technologies to improve efficiencies;
Provides an easy-to-use and engaging interface to get information and participate in compliance process; and,
Measures integrity through an integrated framework of metrics.
The result is an approach to ethics and compliance that not only delivers demonstrable proof of compliance effectiveness, but at the same time shifts the focus of efforts from being reactive and “checking the box” to proactive and forward-looking. This shift enables compliance to monitor integrity by processing and managing metrics across the organization in the context of rapidly changing business, regulatory, legal, and reputational risks to ensure compliance is operationally effective.
Through an integrated compliance architecture the organization will have an optimized infrastructure to report on metrics, benchmark integrity, and understand compliance in the context of business strategy and execution. Measuring integrity requires that the organization have clear insight into metrics supporting the development and communication of clear policies, continual feedback from employees, effectiveness of training programs, incident reporting, and the engagement of employees with these systems. All of these lead to an efficient and effective compliance program responsible for being the champion of organizational integrity.
Measuring Compliance and Ethics: An OCEG Roundtable
Rasmussen: Compliance has changed over the past decade. Facing increased pressure, what is the role of metrics in today's compliance and ethics program?
Helpert: We measure a set of Key Performance Indicators (KPIs). It is important to measure what helps achieve objectives. We look for a correlation between KPIs and desired outcomes. We apply clear metrics that provide visibility to deviations, enable us to determine why they occurred, and assure corrective resolutions prevent repeat issues. The goal is to demonstrate a pattern of continuous improvement.
Tabuena: Metrics aid an organization in demonstrating that compliance is “effective” under the criteria set forth in the Federal Sentencing Guidelines for Organizations and related standards. Metrics make the case to a regulator that a program is working as intended. Compliance metrics are to be included in annual reports that keep stakeholders informed and validate the effectiveness of compliance.
Quinlan: Metrics involve data. It is incumbent upon organizations to understand how the firehose of data can be narrowed to key insights that advance business. Compliance is in a transformative time. The time is right for putting metrics surrounding ethics, compliance, incidents, and employee engagement to work to achieve ethical and thriving culture through insight.
Rasmussen: How would you categorize metrics that a compliance program should collect and evaluate?
Quinlan: Specifically, compliance should be looking at objectively measuring how a location, a department, or employee behavior stacks up against the organization's values and policies. You should measure to compare, monitor, and pursue participation, engagement, and improvements where needed. Regulators may want to see checked boxes of compliance (percentage of policy attestations and training courses completed; controls in place; responses to incidents). Culsture and engagement metrics can serve as valuable indicators of issues that may rise to the surface later. Employees respond to how they are evaluated; making ethical behavior a part of performance evaluations is an important part of instilling compliance at every level.
Tabuena: Compliance is similar to other processes and how they approach metrics. Consider distinctions between structure, process, and outcome. Structure and process demonstrate the “effort” put into a compliance program. However, we need to demonstrate that compliance activities have an effect in the organization. Outcome metrics determine how employee perceptions and conduct have improved over time. Outcome metrics measure the effect of compliance (e.g., trends on observed misconduct, frequency and nature of reporting, fear of retaliation). This encourages companies to undertake evaluative efforts to review results. Compliance can be easily undone by a poor corporate culture; metrics are used to track perceptions and behaviors that point toward potential issues.
Helpert: I categorize compliance metrics as risk-, results-, and program-focused. Risk-focused metrics are tied to general areas of law, regulation, social convention, or voluntarily obligation. In addition, ongoing monitoring of significant ethics- and compliance-related issues and trends. Program-focused metrics document the scope and scale of a company's specific compliance activities. This includes indicators for monitoring initiatives that a company is not currently funding, supporting, and/or implementing; or where the program is insufficient to achieve desired results. Results-focused metrics document success of various aspects of compliance program activities.
Rasmussen: What are some of the key metrics to measure the integrity and compliance health of the organization?
Quinlan: The important thing is to measure results, but measuring activity is easier and most often reported—e.g. training completion rates, policy attestations, or number of hotline calls. These are important numbers, but don't truly offer insight, whereas training test scores from a follow-up survey that demonstrate how much of the session an employee actually retained do. An hour of training is the input, but how it changes the employee's attitudes and behaviors is the output. Compliance needs to measure output so we can stay on top of issues before they arise.
Tabuena: Develop a scorecard to give stakeholders information about the compliance program and where there is risk. Metrics should be gathered from both inside (e.g., investigations, compliance committee meetings, subject matter audits, etc.) and outside (e.g., government agency audits and observations, including fines and penalties). These metrics monitor the program over time and identify legal and other minefields that are ripe for corrective action. I would utilize a survey to assess corporate culture. Benchmark the company's hotline data against peers. Finally, develop risk metrics: Healthcare trends in accuracy of billing and coding can be tracked over time.
Helpert: I recommend organizations compare relationships in four areas. One, awareness training completions that answer: Have we equipped attendees to understand expected conduct, to recognize issues, and to feel confident in reporting issues? Two, tone-at-the-top that addresses: What evidence supports leaders setting examples and nurturing an environment of ethical behavior? Three, hotline reporting: Do reports confirm or deny our “ethics checks” and provide insight on how people ask for guidance or report potential issues? Four, ethics metrics to find: When we respond to a report or question, what do we find? How does this trend over time, by organizational structure, by leader, by location?
OCEG ROUNDTABLE PANELISTS
Michael Rasmussen,Moderator
Chief GRC Pundit,
GRC 20/20 Research
Anita Helpert,
Director Internal Audit,
Raytheon
Patrick Quinlan,
CEO,
Convercent
Jose Tabuena,
Global Compliance &
Regulatory Counsel,
Orion Health
Source: OCEG.
Rasmussen: How do metrics for compliance benefit the organization? Is it just about demonstrating we have checked the checkboxes or is there a greater value that compliance returns to the organization that can be demonstrated through measurement of outcomes?
Helpert: Measuring and reporting on compliance lets a company know if it is operating within regulatory and internal boundaries. By analyzing metrics, managers know whether they are moving the entity closer to objectives. Measuring compliance and ethics performance helps organizations gauge improvement and learn whether the approach is contributing to success. An organization's compliance and ethics program should be measured like any other critical capability. Keeping the board informed is a critical activity, and reporting facilitates that effort.
Quinlan: Today's compliance officer has a real opportunity to play a key role in helping create a thriving and ethical company culture. Metrics is just one component of the role of data in compliance. Data-driven metrics are able to give us a picture of what's going on (i.e., Is this department falling behind in their staff attestation rate? Is the Shanghai office reporting increased FCPA incidents?). Compliance professionals need tools to be able to act quickly, efficiently, and nimbly. Recent studies show that monitoring and measuring ethics and compliance is directly beneficial to the success of the company.
Tabuena: One benefit is showing an effective program during a government investigation. Organizations with mature programs go beyond a check-list to more in-depth benchmarking of leading practices, testing the operating features of the program design and conducting culture assessments. Such measures are valuable to operations and not just the sustainability of compliance. Stakeholders need specific metrics to understand the program is performing. A “performance” evaluation looks not only at the effectiveness of the program, but also its efficiency, responsiveness, and the degree to which it delivers outcomes to the business.
Rasmussen: What role do GRC solutions/technology play in measuring and monitoring metrics for compliance? Can this be done well in spreadsheets, documents, and e-mail?
Quinlan: It often is done that way. However, the effort involved is not efficient, and certainly not likely to yield insights. Compliance technology must be integrated because the relationship between employee behavior and corporate risk is woven together. If only half of your workforce knows your values, or the latest regulatory requirements, you're likely to have a problem. The right technology brings company values, policies, regulations, education programs, and case management into one integrated view. Spreadsheets, documents, and e-mail cannot achieve this.
Helpert: GRC is designed to ensure the enterprise is ethical, internally compliant with policies, externally compliant with regulations, operating in accordance with risk appetite, and aligned with objectives of the organization. While it is process, not technology that should drive GRC, it is all about communication, sharing, and use of data to provide a picture of the organization. Technology enforces a rigor around the process that spreadsheets, documents, and e-mail cannot.
Tabuena: Generating metrics for reporting can be done by spreadsheet, documents, and e-mail, but it can be a messy process that is prone to error. One of the headaches I've had as a compliance officer is when compliance staff is scrambling to gather data needed to report. There always seems to be data accessibility and quality issues. Technology proves valuable in measuring and monitoring metrics. There is work in adapting technology to processes in an organization. However this leads to more efficient and effective measures with a better ability to spot emerging problems.
No comments yet