Everyone wants to measure the effectiveness of his or her compliance program. It helps in managing risks, improving performance, setting goals, convincing the board that you’re doing a good job—and there’s that bit that regulators expect you to measure the effectiveness of your program, too.
Done right, metrics can gauge behavioral issues, spotlight where employee conduct might diverge from company values, and validate whether expensive efforts like employee training really are getting the job done.
All you need, then, is to understand what you want your compliance program to do and the metrics to measure progress along that road. Um, simple—right? Compliance Week recently put that question to compliance executives at our latest executive roundtable, sponsored by advisory firm LRN in Washington.
“To properly develop metrics, you have to know what it is you want to accomplish,” said Wayne Brody, senior knowledge leader at LRN and a former chief compliance officer himself. “The goals come first.”
The following panelists participated in the March 24 CW & ProcessUnity roundtable on vendor risk management. Click on participants' names to see their full bios.
Karen BerthaChief Ethics & Compliance Officer,MCR
Adelle EliaChief Ethics & Compliance Officer,USIS
Alexina Guiomar-JacksonEthics & Compliance Counsel,AES Corp.
Greg HarrisAssistant General Counsel,Corporate Compliance,Verizon Communications
Joe KaleChief Ethics & Compliance Officer,DynCorp International Inc.
Barbara PetittiEthics & Compliance Officer,Alstom
Hillary StanleyAssociate General Counsel,Managing Director of Ethics & Compliance,Accenture
Richard WiedisEVP of Risk Management,HR & Financial Control,MicroStrategy Inc.
Many roundtable participants said one valuable metric is simply gauging how comfortable employees feel about coming forward to report any potential problems or concerns; it speaks to the strength of a company’s culture and is a crucial conduit for reports of misconduct to reach the right senior executives. “If there is a way to get that insight from the population of employees at large, as to whether or not they believe that there is someone they can call—and will call—then that’s a pulse point,” one executive said.
That metric—call it “comfort in speaking up”—isn’t about tangible data such as hotline calls. It is more about culture and environment at the business, which is really is another way to describe the tone at the top regulators stress so much. “I get very few hotline calls, but I get scores of direct calls and e-mails,” said Karen Bertha, chief ethics and compliance officer for MCR, a government contracting business. “What that tells me is that employees feel very comfortable contacting me directly.”
Marsha Ershaghi Hames, practice leader for education solutions at LRN, stressed the importance of evaluating employee engagement in the context of the company’s culture. “If employees are escalating issues directly to management versus calling into the hotline, then that actually may be the metric that you want to measure," she said. "The program effectiveness metric should not be limited to the number of calls that are coming into the hotline.”
In some instances, keeping track of hotline calls can even be counter-productive. As another executive put it, analyzing year-over-year complaints to the HR department means nothing if the company has also grown by 50,000 employees. “It becomes this numbers-recording, data-dumping practice,” the executive said. “We found it wasn’t really helpful.”
Particularly useful, participants said, is to focus monitoring efforts based on a strategic view of the company. One way to achieve this is to follow the company’s highest risk areas—such as gift giving in countries where the company has clients that are state-owned entities, for example.
Furthermore, if your company has a regional-level “ambassador” who has done focus groups and collected input from employees and management in various business units or geographic markets, it’s a good idea to consult with him or her while conducting a risk assessment, Ershaghi Hames said. “Let that person weigh in with what the risk assessment is showing, too, because you have a risk profile in the region, and then you have certain realities on the ground that might not be showing up in the measurement,” she said.
“To properly develop metrics, you have to know what it is you want to accomplish. The goals come first.”
Wayne Brody, Senior Knowledge Leader, LRN
Ershaghi Hames’ point sparked a discussion at the roundtable on the importance of the compliance department having on-the-ground presence in each country of operation. Some attendees said they perform “desk reviews,” where someone from legal or internal audit will go into the country and sit down and talk to employees to understand what’s really going on.
Global energy company AES Corp. performs periodic on-site program assessments that include points such as employee training and focus groups with different stakeholders at different levels, plus one-on-one interviews. “Those compliance program assessments are one of the best ways for us to measure if our program is effective,” Alexina Guiomar Jackson, ethics and compliance counsel for AES, said. “During assessments we spend a significant amount of time on location depending on the size and complexity of the business.”
Tying in Training
Aside from measuring program effectiveness, pushing effectiveness forward is another goal of compliance programs. Little surprise, then, that the roundtable conversation turned to live training as another way to engage with employees and improve a company’s overall culture. “The visibility is not going to work—they’re not going to trust to come to me—unless they see that I’m someone who is responsive, knowledgeable, and helpful around answering questions,” said Barbara Petitti, ethics and compliance officer for the U.S. division of Alstom, the French construction giant.
A common obstacle while developing training programs, however, is the challenge of establishing one global culture that has the same influence on employees across all geographic markets and all backgrounds—particularly when communicating the company’s core values. Take AES as an example, which operates in 20 different countries; the compliance team is managed by a U.S.-based team of subject matter experts, with local compliance officers in each of its businesses.
The question, Jackson said, is how to identify appropriate local employees and representatives, and then teach those employees that the U.S. way of doing business is a practical approach that can help those working on the front lines—not just a set of values and theories sent from Central Command back in the States. “Ultimately, how do you make people working in local businesses part of the compliance team?”
Ershaghi Hames’ answer: A lot of compliance programs make the mistake of focusing on a push toward compliance, “and there is not a two-way dialogue.” [In order for us to be able to retain information—such as what’s a bribe—and apply it on the front lines every day, you need to “put them in a safe sandbox” and apply what you just trained them.]
Storytelling is another low-cost investment that packs a big punch, Ershaghi Hames said. Create ethical dilemmas for employees and then push them with hard-hitting questions: “What if you actually did the right thing and spoke up about an issue, and management doesn’t take action? What would you then do?” Ershaghi Hames said. “Show it in the context of the realities of what a lot of employees are facing.”
Useful allies to achieve that are your front-line managers, who should be held accountable for having such conversations with their employees at least once or twice a year. “Encourage them to share stories,” Ershaghi Hames said.
“There is almost no such thing as effective tone in the middle without effective tone at the top,” Brody said. That being said, your program is going to be less effective if you don’t have tone in the middle.
The idea is for the company’s purpose and values to inform decision making and guide employee and corporate behavior. “Values drive behaviors; behaviors drive outcomes,” Brody said. “That’s it. It’s really that simple.”