Compliance teams often rely on metrics to measure and report on the effectiveness of their compliance programmes. Using a data-driven system is the essence of good science and by unlocking the power of data, businesses can enhance the impact of their compliance programmes and support risk navigation.

Nevertheless, only 58% of chief compliance officers are confident that the metrics they use give them a true picture of success. Many are uncertain which are the most insightful metrics and how to interrogate them correctly. So, to address this issue we have identified the top compliance metrics to assess, in order to help you improve your performance.

What Are Compliance Metrics

Compliance metrics are measurements that indicate how well your compliance program is operating. By using metrics, we can turn data into knowledge and then share the knowledge to drive action. Metrics are important because they can highlight problems, successes, and risks. They can spotlight areas for improvement and ultimately avoid the risk of monetary fines and remediation costs because of corporate misconduct.

How Is Compliance Measured?

Compliance is measured by identifying a specific point of data related to a compliance issue and then logging it into a centralised database. It really is that simple, and achievable with the astute use of technology.

The actual data recorded will vary and as we always reaffirm there is no one-size-fits-all approach. Organisations will benefit from an in-depth assessment and a bespoke solution designed to address each business’s size and needs.  Generally, though, it is records and figures for investigations; amounts spent on investigations; issues identified by subject type; names or roles of people under investigation; types of disciplinary action and more that are being logged.  Compliance technology can be devised to collect fields of data that your organisation needs to record and then provide robust reporting that can then be interpreted.

Top 5 Compliance Metrics

So, what metrics should your compliance programme track? Here are five that will give you a good sense of your programme effectiveness:

1. Average Time to Discover an Issue

This metric gives you a sense of how quickly your programme discovers a compliance issue. You calculate it by adding up all the total “issue discovery times” and dividing that number into the total number of incidents. The result is your meantime to issue discovery.

Meantime to issue discovery can shed light on questions such as whether you have a strong speak-up culture, or the right data monitoring capabilities to find incidents as they happen. Ideally, you want to see this number fall over time – this means you are becoming aware of issues more quickly.

NB/ To calculate this number you will need to ascertain the gap between when an incident started and when the compliance team discovered it. Depending on the situation this can be achieved either through interviews or data forensics.

2. Average Time to Resolve an Issue

You can calculate this metric in a similar way to the one above- add up the total time for all issues to be resolved, and then divide that number by the total number of issues. The result is the meantime to issue resolution.

Time to issue resolution can suggest problems with resources, technology or workflows (too many manual processes, where automation could help).

NB/ Be aware of combining too many issues into one number since that might blur away important information about specific types of issues. As much as possible, track meantime for issue resolution by each type of issue, so you don’t lose that insight.

3. Compliance Expense Per Action

This can be calculated by dividing your total compliance budget into the number of actions your programme manages, you can calculate it every quarter or every year.

This metric can help you understand why certain issues cost more to resolve than others. this in turn might help you understand what solutions would make the most sense for your business.  For example, if a lot of your budget is spent on due diligence it may be more cost-effective to introduce automation.

4. Risk Mitigation Timeframe

This is the time that elapses between your discovery of risk and when you implement any changes necessary to mitigate that risk. It’s relatively easy to calculate because you’ll know the discovery date of every risk and the date when you complete any mitigation. So just add together the mitigation times for all risks, divide that number by the total number of risks you monitor.

This is a good metric to know because it shows how well the compliance programme can implement changes. It may help you convince your Board to invest in your department or may instigate a change in approach altogether.

5.Difference Between Predicted and Actual Risk

If you can measure the gap between the predicted severity of a risk and its actual severity you will be able to understand your risk assessment capabilities. Ideally, you need this gap to be small.

NB/ You should measure the severity gap both financially and operationally to get a complete picture of your assessments.

1RS Here to Help

Here we have touched upon the five metrics we feel provide a good insight into your programme’s basic functions of issue identification and resolution. We have only really scratched the surface and there are many other aspects such as, analysis; reporting; policy review frequency; and results from culture surveys that will further enhance your agenda. Contact 1RS if you would like to speak to our experts about this topic. Compliance improvement is ongoing and we’re here to help.