Many business leaders acknowledge the need for a compliance program and have hired experienced professionals (e.g., a Director of Compliance) to lead the charge. Yet, in most organizations, the compliance function is still seen as a cost center. Many organizations have made a baseline level of investment in compliance to meet their regulatory obligations and gain access to certain markets, but they’re feeling the pinch and wishing that they didn’t have to spend their limited resources on compliance-related costs.
Why do business leaders feel this way? One reason is that measuring the effectiveness of a compliance program is inherently difficult. Risk data and compliance data typically reside in many disparate systems, so it’s hard for the compliance officer to get meaningful insights on how their efforts in compliance are moving the dial for the business.
Metrics that are most readily available to compliance officers tend to be activity-based metrics (e.g., number of compliance policies created, number of internal controls put in place to meet a regulation, training hours completed on a per-employee basis, etc.). Unfortunately, these metrics aren’t satisfactory to business leaders, who think in terms of revenue, costs, and risks.
When a senior management team does not understand how their investment in compliance translates into business outcomes, it’s challenging — to say the least — for compliance officers to secure the budget and resources they need to truly protect their organizations.
As a compliance officer, you have the ability to change senior management’s perception of your function and get the support and resources you need — if you can measure the right things and communicate what your team is accomplishing in a language your senior leaders and board understand.
Metrics That Tend to Resonate With Executives
In this article, our CEO — Craig Unger — provides his take on the key metrics and outcomes that your senior leadership team and the board want to see from the compliance team.
Craig is in a unique position, as he’s been on both sides of IT compliance. As the co-founder and CTO of Azuqua, a category-leading enterprise SaaS company now owned by Okta, Craig had to make the investment in compliance as a business leader and play the role of a compliance manager. He spearheaded projects at Azuqua to certify the company for SOC 2 and GDPR.
At the end of the day, a compliance program is created to help the organization both assess and reduce risk. Best practice and regulatory standards call for risk-based program reviews to specifically account for an organization’s unique risk profile. Working from a risk-based assessment framework can establish the key metrics you need to identify program improvements.
Any metric you can share on the risks that your company faces associated with various activities is sure to help build appreciation and gain the support of your management teams. Metrics will be different depending on the scenario. Your goal is to demonstrate relative reductions in risks over time. You’ll receive bonus points if you can show the reduction in your company’s risk stance is the result of implementing your compliance program.
Currency: How recent was the last risk assessment?
Frequency: Number of externally and internally identified high-risk incidents over time, compared against a baseline (a control group) without a risk program.
Coverage: Number of control processes identified against a given set of risks over time, with proof of control effectiveness.
Responsiveness: How quickly the monitoring systems raise an alert on the controls they monitor.
Risk and compliance are typically handled differently across different teams within an organization. Some teams may use free-form tools like email and spreadsheets, while others might have created databases with control lists. This leads to both uneven results and inefficiencies on the cost side. To the degree that your risk assessment methodology, compliance tools, and policy bring standardization to the organization, you may be able to lower the risk while also lowering the cost.
Cost: Reduction in identification and response time for critical incidents × cost of incidents per unit time.
Automation: Amount of time invested in manual control processes (versus automated ones).
Reuse: The reuse of processes and evidence across discrete compliance programs.
Oversight: Total time spent preparing and engaging in individual audits over time.
Let’s face it, growing the top line is top of mind for executives. If you can demonstrate that enhancing your compliance stance helps your sales team shorten their sales cycles by allowing them to pass vendor risk assessments more quickly, then you are both adding to the top line and improving the bottom line.
In today’s sensitive social and political climate, individuals and organizations only want to transact business with future-thinking organizations that promise a high level of transparency and a commitment to ethics. Your work on compliance can help build your company’s brand and identity and show that you are an organization that is transparent and keeps its commitments.
Today’s workers want to work for an organization that makes a positive difference in society. Your commitment to compliance, transparency, and lowering the risk for your company, your customers, and your partners will show your employees that they work for an ethical, above-board organization. This helps build deeper employee loyalty and increases retention.
Practical Tips on Reporting
If you’re just starting to build out reporting on your compliance program, it’s important to keep it simple. Rather than making assumptions, have a conversation with your management team to see what data they would find useful in allocating limited resources to better manage compliance and ethics risks.
To make the information digestible to management, use a visual dashboard, which provides an effective medium to communicate the whole picture in a short period of time and shows trends over time. In your dashboard, you may want to assign an overall risk score that makes sense for your organization (there isn’t really an accepted standard when it comes to risk assessment). The relative change over time is what management should be watching.
Lastly, the best time to ask management for support and additional resources is when the pressure is off. Surface key asks during regular communications. When you do this, you show management that you’re being proactive, not reactive.
How Does Compliance Management Software Fit Into the Picture?
Compliance management software such as Hyperproof acts as a system of record for all of your compliance information — including compliance frameworks you’ve chosen to use, the requirements within each framework, internal controls, and your evidence. You can import your existing programs and evidence into Hyperproof in a matter of minutes (or set up a new compliance framework directly in the product), and start to manage everything in a more efficient way.
The software is built to help you save time on manual processes as you manage your compliance program on an ongoing basis: it gives you the ability to map your internal controls back to the program requirements, map controls across multiple frameworks to reduce redundancy, collect evidence of compliance from various stakeholders, and reuse that evidence across multiple controls, frameworks, and audits.
Hyperproof also provides dashboards you can use to quickly communicate progress with your senior leadership team. Because all of your compliance data lives in one place, Hyperproof is able to generate out-of-the-box dashboards with an overview of your compliance programs, including controls you’ve implemented and potential issues.
If you’re interested in how you can optimize your compliance program and better demonstrate the effectiveness of your compliance efforts, we’d love to talk.