Effective compliance metrics provide a clear picture of an organization’s compliance program and its associated risks and controls. Metrics that are precise and insightful help an organization identify its key risks and root causes so that resources can be applied where they most matter. Furthermore, metrics that are aggregated from data across the different lines of business can provide a more accurate view of the compliance risk that might otherwise be overlooked.
It is critical that organizations evaluate and determine key metrics that can give insights into the effectiveness of their compliance program, enabling more effective prevention, detection, and response to existing and future compliance risks. These metrics can help compliance professionals identify gaps in their programs and have better controls in place, enabling the organization to be more risk aware and realize greater value from its compliance program.
However, reporting on compliance metrics is not an easy task for compliance officers. Some struggle to arrive at the appropriate metrics and to gain access to the required data, while others are confronted with the challenge of coping with market dynamics and complexity.
Here are a few metrics that can help compliance leaders strengthen their compliance program.
Though tracking risk events and regulatory findings might appear basic, it is one of the most important metrics that the compliance function must track. Reporting of risk events is common in most organizations, and these reports should be shared with senior management and with the board of directors' audit and risk committees. Regulatory findings also need to be documented, as the severity and publicity of a finding can be critical to the institution's reputation. The value to the organization in sharing risk events lies in the detailed analysis of the controls that may have failed, as well as a better understanding of risks that may not have been previously identified.
Instances of customer and employee complaints can be logged via reporting hotlines. Hotlines can be anonymous if required, but the value lies in the data that gets captured. It is important to perform a quality check on how hotline calls are recorded, to ensure that you are getting relevant and timely information from complainants. The captured data can be used to analyze trends in the complaints received. These trends and reports should be shared with senior management, and change management should follow in response to the complaints. Recurring customer and employee complaints can be indications of a governance risk within the organization, one that can lead to regulatory action and significant reputational loss if analysis, reporting, and remediation are delayed.
Significant compliance investigations, and audit and QA findings that evaluate compliance processes need to be logged and reported. Most regulators expect records to be maintained and produced as and when required. The details of the investigations including any specific findings, follow ups, and the remediation plan proposed should also be documented. When you have all the data on a common platform, trends can be analyzed for more effective and efficient risk management processes across the organization.
Key risk indicators (KRIs) are specific parameters that are developed and viewed as early warning signs of a significant driver of risk. For instance, if you are managing a compliance program for high-risk customers from an AML and sanctions perspective, some of the KRIs to consider could be the number of high-risk accounts opened in a given quarter and the number of accounts with significant OFAC or AML violations.
Risk tolerance statements are used to establish the outer limits of an organization's tolerance for a particular risk. First, you need to determine which risks are under consideration for mitigation. Then you need to ask whether actual processes exist that will provide the compliance team with the relevant data; if these data points don't exist, you may need to create them. Finally, you need to establish a risk tolerance level with baseline metrics for each KRI. An example of a risk tolerance statement would be: no more than two instances of missed OFAC screening per quarter, per business area.
Employee and stakeholder culture surveys help assess morale in the organization and provide insights into its governance, management strength, and reputation, both in terms of the quality of the products and services offered and in terms of its ethical culture. There need to be defined processes for implementing policies and standards across the organization.
Compliance program effectiveness is an assessment of the extent to which the compliance program is able to achieve its programmatic objectives, including acceptance of the program and the cooperation received from the different business lines. It is a strong metric for measuring how well the program is working. Some organizations review business area performance appraisals to better understand whether managers adopt compliance standards and the guidance and recommendations issued by the central compliance function. This assessment helps show how different lines of business are implementing the compliance function's recommendations.
While defining and evaluating these metrics is critical, it is clearly not a one-time activity. Organizations should revisit their compliance metrics periodically and enhance them so they can better manage evolving compliance risks, keep pace with market and regulatory trends, and ensure that the metrics remain aligned with the organization's biggest risks.
The views expressed by the speaker are her own and do not represent the views of the Federal Reserve Bank of New York or the Federal Reserve System.