When I think of compliance data, the first thing that comes to mind is defense. If you don’t know if or how well your compliance initiatives are working, you’ll be hard pressed to defend or improve your program. However, a recent survey shows almost half of compliance professionals are only somewhat confident or not confident in the data they use and over half are relying on spreadsheets, documents and email to manage compliance. You need to be confident when it comes to protecting yourself, your colleagues and your organization. Furthermore, you do not want to depend primarily on a process that is manual because not only is it prone to human errors, but it is extremely time consuming.
Since there is so much data when it comes to compliance and it is so very important, I wanted to discuss useful data vs. data. And, to make it a little more fun on this Friday afternoon, I’ll be comparing it to something we can all relate to – a doctors visit.
Every time you visit the doctor, no matter the reason, there are certain things they always measure. A few that come to mind are weight, height, blood pressure, cholesterol, etc. This data is useful to your doctor because it is measurable, verifiable and contextual. Since it is measurable they are able to see changes over time and compare against the baseline for your age and gender; when its verifiable the records meticulously maintained over time and are reliable, historical data to bench mark against; and being contextual it allows you to see how imbalances in one area may explain red flags in another. With these stats, you are able to start getting a 360-degree view what is going on. Isn’t that every CCO’s dream?
compliance data— in order to be useful —needs to be measurable, veriﬁable and contextual.
When you can measure and verify data, in context, you can accomplish a lot. First, you are able to quickly identify areas of concerns so you can focus your efforts where they’re actually needed. It also allows you to draw logical conclusions and make informed decisions based on the big picture. Since decisions are now being made from logic vs. guess work, you are confident in the accuracy and completeness of the data you’re basing your decision on. So, enough about the doctor, this is a compliance blog after all, but why should compliance be any different when it comes to collecting data? It shouldn’t be!
Today, compliance officers are recording incidents from the hotline, web and in person reports, tracking investigations, managing policies and acknowledgements, administering and tracking training, conducting risk assessments and managing disclosures and surveys. Recording all of this is a must, but it still doesn’t give an accurate picture of compliance effectiveness.
For starters, you need an eﬀective strategy that outlines what to measure, how to measure it and to facilitate improvements once you have the critical data in hand.
- How do you know what you’re doing is working?
- How do you validate improvements in your program?
- How do you show a good-faith implementation of your program?
Like your personal health, compliance data— in order to be useful —needs to be measurable, veriﬁable and contextual.
1. Measure Everything
It goes back to that saying we’ve all heard so many times before “you can’t manage what you can’t measure.” Once you start measuring everything, you begin to collect quantitative data that provides consistency, progress overtime and quick assessments of weak spots or problem areas. With quantitative data, you also can start benchmarking against your historical results, industry peers and industry best practices. Not only will this help you continuously improve your program, but as well know so well, regulators expect you to benchmark and constantly improve.
2. Make sure you can verify
Since you are now measuring everything, it’s important that the data is accessible and reliable for your compliance team, your front-line managers, your board, your auditors and for regulators (if they should ever ask). If anything ever goes wrong, it is critical to have a record of your program initiatives readily available.
3. The data needs content
Your compliance initiatives are not standalone eﬀorts. Policies are written to address your risk areas, training and communications reinforce policies, hotline reports indicate gaps in training and policies, culture surveys show how eﬀective your hotline is and the list goes on and on. Your data needs to be just as connected so that when you have a surge in discrimination claims, you can immediately focus on your discrimination policies, training and communications.
You should strive for a risk-based program and risk-based data. Your risk assessment should be the lens you evaluate your program data through. This will help you prioritize your efforts and resources to address your most critical risks.
Sounds easier said than done, right? If compliance programs continue to be tied together by email, file sharing, excel and manual processes, it is very hard to verify useful data, difficult to measure over time and nearly impossible to understand the context of what you’re seeing. But, that’s where technology comes in and saves the day.
Technology facilitates the tracking, measuring, reporting and assessment of key compliance program metrics. It allows you to easily:
- Identify, manage and mitigate key compliance risks
- Enable eﬀective oversight and monitoring by executives and directors
- Easily assess and benchmark your program
- Continuously improve your program
Ultimately, you’ll provide your organization with an aﬃrmative defense in the form of an eﬀective and measurable compliance program that preserves the ﬁnancial and reputational health of your organization. After all, isn’t that the point?