It’s no secret that ethics and compliance professionals struggle with measuring the effectiveness of their programs. Sometimes the “well, we have to do it anyway” mentality can preclude any attempt at real measurement and sometimes people get caught up in siloed data, like employees’ business ethics training scores, compliance policy attestations and whistleblower hotline calls.
I read the article “Business Ethics: 3 Questions Every Business Leader Must Ask” by Jim Nortz and found it interesting because he advocates, as we at The Network do, that to be successful at measuring effectiveness, ethics and compliance leaders have to go beyond those traditional metrics and get a full picture of the program to have real insight into the ethical health of an organization.
I’ve blogged before about how this is a popular topic amongst our clients and prospects. The point Jim makes in his article is that business professionals – and I’d add ethics and compliance professionals in particular, love information. They love data, like metrics, statistics, anything that can show them how to measure risk and allocate resources, which is why it’s easy to get caught up in that data… to see those metrics and then stop.
Despite the fact that the Federal Organizational Sentencing Guidelines have mandated that the a company’s governing authority “shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program,” many companies are simply not measuring anything beyond basic metrics like whistleblower hotline calls, business ethics training scores and compliance survey results. And others are not even measuring that much.
According to Jim, who has a great writing style, even though there have been “numerous corporate compliance and ethics scandals that have occurred over the decade since this requirement was established, compliance and ethics KPIs continue to be as rare on corporate dashboards as polar bears in the Sahara.” But more importantly – and I fully agree on this point – the real problem is that few business leaders have the academic or on-the-job training to help them understand what a meaningful compliance and ethics KPI looks like, let alone how to effectively respond to one.
I think the key word is ‘meaningful’. It’s not that business ethics training scores are not meaningful, it’s that they are not meaningful in isolation, without context or as a standalone KPI. Jim advocates that best way to think about how to implement and measure the effectiveness of your company’s compliance and ethics program is to seek answers to the following three questions:
1. What is the strength of our ethical culture? I love this. Many companies claim to have an ethical culture and to prioritize ethical business practices. But are they measuring their culture? To take my above example about business ethics training scores. If everyone scores 100 on their anti bribery training course, you’ll be tempted to think you have a very ethical culture. But if you have an unethical culture, those scores just tell you that you have educated employees… not necessarily ethical employees.
I know that Apollo Education Group measures their culture; I blogged about a session at Compliance Week wherein James Berg, Apollo’s Chief Ethics and Compliance Officer, presented the five measureable components of his company’s ethical culture. The company surveys the employee base on the same five components each year and then compares those results against an industry benchmark. By doing that regularly, they establish a trend and can proactively implement corrective actions when the trend begins moving in the wrong direction. This measurement gives them valuable insight into how the employees feel about the company’s culture, how knowledgeable the employees are about the company’s Code of Conduct and how they feel about speaking up when they witness behavior that doesn’t align with its values. That is a meaningful KPI.
2. How effective are the systems we’re counting on to manage our legal and ethical risks? Many companies count on compliance software and systems to help them manage risks. There are several kinds of systems that can help ethics and compliance professionals do everything from manage investigations to track corporate policy attestations to monitor third party compliance… and the list goes on. It’s smart to consistently look at your system and ask yourself where the holes are. What could that system be doing that it’s not? Are you using three pieces of compliance software when you could ideally be using one? Where are you being inefficient because of the system(s)? The Network’s integrated GRC was built with that thinking in mind – having everything ethics and compliance professionals need in one place, so they can see connections between cases, incidents, policies, training, etc., so that’s a sentiment I embrace.
3. What are the objective metrics we’re relying on to monitor compliance and ethics system performance? Some of the metrics I wrote about earlier, like employee business ethics training outcomes, whistleblower hotline calls, policy attestations – those fall in this category. Those are important, but it’s important to look at those metrics in context. An example I use frequently is that just because hotline calls go up, that doesn’t mean that misconduct is up. Maybe the compliance training that was just rolled out, just increased awareness, which in turn prompted more calls. Metrics and data are important, they just aren’t, and shouldn’t be treated as, the whole story.
The key is to “seek answers” to those questions, not to just answer them. That means including leaders from other functional areas outside of compliance.
Does your organization measure it’s ethical culture? Who measures the effectiveness of your ethics and compliance program and by what KPIs do they do that?