How effective is your Compliance program?
How effective is your Compliance Program? Does it work in practice? Does it produce the intended outcomes? These are questions worth asking.
But first, how can you even measure compliance effectiveness?
You are in the right place: this is at the heart of everything we do at Comhla, and we are happy to share our tips!
What does it mean anyway?
There are different views on how to measure Compliance program effectiveness.
The US DOJ’s Evaluation of Corporate Compliance Programs (Upd. March 2023) suggests asking three questions when assessing your Compliance program:
1. Is the Compliance Program well designed?
2. Is the Compliance Program adequately resourced and empowered to function effectively?
3. Does the Program work in Practice?
On the other hand, ISO 37301:2021 (Compliance Management Systems) suggests measuring effectiveness in terms of achieving compliance objectives.
There is no checklist or set formula against which to measure. Each organisation is different, has its own business model, and operates in unique conditions and risk environments. No single model fits every scenario.
Instead, we shall ask the ultimate question: does the program, as designed and operated, achieve its intended outcomes and have the desired impact?
Where to start?
Risk assessment is a starting point of any compliance program. It frames how the compliance control framework will look, its design, priorities, resource allocation, operating model, and how it evolves over time.
However, risk is only one element of the equation. The true measure of effectiveness will depend on the internal and external (contextual) factors surrounding the organisation and affecting its operations, business processes, management decision-making, and employee behaviours. And these factors are not static—they change with time, depending on geographical location, business unit, and, importantly, corporate culture.
What are the indicators?
The first question, though, is how good your processes are. What data do they produce? What’s the quality of this data?
If you pass the threshold question, look at the data you collect through the operation of your Compliance Program over time and geographically. And then analyse it in the context of internal and external factors that have the capacity to affect your organisation – collect this data through your:
- Compliance Risk Assessments
- Regulatory Horizon Monitoring
- Compliance Processes Performance Monitoring: Trends and Outcomes
- Lessons Learned
- Investigation management: Identifying and analysing root causes of misconduct and near-misses
- Employee surveys
- Internal Audit findings
- Control testing and process operations reviews
- Benchmarking against peers and industry
Now what?
Do your analysis: Do you see trends between the operation of your processes, the outcomes, and, ultimately, the impact? Of course, correlation is not causation. Nevertheless, it gives us essential indicators.
But there is a lot of data. Can AI help? It sure can. AI engines help us to identify patterns and outliers in the data, producing much-needed insights and helping to make prevention and detection more effective and efficient. They help to point to trends and predict the likelihood of achieving intended outcomes.
AI isn’t magic, though; it will not replace competence and expertise. However, with proper design and deployment, it can be a game changer in your compliance toolkit.
This sounds good, doesn’t it? Still, there is something else. Something that goes beyond compliance.
Corporate Culture’s Impact on Program Effectiveness
When we talk about Compliance Program effectiveness, no element has a bigger impact than Corporate Culture.
These five elements are the most important:
- Moral Attentiveness: Can employees recognise a situation that represents a concern? Can they recognise what’s right or wrong? Help them make the right choices.
- Moral Engagement: Do employees believe that the organisation is driven by its declared values? Are they motivated to follow those and speak up if something goes wrong?
- Clarity of Expectations: Did the organisation clearly state what standards of conduct are expected from employees? Did it explain the “what” and “why” and support employees in doing the right thing?
- Organisational Justice: Do employees believe the organisation will apply a fair process? Will leadership act upon a report? Are there consequences for misconduct? Lead by example.
- Psychological safety: Do employees feel psychologically safe doing the right thing under pressure, raising concerns, and speaking up? Will their leaders listen and act?
I am often asked – how would you measure the effect of corporate culture on compliance? Amy Edmondson, the Novartis Professor of Leadership and Management at Harvard Business School, best known for her pioneering work on psychological safety, has shown the way (Check this out: Fostering Ethical Conduct Through Psychological Safety (mit.edu)). And every organisation can do it, too.
If you are interested in measuring the effectiveness of your Compliance Program, get in touch! This is what we do!
See you next time!
Comhla Intelligent Compliance
At Comhla, we are driven by a mission to revolutionise the way organisations approach compliance and misconduct prevention. By leveraging our in-depth governance, compliance and internal control expertise, actionable data insights and cutting-edge applied research in organisational science, we help our customers build effective regulatory and compliance management to safeguard their license to operate, protect the bottom line and enhance reputation as responsible businesses.
We aim to publish once a fortnight. The information provided in this newsletter is not intended to and does not render legal, accounting, tax, or other professional advice or services.