Have you ever wondered how to articulate to your family, coworkers, executives, and board members that your everyday actions at work as a compliance professional impact your organization or how to explain that your team creates value and improves organizational risk? Have you wished to say more than just “we are revenue protectors” or “a revenue integrity department”? There is a way, my friends!
Going beyond effectiveness
We are all familiar with the expectations to measure the effectiveness of our compliance programs, whether it is based on the Evaluation of Corporate Compliance Programs guidance from the U.S. Department of Justice (DOJ) or other government bodies—depending on our industries. Could we go beyond effectiveness and measure the impact of our program based on predetermined objective criteria? Effectiveness is crucial and can be defined as the degree to which something is a success. Impact, by contrast, strongly influences someone or something. Certain impacts may lead to effectiveness, but I would argue that while the two may be linked, they are distinct and can glean different data and information when measured. While we—as the industry—are pursing making compliance more human and approachable for others, impact may be another opportunity to demonstrate our positive influence on others.
Compliance has an extremely broad reach within any organization. It is typically cumbersome or labor-intensive (or, at times, simply impossible) to measure the value of something that we prevented or the impact of our program across the enterprise; however, it is worth trying to at least take incremental steps toward collecting additional data beyond the customary kind. How many hotline reports you received in a given year (which ones are anonymous), reports by channel types, training completion rates, retention or effectiveness of your training (if you are lucky), and so on, are all critical data points for your consideration; however, they are just not enough to tell the story and, certainly, not enough to show impact.
The DOJ’s guidance references access to data in asking: “Do compliance . . . personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?”[1] Yes, we can and should access data that is available to other departments and our business counterparts, but we can also collect our own data that is right in front of us. Consider this for your risk-based compliance programs: a real-time approach (through ticketing or inquiry centralization) to objectively assign and measure the impact of your daily interactions within the company, your consulting efforts, and more, so that you can truly have insights into compliance data, trends, potential or evolving risks, and—importantly—the impact.