Companies often use key performance indicators (KPIs) and other metrics to measure the performance or progress of their business, including measuring whether anti-corruption compliance programs are being implemented effectively. This makes practical sense and it is also increasingly expected.
The Department of Justice’s (DOJ) most recent iteration of how it will evaluate a corporate compliance program – titled Evaluation of Corporate Compliance Programs – makes clear that the Department will look closely at a company’s “collection and analysis of compliance data” to determine whether the evidence supports that a compliance program is working effectively. The evaluation looks at a variety of questions:
- Has the company assessed whether policies and procedures have been effectively implemented?
- What information or metrics has the company collected and used to help detect misconduct?
- How has the information or metrics informed the company’s compliance program?”
In the effort to build robust programs, many companies are taking proactive efforts to measure anti-corruption programs against concrete, quantifiable targets or goals. The question for many is where to start? A new whitepaper from CREATe.org provides guidance.
As a threshold matter, companies should ensure that what they measure is actually useful to them. In this regard, it is helpful to understand the difference between KPIs and metrics. A KPI is typically a values-based measure or goal. A metric on the other hand is an objective, quantifiable measure to track progress on a specific process. Good KPIs and metrics are both quantifiable and specific to an organization’s strategic plan.
For a company with a relatively new compliance program, the focus should be on ensuring that foundational elements – including policies, procedures and controls – are in place. As a company matures, so should its compliance program. Companies with more sophisticated programs should focus on implementation and effective performance.
Sharon J. Zealey, founding member of NextGen Compliance LLC and former global chief ethics & compliance officer of The Coca-Cola Company, recommends breaking down metrics into a few different categories:
- Quantitative – Numerical data such as training statistics
- Qualitative – Measures of effectiveness
- Process – Efficiency or productivity
- Practical – Interface with existing company processes or functions
- Directional –Whether the organization is getting better at a process, activity, or task
- Input – Resources necessary to reach the goal
Mapping KPIs to Program Elements
How does the KPI approach work in the real world? An effective anti-corruption program involves a range of business processes that should be in place – from ‘policies, procedures and controls,’ to a dedicated ‘anti-corruption compliance team,’ ‘conducting risk assessments,’ ‘managing third parties,’ ‘training,’ and monitoring the program and taking ‘corrective actions’ when an issue does arise.
Using risk assessment, as an example, a relevant KPI might be that the company has assessed its corruption risk and aligned its program with those risks. Metrics rolling up to this KPI could be:
- The company performs and documents an annual anti-corruption risk assessment that includes the elements identified in the Resource Guide to the U.S. Foreign Corrupt Practices Act or the ISO 37001 Anti-Bribery Management Systems Standard.
- The company has executed a plan for testing its policies, procedures and controls based on the assessment findings.
- All findings that pose more than a low risk are addressed within six months.
For training, a relevant KPI could be that the company has a comprehensive training program that has been rolled out across the organization. A related metric cold be: training 100% of employees on the company’s anti-corruption policy within a year, and then doing so annually. As the company’s program matures, the KPI could also evolve to feature training tailored to specific business functions or area of risk.
Although KPIs and metrics help to measure the effectiveness of a company’s compliance program, there is also the potential that a KPI or metric could be incentivizing unwanted behavior. For example, in 2015 Toshiba was found to have been inflating profits by $1.2 billion USD due to the unrealistic sales targets set by the former CEO. The issue of KPIs prompting instances of unwanted behavior, or even fraud, is found across industries and geographies.
Compliance programs are multifaceted, complex and unique to each organization. Using KPIs can be a valuable tool to ensure that business controls are effectively embedded across an organization.
To learn more, download the complimentary CREATe.org whitepaper here.