Creating an Inventory of Compliance Metrics with Michele Edwards
By Thomas Fox, The Compliance Evangelist, Author
I recently had the opportunity to visit with Michele Edwards, Partner at StoneTurn, to consider some of the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). Edwards had one of the most interesting and basic insights for a compliance professional. She is a CPA by professional training and came at the requirements laid out in the 2020 Update from a quantitative perspective, not the qualitative perspective that most lawyers bring to the table.
The 2020 Update not only continued to emphasize the importance of monitoring and testing the effectiveness of a compliance program, but it spoke more about a Chief Compliance Officer (CCO) and compliance function utilizing data to engage in both continuous monitoring and continuous improvement.
The DOJ for some time now has stressed the importance of leveraging data in order to have objective evidence around whether or not a compliance program is working effectively.
Yet because many CCOs are legally trained, they are unsure which specific areas to consider in establishing quantifiable metrics to monitor for effectiveness.
The 2020 Update mandated a new series of questions around data for a CCO. Under the section Data Resources and Access it posed the following questions:
1. Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?
2. Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
She said the first thing that companies need to do is to establish quantifiable metrics to measure and monitor the effectiveness of their compliance programs. This is accomplished by creating an Inventory of Metrics.
How can you create such an inventory?
You can do so by looking at the 2020 Update and taking it section by section to understand where there might be opportunities for a company to begin defining these metrics and assessing the data sources to measure these key metrics. From there, a compliance program can move to developing a process to regularly report its progress and an assessment of its effectiveness to key stakeholders, such as a Board of Directors, Audit Committee or Compliance Committee.
Edwards identified a number of areas where companies can begin to establish those metrics. Obviously, third-party management is still at the forefront of every compliance program. This means the DOJ continues to communicate its guidance around aspects of a third-party management program that are critical for an effective compliance program. There are multiple metrics that a company can consider as they think about the processes in place in order to manage the relationships with their third parties. It all begins with the five-step process of the lifecycle of third-party management. Yet in many ways a compliance professional's work begins after the contract is signed and in the assessment of how those relationships are going.
One of the most straightforward ways a company can measure the effectiveness of that process is to assess how many third parties were actually suspended, terminated or audited for compliance issues throughout the course of the third-party relationship.
This creates a quantifiable metric which the company can periodically report to key stakeholders as a result of its due diligence and ongoing diligence procedures related to its relationships.
Other metrics could be annual certification, compliance training and updated training.
Of course, the real work of managing a third party is after the contract is signed, so metrics based on the number of compliance-related meetings led by the Relationship Manager and the number of audits can form key metrics.
Similarly, a number of metrics to be considered are around Joint Ventures (JVs), teaming agreements or other business relationships.
Such metrics could begin with due diligence on such relationships and the additional number of counter-parties which might go down the line (4th Party, 5th Party, etc.). From there you can move to measuring the compliance metrics in the JVs by looking at the JV's fulfillment with its own compliance program.
Edwards pointed to another area ripe for an inventory of compliance metrics: mergers and acquisitions (M&A).
When it comes to M&A due diligence, oftentimes companies before entering into a merger or acquisition with a company will undertake a similar due diligence process where they are looking at the business relationships an acquisition target has. Of course, compliance professionals are assessing those relationships and doing due diligence on them to identify potential risks. Very similarly a company can also look at the number of third parties re-evaluated under the acquirer’s new standards and policies. This could be another key metric to apply very similarly to the lifecycle of third-party management.
Edwards said that a methodical review of the 2020 Update to identify the different areas where a company could potentially establish and quantify metrics to assess effectiveness is the place to start.
Many companies have what Edwards called “metrics on the basics” and noted they “have in place processes whereby their employees review the Code of Conduct and confirm they are in compliance with it either when they first onboard with the company and then periodically on an annual basis, companies are doing just fine at reporting.”
But it is now the barest minimum of what compliance professionals must do. For instance, they could consider the lifecycles of Quote To Cash (QTC) or Procure To Pay (P2P). The key is to start with a documented process which can be audited and build out from there.