Everyone wants to get the most bang for their buck. But unless you’ve got a measuring stick, it’s almost impossible to know whether what you’ve bought is a bang or a bust. Subjective measurements, including how you feel your program is doing, are important. But subjective measurements can’t tell the story to the Board and C-suite like objective metrics.
Today we’re going to explore metrics relating to monitoring, auditing and investigations. This is Part 3 of our series. If you haven’t read Part 1, I recommend you go back and start there, as it sets the stage regarding why certain metrics should be chosen. We’ve also explored metrics that can be used with policies and procedures, which can be found HERE.
What do you think would happens if you put a huge amount of energy into making the most beautiful fish tank in the world, lovingly put your fish in the tank, then never tended it again? Your fish would die. Fish tanks need to be monitored to ensure the chemical balance is right, algae are cleaned off of the slides, and that the water is changed on regular intervals, to keep the environment optimal for fish happiness and growth. The same thing is true with your compliance program. You have to monitor it to ensure it is functioning in an optimal way.
Auditing is simply the process of testing. Auditing and monitoring are similar and related, but are not the same thing. An auditing program should pro-actively test controls to ensure that they are working, and create work-plans and action items to correct when the controls fail.
Investigations are necessary for multiple reasons. Investigations show individuals that the company takes rules seriously, and that there are consequences for breaking those rules when reports are substantiated. The types of investigations undertaken also matter. By reviewing investigations, you can see trends in the types of misconduct reported, where misconduct is reported, and the consistency of disciplinary outcomes.
The most important question when it comes to metrics is this: So what? Each metric needs context, so it tells a story. In addition, each metric needs to be tied to a goal or Key Performance Indicator (KPI), so you can tell if the trend is going in the right direction. Metrics without context are useless. When you choose a metric, make sure you ask, “So what?” If you can’t answer why the metric matters, or what the goal is for that metric, choose something else.
Following you’ll find example metrics for monitoring, auditing and investigations. Not all the examples will fit your program. Metrics, by their nature, need to be tailored so that they match the maturity of your program, the nature of your business, the size and geographical expanse of your business, etc. For each, a “So What?” answer and example KPI or goal is included.
Notice that for some of these metrics, the KPI or goal measures how fast you are able to respond to the information you’re receiving. The fact that more people disclose a relationship with a vendor isn’t necessarily good or bad – it indicates that a root cause analysis should be done, and an evaluation of the best response should be completed. Once the evaluation is complete, the plan should be implemented as quickly as possible. The implementation time is the KPI for this metric.
Good metrics tell the story of your program. They show its evolution and give you confidence in its effectiveness. By monitoring your monitoring, auditing your auditing, and investigating your investigations, your program can improve enormously.
Next time in our series, we’ll be examining metrics relating to training. In the meantime, have an excellent week!