Duncan Milne (dmilne@bupalatinamerica.com) is Chief Risk and Compliance Officer for Bupa Global Latin America in Miami, Florida.
With the breadth of most compliance programs in large international organizations and the number of policies and reports to follow, it can be easy to lose focus of the bigger picture and fall into the trap of measuring the input—how many reports or spreadsheets did I issue; how many training sessions did I run—rather than the output and whether your program is meeting its objectives and actually having any positive impact on the business.
Regulatory expectations in this area are increasing, and when setting compliance metrics, we should always challenge ourselves about not only what any particular metric is trying to prove, but also why that metric is relevant and aligned with the wider business goals.
When going through this exercise, it can be useful to look at metrics through the lens of four different levels, and ideally, your program will contain a balance of each one to be able to prove that the program is functioning and understood, affecting behaviors, meeting its goals, and adding value to the organization.
Operational metrics
The most basic level of metric are operational metrics. These are usually quantitative and record a factual event (for example, the number of compliance training sessions that have been held).
We typically use operational metrics to prove that the program has been implemented and is functioning—for example, to track the dedicated number of resources in place or the number of whistleblower reports that have been received. These metrics can be a useful foundation, but on their own, they don’t really tell you very much and are only a starting point to then link to the more qualitative aspects of whether a compliance program is actually effective.
