What Goes on a Compliance Dashboard?
The email arrived earlier this week from my friend the Vendor. He and his team are working on a proposal for a client, he told me: a dashboard application, driven by Big Data analytics, that would sit on the desktop of a chief compliance officer or general counsel. So if that dashboard were going to present 10 to 12 key data points to a CCO—what data points would I recommend?
First, my friend the Vendor works at a top-tier software business. When he says his firm is working on a Big Data project suitable for compliance officers at Fortune 500 companies, his firm can do it. Second, of course the immediate answer to his question is, “It depends on the company.” The dashboard metrics important to a CCO in oil & gas will not be the same as those important to someone in banking or retail.
We can all agree to those points. Still, my friend the Vendor’s question has a delicious openness to it—what metrics would any compliance officer want to see on a dashboard every day? “As I hit my desk in the morning,” he wrote, “what do I need to have access to on an ongoing basis at the 30,000 foot level?”
So let’s work our way through the problem.
The starting point should be to ask, what worries compliance officers and general counsels the most? That is easy enough to answer at a high level: you worry that risks the company has are metastasizing beyond your comfort zone. A dashboard should show you which risks may be doing that at any given time.
The next question, then, is what types of risk cause CCOs and GCs the most worry? If we want to be industry-agnostic here, then again, the question is easy enough to answer at a high level: supply chain misconduct, employee misconduct, and regulatory probes. (Cybersecurity might be a large enough risk to name here too, but not necessarily for all companies—so for the sake of simplicity, I’m going to shunt that one off to the CIO’s dashboard.)
My friend the Vendor wanted a dashboard with 10 to 12 total metrics displayed, so that would be three or four metrics for each of those three risk categories above (supply chain misconduct, employee misconduct, and regulatory probes). In that case, we might configure a dashboard that looks something like…
Supply chain misconduct
- Number of third parties or business partners with unclear beneficial owners, or owners who are Politically Exposed Persons;
- Critical suppliers where no anti-bribery training or audit is included in the current contract;
- New suppliers (on-boarded this quarter) where the due diligence checklist is incomplete.
Employee Conduct
- “Critical” whistleblower allegations (for example, FCPA or financial fraud allegations, or allegations of retaliation);
- Exception requests for travel & entertainment policies, perhaps segmented by geography or employee seniority;
- Compliance training completion rates (an evergreen metric suitable for any dashboard).
Regulatory Probes
- Open investigations: perhaps by length of time open, but ideally something more informative like “cases approaching final disposition”;
- Potential damages or some similar metric to denote potential penalties;
- Some metric that categorizes all your regulatory probes—perhaps by geography, or regulator, or nature of the problem (environmental, financial, worker safety, etc.); the goal is to find any patterns in what is attracting regulatory scrutiny.
And remember, my friend the Vendor said he wants to build a dashboard driven by Big Data analytics. I define that as using multiple points of data to gain better insight about one question—so each of those 10-12 metrics should, ideally, be built on several points of data that give the CCO a better sense of what’s going on.
For example, you don’t want a metric about whistleblower allegations that only tells you how many complaints you have; you want a metric that categorizes them by nature of complaint, or division of the company that’s complaining. Likewise, a metric that monitors new vendors with incomplete due diligence should also track which business units are on-boarding these laggard third parties.
As you can see, the guts behind this dashboard are now pretty unwieldy: several dozen “lines of data” all feeding into one interface for the chief compliance officer to read. Many vendors can make the technology of that project work, but the success really hinges on your own company processes to collect that data in the first place. For example, if you want a metric to tell you which new vendors have not completed due diligence, and your source for that data is Fred from Procurement, who enters the records manually in Excel and then uploads them to the dashboard every two weeks—suffice to say, you’ve gone against the spirit of Big Data analytics.
Those are my ideas for a dashboard useful to CCOs, at least—and since every company has specific needs, the total number of possible metrics is endless. Thoughts? What would you want to see on your dashboard?
3 Comments
Matt, in my experience few CCOs have a comprehensive dashboard—and many have not been through an exercise to list all the information they need to manage the function—so there’s definitely a market for your vendor friend.
One of the benefits of the current generation of data visualization tools is that dashboards can be built to suit multiple users: the executives can have a quick summary to monitor performance and line management can have tailored, more detailed metrics and indicators that allow filtering or drill down to the underlying transactions.
Your list is a great starting point. I would suggest though that it’s not all about anomalies and exceptions—there should also be metrics that show how well compliance is being performed—for example, whistleblower statistics, status of third party due diligence, training throughput, policy and procedure updates, other leading and lagging indicators. As appropriate, these metrics can be weighted and aggregated to provide a summary of the overall compliance performance.
With these metrics, as with all metrics, context is vital—most metrics are meaningless without an understanding of whether the result is good or bad. It is context that enables decisions—does this metric require action or does it not? What should the number be—how does it compare to target, or peers, or past performance, what is the trend and what is the forecast?
[…] month I wrote a post about what should be included in a chief compliance officer’s dashboard—that is, which metrics convey the most useful information that helps CCO decision-making. The […]
I think a dashboard for a chief compliance officer should contain a summary of the controls his/her company must adhere to. In regulated industries it might be SOX, PCI, HIPAA, Dodd-Frank, etc. A typical enterprise (10,000+ employees) might have 200+ controls which can be categorized/summarized. Smaller companies might have 10-50 controls even if they are not dealing with regulations.
Find out what controls the CCO is responsible for and have a discussion on whether they should be grouped, or ranked by risk and then you should have a very valuable dashboard. Of course it will be dependent on whether your big data repository contains the right information sources. Good Luck!