More on Useful Compliance Dashboards
Last month I wrote a post about what should be included in a chief compliance officer’s dashboard—that is, which metrics convey the most useful information that helps CCO decision-making. The column was heavily circulated on LinkedIn and I received great ideas from compliance professionals, so today we’re going to have a follow-up based on those insights.
Two themes emerged from the comments: compliance officers want metrics that help them predict risks, and they want metrics that give the CCO a sense of employee attitudes and behaviors. As one person put it: “I would want to track employee complaints—which ones involve HR, which involve compliance, how long it takes to respond, what is the resolution. In short, track potential whistleblowers before they become whistleblowers.” That comment captures both themes nicely.
The challenge is to figure out which nuggets of data, packaged together in the right way, truly help you predict when a risk passes the threshold from theoretical to impending. In fact, when my original post mentioned that a dashboard should include your key regulatory risks, several people said that part was easy: Foreign Corrupt Practices Act, economic sanctions, anti-money laundering, perhaps industry-specific regulators such as the Commodity Futures Trading Commission or the Department of Health & Human Services. Accurately predicting how those risks might change is the hard part.
We’ve touched on this concept before with whistleblower reports. The crucial data there isn’t the number of whistleblower hotline calls, I said; you need to know data about the calls, such as how many mention retaliation (in absolute numbers, relative percentages, about which managers, and so forth). The more information you have describing the nature of your whistleblower calls, the better you can determine whether your anti-retaliation training is effective—and that’s how you get to a more predictive analysis of compliance that a CCO will find useful.
Software coders would describe this as meta-data: data that describes some other piece of data. So that’s one way to focus your thinking. First ask, “What do I want to know about?” Then ask, “What types of information describe that thing?” Those types of information are what you want to feed into your dashboard, to fuel the metric that’s on your dashboard.
That point about the data feeding into your dashboard was made several times. One person even said the dashboard itself—the window on your computer screen that you read every morning—is easy to configure, if you have the right vendor. The trick is selecting the right data to feed into that dashboard, since those feeds will likely come from different sources and in different formats.
For example, if you want to track employee complaints, you might end up blending data from an outside party running your whistleblower hotline, and data from the legal department on case closure times, and data from the HR department about discipline doled out after a complaint. Those are three very different types of data. Some might be managed manually in a spreadsheet (that’s our obligatory cheap shot at the HR department), some from an automated data feed. How do you consolidate all of that into one metric for complaints management?
Another person made an excellent point in passing. He rattled off a list of key regulations he would like to monitor “and business communications” almost as an afterthought. That’s all he said, so I’m not 100 percent certain what he means—but if he means communications his company sends out to the world, that’s the excellent point. Dashboards should not simply inform you about “inbound risks” coming from regulators or other parties; you need a way to monitor what “outbound risks” your company is creating by its own actions. Careless statements to the world certainly qualify.
Your dashboard will also take a while before it renders genuinely useful information, because the biggest indicator of changing risk is time—and you will simply need to let time pass as you accumulate more and more historical information. One person, for example, said she likes to know which areas of the business have relationships with third parties who haven’t been through due diligence. That’s an excellent “in the moment” point of data. The next step, however, is to see whether your due diligence efforts are improving. That will take time.
Along those lines, if you want a dashboard that gives useful information about employee attitudes, somehow you will need to account for context. That is to say, you’ll need to know what “normal” attitudes are at your company. Maybe they’re poor; you’re a new CCO or the business is suffering or a merger went wrong, and you’re trying to figure out a useful strategy for ethics training. Maybe the attitudes are excellent, and you want to focus on regulatory compliance risks. Either way, you’ll need time and patience, just as much as you need good data.
Clearly we’ve found a good subject here, so if you have more ideas about what should go on a CCO’s compliance dashboard or how to make dashboards work well, let me know!