The Department of Justice’s watershed Evaluation of Corporate Compliance Programs Guidance Document made it very clear: a risk-based approach is necessary to avoid “devot[ing] a disproportionate amount of time to policing low-risk areas instead of high-risk areas.” The Guidance goes on to describe all of the areas where a risk-based approach is required. Having a risk assessment is just the beginning. Monitoring the right metrics relating to the risk assessment is critical to judge the health of the program.
In this blog, we’re going to explore metrics relating to risk assessments. This is Part 8 of our series. If you haven’t read Part 1, I recommend you go back and start there, as it sets the stage regarding why certain metrics should be chosen. We’ve already explored metrics that can be used with policies and procedures, which can be found HERE, monitoring and auditing, which can be found HERE, training, which can be found HERE, third-party risk management, which can be found HERE, governance, which can be found HERE, and communications and tone from the top, which can be found HERE.
What Needs a Risk-based Approach?
The phrase “risk-based approach” is used by many compliance officers, sometimes without an understanding of what it means. The DOJ Guidance defines several areas in which risks should be managed using a risk-based approach. These include third-party due diligence, assignment of training, gathering metrics and reporting for the Board, and the allocation of resources (both human and financial). Without a proper written risk assessment that is effectively monitored, this is impossible.
The Most Important Question - So What?
As with other programmatic areas, each metric needs context, so it tells a story. In addition, each metric needs to be tied to a goal or Key Performance Indicator (KPI), so you can tell if the trend is going in the right direction. Metrics without context are useless. When you choose a metric, make sure you ask, “So what?” If you can’t answer why the metric matters, or what the goal is for that metric, choose something else.
Following you’ll find example metrics for risk assessment. Not all the examples will fit your program. Metrics, by their nature, need to be tailored so that they match the maturity of your program, the nature of your business, the size and geographical expanse of your business, etc. For each, a “So What?” answer and example KPI or goal is included.
Spot the Trends
Metrics relating to risk assessment tell their story over time. A single snapshot is unlikely to give you large amounts of information, whereas the comparison of metrics month-on-month can tell a much fuller story. For instance, if the number of risks correctly identified by the business during the risk assessment period drops from six to two, investigation needs to be done to see why that is the case. Did the risk profile of the business shift significantly? Is there a new manager who doesn’t understand compliance risk? By tracking these numbers, you give yourself the story which will allow you to be more effective.
Good metrics tell the story of your program. They show its evolution and give you confidence in its effectiveness.
Next time we’ll put it all together to ensure you can create a successful monitoring program. In the meantime, have an excellent week.