Risk Management

KPIs: The Key to Corporate Compliance

New Justice Department guidance on compliance highlights the need for a data-driven approach to compliance.
Steven Neuman, April 4, 2017

While some industries, particularly those that are intensely regulated, have well-developed risk and compliance functions, the newly released Justice Department guidance, “Evaluation of Corporate Compliance Programs,” is essential reading for all businesses. In particular, the guidance stresses the use of data in assessing how well a compliance program actually works.


Finance and operations groups have long used key performance indicators (KPIs) to review past performance, determine actions to be taken in furtherance of corporate goals, and benchmark results among industry peers. Now is the time for enhanced compliance functions to monitor compliance efforts through the greater use of KPIs to detect and act on potential misconduct.

Companies focused on ensuring regulatory compliance will need to tackle the 11 topics addressed by the DOJ in the recent guidance. In communicating with the DOJ, presentation of well-defined KPIs can show how effectively and efficiently companies are managing these potential risks.

And, given that the same metrics can be measured worldwide, KPIs can be considered a universal language when presenting risks that were identified and analyzed and issues that were remediated. Therefore, not only are well-developed and executed KPIs consistent with DOJ guidance, they will help globally, given the increased cross-border data-sharing between foreign jurisdictions in recent settlements involving countries such as Brazil, the Netherlands, Switzerland, and the United Kingdom.

Two crucial points in the guidance are the analysis and remediation of underlying misconduct and the continuous improvement of compliance efforts with data and metrics.

More specifically, the DOJ will examine a company’s root-cause analysis of the misconduct, the systemic issues identified, and who in the company was involved in the analysis. It will also look at whether the company is making a concerted effort to measure its compliance efforts and continue to fine-tune them based on benchmarked data.

Continuous Improvement with Data and Metrics

The DOJ makes reference to continuous improvement and periodic testing and review. For those strategic KPIs that indicate potential misconduct despite established policies and procedures, the Plan-Do-Check-Act (PDCA) model, also known as the Deming cycle, is a simple and quick four-step process control and improvement method. The PDCA steps are to plan; execute the plan (do); check the results obtained; and act on the causes of deviations, repeating the cycle continuously.

With the objective of implementing change, the PDCA cycle drives compliance teams to plan by defining the means to achieve the goal, to execute what was planned, and to collect data on a frequent basis.

The company can then check the results against the plan and act on root causes where the anticipated result was not achieved. In the check step, converting raw data points into meaningful information reveals the trends and deviations that require further analysis. Root-cause analysis should establish, from the data, what happened, why the problem occurred, and what will prevent recurrence.

The actions should focus on eliminating the cause rather than treating the effect. To ensure this outcome, it is extremely important to distinguish the problem (the observed deviation) from its root cause at the outset, or the analysis will be flawed. As the volume of available data grows, data analytics becomes the practical way to surface the deviations worth analyzing.

When multiple departments are tasked with resolving a problem, brainstorming is a very productive method for conducting root-cause analysis. The compliance group needs to ask “why” repeatedly (the “5 Whys” technique) until it reaches the underlying problem; otherwise, remediation actions will not address the fundamental issue(s) or prevent recurrence. The same approach applies to fraud and fraud risks: entire departments can be mobilized to create an action plan and minimize the risk of future issues.

Companies must also look at prior indications in the analysis and remediation of underlying misconduct. For example, did the company have prior opportunities to detect the misconduct in question? If so, why were these opportunities missed?

Continually asking “why” homes in on the root cause of the problem and helps determine whether it is likely to recur. Connecting the cause-and-effect relationships of a problem is extremely important because recurrence indicates that the deviation has become part of the normal process and was previously tolerated. If the process is not under control, a new action plan is required.

While it may be impractical to conduct a root-cause analysis for every KPI, prioritizing the KPIs most indicative of fraud risk is helpful for compliance. The ultimate goal is to eliminate the risks those KPIs surface, which simple-to-use KPI dashboards can depict clearly.

Using a KPI Dashboard for Continuous Improvement

The KPI dashboard serves as a central repository for all your KPIs, analyses, graphs, and action plans used in the remediation process.

Presenting and monitoring strategic KPIs, such as those from compliance, becomes more effective and efficient for management when the analysis is focused on only those KPIs that point to potential and recurring causes of problems. A well-executed dashboard immediately shows when a deviation from established policies and procedures occurred. Because those policies and procedures are carried out by people, such deviations are the raw material of the continuous improvement process.

To ensure the success of continuous improvement, the KPI dashboard should be completely transparent, demonstrating a top-down commitment to compliance that includes the board of directors and its committees. All KPIs should be reviewed in a group meeting on a frequent basis, at least monthly, which is consistent with the closing of financial statements.

KPIs can be derived from the company’s strategy map, a one-page diagram that lays out overall business goals. Each department establishes KPIs that connect its mission and objectives to the strategy map, aligning the entire organization. KPIs shift with the company’s strategy over time; when the strategy changes, the KPIs should evolve as well.

It is very important to avoid “vanity” or feel-good KPIs: data points that look good but are not robust enough for any significant analysis. The raw number of audits performed, for example, says little on its own; the number of potential fraud risks identified per audit is the metric that supports analysis.
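The check step of the PDCA cycle and the dashboard’s deviation flag can be made concrete. The following Python script is an added example, not code from the article or from StoneTurn; the KPI names, limits, window size and monthly values are constructed for illustration and are not real figures. It flags a period when a KPI breaches its policy limit or moves more than two standard deviations away from its trailing window (in either direction, since a sudden drop in exceptions can mean detection has stopped working), and it marks a deviation as recurring when the previous period was also flagged, which is the signal the article describes for a deviation that has become part of the normal process.

```python
"""Deviation and recurrence check for a compliance KPI dashboard.

Added example with constructed data; KPI names, limits and values are
assumptions for illustration, not figures from the article.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class KPI:
    name: str
    series: list            # chronological (period, value) pairs
    limit: float            # policy limit from the plan step
    higher_is_worse: bool   # direction in which the limit is breached


@dataclass(frozen=True)
class Deviation:
    kpi: str
    period: str
    value: float
    reason: str             # "limit" = policy breach, "trend" = statistical outlier
    recurring: bool         # True when the previous period was also flagged


def breaches_limit(kpi, value):
    """Policy check: the value is on the wrong side of the agreed limit."""
    return value > kpi.limit if kpi.higher_is_worse else value < kpi.limit


def trend_outlier(history, value, z=2.0):
    """Statistical check against the trailing window.

    Needs at least three prior points to say anything; with a perfectly
    flat history any change at all is a deviation worth asking "why" about.
    """
    if len(history) < 3:
        return False
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return value != mu
    return abs(value - mu) / sigma > z


def check_kpi(kpi, window=6, z=2.0):
    """Return every flagged period for one KPI, marking recurrence."""
    deviations = []
    prev_flagged = False
    values = [v for _, v in kpi.series]
    for i, (period, value) in enumerate(kpi.series):
        history = values[max(0, i - window):i]
        if breaches_limit(kpi, value):
            reason = "limit"
        elif trend_outlier(history, value, z):
            reason = "trend"
        else:
            prev_flagged = False
            continue
        deviations.append(Deviation(kpi.name, period, value, reason, prev_flagged))
        prev_flagged = True
    return deviations


def dashboard(kpis, window=6, z=2.0):
    """One row per KPI: latest value, current status, deviation count, recurrence."""
    rows = {}
    for kpi in kpis:
        devs = check_kpi(kpi, window, z)
        latest_period, latest_value = kpi.series[-1]
        rows[kpi.name] = {
            "latest": latest_value,
            "status": "DEVIATION" if devs and devs[-1].period == latest_period else "OK",
            "deviations": len(devs),
            "recurring": any(d.recurring for d in devs),
        }
    return rows


# Constructed monthly series (assumptions, not real data).
MONTHS = ["2016-10", "2016-11", "2016-12", "2017-01", "2017-02", "2017-03"]
SAMPLE_KPIS = [
    # Count of vendor payments approved without completed due diligence.
    KPI("vendor_payments_without_due_diligence",
        list(zip(MONTHS, [2, 1, 2, 1, 9, 11])), limit=5, higher_is_worse=True),
    # Percentage of hotline cases closed within 30 days (lower is worse).
    KPI("hotline_cases_closed_within_30d_pct",
        list(zip(MONTHS, [96, 95, 97, 96, 95, 97])), limit=90, higher_is_worse=False),
    # Gifts-and-entertainment policy exceptions: within the limit, but a jump.
    KPI("gifts_entertainment_exceptions",
        list(zip(MONTHS, [4, 5, 4, 5, 4, 12])), limit=20, higher_is_worse=True),
]

if __name__ == "__main__":
    for name, row in dashboard(SAMPLE_KPIS).items():
        print(f"{name:45} {row}")
    for kpi in SAMPLE_KPIS:
        for d in check_kpi(kpi):
            print(f"  {d.period} {d.kpi}: {d.value} ({d.reason}, recurring={d.recurring})")
```

On the constructed data, the due-diligence KPI breaches its limit in two consecutive months, so the second deviation is marked recurring and the dashboard row shows DEVIATION; the gifts KPI never breaches its limit but its March jump is flagged as a trend outlier, the kind of early signal that merits a root-cause analysis before it becomes a policy breach; the hotline KPI stays OK. The limit and the z-score are the “plan” inputs and should be agreed before the check step, not tuned afterwards to make the dashboard look green.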


It is fundamental for compliance to establish and measure KPIs to quickly act on potential risks and eliminate root causes. Establishing a plan and appropriate measurements of improvement will, at first, be a large undertaking. However, the cost of non-compliance is almost always higher than the alternatives.

Companies that use KPIs as a risk-assessment tool and a measurement of success will be in a better position to meet increasing regulatory expectations. KPIs can not only be an ally in detecting deviations in controls, but also in identifying fraud or risk areas on a proactive basis. With KPIs in place, the success of continuous improvements can also be measured.

Steven Neuman is a managing director at StoneTurn, a forensic accounting and expert services firm. He advises companies on forensic accounting investigations, due diligence, business strategy, operations, and general business-related disputes.