How to Measure and Improve Your Compliance Program
When was the last time you assessed the effectiveness of your compliance training program? Not just a high-level assessment, but a full audit.
If you’re like most businesses, it might have been a while ago.
Historically, measuring compliance training effectiveness hasn’t always been high up on the list of business priorities, but it’s increasingly becoming a major cost driver for businesses in all industries.
Whether it’s GDPR violations, non-compliance with accounting regulations like Sarbanes-Oxley, or payment processing issues that cause you to run afoul of PCI DSS regulations, non-compliance can lead to substantial disruptions and costs.
Noncompliant businesses face interruptions in operations as they work to remediate issues, and reputational damage can work against your sales team — to say nothing of the direct costs of fines and penalties.
Being able to assess your compliance programs, make systematic improvements, and gradually formalize your programs is essential for any business in a heavily regulated industry. There are a few key things we’ll help you understand as you gauge compliance program effectiveness:
- The costs of non-compliance
- What questions you should ask to evaluate your compliance programs
- What steps you can take to improve and formalize your processes
The High Cost of Poor Compliance Programs
Building a business case for a robust compliance program can be difficult because the return on investment (ROI) isn’t necessarily obvious in the same way as for investing in operations, sales, or marketing. However, just because it’s not obvious, doesn’t mean it’s not real or substantial — especially in heavily regulated industries like financial services, healthcare, industrial, and technology.
Non-compliance is costly, and a study from Globalscape showed that non-compliance costs grow in lockstep with company headcounts. In fact, the study found that for companies with more than 25 people, the cost of non-compliance greatly outweighs the cost of compliance.
The study showed that businesses lose an average of $14 million per year in non-compliance costs, up 45% from 2011 levels. The main costs of non-compliance fall into the following areas:
- Business disruptions
- Productivity losses
- Lost revenue
- Fines and penalties
Research from Lorman adds some additional context to these findings on the state of compliance training:
- 23% of companies have no formal compliance training plan.
- 40% say their compliance programs are “basic” or reactive.
- 70% attempt to measure the effectiveness of their compliance training.
What should we make of this data? Why are non-compliance costs increasing, and why are so many companies struggling to implement an effective program?
One place to start is right at the top. A study from Deloitte showed that many companies are still lacking the dedicated leadership that a robust compliance program needs. This is especially true in smaller companies where it may be harder to devote resources to compliance.
A designated chief compliance officer (CCO) can serve as a steward for stronger compliance practices and lead the function internally. Too often, compliance leadership is thrust upon someone else in an organization, like a chief risk officer or chief audit officer.
Deloitte’s research showed that around 1 in 5 companies do not have a designated CCO, and that most companies have very small compliance teams. Only a third of respondents in the study said they had a standalone CCO position, while 21% had no designated CCO.
Among companies without a formal CCO, 20% gave CCO-like roles and responsibilities to the general corporate counsel, while around 12% gave the position to other C-level leaders in the company.
The study found that a lack of compliance leadership is often correlated with overall underinvestment in compliance. If no one “owns” compliance, the program likely has some significant gaps.
This lack of clear leadership has trickle-down effects to employees. Per Lorman’s research, 33% of U.S.-based workers say company-provided training doesn’t meet expectations, while the same number said their organization’s training is out of date.
To learn more about the costs associated with non-compliance, view "The Ultimate Cost of Non-Compliance on Your Business."
How to Evaluate Your Compliance Program
To prevent non-compliance costs from spiraling out of control, you should start by taking stock of your current compliance practices.
Here are some questions you can ask to evaluate your current compliance program:
How Do We Detect and Handle Non-compliance?
When reports of non-compliance arise, are they investigated in a timely and thorough manner? How often are you auditing your processes to ensure employees are following compliance procedures? Are you relying on “snapshots” from months ago to tell you if your teams are compliant, or is it an ongoing effort?
If there are gaps in how employees and managers can report non-compliance, if those reports are essentially going into a black hole, or if the consequences aren’t enough of a deterrent for future non-compliance, you’ll likely see consistent negative outcomes.
Do We Have the Appropriate Resources to Ensure Compliance?
Has your compliance function been given adequate resources to fulfill its duties? For example, are compliance investigations left to individual managers or line-of-business leaders who may not have the time or training to conduct a thorough investigation?
If compliance hasn’t been given the budget, staff, and training required to meet the needs of the business, you’ll need to make a case for why the shortfall should be addressed.
Does Anyone ‘Own’ Compliance?
As the Deloitte study found, a lack of clear ownership of compliance-related initiatives often dooms these efforts to failure.
Assess the current leadership in charge of enforcing compliance and determine if there’s a clear compliance champion. If there isn’t, you may need to hire one or transition an existing leader into a full-time role as CCO or a similar title.
Do We Have a Clear Compliance Charter With Documentation Around Procedures and Processes?
Are your compliance processes and procedures for different functional areas clearly documented?
Departments such as accounting and finance, IT, security, operations, and HR must follow strict guidelines when handling customer or employee data, ensuring workplace safety, and doing business across national borders.
Determine if each of these areas has a robust compliance onboarding program for new employees, as well as regular role-specific training for existing employees. If there’s no clear documentation for role- and department-specific compliance practices, you’re either forcing employees to sit through irrelevant training or relying on ad hoc remediation after a compliance issue arises.
What Metrics Tell Us if Our Compliance Training Is Effective?
If you don’t have readily available data on your compliance training’s effectiveness, you’ll have no insight into where your gaps are and how you can improve.
For example, if compliance with Occupational Safety and Health Administration (OSHA) guidelines is a critical area for your business, you could track workplace safety incidents before and after trainings to see if there is evidence of training effectiveness.
You can also conduct surveys with employees to get a sense of how they perceive the training’s usefulness. Qualitative data can be impactful to understand where your training is strong and where it needs improvement.
If you have no metrics on the effectiveness of your training — or if the available metrics are scattered and difficult to draw conclusions from — it’s likely that your training is more reactive and seen simply as a box to check.
How to Improve Your Compliance Program
Asking the right questions can tell you where you stand now. In this section, we’ll look at actionable strategic moves you can make to formalize and improve your compliance training program.
Centralize Compliance Governance
Centralized compliance governance lowers the total cost of compliance. More specifically, Globalscape found that deploying a central data governance program reduces total compliance costs by $3 million.
If different areas of compliance — such as incident response, auditing, legal, compliance technologies, and program certifications — are all run by separate people in silos, you’ll end up with a patchwork of compliance infrastructure that has gaps. A centralized governance structure ensures that there is one source of truth and that different areas are working toward the same goals.
Appoint a C-Level Compliance Leader
This goes hand in hand with the idea of creating a centralized compliance governance program. If you don’t have anyone in a CCO or similar role, it’s worth appointing a dedicated leader who can oversee compliance efforts and provide regular reports to the rest of the executive team.
Create a Formal Compliance Charter
Work with all relevant stakeholders (i.e., executives and line-of-business stakeholders) to learn what they want from compliance training. Determine together what success looks like, what each functional area needs, and how better learning outcomes can support key business goals.
This information will help you create a defined mission and vision for your compliance training program that has buy-in from all lines of business. This can be codified in a formal charter that is accessible by all stakeholders.
Perform Routine Audits
The cost of doing compliance audits might seem daunting when you add them up, but Globalscape’s research showed that doing audits more frequently actually reduces the overall cost. Companies that do five or more audits a year spend an average of $8.8 million, while those that do fewer than five spend over $10 million yearly.
The reason is simple: Non-compliance is costly. Fines, penalties, business disruptions, and revenue losses add up quickly. In this case, prevention is worth more than the cure.
Make Policies and Procedures Accessible and Transparent
Publish your program charter where it can be easily accessed by anyone in the company. It should not only include high-level mission and vision statements, but also in-depth descriptions of procedures, standards, key roles and responsibilities, and milestones for program success.
Bring on the Right Tools
Research and acquire the tools to successfully implement a compliance training program for today’s workforce. At a minimum, you’ll require a compliance management system or learning management software, project management software, and anything your IT team needs to ensure successful integration of all tools.
Find vendors with which you can build strong partnerships — this way, you’ll always be on top of key developments for the product, as well as for the industry as a whole.
Allow People to Train Their Way
Set your employees and managers up for success in learning outcomes. Lorman’s research found that employees crave flexibility in when and how they learn.
- 89% of employees want always-available training for just-in-time tasks.
- 85% want to be able to choose when they do training.
- 80% want more frequent training, rather than formal one-off sessions.
- 91% want their training to be highly relevant and personalized.
This is where a compliance management system can help. Whether you have a standalone compliance management system or one that’s part of a learning management system, a good solution should give you access to hours of curated compliance training content for each functional area of your business. It should also provide that content in different formats to accommodate different learning styles.
Compliance training doesn’t have to be reactive and ad hoc. By assessing your company’s needs and goals, formalizing the governance structure around compliance, and deploying the right tools to support your initiatives, you can be proactive about compliance. Over time, compliance can be a competitive advantage thanks to cost savings, higher performance, and an improved reputation in your industry.
To learn more about the intersection between compliance, learning management, and talent development, check out our eBook, “Thriving in a Highly Regulated Environment.”