A 2015 Deloitte Risk Services Report¹ found that 35% of companies still do not actively measure the effectiveness of their compliance programme. The rest of the study’s participating companies (that is, 65%) measure the effectiveness of their compliance function using “busy metrics” such as the number of incidents and completion of compliance training. The COBIT 5 Monitor, Evaluate and Assess (MEA) process MEA03 Monitor, evaluate and assess compliance with external requirements itself focuses on busy metrics such as the number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment.
While it is always welcome to see a downward trend of these numbers, they do not get to the effectiveness of the compliance process. Are all incidents equal? How many small issues equal 1 significant issue? What is a small issue? Could the incident have been prevented? Should the problem have been prevented? Has anything actually been done that affected the number?
This is the difficulty with simple counts. They do not tell us much. External factors might account for the decline in the number. Generally, busy metrics are indicative of a maturing process. Organisations generally start by focusing on volume metrics because it is easy. However, eventually organisations must move beyond reporting just busy metrics. Metrics should focus on quality, value, volume and performance. So how is the effectiveness of the compliance function and process measured?
Several reports,² including Deloitte’s, look at the amount spent on compliance and infer that it is not enough and an increase in compliance spending is called for. But where is the money spent? Is it another round of PowerPoint presentations to an uninterested audience? Remember, culture eats compliance. Reporting on the number of people who attend compliance awareness sessions does not mean there is a change in attitudes within the organisation. When the organisation does not manage culture, culture will manage the organisation. Perhaps the money was spent on acquiring governance, risk management and compliance (GRC) software? Does anyone really believe that GRC software contributes to compliance? Even though the amount spent on compliance goes up, the number of incidents remains fairly stable.³ So money is probably not the answer.
The same report also says that some companies see a real possibility that, going forward, they might not comply with all the new rules. This is okay and is why you assess the risk associated with non-compliance. The costs of non-compliance, such as regulatory fines or sanctions, are an input into impact and risk. If the non-compliance risk is too great, the options of avoiding the activity or breaking it into more manageable pieces are always available.
A compliance programme must be tied to overall organisational performance. The Deloitte report states that compliance executives are aware of the need to measure effectiveness, but most of them are restricted to their volume metrics because it is all they really can measure. As long as an organisation thinks that compliance is something to bolt on rather than build in, compliance is not providing value to the organisation. When employees implicitly assess compliance with every decision, there will be a positive effect on the bottom line.
There are 3 things that every employee must focus on at all times: security, risk and compliance business activities. Implicitly, we think of these in our daily lives. When we start our car, we focus on some safety issues: we ensure we have enough fuel to reach our destination, we buckle our seatbelt and we look in the mirror before pulling into traffic. We are constantly assessing risk: Should I change lanes? Should I pass the car in front of me? Should I turn now? Should I speed up or slow down? Every time we decide to speed, text while driving or not buckle our seatbelt, we have assessed our compliance options. We have implicitly decided that the probable fine associated with speeding is less than the benefit of going faster.
Employees need to unconsciously consider GRC when making every decision. Until the security, risk and compliance ethos is inculcated into the corporate culture, there will always be issues. Instead of counting incidents, the organisation should get the first line of defence to prevent them! The enterprise needs to develop a compliance culture that emphasises ‘Do the right things’. Or it can build larger and larger second and third lines of defence. Your choice.
Peter T. Davis, CISA, CISM, CGEIT, COBIT Foundation, COBIT Implementation, COBIT Assessor, COBIT INCS, CISSP, CPA, CMA, CMC, ITIL FC, ISO 9001 FC, ISO 20000 FC/LI/LA, ISO 27001 LI/LA, ISO 27005/31000 RM, ISO 27005 Lead Risk Manager, ISO 28000 FC, ISO 31000 Lead Risk Manager, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, SSGB, RESILIA FC, is the principal of Peter Davis+Associates, a management consulting firm specializing in IT governance, security and audit. He currently teaches COBIT 5 Foundation/Implementation/Assessor, ISO 27001 Foundation/Lead Implementer/Lead Auditor, ISO 31000/ISO 27005 Risk Manager (RM), ISO 20000 Foundation/Lead Implementer/Lead Auditor, ISO 22301 Foundation, ISO 9001 Foundation and Project Management Institute Risk Management Professional (PMI-RMP) courses.
1 Deloitte Risk Services, Compliance in motion: A closer look at the Corporate Sector, March 2015
2 Thomson Reuters, Cost of Compliance 2015
3 Securities and Exchange Commission, Form 8-K, United States. Perhaps some educational institution could determine whether there is a relationship between 8-K filings and money spent on compliance.