Companies have used “key performance indicators” for years to track data that can help measure progress toward whatever goals a company has. And as compliance and risk management have risen to be primary corporate goals, so have compliance- and risk-related KPIs.

“In the last year, much more attention has been paid to how to operationalize compliance,” explains Sean Kracklauer, director of the Sarbanes-Oxley compliance practice at the Hackett Group, a consulting firm.

Specifically, he says, as more and more companies complete their second year of SOX compliance, they want metrics better able to help them understand where they can reduce overall compliance costs. Companies are studying elements of their controls environment such as the number and composition of processes, as well as the mix of preventative and automated controls as a percentage of total key controls. The goal: a simpler, stronger subset of their current controls framework. “Companies are using KPIs for internal comparisons, which help them with this evaluation,” Kracklauer says.

Another group neck-deep in compliance KPIs is the Open Compliance & Ethics Group, which will soon publish a 68-page guide to creating metrics for compliance and ethics programs. The OCEG paper says companies must measure their ability to achieve program objectives, and should evaluate their processes and practices according to effectiveness, efficiency and responsiveness. This reporting would describe the health of the company and its ability to achieve optimum performance.

Well-chosen indicators and metrics illuminate “how [a company] measures success to everyone in the organization,” according to a draft of the forthcoming guidance. “Using accurate, timely data on program performance, managers know whether what they are doing is achieving the universal and specific program objectives.”

Typically, compliance- and risk-related KPIs are created from thresholds of some particular risk within the organization—indeed, some experts now prefer the term “key risk indicators” since noncompliance with regulations is a bona fide business risk these days. A common technology tool for compliance KPIs is the executive dashboard, which senior executives and board directors can use to monitor these indicators, Kracklauer explains.

The dashboard frequently comes in the form of a heat map, which shows where each indicator stands. Some of the data is tracked weekly, some monthly, and some quarterly. “Part of the challenge is figuring out what is most relevant because there is so much activity going on,” explains Michael Rost, vice president of marketing with Paisley Consulting.

What To Monitor

External benchmarks to help companies gauge their compliance performance are still hard to find. Experts say companies can examine ratios such as what peer companies are spending per $1 billion in revenue on, say, compliance, documentation or testing. That at least gives executives a sense of whether they are spending the right amount on functions such as external audits.

Otherwise, most companies are monitoring their internal controls. The trick, however, is to identify only the critical controls that need attention. Rost says many companies typically try to monitor the 15 or 20 internal controls most critical to their organizations. “Beyond that, there are too many variables to track,” he says. “You should be able to identify the top ones.”

One key control that many companies monitor is a requirement under Sarbanes-Oxley that the individual who receives an invoice does not wind up being the person who pays the invoice. This is a critical type of conflict of interest, or segregation of duties, issue that SOX aims to avoid.

Many companies also monitor their three-way matching with their ERP system. “This is to make sure they are not paying something without the proper purchase order requisition,” says Brian Cleary, vice president of marketing for OpenPages, a maker of governance software.

Kracklauer at the Hackett Group gives the example of monitoring purchase orders to assure that anything over, say, $10,000, is correctly routed through a company’s ERP software system for approval—the larger the amount, the more senior the executive who approves it. Confirming that control, he says, “requires going back to the purchase order requisition and validating through the workflow history that the purchase order was approved by someone at the appropriate level.”

Companies also monitor financial reporting using KPIs, such as how close they come to meeting a self-imposed deadline to close the books within a certain number of days. Still others track how quickly a material event is elevated to the senior team so that it can be disclosed to the market. (Unfortunately, Kracklauer says, “most companies are not there.”)

Exception rates—how often something abnormal crops up—can be measured by dividing the number of deficiencies by the total number of key controls. Kracklauer estimates that an average exception rate for companies in the initial year of Section 404 compliance is 2 to 4 percent, and typically drops in subsequent years.

Some companies are specifically tracking fraud in their accounts payable operations. Rost at Paisley Consulting notes that they may track new account setups and flag every time credit is extended over a certain threshold.

Beyond SOX: What Else To Monitor

Many companies track much more than SOX-related compliance requirements. Some companies track compliance obligations under the Patriot Act, Rost says, since it requires many companies to perform certain checks and inspections of certain activities. For example, the law forbids corporations from doing business with a long list of questionable vendors.

Other companies have instituted KPIs for security and IT governance. Banks and broker-dealers face the most stringent requirements, usually from the Federal Reserve Bank as well as securities regulators, Rost says. “The nice thing is that a lot of it is data- or event-driven,” he adds. Banks also develop KPIs as checks against money laundering, privacy policies and fair lending practices. Still other industries must worry about health information under HIPAA or proper use of consumer data.

“From a compliance standpoint, which indicators are relevant, leading or lagging depends upon the organization,” Rost says.