A lot of credit for equating managing with math goes to the late Peter Drucker, pictured left. “What gets measured gets managed,” he said, and “If you can’t measure it, you can’t improve it.” Those pithy quotes launched a thousand quantitative b-school courses.
If management is about math, what does that mean for managing compliance? Put another way, can we measure compliance?
Well, we can measure elements of compliance programs. And we can use those measurements to make assumptions about compliance itself.
Take training. Managers at Acme Energy Company can measure how many (what percentage of) employees receive annual compliance training. Acme managers can also measure how educationally effective the training is by testing trainees. Using those measurements, Acme’s compliance managers can adjust who gets trained and how.
What the managers aren’t measuring, of course, and can’t, is the trainees’ intent. Do all intend to practice what they’ve learned? What might happen when they face real-world choices whether to comply or cheat?
We can’t measure intent because it’s invisible and instantly changeable. Nonetheless, measuring the frequency and effectiveness of training can lead to reasonable assumptions about intent. We can assume, for example, that adequately trained employees will be more inclined to comply and less inclined to cheat. Why? Because they’re more aware of compliance requirements and adverse outcomes if caught cheating, such as losing their jobs or ending up in jail.
Let’s take the next step. If Acme Energy doesn’t detect any compliance problems, should we measure its compliance program as 100 percent effective? We can’t do that. Because if there’s a compliance problem, we wouldn’t say the compliance program is zero percent effective. That doesn’t logically follow. And fortunately, that’s not how the DOJ and SEC look at it.
The U.S. Sentencing Guidelines at Chapter 8 (which flow into the DOJ’s Justice Manual and the DOJ-SEC FCPA Resource Guide) encourage compliance managers to use measurements but don’t specify how. “The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program . . . by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.” (My italics)
How can we know if training is effective? As we talked about above, by measuring both participation and educational outcomes.
What about unmeasurable “intent”? The Sentencing Guidelines may still credit a program even if there’s a compliance problem — up to a point. Failing to prevent or detect one offense doesn’t necessarily mean the compliance program isn’t effective, according to the guidelines. On the other hand, “recurrence of similar misconduct creates doubt regarding whether the organization took reasonable steps to meet the requirements of this guideline.” (My italics)
The problem of unmeasurable intent aside, compliance leaders can and should measure their programs wherever possible. Budgets should translate into appropriate resources. Headcounts should result in deployment of adequate expertise. Training should achieve effective results.
What’s appropriate/adequate/effective? It’s partly what compliance managers can defend and partly what the feds say it is. That’s a double tautology, I know, and not too helpful.
Still, sometimes measurement is pure math. Other times — as with compliance programs — measurement is math plus professional judgment, plus benchmarking, plus real-world outcomes, plus external expectations.
What’s that mean? Don’t stop measuring.