Lao Tzu famously said, “The journey of a thousand miles begins with one step.” One of the biggest challenges found in trying to start a metrics and monitoring program is that it is so easy to get overwhelmed. In this blog, which is the last in our series, we’ll explore how to set up a metrics program intelligently, and in a sustainable fashion. We’ll also deal with objections and excuses, and find ways of pushing through fear and feet dragging to get where we need to go.
This is Part 9 of our series. If you haven’t read Part 1, I recommend you go back and start there, as it sets the stage regarding why certain metrics should be chosen. We’ve already explored metrics that can be used with policies and procedures, which can be found HERE, monitoring and auditing, which can be found HERE, training, which can be found HERE, third-party risk management, which can be found HERE, governance, which can be found HERE, communications and tone from the top, which can be found HERE, and risk assessment, which can be found HERE.
Dealing with Excuses and Objections
It’s easy to find an excuse not to collect and analyze metrics. Here are four common objections and how to overcome them.
I don’t know where to start!
Start slowly. No really. Pick three to five metrics, tops, to begin. Some people get so excited about next-level metrics and tracking the effectiveness of their program that they pick 16 metrics to track. Inevitably that becomes overwhelming, which leads to a failure to collect the metrics on a regular basis.
Most people find it best to start with some basic metrics. This may include training completion rates, number of calls to the whistle-blower hotline, and number of substantiated cases. Will these metrics tell you about the effectiveness of your program in the same way that more advanced metrics will? Of course not. But it is MUCH better to start somewhere and improve over time than not to start at all.
I don’t have the budget!
Programs that are already in place may give information if you use them correctly. Do you have a due diligence platform? A whistle-blower hotline? A case management system? These can all be used to create reports. Call up your representative and make sure that you know how to use the information aggregating and report generating functions in the most expansive way.
You can also engage with other functions to piggy-back on their systems to gather information. Many of the ways of gathering information – such as through surveys or through testing key controls – are already being performed by other departments. Perhaps HR keeps the engagement survey results or conducts exit interviews? Do they have any questions that relate to the compliance program, and if not, can they include a few questions? Make sure they hand them over to you each year so you can do your analysis.
You don’t need fancy tools to collect the information. You can use Excel spreadsheets and emails to gather and analyze information. Use what you’ve got.
I don’t want to report my metrics – they’ll make me look bad!
Some people don’t want to track metrics because they are afraid that the results will make it look like they’re failing at their job. Remember – a compliance program is never going to be finished. Continuing improvement is the name of the game. If every metric showed 100% accomplishment, you wouldn’t be telling the truth. Remind yourself and others that all compliance programs are always work in progress.
Also – you don’t need to report the tiny little details of every metric to the management. And if you do, don’t worry about looking bad because you’ll put everyone to sleep before you finish! Focus on delivering a high-level analysis of the metrics, which should include upward or downward trends, how your program has improved, and where your program needs more resources or support from management.
How to Execute
Motivation is great, but execution is the key to getting things done. To get your metrics program off the ground, first, determine exactly which metrics you want to collect. Be sure to ask yourself why you are collecting each metrics. Good metrics tell the story of your program and help to reveal trends that will help you to target the areas of your program that need improvement.
Next, determine exactly how you will obtain the information. I recommend avoiding metrics that rely on other people’s help. There’s a big difference between asking HR to see the results of the engagement survey, versus relying on IT to obtain information about how many people clicked on compliance-related policies each quarter. Do your best to control your own destiny by choosing metrics that you can control. If you’re going to use someone else’s information, make sure they are already collecting it for their own purposes.
Lastly, determine the schedule on which the metrics will be obtained, analyzed and reported on. Will you gather all metrics monthly? Quarterly? Some but not all annually? Decide when you’re going to obtain the metrics, the amount of time you will allocate to analysis, and how often and in what form/forum you will report on them to management.
You can do it!
Gathering metrics that matter can be a big project. However, there is no more effective way to monitor the health of your program than to gather and analyze information that you can use to diagnose problems early. Good metrics will let you spot problem areas quickly, and help you to allocate resources in the most risk-based and cost-effective way.
Start today, and use the examples in our series to get you started. By
implementing metrics that matter, you can have a much more effective compliance program.