When we visit a doctor, we learn much about our health risk based on various measurements. Doctors check our blood pressure, heart rate, and cholesterol levels, and then compare them to medically determined acceptable rates. If our results are higher than the acceptable rates, doctors will advise us how to manage those rates downward to reduce our overall health risk.
Similarly, many chief risk officers today are asking department heads to establish key risk indicators for their business lines as part of a risk appetite framework. That task is pretty straightforward for business areas that are quantitatively measured, such as capital, liquidity, asset-liability management, and credit risk. But when it comes to compliance, how can risk be measured? What are key risk indicators a chief compliance officer can establish to help determine the amount of compliance risk that a company is willing to assume?
This article offers an approach for determining the appropriate key risk indicators for an organization and then identifies examples of key risk indicators that chief compliance officers can consider to effectively measure compliance risk.
How to Begin
At the outset, it is important to assess the maturity of a company’s compliance program and the data that is available to measure. Consider, for example, Company A whose compliance management system is in its early stages. Company A might choose to measure the effectiveness of its training program and customer complaint management. The only data that might be available to Company A would be training completion rates and complaint response volumes. Alternatively, consider Company B whose compliance management system is more mature and includes regular testing, issue tracking and remediation, change management, and risk assessments. The types and amount of data available for Company B to measure are substantially greater than Company A.
Once data availability has been assessed, the next step involves correlating the data with compliance risk. For example, training completion rates are an indicator of employee knowledge about the compliance requirements of their roles. Also, increases in customer complaints can signal process or system breakdowns, or deterioration of customer service levels. Likewise, missing target dates for issue remediation or implementation of new laws and regulations can indicate that compliance violations are continuing, the business is unable to manage compliance risk effectively, or sufficient resources are not being devoted to compliance.
The final step is to set numerical thresholds for the selected key risk indicators and monitor them on a regular basis. These thresholds establish the organization’s compliance risk appetite, or the amount of compliance risk that the organization believes is appropriate for its size, scope, and complexity. The thresholds will vary from company to company and will depend on a company’s attitude toward risk and aptitude for managing risk.
Exceeding these thresholds can indicate that compliance risk has increased above an acceptable level and must be managed closely to return the organization to a healthy state of compliance risk.
Examples of Key Risk Indicators
Listed below is a menu of key compliance risk indicators, by category, that a company may consider. Initially, selecting three to five key risk indicators is probably sufficient. Over time, more can be added as the process matures or more data becomes available.
- % of employees who complete their required annual compliance training
- % of employees who pass the assessment on the first try
- % increase in number of customer complaints
- % increase in number of customer complaints in high-risk categories
- % of customer complaints responded to by the prescribed due date
- % increase in credit disputes
- Number of credit disputes not responded to within 30 days
Issue Tracking and Remediation
- % increase in high risk compliance issues
- % of compliance issues remediated within the target timeframe
- % of change management items implemented after the effective date of the law or regulation change
Testing and Internal Audit
- % increase in high-risk testing or internal audit findings
- % of repeat testing findings
- % of repeat internal audit findings
- % increase in high-risk examination findings
- % of repeat regulatory examination findings
- % increase in privacy incidents or breaches
- % increase in the number of customers impacted by a privacy incident or breach
- % of privacy incidents or breaches resolved in a timely manner
Policies and Procedures
- Completion of annual review of compliance policies
As with most areas of risk — even health risk — the goal is not to eliminate compliance risk completely; such an exercise would not be feasible or productive, or even in line with regulators’ expectations. Rather, the goal is to set parameters for compliance risk that help manage and minimize risk to a level that is commensurate with an organization’s risk appetite.
Linda Iannone is the Chief Compliance Officer of Toyota Financial Services.