What Gets Measured Gets Done: Establishing Key Risk Indicators to Measure Compliance Health

When we visit a doctor, we learn much about our health risk based on various measurements. Doctors check our blood pressure, heart rate, and cholesterol levels, and then compare them to medically determined acceptable rates. If our results are higher than the acceptable rates, doctors will advise us how to manage those rates downward to reduce our overall health risk.

Similarly, many chief risk officers today are asking department heads to establish key risk indicators for their business lines as part of a risk appetite framework. That task is pretty straightforward for business areas that are quantitatively measured, such as capital, liquidity, asset-liability management, and credit risk. But when it comes to compliance, how can risk be measured? What key risk indicators can a chief compliance officer establish to help determine the amount of compliance risk that a company is willing to assume?

This article offers an approach for determining the appropriate key risk indicators for an organization and then identifies examples of key risk indicators that chief compliance officers can consider to effectively measure compliance risk.

How to Begin

At the outset, it is important to assess the maturity of a company’s compliance program and the data that is available to measure. Consider, for example, Company A, whose compliance management system is in its early stages. Company A might choose to measure the effectiveness of its training program and its customer complaint management. The only data available to Company A might be training completion rates and complaint response volumes. Alternatively, consider Company B, whose compliance management system is more mature and includes regular testing, issue tracking and remediation, change management, and risk assessments. The types and amount of data available for Company B to measure are substantially greater than those available to Company A.

Once data availability has been assessed, the next step involves correlating the data with compliance risk. For example, training completion rates are an indicator of employee knowledge about the compliance requirements of their roles. Also, increases in customer complaints can signal process or system breakdowns, or deterioration of customer service levels. Likewise, missing target dates for issue remediation or implementation of new laws and regulations can indicate that compliance violations are continuing, the business is unable to manage compliance risk effectively, or sufficient resources are not being devoted to compliance.

Identifying Thresholds

The final step is to set numerical thresholds for the selected key risk indicators and monitor them on a regular basis. These thresholds establish the organization’s compliance risk appetite, or the amount of compliance risk that the organization believes is appropriate for its size, scope, and complexity. The thresholds will vary from company to company and will depend on a company’s attitude toward risk and aptitude for managing risk.

Exceeding these thresholds can indicate that compliance risk has increased above an acceptable level and must be managed closely to return the organization to a healthy state of compliance risk.

Examples of Key Risk Indicators

Listed below is a menu of key compliance risk indicators, by category, that a company may consider. Initially, selecting three to five key risk indicators is probably sufficient. Over time, more can be added as the process matures or more data becomes available.

Customer Complaints

Credit Disputes

Issue Tracking and Remediation

Change Management

Testing and Internal Audit

Regulatory Examinations

Policies and Procedures

As with most areas of risk — even health risk — the goal is not to eliminate compliance risk completely; such an exercise would not be feasible or productive, or even in line with regulators’ expectations. Rather, the goal is to set parameters for compliance risk that help manage and minimize risk to a level that is commensurate with an organization’s risk appetite.

Linda Iannone is the Chief Compliance Officer of Toyota Financial Services.