5 Operational Metrics to Check if Your GRC Program isn't Compliance Theatre

Everyone has a GRC program that looks great 3 weeks per year. That works for some time but once your program is out of the honeymoon phase, you need to do something about it. Here are 5 hard metrics to help you separate real GRC programs from compliance theatre:

1. Mean Time to Remediation (MTTR) 📉 Not just how many findings you have, but how fast they get FIXED. If your average remediation time is measured in geological eras instead of days, you've built a museum of vulnerabilities, not a security program. "We'll fix it after this sprint" shouldn't mean "after the heat death of the universe."
2. Cross-Team NPS Score 📊 Ask engineering, product and sales teams: "On a scale of 1-10, how much does GRC help vs. hinder your work?" If your score is close to Arctic temperatures, congratulations – you've created a program that engineers actively avoid like security awareness training from 2023.
3. Evidence Collection Automation Percentage 🤖 What percentage of your evidence is collected through APIs vs. screenshots? If you're still sending "friendly reminders" for screenshots in 2025, you're operating a digital paperwork sweatshop with slightly better coffee.
4. Risk-to-Remediation Ratio 📈 How many risks in your register have actually resulted in implemented fixes vs. eternal "monitoring until next review"? If your risk acceptance rate matches your deployment frequency, you're running an expensive vulnerability documentation service.
5. Random Audit Readiness Score 🎯 Give yourself 24 hours to produce evidence for 10 random controls without warning. Score from 0-100%. If your score is perfect during scheduled audits but drops faster than the stock market today after a random check, you've mastered compliance theatre, not security.

A GRC program can have perfect documentation and still provide very limited security value.
What must-have GRC metrics do YOU use to ensure your program delivers more than just paperwork? Let me know! #GRCEngineering #SecurityCompliance #MetricsThatMatter
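One way to compute four of the five metrics above from a findings-tracker export, written here as an added example (not the post author's code). The findings, risk register and evidence table are constructed sample data, and the freshness threshold for "ready" evidence is an assumption:

```python
from datetime import date
from random import Random

# Constructed sample data (not from the post). Dates are ISO calendar dates.
FINDINGS = [
    {"id": "F-1", "opened": date(2025, 1, 6), "closed": date(2025, 1, 20)},
    {"id": "F-2", "opened": date(2025, 1, 10), "closed": date(2025, 3, 1)},
    {"id": "F-3", "opened": date(2025, 2, 3), "closed": None},  # still open
]
RISKS = [
    {"id": "R-1", "status": "remediated"},
    {"id": "R-2", "status": "monitoring"},
    {"id": "R-3", "status": "accepted"},
    {"id": "R-4", "status": "remediated"},
]
# control id -> (collection method, days since the evidence was last refreshed)
EVIDENCE = {
    "AC-1": ("api", 2), "AC-2": ("screenshot", 40), "CM-1": ("api", 1),
    "CM-2": ("api", 5), "IR-1": ("screenshot", 200), "LOG-1": ("api", 0),
}

def mttr_days(findings, as_of):
    """Mean days from opened to closed over closed findings. Open findings are
    returned as a list of ages so they are not silently dropped from the picture."""
    closed = [(f["closed"] - f["opened"]).days for f in findings if f["closed"]]
    open_age = [(as_of - f["opened"]).days for f in findings if not f["closed"]]
    mean = sum(closed) / len(closed) if closed else None
    return mean, open_age

def evidence_automation_pct(evidence):
    """Share of controls whose evidence is pulled via API rather than screenshots."""
    auto = sum(1 for method, _ in evidence.values() if method == "api")
    return 100.0 * auto / len(evidence)

def risk_to_remediation_ratio(risks):
    """Fraction of register entries that ended in an implemented fix."""
    fixed = sum(1 for r in risks if r["status"] == "remediated")
    return fixed / len(risks)

def random_audit_readiness(evidence, sample_size, max_age_days, seed=0):
    """Pick controls without warning; a control is 'ready' only if its evidence
    exists and is no older than max_age_days (threshold is an assumption)."""
    rng = Random(seed)
    picked = rng.sample(sorted(evidence), min(sample_size, len(evidence)))
    ready = sum(1 for c in picked if evidence[c][1] <= max_age_days)
    return 100.0 * ready / len(picked)
```

Running it over the sample data gives an MTTR of 32 days with one finding open for 30 days, 66.7% API-collected evidence, a 0.5 risk-to-remediation ratio, and a readiness score that drops from 100% to 66.7% once a 30-day freshness requirement is applied.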
Compliance Program Effectiveness
Summary
Compliance program effectiveness refers to how well a company’s rules, policies, and procedures actually prevent violations and support ethical behavior in daily operations, rather than just ticking boxes for regulators. Posts highlight measuring real-world impact, ensuring clarity in roles, and building systems that support compliance when nobody’s watching.
- Assess real-world impact: Use clear metrics like remediation speed and random audit readiness to check if your compliance program is functioning beyond paperwork.
- Clarify roles and workflows: Make sure every employee understands their responsibilities and implement workflows that remove uncertainty, so doing the right thing becomes easy.
- Focus on continual improvement: Regularly revisit your policies and training, asking for feedback and adapting to new risks, so your program keeps pace with business changes.
This weekend, I was preparing a gap analysis of a Compliance program. After having experience implementing COMPLIANCE across various sectors – from state-owned enterprises and municipal and regional-owned companies to private sector organizations – I came to a clear conclusion about what is essential for an EFFECTIVE compliance program:

1. COMPETENCE ↳ An effective compliance program starts with competencies. Where does compliance risk arise? Wherever people work. To minimize that risk, we must provide employees with the knowledge and skills necessary to responsibly perform their tasks.
2. POLICY AND PROCEDURE ↳ Policies and procedures must be clearly defined. They should not only meet regulatory requirements but also help employees understand why certain behaviors are important.
3. ROLES AND RESPONSIBILITIES ↳ Every individual must clearly understand their responsibilities within the compliance framework. Clarity reduces the risk of errors and strengthens personal accountability.
4. SPEAK UP ↳ A culture where employees feel free to report irregularities or suggest improvements is crucial for strengthening the compliance program. It is easy to write this down but very challenging to achieve in practice.
5. COMMUNICATIONS ↳ Open, clear, and two-way communication about rules, expectations, and opportunities is key for effective compliance implementation.
6. CONTINUAL IMPROVEMENT ↳ Compliance is not static. The program must continually adapt to changes in the business environment and proactively prevent future irregularities.
7. BALANCE OF RISK AND GOALS ↳ To foster truly responsible behavior, organizations must balance ambitious targets with acceptable levels of risk. Excessive pressure, unrealistic expectations, and constant high stress not only undermine compliance efforts, but they also actively create an environment where mistakes, omissions, and misconduct become more likely.

And most importantly...

8. LEADERSHIP COMMITMENT ↳ When leadership actively lives and integrates all these elements – competence development, purposeful procedures, clear roles, open communication, a speak-up culture, continuous improvement, and balance of risk and goals – they demonstrate true commitment to compliance.

📌 Compliance must be a living system of values, and employees should feel it as part of their professional purpose, not as an imposed rule.

Wishing you a successful start to Compliance Week! 👋 #compliance
-
The DOJ consistently says that compliance programs should be effective, data-driven, and focused on whether employees are actually learning. Yet... The standard training "data" is literally just completion data! Imagine if I asked a revenue leader how their sales team was doing and the leader said, "100% of our sales reps came to work today." I'd be furious! How can I assess effectiveness if all I have is an attendance list?

Compliance leaders I chat with want to move to a data-driven approach but change management is hard, especially with clunky tech. Plus, it's tricky to know where to start – you often can't go from 0 to 60 in a quarter. In case this serves as inspiration, here are a few things Ethena customers are doing to make their compliance programs data-driven and learning-focused:

1. Employee-driven learning: One customer is asking, at the beginning of their code of conduct training, "Which topic do you want to learn more about?" and then offering a list. Employees get different training based on their selection... and no, "No training pls!" is not an option. The compliance team gets to see what issues are top of mind and then they can focus on those topics throughout the year.
2. Targeted training: Another customer is asking, "How confident are you raising bribery concerns in your team," and then analyzing the data based on department and country. They've identified the top 10 teams they are focusing their ABAC training and communications on, because prioritization is key.

You don't need to move from the traditional, completion-focused model to a data-driven program all at once. But take incremental steps to layer on data that surfaces risks and lets you prioritize your efforts. And your vendor should be your thought partner, not the obstacle, in this journey! I've seen Ethena's team work magic in terms of navigating concerns like PII and LMS limitations – it can be done!
-
I am the Head of Compliance. How do I know if I’ve had a good year?

It’s a question I’ve asked myself more than once—and I suspect I’m not alone. What is the metric? Is success defined by a clean regulatory record? By frictionless growth? By the absence of complaints or the presence of impressive board reports? In truth, those are surface metrics. The deeper question is: Did our compliance function calibrate risk effectively—and prove it? That’s a tougher test. Much of what we do is invisible when it’s working. Our real value lies in the structures we build, the risks we anticipate, and the governance we uphold—even when the evidence of our success is a lack of drama.

Here’s what I’ve come to believe matters most:

- Define and document your firm's risk appetite—and the rationale behind it.
- Make sure the board owns and approves it—formally and visibly.
- Ensure that the compliance function’s work aligns to the agreed risk appetite.
- Ensure every compliance process—first line or second—is auditable, defendable, and aligned to that appetite. (And you need the right tools to allow that to happen – it's why we are in business.)

Because true compliance leadership isn’t just about avoiding enforcement. It’s about building confidence in decision-making. Creating clarity amid ambiguity. And enabling the business to grow—safely. And yes, that’s hard. But it’s also what makes it valuable.

#ComplianceLeadership #Governance #RiskManagement #RegTech #ComplianceExcellence
-
If compliance only works when leadership is watching, it isn’t compliance. It’s supervision. Real compliance holds on busy shifts. On weekends. When staffing is short. When pressure is high. That’s where most programs quietly break. Not because staff don’t care. Not because training failed. But because the system underneath the work was never built to support the behavior being expected. When ownership isn’t clear, staff are forced to guess. When workflows aren’t standardized, shortcuts become survival. And when leadership signals shift, so does compliance. High-performing facilities don’t chase behavior. They stabilize expectations. They design workflows that remove uncertainty. They make the right action the easiest action. This cheatsheet breaks down the three layers of infection control compliance most leaders skip and later pay for. Use it to see whether compliance in your building is being supported or simply assumed. Because surveyors don’t audit intentions. They trace systems. Save this. Share it with a leader responsible for safety beyond the checklist. Repost to help another organization build compliance that holds under pressure. Follow Joi A. McMillon BSN-MBA HA-CRRN-WCC-HACP-CMS-CIC- AL-CIP for daily infection-control systems that strengthen every shift.
-
Risk-based compliance vs checklist compliance

Many organisations approach compliance as a checklist exercise. Policies created. Training completed. Forms signed. Boxes ticked. On paper, everything looks compliant. But effective compliance is not about ticking boxes. It is about understanding risk. A checklist approach often focuses on completing required tasks without asking the more important question: Does this actually reduce our risk?

A risk-based approach looks very different. It focuses on:

- understanding how the business actually operates
- identifying where real exposure exists
- prioritising controls where risk is highest
- adapting controls as risks evolve
- ensuring compliance efforts deliver real protection

This distinction is becoming increasingly important across many regulatory environments — particularly in areas such as AML/CTF, fraud prevention, governance, and financial crime risk management. Regulators increasingly expect organisations to demonstrate that they understand their risks, not simply that they have documentation. In practice, the organisations that manage risk most effectively are not the ones with the longest compliance manuals. They are the ones where compliance is embedded in decision-making and business operations. Because when compliance becomes risk-driven rather than checklist-driven, it moves from being a regulatory burden to becoming part of good governance and effective management.

Question for compliance and governance professionals: Where do you think organisations most commonly struggle when moving from checklist compliance to a risk-based approach?

- understanding their real risk exposure
- leadership engagement with compliance
- integrating compliance into business operations
- over-reliance on templates and documentation

Interested to hear others’ experiences.