When it comes to risk & compliance it is important to identify, collect, and monitor data of all kinds. However, what data should be collected and which is most useful? To answer this it is helpful to consider two principle meanings behind the word measure:
Measurement - Estimate or assess the extent, quality, value, or effect of something
Method - A plan or course of action taken to achieve a particular purpose
The first meaning uses the word measure to refer to measurements usually tied to values and most often the counting of things:
How many injuries did we have this year?
How many complaints did we receive?
What was the amount of green house gas emissions this year?
These are the easiest to capture and are useful to provide the status or condition of a particular risk or compliance system.
The second meaning of measure refers to a plan or course of action to achieve an effect or result. These measures or you could say methods take the form of controls to achieve specific risk & compliance objectives.
W. Edward Deming reminds us that,
“ A goal without a method is nonsense.”
Similarly, for risk & compliance – methods without measurements is also nonsense.
While it is essential to know the status of risk & compliance system it is also important to know the effectiveness of the measures that are keeping an organization operating between the lines and within a specified level of risk. These are most useful when assessing the performance of a risk & compliance program.
Measuring the effectiveness of risk & compliance controls (i.e. measures) will help to identify if the underlying systems are capable of keeping an organization in compliance today and in the future. Measures of effectiveness and performance are some of the best predictors of organizational resiliency.
Unfortunately, many organizations do not measure the effectiveness of their risk & compliance controls. Work is done but without the assurance that this work will produce the desired effect or result. These companies have measures without measures which is waste.
To reduce this waste the first step is to evaluate the effectiveness of the most critical risk & compliance controls. Effectiveness will be connected with progress towards targeted outcomes and objectives. Identifying which controls are effective will form the basis for determining which should be eliminated or improved.