Pauline Bailly – Head of Certification at ETHIC Intelligence
CEEEC 2019 – Opatija, Croatia
April 19, 2019
KPIs and Tracking Metrics using ISO 37001
ETHIC Intelligence
What are the greatest challenges in articulating the value of an anti-bribery compliance program to the business?
No. 1 answer: Measuring compliance impacts on the business
Study conducted by ETHIC Intelligence, sample of 120 participants (Target: Chief and Compliance Officers, Legal Counsel)
Business vs. Compliance Program Objectives?
Business:
• Cost & time reduction
• Customer retention
• Profit increase
• Brand value and reputation
Compliance program:
• Program effectiveness
• Ethical values
• “Clean” profit
• Fair business practices
What needs to be measured?
• Performance and effectiveness
• Is the program truly preventing corruption?
• Is it detecting corruption effectively?
• Is it understood and accepted by all staff? (from rules to values, from procedures to behaviors)
• Is it helping my organization to conduct business more ethically?
• Does it convey a more positive image of my organization?
Why are current KPIs not helpful?
• Lack of consistency in current KPIs (examples):
  • Percentage of personnel trained
  • Number of alerts raised
  • Number of DD reports
• Lack of established best practices
• Lack of interactions between compliance programs and operations
• Lack of correlation to the business
What should KPIs address?
• How much time was saved by not having to complete DD questionnaires?
• How much money was saved by implementing due diligence on high-risk third parties?
• Was the compliance program a decisive element in some contract negotiations? In calls for tender?
• Did proving your commitment to ethical business practices increase revenue? Did my compliance program help me to close a deal?
• Did it improve my brand reputation? What are the results of marketing studies performed on the subject?
• Are employees performing better with compliance-related objectives/incentives?
The High Level Structure for ISO Management Systems Standards
In 2012, ISO decided that every ISO Standard on Management Systems (e.g. ISO 9001 Quality, …) would have:
1. Common terminology:
• Organization: person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives
• Objective: result to be achieved
• Management system: set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives
• Policies: intention and direction of an organization, as formally expressed by its top management
• Processes: set of interrelated or interacting activities which transforms inputs into outputs
2. …A common structure (10 chapters)
Each standard will add to the High Level Structure the specificities related to its sector and needs:
• ISO 9001 on Quality Management Systems
• ISO 19600 on Compliance Management Systems (2014)
• ISO 37001 on Anti-Bribery Management Systems (2016)
ISO management system standards
[Diagram: High Level Structure. Standards shown: ISO 26000, ISO 31000, ISO 19600, ISO 19011, ISO/TR 10013, ISO 37001, ISO 9001, ISO 14298, ISO 29001, ISO 2200]
Specific guidelines, for example:
• Auditing
• Documentation
Generic guidelines, for example:
• Risk management
• Social responsibility
• Compliance management (2014)
Generic standards, for example:
• Quality management
• Anti-bribery management (2016)
Sector standards, for example:
• Food safety
• Oil and gas industry
• Graphic technology
High Level Structure
▪ Identical for all ISO Management systems
Guidelines:
▪ « The organization should… »
▪ Benchmark that allows for an external audit
▪ “The Management system of Company X has been audited by Y according to ISO Z”
Standards:
▪ « The organization shall… »
▪ Benchmark that allows for external certification
▪ “Company X has been ISO Y certified by Z”
How does ISO 37001 help bridge the gap?
KPIs are at the core of any ISO management system and even more so for ISO 37001, which is the first one to introduce a risk-based approach.
1. “Appropriate”: tailored to your organization and business structure
2. “Reasonable and proportionate measures”: in setting up objectives
3. “Risk-based”: not ONE suitable KPI, but A specific KPI depending on the level of risk
ISO benchmarks … a process to continuously improve the efficiency of the management system
[Diagram: Management System cycle: 1. Plan, 2. Do, 3. Check, 4. Act. Labels: Leadership, Objectives, Targets, Policy & procedures, Controls, Improvement, New Objectives]
Business Associates
4. Risk analysis: identification of high-risk 3rd parties
5. Management commitment to push down AC requirements
6. Setting realistic objectives and defining coherent ways to measure them
7. Empowering resources: budget and compliance function
Business Associates
8. Empowering tools: DD, contract, proof of services, etc.
9. Performance evaluation: 3rd party audits, questionnaires, etc.
10.1 Dealing with wrongdoings: corrective actions and corrections
10.2 Improvement: business decisions and definition of new KPIs as the program matures
ISO 37001 Anti-Bribery Management System
• Aligns KPIs and metrics with business specificities and risks
• Allows KPIs to be updated to fit the program's maturity
• Meets management's business expectations in defining the right KPIs
• Gives a common baseline to benchmark the program
• Proves with certification that the program is appropriate
Why Proof Matters
Certification = Demonstrating proof of anti-bribery programs to outline their value to the business
1. BUILD trust with stakeholders
2. ESTABLISH credibility in the market
3. GAIN a competitive advantage
4. STABILIZE partner ecosystems
5. BECOME more efficient