Compliance program performance metrics: How to measure compliance

Which compliance KPIs to measure, how to know your program is working, and how to track improvement over time

Kelly Maxwell
Content Marketing Specialist, OneTrust
September 7, 2022

Stack of multi-colored shipping containers

A company that measures compliance effectively can prevent reputational damage, protect the bottom line, and potentially avoid costly fines and enforcement actions – all by arming itself with the right compliance program performance metrics. But in a data-driven world, it is easy to get overwhelmed by the sheer volume of numbers at our fingertips. We are regularly inundated with metrics, so determining what really matters ends up being equal parts art and science.

As compliance becomes compulsory in our rapidly evolving and regulated business landscape, how do you measure your organization’s compliance effectiveness? Read on to learn more about how to make your data do the heavy lifting for you and your compliance initiatives.

Why tracking compliance program performance is essential

The U.S. Department of Justice (DOJ) Criminal Division updated their Evaluation of Corporate Compliance Programs guidelines in June 2020 – and the update emphasizes that compliance teams need to know whether their program is working.

The DOJ’s Corporate Compliance Programs guidance includes three questions that prosecutors should ask when investigating a company: 

  • Is the organization’s compliance program well-designed?
  • Is the program being applied earnestly and in good faith, e.g. is it being implemented effectively?
  • Does the program work in practice?

Keep these three questions top of mind to not only set your compliance initiatives up for success, but to prevent any costly legal consequences. In particular, compliance officers at companies that are under a monitorship or corporate resolution should pay close attention to the first question, as the DOJ revealed in 2022 that they will require CCOs and CEOs to certify that their program is well-designed at the close of the monitorship.

The DOJ’s updated guidance also includes two sentences that deserve special attention:

  • Have the policies and procedures been published in a searchable format for easy reference?
  • Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?

Not only does this guidance emphasize the importance of your internal policies and procedures, but it also calls out compliance program performance metrics – specifically, which policies are garnering employee engagement. If employees are engaging with your policies, but you don’t have the data to prove it, as far as the DOJ is concerned, your compliance efforts fall short and may be subject to further scrutiny. Measuring your organization’s compliance effectiveness is more than checking off boxes in an extensive list of guidelines; it is about taking the time to make sure that your compliance program is structured to measure what matters most.

How do you measure your organization’s compliance effectiveness?

Compliance metrics come from many potential sources – culture surveys, risk assessments, disclosures, and your helpline, to name a few. With the right compliance management tools, you can view a substantial amount of that vital data in centralized dashboards. But without a strategy or knowing which compliance program performance metrics you’re trying to measure, the raw data can be overwhelming.

Start by identifying your compliance KPIs.

What are compliance KPIs?

Key performance indicators – aka KPIs – are the data points or metrics that indicate how well your team or organization is performing at key initiatives. Compliance KPIs can measure employee engagement and awareness of your compliance program, how well your organization complies with local, national, and global regulations, and ethical decision-making throughout the workforce.

How do you measure compliance KPIs?

Your compliance tech platforms – for example, your hotline, disclosure manager, policy manager, and compliance portal – should each provide you with rich data, and ideally each of these platforms connects to the others in one holistic dashboard. The most sophisticated compliance measurement platforms incorporate HR data and other inputs to provide a complete picture of risk across the organization.


Screenshot of onetrust platform showing message from chief compliance officer


What if you don’t have access to a dedicated compliance measurement platform? While manual spreadsheets can be time-consuming and lack real-time data, they’re better than nothing. If you are using a manual process to track KPIs, import updated numbers on a regular basis and maintain your records over an extended period so you can track your program’s progress.

Which compliance KPIs should you measure?

The most important KPIs are the ones that track directly to your program’s goals – but you may have to dig a little deeper than the obvious compliance metrics like policy attestation rate or reporting rate.

For example, if your goal is to increase awareness of your helpline and code of conduct, are you tracking how many times the code is viewed, or how many reports are submitted outside of awareness campaign cycles? What about the number of clicks or interactions within your interactive code of conduct? (Hint: you should be. The DOJ included this question in their most recent guidance for corporate compliance programs.) If your goal is to overcome reporting reluctance, are you comparing the intake rate across different intake channels like open-door versus anonymous online reports?

Our Compliance KPIs Worksheet contains many more suggested KPIs for you to measure. Throughout the process of completing it, you’ll identify which data you already have access to, and what it can tell you about how effective your compliance program is. Here’s a preview of some of the compliance measures you’ll explore:

Compliance KPIs to measure compliance program performance:

  • Number of times and how often code and policies are reviewed and/or updated
  • Number and nature of code and policy violations
  • Culture surveys and knowledge assessments results
  • Training reach, medium, frequency, and completion rates
  • Reach, medium, frequency, and engagement rates of compliance communications
  • Training program update rates
  • Post-training test results
  • Number and nature of incidents by employees who have completed training
  • Reporting rates, known and anonymous/1000 employees by reporting channel
  • Retaliation report trends, including the number of reports of retaliation

How to choose which compliance KPIs to prioritize

First, you have to understand what data you currently have access to. There are sources of rich, untapped data in your HR department, sales team, and more that your compliance program can use to gain deeper insights into issues like cultural health, brand reputation, and silent retaliation.

Then, you can put each data point in context – both to understand how to interpret it, and to evaluate how relevant it is to your compliance program’s goals and your regulatory requirements. These insights empower you to more effectively allocate resources, tell a more compelling compliance story to your Board of Directors, and ultimately achieve a healthier and more ethical culture.

Use our Compliance KPIs worksheet as a health check on your current data analysis and compare results with your teammates. You may be surprised to find that compliance-adjacent roles have access to different data than you do or are layering data in ways you hadn’t considered to create a more holistic risk profile.

Tracking compliance performance over time

The rise in stakeholder capitalism means that regulators, employees, and customers demand more from the companies they regularly interact with. But when measuring something as multifaceted as the ethical health of your organization, how do you treat your KPIs with the respect and attention they deserve?

Reveal your organization’s biggest compliance strengths and weaknesses by tracking improvement over time, using the same set of benchmarks. Over the long term, you can measure exactly how much progress your focus and cross-departmental energy has brought about.

Use our Compliance KPIs worksheet to conduct a health audit and data analysis for your organization. Compare your results to other compliance-adjacent roles at your company and develop a plan of action for all your organization’s data.

You may also like


Ethics Program Management

Ethics Exchange: Third-party applications and ephemeral apps

Learn practical advice on how to navigate the risks of ephemeral apps and employee privacy in BYOD world.

November 09, 2023

Learn more


Speak-Up Program Management

Navigating the EU Whistleblower Protection Directive: New rules, new risks

Join our expert-led webinar where we explore the EU Whistleblower Protection Directive and practical steps towards compliance. 

November 02, 2023

Learn more


Ethics Program Management

Ethics Exchange: Risk assessments

Join our risk assessments experts as we discuss best practices, program templates, and how provide an assessment that provides the best value for your organization.

October 25, 2023

Learn more