Continuous improvement: The leading indicator for successful compliance programs

Building a compliance program isn't a one-and-done activity – regulators expect your program to adapt and improve on a constant basis

Gbemi Yusuff
Senior Counsel, OneTrust
January 11, 2023


No business operates in a completely static environment. The economy, competitive landscape, business environment, and customer needs change continually – so to be effective, a business must constantly adapt. That’s doubly true for the company’s ethics and compliance program, which must respond to a changing business environment as well as regulatory changes, requirements, and evolving risks.

That’s why, in a recent joint webinar with OneTrust and the Ethics and Compliance Initiative, OneTrust Senior Counsel Gbemi Yusuff stated that continuous improvement is “the number one metric for effective compliance programs.” And we’re not alone in making that statement – the DOJ’s comments throughout 2022 by Kenneth Polite and Lisa Monaco, their 2020 Evaluation of Corporate Compliance Programs, and the 2020 FCPA Resource Guide list continuous improvement as a key indicator of whether a compliance program works in practice.

So, what exactly is continuous improvement, how is it implemented, and how can it be used within your compliance program? Keep reading to find out.

Ready to evaluate your compliance programs against DOJ expectations? Download our Annual Compliance Program Checklist for a comprehensive program check-up.

What is a continuous improvement process?

Continuous improvement is a method of operationalizing improvement to processes, products, or other aspects of a business through a cycle of repeatable steps. The goal is to make significant transformation attainable through incremental shifts. Businesses use a variety of frameworks for continuous improvement, many of which overlap or have been combined in practice – these include Kaizen, Plan-Do-Check-Act, Six Sigma, and Total Quality Management.

While each of these approaches to continuous improvement has its advantages and nuances, they share a similar underlying philosophy – that significant change for the better is achievable primarily through a series of small steps, those steps should happen within a repeatable cycle, and improvement requires input from across the business, not just leadership.

Why is continuous improvement necessary for compliance programs?

Business environments, regulatory requirements, and risk landscapes are all dynamic – changing in different ways, at different speeds, and with unexpected surprises. This is the complex ecosystem that your compliance program must operate within, and in order to thrive, your program must be adaptable. Continuous improvement makes this adaptation possible, allowing you to validate what’s working and what’s not on a regular basis.

The impact that a continuous improvement process can have on your compliance program could be motivation enough to get started – but in case it’s not, perhaps encouragement from the U.S. Department of Justice is.

Hallmark 9 of the FCPA Resource Guide

The DOJ’s FCPA Resource Guide devotes a section in Chapter 5 to the Ten Hallmarks of an Effective Compliance Program that they and the SEC consider when evaluating compliance programs. Hallmark Nine is “Continuous Improvement: Periodic Testing and Review.” The FCPA Resource Guide emphasizes regular employee surveys and targeted audits as two methods for testing the effectiveness of your program and uncovering new risks. Significantly, the Resource Guide states, “undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines.”

DOJ Guidance 2020 Update

The DOJ issued an update to their Evaluation of Corporate Compliance Programs in 2020. In part, the update consisted of a new section on continuous improvement. It expands upon the FCPA Resource Guide by listing four areas where continuous improvement may have an impact:

  • Internal audit
  • Control testing
  • Evolving updates
  • Culture of compliance

The DOJ believes that compliance programs aren’t set up once and then operate successfully – instead, they must continually adapt to their circumstances through information gathering, control testing, audits, and improvements.

Board reporting

Having a continuous improvement process in place will uncover new risk areas and help you demonstrate progress – two areas that your company’s executive leadership should be aware of. The compliance team’s access to leadership, including the board of directors, is another key area of focus for regulators, so having a recurring reason to update them is a best practice.

How to use a continuous improvement process for compliance

Whether your company has a preferred approach to continuous improvement, you decide to adopt one of the methods above, or you’re starting from scratch, it’s worth keeping a few key elements in mind as you design a continuous improvement initiative:

  • Aim to achieve significant change through a series of small improvements
  • Operationalize those improvements through a cycle of repeatable steps
  • Use input from across the business, including front-line employees who are the closest to business processes

In our joint webinar with the Ethics and Compliance Initiative (ECI), OneTrust Senior Counsel Gbemi Yusuff and ECI Vice President, Research and Analytics, Evren Esen explored a few ways to implement a continuous improvement process within a corporate compliance program.

Annual plan and long-term (2-3 year) objectives

If you’re aiming for big transformation, define that goal as a long-term objective. Then, use your annual plan to identify achievable milestones that will help you get there. Esen used the example of building speak-up culture. “I think it’s important to distinguish between your plans, what are those short-term plans that you can turn around pretty quickly, versus any sort of culture change effort [which] always takes longer,” she explained. “Being able to measure those incremental changes, so that you see that the needle is moving each year, is a great metric to keep track of and to be able to report to higher management to the board.”

Measurable metrics to show progress

When you report to the board, they’ll expect you to report on your progress with data – that means tracking metrics over time. Two examples of measurable metrics are your hotline reporting rate and investigation processing time (for more, see our Compliance KPIs Worksheet). “Keeping higher management, and even employees, aware of these metrics is critical to really having that sense of a focus on ethics within your organization,” said Esen. “Because if you don’t have those metrics, then nobody knows how things are going.”

While tracking metrics gives you visibility into your progress over time, benchmarking against similar companies shows how effective your program is in comparison (and regulators increasingly expect it). Benchmarking is generally quantitative – for example, comparing your reporting rate against that of similar companies – but can also be qualitative. Consider networking events an opportunity to connect with like-minded compliance professionals and find out what they are experiencing within their own programs.

Your compliance program’s approach to continuous improvement should be uniquely suited to the realities of your business environment. You may choose an established framework, or simply define the KPIs you wish to measure and the goals you aim to achieve. Regardless of the approach you choose, it’s imperative that you set goals, measure progress, and adapt over time. Regulators expect it – and it’s essential for your continuous improvement program to be effective.

