The compliance officer who cannot evaluate the effectiveness of their own programme is not managing a programme — they are maintaining one.
The compliance officer spends considerable effort measuring aspects of the compliance programme: training completion, case volumes, risk assessment coverage, third-party due diligence completion rates. These metrics are operational — they tell the compliance officer whether specific processes are running. They do not, individually or collectively, answer the question that matters most: is the compliance programme actually reducing the organisation's integrity risk?
The unwillingness to ask this question directly — to construct an honest assessment of whether the programme is working, rather than whether it is running — is one of the most common and most consequential blind spots in compliance function management. It is understandable. The question is uncomfortable. A thorough self-assessment may reveal that significant investment has produced limited impact in the areas of greatest risk. It may reveal that the metrics being reported to governance look good while the underlying culture does not support them. It may reveal that the compliance function's credibility with the business is lower than assumed.
But the compliance officer who does not perform this self-assessment regularly — honestly, rigorously, and with a willingness to act on what it reveals — is not providing the governance bodies they report to with an accurate picture of the programme's effectiveness. And they are not giving themselves the information they need to make the programme better.
Four questions that generate the analytical content governance needs.
The first question is whether the programme is addressing the right risks. The answer requires mapping the programme's current coverage — the risks addressed by training, monitoring, controls, and due diligence — against the compliance risk assessment. Where the risk assessment identifies significant exposures that the programme does not adequately address, the gap is a programme design issue. Where coverage is concentrated in areas that the risk assessment does not identify as priorities, resources are being misallocated. Neither situation is unusual, and both are fixable once identified.
The second question is whether the controls are functioning as designed. A control that exists on paper but is not applied consistently is not a functioning control. Answering this question requires testing — checking whether approval processes are being followed, whether due diligence is being conducted on the parties it is designed to cover, whether the speak-up channel is being used in the way the culture assessment would suggest it should be, whether training is changing behaviour rather than only generating completion records. Testing controls requires access to operational data that the compliance function must build relationships to obtain.
The third question is whether the culture is moving in the right direction. Culture measurement is the most difficult component of the self-assessment because the data is least amenable to quantitative analysis. But the question can be approached through a combination of indicators: speak-up channel usage patterns and the quality of concerns raised; the results of engagement surveys and exit interviews analysed for compliance-relevant signals; direct conversations with employees at multiple levels about what the compliance function is perceived to do and whether it is perceived to be effective; and the patterns of behaviour that the training assessment and monitoring processes reveal.
The fourth question is whether the programme is improving over time. This is the benchmarking dimension: comparing current performance against historical performance on the same indicators, identifying which areas have strengthened and which have not, and asking honestly whether the programme has developed in response to the organisation's evolving risk environment or whether it has simply repeated the same activities in the same way for another year.
The most useful document a compliance officer can produce annually is not the governance report that describes the programme's activities. It is the honest internal assessment that answers the question: what do we know, from the evidence available, about whether this programme is actually reducing our integrity risk? That document need not be shared with governance in its raw form — but it should inform everything the governance report contains. A governance report that does not rest on this kind of honest internal assessment is a reporting exercise, not a compliance evaluation.
The assessment is only as valuable as the decisions it produces.
The self-assessment that identifies gaps in the programme is useful only if those gaps are translated into changes in the programme. This requires the compliance officer to be honest with themselves about what the assessment reveals — including findings that reflect on the function's own performance, not only on the organisation's behaviour — and to act on those findings with the same rigour they would apply to findings about any other aspect of the compliance framework.
It also requires the compliance officer to communicate the findings to governance with sufficient honesty to allow governance to make informed decisions about the programme. The governance report that presents only positive metrics, that manages uncomfortable findings out of the narrative, and that consistently characterises the programme as performing well provides governance with a picture that cannot support meaningful oversight. Governance bodies that receive only good news from the compliance function are governance bodies that have been deprived of the information they need to exercise their oversight responsibility.
This article reflects the compliance advisory perspective of Compliance House and is intended for informational purposes. It does not constitute legal advice. Organisations seeking specific guidance should consult qualified counsel in the relevant jurisdiction.