Compliance Outputs Versus Outcomes
Key Points:
- Compliance program effectiveness relates to outcomes, not outputs.
- Outcomes refer to the result and value generated from the process.
- Outputs are typically expressed in numerical terms, unlike outcomes.
- Compliance officers often fall into the trap of measuring only outputs.
- Process outputs should not outweigh the intended outcomes.
- 10 ideas for evidencing positive compliance outcomes are explored.
Surveys by Strategic Management and SAI360 found that many compliance officers remain unclear as to the difference between compliance outputs and outcome in evidencing compliance program effectiveness, and that distinction is important. The U.S. Department of Health and Human Services Office of Inspector General and the Department of Justice, when reviewing compliance programs, aim to evaluate their effectiveness. In doing so, they seek to understand the result or outcome of the program’s operations. Many organizations attempt to demonstrate this through metric data; however, most such data reflects outputs, not outcomes.
Outputs are the direct results of activities or processes. They are typically quantitative, immediate, and within the organization’s control. Examples include the number of (a) employees trained on compliance, (b) compliance audits completed, (c) parties screened for sanctions, (d) policies written or revised, and (e) hotline reports logged. While these figures are easy to quantify and report, they represent activity rather than impact. This type of data is often used in reports to leadership and the board, but its value diminishes over time if not connected to meaningful outcomes. On the other hand, outcomes are the result of process activities, effects, or changes. They focus on the actual impact of a compliance program, such as changes in behavior, reduction of risk, or improvements in performance.
Evidence of outcomes may include: (1) employee retention from compliance education and training programs over time; (2) measurable reductions in billing error rates, violations, and privacy breaches; (3) improved audit scores or regulatory compliance; (4) independent third-party surveys evidencing employee knowledge of the compliance expectations and how to report concerns without fear of retaliation; (5) program managers actively monitor their compliance risks; (6) executives are visibly proactive in identifying and mitigating risk; (7) root cause analyses of risk failures result in corrective actions that lead to lasting improvements rather than temporary fixes; (8) third-party evaluations documenting program improvements; (9) observations from internal reviews, audits or self-assessments evidencing active management and employee adherence to written guidance; and (10) positive comments from external assessors on culture of compliance, willingness to improve, and transparency in reporting and investigations.
CONCLUSION. While quantitative output metrics indicate what is happening within the compliance program, qualitative outcome evidence demonstrates whether compliance is truly embedded in the organization’s culture. Collecting such evidence requires time and deliberate effort but is essential to providing a credible assessment of compliance program effectiveness.
For more information and advice on this subject contact [email protected]. You can also keep up-to-date with Strategic Management Services by following us on LinkedIn.
