Evaluate Organizational Health through Metrics and Benchmarking
Expert Insight from George K. Campbell
Hotlines are a key tool used to monitor and measure the health of an
organization. George Campbell is the author of Measures in Corporate Security:
A Workbook for Assessing Performance & Demonstrating the Value of
Corporate Security Functions. We’ve asked the metrics expert to
provide insight into using metrics and benchmarking information to evaluate
the effectiveness of compliance programs.
Q: Based on your expertise and experience, how do you define
benchmarking?
A: Benchmarking is a relative term. In benchmarking
there are two extremes. One is the classical benchmarking study where
you consult volumes of information, seeking best practices from a variety
of sources, and then compare them to your own organizational services.
It’s an incredibly extensive, expensive and long-term proposition.
On the other, significantly simpler, end of the spectrum, you engage several
colleagues from other companies, ask them for comparative data on the
services you seek to evaluate and then record the results to yield your
standing in the group. It’s important to make a distinction between
the very rigorous business-centric process where you go out into multiple
industries and search for best practices as opposed to simply doing comparative
data analysis on one or a few particular factors.
Q: Why should organizations use metrics?
A: I don’t know how an organization can manage
any function without looking at metrics. It’s fundamental to tracking
and assessing your progress toward your planned objectives. If you have
a compliance program or internal investigations, there are multiple results
that can be tracked to protect the investments you’re making in
those activities. If senior management has allocated a significant amount
of resources they will want to see the results, because their goal is
to increase profit. Compliance programs have metrics that are increasingly
critical as a result of Sarbanes-Oxley standards.
Q: What advice do you have for organizations when first reviewing
new benchmarking information?
A: A warning sign for any organization is when benchmarking
measures and metrics are taken at face value and insufficiently analyzed.
Many people are tempted to put some numbers together, put a graph up
and say, "Here’s the current situation," on whatever
topic they may be discussing without going into a strong, objective analysis
of what these numbers mean. People tend to take the numbers at face value
and draw simple conclusions without really drilling down.
Q: How do you view the roles of the Chief Security Officer,
Compliance Officer and Ethics Officer? What are their responsibilities?
A: We can be accused of being the constant deliverer
of bad news, but part of our job is to know what data to watch, whether
good or bad, and glean meaning from it. It is increasingly imperative
that these key governance functions consistently maintain a database
that tells senior management if we’re healthy as an organization
or if some trends suggest we’re becoming less healthy. But don’t
rush into the chairman with a graph that shows a spike in hotline call
volume and make a judgment that, "There’s something terribly
wrong here." They will want rigorous analysis around the potential
causes of the issue. They will want information as to why there is a
problem and what they should do about it.
On a quarterly and annual basis, I would provide senior management with
metrics on areas we track and address specific issues I know are hot
buttons for each of them. Take, for instance, problems with information
security regarding viruses, the amount of downtime for critical systems
or increases in incidents of identity theft. In some cases senior management
does not know what they should look for. It is then my duty to alert
them to such issues, because the business integrity issues that are left
alone can leave an organization in harm's way and at a competitive disadvantage.
Q: We often engage in discussions about business integrity issues
and the effectiveness of compliance programs. What are some best practices
you could share?
A: You’re measuring the health of an organization
by looking at the metrics provided by your hotline call data. The confidentiality
of the information allows you to have a large and diverse database. If
I were attempting to do a simple benchmarking exercise looking at the
trends in internal misconduct cases or other confidential integrity issues,
it would be justifiably difficult to get my colleagues to share this
competitively sensitive information.
The benchmarking information from The Network and the CSO Executive
Council, on the other hand, represents one of the very few databases
that you can look at without knowing the identities of the sample. From
a comparative point of view, this is an incredibly useful database. It
can help us understand how we compare with regard to key reputation risk
issues and suggest the need for new programs or reinforcement of those
in place.
There’s a whole set of best practices wrapped around having an
organizational culture that reinforces good conduct. Let’s discuss
four of those best practices: analyzing the data, interdepartmental collaboration,
lessons learned and communication.
Best Practice - Analysis
Having run the hotline in our company, I know that a large percentage
of calls tend to be HR related. Isn’t it interesting that we see
spikes in calls of this nature around annual review time? Having the
data and being able to drill down to figure out why there’s an
abnormality in this area of compliance or around our hotline is incredibly
valuable.
What does it mean if there are twice as many issues as last year? I
could draw the conclusion that people feel safe to use this anonymous
vehicle to report concerns that are obviously very serious to them. Perhaps
a new communications initiative provoked a spike in call volume, indicating
the organization has a culture that reinforces good conduct where communication
was frequent and top-down support from management was apparent.
There could be other motivations as well. The union environment could
have a group who, during a grievance time, decide: “We’re
just going to overflow this hotline; we’re going to make things
look like the sky is falling.” So, these metrics can be manipulated.
It’s imperative that you drill down to understand benchmarking
data and not take the information at face value.
With issues of integrity, you cannot take the data at face value. Instead,
you need to review information within the broader picture of comparative
benchmarking. There’s incredible value here, a picture that you
wouldn’t otherwise have if you weren’t watching and only
trying to understand what the numbers mean.
Best Practice - Interdepartmental Collaboration
Let’s examine how different departments within an organization
might view the issue of fraud from different perspectives: Ethics, Security
and Legal. These people are in a unique position to advise senior management
regarding these issues. However, if they aren’t talking to one
another, simply looking from their own unique perch, they are not in
a good position to understand issues of honesty and integrity. The exchange
among these governance colleagues yields a 1 + 1 = 3.
For example, in a situation where proprietary information was leaked,
the Legal Department may not want the issue to get out, because it’s
a liability matter. But Ethics and Security may feel the issue needs
to take the risk of disclosure. If the issue wasn’t properly addressed
and later exposed, liability could be maximized.
Legal, HR, Security, Audit, Compliance and Ethics all have a strong
stake in corporate integrity and honesty issues. They all bring unique
perspectives and data to the table. When these perspectives and data
are considered together, that collaboration provides a much clearer picture
on the roots (not just symptoms) of risk and its alternative solutions.
Each angle makes a richer picture of what’s going on in the company.
Best Practice - Post-Incident Review
Another best practice is the incident post mortem process. OK, it’s
happened and we’ve dealt with it. What are the lessons learned?
What caused this incident? After an issue has been identified and addressed,
do you dissect the event afterward and identify the vulnerabilities that
contributed to the incident? Do you have a plan for sharing the lessons
learned within your organization? Get the various players together and
deal with issues proactively rather than reactively by communicating
expected values and behaviors with employees and demonstrating top-down
support by management.
Best Practice - Communication & Awareness
If there is a benchmark of an organization that is or has been in serious
reputational trouble, it is a lack of management attention on setting
expectations around honesty and integrity. Organizations must make people
aware of these expectations on Day One and reinforce them with action
at every opportunity. Supervisors model the behavior, performance reviews
reward integrity, managers have low tolerance for misbehavior, messengers
of bad news are supported, and it is safe to use both open and anonymous
lines of communication to report suspected problems. This is a healthy
culture that reinforces good conduct.
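The "Analysis" best practice above argues that a headline such as "twice as many hotline calls as last year" says nothing until you drill down by month and category. The script below is an added example written for this page, not material from Campbell's workbook or from The Network; the call counts and the category names (HR, Fraud, Safety) are constructed to mirror the HR-related spike around annual review time that the interview describes. It computes the raw year-over-year ratio, flags the months driving it against the prior year's median month, recomputes the ratio with those months removed, and shows which category dominates each spike, which is the analysis a governance function would put in front of senior management instead of the bare graph.

```python
from statistics import median

# Constructed sample data (not from the interview): calls per month, by category.
# Category labels are hypothetical. The prior year is a flat baseline of 4 calls
# a month; the current year is identical except for a spike in months 3 and 4,
# which is where this fictitious company runs annual performance reviews.
PRIOR_YEAR = {m: {"HR": 2, "Fraud": 1, "Safety": 1} for m in range(1, 13)}   # 48 calls
CURRENT_YEAR = {m: {"HR": 2, "Fraud": 1, "Safety": 1} for m in range(1, 13)}
CURRENT_YEAR[3] = {"HR": 34, "Fraud": 1, "Safety": 1}   # review month: 36 calls
CURRENT_YEAR[4] = {"HR": 18, "Fraud": 1, "Safety": 1}   # follow-on month: 20 calls
# Totals: prior 48, current 96, i.e. exactly "twice as many issues as last year".


def monthly_totals(year):
    """Collapse the per-category counts to one total per month."""
    return {m: sum(cats.values()) for m, cats in year.items()}


def year_over_year(prior, current):
    """Return (prior total, current total, ratio): the face-value headline number."""
    p = sum(monthly_totals(prior).values())
    c = sum(monthly_totals(current).values())
    return p, c, c / p


def spike_months(current, prior, factor=2.0):
    """Months whose volume exceeds `factor` times the prior year's median month."""
    base = median(monthly_totals(prior).values())
    return [m for m, n in monthly_totals(current).items() if n > factor * base]


def category_shares(year, month):
    """Share of each category within one month's calls (for the drill-down)."""
    cats = year[month]
    total = sum(cats.values())
    return {c: n / total for c, n in cats.items()}


def drill_down(prior, current, factor=2.0):
    """Build the analysis a reviewer should present instead of the raw ratio."""
    report = {}
    _, _, ratio = year_over_year(prior, current)
    report["headline_ratio"] = ratio

    months = spike_months(current, prior, factor)
    report["spike_months"] = months

    # Recompute the comparison with the spike months removed from both years.
    rest_cur = sum(n for m, n in monthly_totals(current).items() if m not in months)
    rest_pri = sum(n for m, n in monthly_totals(prior).items() if m not in months)
    report["ratio_excluding_spikes"] = rest_cur / rest_pri

    # Which category is carrying each spike month, and how concentrated it is.
    report["spike_breakdown"] = {m: category_shares(current, m) for m in months}
    report["dominant"] = {m: max(current[m], key=current[m].get) for m in months}
    return report


if __name__ == "__main__":
    r = drill_down(PRIOR_YEAR, CURRENT_YEAR)
    print(f"Headline: {r['headline_ratio']:.1f}x last year's call volume")
    print(f"Spike months: {r['spike_months']}; "
          f"ratio with those months removed: {r['ratio_excluding_spikes']:.2f}x")
    for m in r["spike_months"]:
        shares = ", ".join(f"{c} {s:.0%}" for c, s in r["spike_breakdown"][m].items())
        print(f"  month {m}: dominated by {r['dominant'][m]} ({shares})")
```

On the constructed data the headline ratio is 2.0, but every month outside the two review months runs at exactly last year's rate and the spike is almost entirely HR-related. That output does not decide between the interview's competing explanations (people feel safer reporting, a communications initiative landed, or a group is deliberately flooding the line); it narrows the question to two months and one category so that the follow-up investigation can be specific rather than a conclusion drawn from the bare doubling.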
Q: About your book …
A: My book is a 30+ year compilation of lessons on
what has worked and what hasn’t for me and for others. It’s
about the increasing knowledge and accountability of Chief Security Officers
and their governance colleagues. We possess unique information that can
influence the organization to better manage risk and our standing in
the marketplace. These times of corporate meltdowns and increased global
risk suggest a need to share these lessons.
I don’t think that when you ask, “What type of measures
are you using?” you should get blank stares. Many of us are not
doing the kind of proactive data analysis that is essential to our mission
and the influence we can have over our business environments. If that’s
the case, we’re failing in a basic responsibility. We’re
paid to watch the dashboard, know what the alerts mean on those gauges
and communicate effectively across the businesses we serve.
For More Information:
Campbell’s new book provides great insight into the rigorous
nature of a solid metrics program. Click the following link to order
Measures in Corporate Security: A Workbook for Assessing Performance & Demonstrating
the Value of Corporate Security Functions
https://www.csoexecutivecouncil.com/products/index.html?REFER=tnwininc
Coming Soon:
Watch for Campbell’s next workbook, which is a supplement to
this book, containing a portfolio of graphs with various categories including
business conduct and internal crime. The portfolio contains notes and
graphs that can be used by anyone who wants to enter their own data or
information.
Biography
Mr. George K. Campbell is currently a Managing Partner in the Business
Security Advisory Group, a professional security consultancy and is a
member of the Emeritus Faculty of the CSO Executive Council. He retired
in 2002 as Chief Security Officer at Fidelity Investments, the world’s
largest privately owned financial services firm. Under Campbell’s
leadership, the global corporate security organization delivered a wide
range of proprietary services including information security, disaster
recovery planning, background, due diligence and criminal investigations,
fraud prevention, property protection and security system engineering.
During the period 1989-92 Campbell owned his own security-consulting
firm and from 1978-89 was Group Vice President at a system engineering
firm supporting worldwide U.S. Government security programs. His criminal
justice career from 1965 to 1978 was spent in various line and senior
management functions within federal, state and local government agencies.
He is a frequent contributor to professional security journals and webinars
and is the author of Measures and Metrics in Corporate Security published
in 2005 by the CSO Executive Council.
Campbell received his baccalaureate degree (Police Administration) from
American University, Washington, D.C., in 1965. He is a Life Member and
served on the Board of Directors of the International Security Management
Association from 1998-2003 and as ISMA’s President in 2002-03.
Campbell has been a member of the American Society for Industrial Security
since 1978. He is a former member of the High Technology Crime Investigation
Association, the Association of Certified Fraud Examiners and an alumnus
of the U.S. Department of State, Overseas Security Advisory Council.