Evaluate Organizational Health through Metrics and Benchmarking
Expert Insight from George K. Campbell
Hotlines are a key tool used to monitor
and measure the health of an organization. George Campbell wrote:
Measures in Corporate Security: A Workbook for Assessing Performance & Demonstrating
the Value of Corporate Security Functions. We’ve asked the
metrics expert to provide insight into using metrics and benchmarking
information to evaluate the effectiveness of compliance programs.
Q: Based on your expertise and experience, how do you
define benchmarking?
A: Benchmarking is a
relative term. In benchmarking there are two extremes. One is
the classical benchmarking study where you consult volumes of
information, seeking best practices from a variety of sources,
and then compare them to your own organizational services. It’s
an incredibly extensive, expensive and long-term proposition.
On the other, significantly simpler, end
of the spectrum, you engage several colleagues from other companies,
ask them for comparative data on the services you seek to evaluate
and then record the results to yield your standing in the group.
It’s important to make
a distinction between the very rigorous business-centric process
where you go out into multiple industries and search for best practices
as opposed to simply doing comparative data analysis on one or
a few particular factors.
Q: Why should organizations use metrics?
A: I don’t know how an organization can
manage any function without looking at metrics. It’s fundamental
to tracking and assessing your progress toward your planned objectives.
If you have a compliance program or internal investigations, there
are multiple results that can be tracked to protect the investments
you’re making in those activities. If senior management has
allocated a significant amount of resources they will want to see
the results, because their goal is to increase profit. Compliance
programs have metrics that are increasingly critical as a result
of Sarbanes-Oxley standards.
Q: What advice do you have for organizations when first
reviewing new benchmarking information?
A: A warning sign for
any organization is when benchmarking measures and metrics are
taken at face value and insufficiently analyzed. Many people
are tempted to put some numbers together, put a graph up and
say, "Here’s the current situation," on
whatever topic they may be discussing without going into a strong,
objective analysis of what these numbers mean. People tend to take
the numbers at face value and draw simple conclusions without really
drilling down.
Q: How do you view the roles of the Chief Security Officer,
Compliance Officer and Ethics Officer, and what are their responsibilities?
A: We can be accused
of being the constant deliverer of bad news, but part of our
job is to know what data to watch, whether good or bad, and glean
meaning from it. It is increasingly imperative that these key
governance functions consistently maintain a database that tells
senior management if we’re healthy
as an organization or if some trends suggest we’re becoming
less healthy. But don’t rush into the chairman with a graph
that shows a spike in hotline call volume and make a judgment that, "There’s
something terribly wrong here." They will want rigorous analysis
around the potential causes of the issue. They will want information
as to why there is a problem and what they should do about it.
On a quarterly and annual basis, I would provide senior management
with metrics on areas we track and address specific issues I know
are hot buttons for each of them. Take, for instance, problems
with information security regarding viruses or amount of downtime
for critical systems or increases in incidents of identity theft.
In some cases senior management does not know what they should
look for. It is then my duty to alert them to such issues, because
the business integrity issues that are left alone can leave an
organization in harm's way and at a competitive disadvantage.
Q: We often engage in discussions about business integrity
issues and the effectiveness of compliance programs. What are
some best practices you could share?
A: You’re measuring
the health of an organization by looking at the metrics provided
by your hotline call data. The confidentiality of the information
allows you to have a large and diverse database. If I were attempting
to do a simple benchmarking exercise looking at the trends in
internal misconduct cases or other confidential integrity issues,
it would be justifiably difficult to get my colleagues to share
this competitively sensitive information.
The benchmarking information from The Network and the CSO Executive
Council, on the other hand, represents one of the very few databases
that you can look at without knowing the identities of the sample.
From a comparative point of view, this is an incredibly useful
database. It can help us understand how we compare with regard
to key reputation risk issues and suggest the need for new programs
or reinforcement of those in place.
There’s a whole set of best practices wrapped around having
an organizational culture that reinforces good conduct. Let’s
discuss four of those best practices: analyzing the data, interdepartmental
collaboration, lessons learned and communication.
Best Practice - Analysis
Having run the hotline in our company,
I know that a large percentage of calls tend to be HR related.
Isn’t it interesting that
we see spikes in calls of this nature around annual review time?
Having the data and being able to drill down to figure out why
there’s an abnormality in this area of compliance or around
our hotline is incredibly valuable.
What does it mean if there are twice as many issues as last year?
I could draw the conclusion that people feel safe to use this anonymous
vehicle to report concerns that are obviously very serious to them.
Perhaps a new communications initiative provoked a spike in call
volume, indicating the organization has a culture that reinforces
good conduct where communication was frequent and top down support
from management was apparent.
There could be other motivations as well.
The union environment could have a group who, during a grievance
time, decide: “We’re
just going to overflow this hotline; we’re going to make
things look like the sky is falling.” So, these metrics can
be manipulated. It’s imperative that you drill down to understand
benchmarking data and not take the information at face value.
With issues of integrity, you cannot take
the data at face value. Instead, you need to review information
within the broader picture of comparative benchmarking. There’s incredible value here,
a picture that you wouldn’t otherwise have if you weren’t
watching and only trying to understand what the numbers mean.
Best Practice - Interdepartmental Collaboration
Let’s examine how different departments within an organization
might view the issue of fraud from different perspectives: Ethics,
Security and Legal. These people are in a unique position to advise
senior management regarding these issues. However, if they aren’t
talking to one another, simply looking from their own unique perch,
they are not in a good position to understand issues of honesty
and integrity. The exchange among these governance colleagues yields
a 1 + 1 = 3.
For example, in a situation where proprietary
information was leaked, the Legal Department may not want the
issue to get out, because it’s a liability matter. But
Ethics and Security may feel the issue needs to take the risk
of disclosure. If the issue wasn't properly addressed and later
exposed, liability could be maximized.
Legal, HR, Security, Audit, Compliance
and Ethics all have a strong stake in corporate integrity and
honesty issues. They all bring unique perspectives and data to
the table. When these perspectives and data are considered together,
that collaboration provides a much clearer picture on the roots
(not just symptoms) of risk and its alternative solutions. Each
angle makes a richer picture of what’s going on in the
company.
Best Practice - Post Incident Review
Another best practice is the incident post mortem process. OK,
it’s happened and we’ve dealt with it. What are the
lessons learned? What caused this incident? After an issue has
been identified and addressed, do you dissect the event afterward
and identify the vulnerabilities that contributed to the incident?
Do you have a plan for sharing the lessons learned within your
organization? Get the various players together and deal with issues
proactively rather than reactively by communicating expected values
and behaviors with employees and demonstrating top down support
by management.
Best Practice - Communication & Awareness
If there is a benchmark of an organization that is or has been
in serious reputational trouble, it is a lack of management attention
on setting expectations around honesty and integrity. Organizations
must make people aware of these expectations on Day One and reinforce
them with action at every opportunity. Supervisors model the behavior,
performance reviews reward integrity, managers have low tolerance
for misbehavior, messengers of bad news are supported, and it is
safe to use both open and anonymous lines of communication to report
suspected problems. This is a healthy culture that reinforces good
conduct.
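As an added example (not from the article, and not Campbell's or the CSO Executive Council's own code or data), the following Python sketch shows one way to apply the drill-down described under the Analysis best practice: count monthly hotline volume, flag months that spike against a baseline, then profile each spike by category mix and share of distinct callers so that a broad, awareness-driven rise can be told apart from a few callers flooding one topic. All call records are constructed, the caller_token field assumes the hotline vendor returns a pseudonymous per-caller identifier, and the thresholds are illustrative.

```python
"""Drill down on a hotline call-volume spike before reporting it.

Added example; the records below are constructed and the caller_token
field assumes a pseudonymous per-caller id supplied by the hotline vendor.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Call:
    when: date
    category: str      # HR, security, fraud, ethics, workplace ...
    caller_token: str  # hypothetical pseudonymous caller id


def _month(year, month, category, n, tokens):
    """Build n constructed calls in one month, cycling over the given tokens."""
    return [Call(date(year, month, 1 + i % 28), category, tokens[i % len(tokens)])
            for i in range(n)]


def _unique(prefix, n):
    return [f"{prefix}{i}" for i in range(n)]


# Constructed sample: a quiet baseline, an April spike spread across many
# distinct callers (annual review season), and a June spike that is twelve
# workplace complaints from the same three callers.
CALLS = (
    _month(2023, 1, "HR", 3, _unique("j", 3)) + _month(2023, 1, "security", 2, _unique("js", 2))
    + _month(2023, 1, "fraud", 1, ["jf0"])
    + _month(2023, 2, "HR", 2, _unique("f", 2)) + _month(2023, 2, "security", 2, _unique("fs", 2))
    + _month(2023, 2, "ethics", 1, ["fe0"])
    + _month(2023, 3, "HR", 3, _unique("m", 3)) + _month(2023, 3, "security", 1, ["ms0"])
    + _month(2023, 3, "fraud", 1, ["mf0"]) + _month(2023, 3, "ethics", 1, ["me0"])
    + _month(2023, 4, "HR", 9, _unique("a", 9)) + _month(2023, 4, "security", 2, _unique("as", 2))
    + _month(2023, 4, "fraud", 2, _unique("af", 2)) + _month(2023, 4, "ethics", 1, ["ae0"])
    + _month(2023, 5, "HR", 2, _unique("y", 2)) + _month(2023, 5, "security", 2, _unique("ys", 2))
    + _month(2023, 5, "fraud", 1, ["yf0"])
    + _month(2023, 6, "workplace", 12, ["g0", "g1", "g2"]) + _month(2023, 6, "security", 1, ["us0"])
)


def monthly_volume(calls):
    """Count calls per (year, month), in chronological order."""
    counts = Counter((c.when.year, c.when.month) for c in calls)
    return dict(sorted(counts.items()))


def spikes(volume, window=3, factor=2.0):
    """Months whose count exceeds factor x the median of the previous `window` months.

    The median rather than the mean is used so that an earlier spike does not
    inflate the baseline and hide the next one.
    """
    months = list(volume)
    flagged = []
    for i in range(window, len(months)):
        baseline = median([volume[m] for m in months[i - window:i]])
        if volume[months[i]] > factor * baseline:
            flagged.append(months[i])
    return flagged


def profile(calls, year, month):
    """Drill down on one month: total, dominant category, share of distinct callers."""
    subset = [c for c in calls if (c.when.year, c.when.month) == (year, month)]
    by_cat = Counter(c.category for c in subset)
    top_category, top_count = by_cat.most_common(1)[0]
    return {
        "total": len(subset),
        "top_category": top_category,
        "top_share": top_count / len(subset),
        "unique_ratio": len({c.caller_token for c in subset}) / len(subset),
    }


def classify(prof, share_limit=0.75, repeat_limit=0.5):
    """'concentrated': one topic from a few repeat callers; verify before calling it a trend.
    'broad': many distinct callers across categories, consistent with an awareness-driven rise."""
    if prof["top_share"] >= share_limit and prof["unique_ratio"] <= repeat_limit:
        return "concentrated"
    return "broad"


if __name__ == "__main__":
    vol = monthly_volume(CALLS)
    for ym in spikes(vol):
        p = profile(CALLS, *ym)
        print(ym, vol[ym], p["top_category"], f"{p['top_share']:.0%} of calls",
              f"{p['unique_ratio']:.0%} distinct callers", classify(p))
```

Run as a script, the April spike reports as "broad" (nine HR calls from nine different callers) and the June spike as "concentrated" (twelve workplace calls from three callers), which is the distinction between a culture-driven rise and a manipulated metric that the answer above warns must be made before a graph reaches senior management. The same profile is also the place to add the category breakdown and period-over-period comparison a quarterly report would carry.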
Q: About your book …
A: My book is a 30+
year compilation of lessons on what has worked and what hasn’t for me and for others.
It’s about the increasing knowledge and accountability of
Chief Security Officers and their governance colleagues. We possess
unique information that can influence the organization to better
manage risk and our standing in the marketplace. These times of
corporate meltdowns and increased global risk suggest a need to
share these lessons.
I don’t think that when you ask, “What type of measures
are you using?” you should get blank stares. Many of us
are not doing the kind of proactive data analysis that is essential
to our mission and the influence we can have over our business
environments. If that’s the case, we’re failing in
a basic responsibility. We’re paid to watch the dashboard,
know what the alerts mean on those gauges and communicate effectively
across the businesses we serve.
For More Information:
Campbell’s new book provides great insight into the rigorous
nature of a solid metrics program. Click the following link to
order Measures in Corporate Security: A Workbook for Assessing
Performance & Demonstrating the Value of Corporate Security
Functions
https://www.csoexecutivecouncil.com/products/index.html?REFER=tnwininc
Coming Soon:
Watch for Campbell’s next workbook, which is a supplement
to this book, containing a portfolio of graphs with various categories
including business conduct and internal crime. The portfolio contains
notes and graphs that can be used by anyone who wants to enter
their own data or information.
Biography
Mr. George K. Campbell is currently a Managing Partner in the
Business Security Advisory Group, a professional security consultancy
and is a member of the Emeritus Faculty of the CSO Executive Council.
He retired in 2002 as Chief Security Officer at Fidelity Investments,
the world’s largest privately owned financial services firm.
Under Campbell’s leadership, the global corporate security
organization delivered a wide range of proprietary services including
information security, disaster recovery planning, background, due
diligence and criminal investigations, fraud prevention, property
protection and security system engineering. During the period 1989-92
Campbell owned his own security-consulting firm and from 1978-89
was Group Vice President at a system engineering firm supporting
worldwide U.S. Government security programs. His criminal justice
career from 1965 to 1978 was spent in various line and senior management
functions within federal, state and local government agencies.
He is a frequent contributor to professional security journals
and webinars and is the author of Measures and Metrics in Corporate
Security published in 2005 by the CSO Executive Council.
Campbell received his baccalaureate degree
(Police Administration) from American University, Washington,
D.C., in 1965. He is a Life Member and served on the Board of
Directors of the International Security Management Association
from 1998-2003 and as ISMA’s
President in 2002-03. Campbell has been a member of the American
Society for Industrial Security since 1978. He is a former member
of the High Technology Crime Investigation Association, the Association
of Certified Fraud Examiners and an alumnus of the U.S. Department
of State, Overseas Security Advisory Council.