15 KPIs every compliance program should measure

Most compliance programs track somewhere between two and four metrics consistently. Cases received, cases closed, time to close, sometimes substantiation rate if someone pushed for it.

That's not nothing. But it's a narrow view of a program that's producing far more signal than those numbers capture.

The fifteen compliance KPIs below separate programs that can report on their own health from those that can only report on their own activity. They're organized into three groups: whether the program is being heard and trusted, whether it handles submissions well, and what the data is telling you about where risk is moving. If you want to see how your own program scores against them, the Measurement Gap Assessment at the end of this series takes around six minutes.

Theme 1: Reach and trust

Is the program being heard? And do the people engaging with it trust it enough to come back?

KPI 1: Reports per 100 employees

Measures: Reporting volume normalized by headcount: annual reports divided by total employees, multiplied by 100.

Signals: Whether the program is actually being heard. Low normalized volume rarely means a clean culture; it usually means a trust or accessibility problem. Raw case counts without normalization are almost meaningless. A company with 10,000 employees receiving 50 reports looks the same as a company with 500 receiving 50. They're not the same at all.

Influenced by: Channel visibility, manager behavior (whether managers reinforce or quietly undermine the channel), how reporters are communicated with after submitting, and friction in the reporting act itself: language barriers, accessibility gaps, whether the channel works for people who don't sit at a desk.

What good looks like: Meaningful, stable volume that tracks with your workforce. Sudden drops in specific regions are worth investigating well before the next board meeting.

KPI 2: Report intake method mix

This one measures distribution of reports across available channels: web form, mobile app, phone line, voice agent, manager-routed. It tells you whether channel access matches how different populations actually want to engage. A program where 95% of reports arrive via web form is probably missing its frontline, its non-desk workers, and anyone whose first language isn't the one the form is in.

What drives it is partly practical (which channels are deployed, how they're promoted) and partly cultural. Gen Z reaches for mobile; field workers want voice or a QR code they can scan from a warehouse floor; more hierarchical cultures lean toward manager-routed flows. Good looks like distribution across more than one modality, with uptake from the populations you'd most expect to underreport.

KPI 3: Time to report

Measures: Average days between an incident occurring and a report being submitted.

Signals: Reporter trust and psychological safety. Long delays mean reporters hesitated: usually because they doubted the channel was safe, or because an attempt to raise the concern informally went badly. This metric is harder to move than most, but it's one of the most honest indicators in the framework.

Influenced by: Manager behavior when employees raise concerns directly, anti-retaliation communications, and the visible track record of how past reports were handled. The lever here is largely cultural, which makes it a useful instrument. If you run a manager training program in Q2 and this metric compresses by Q4, you have evidence the investment actually shifted something.

What good looks like: Compression over time, correlated with cultural interventions, which tells you they worked.

KPI 4: Anonymous vs. named reporter ratio

The proportion of reports submitted anonymously versus with the reporter's identity attached. It's a trust signal. A gradual shift toward named reports over time is a positive maturity indicator. A sudden shift toward anonymous in a specific region or team points to something worth investigating.

What drives it: retaliation track record, how reporters are communicated with after submission, and whether employees understand when each option actually serves them. Named reports tend to resolve faster, generate cleaner two-way communication, and produce better outcomes for the reporter. Programs that actively help people choose appropriately (rather than just offering both options) get better results from both.

Good looks like a slow, sustained trend toward named reports across most regions over 18 to 24 months.

KPI 5: Check-back rate

Measures: Proportion of reporters who return to the platform after submitting to read updates, respond to questions, or check on progress.

Signals: Post-submission confidence. A reporter who never comes back has decided the channel doesn't matter, or doesn't trust that anything is happening on the other side. Industry benchmarks: 40%+ for anonymous reporters, 60%+ for named.

Influenced by: Handler responsiveness, how frequently reporters receive updates, and whether the experience after submitting feels like something is actually happening. The check-back rate is one of the clearest proxies for whether your case-handling quality is visible to reporters.

What good looks like: Rates above the 40%/60% benchmarks, sustained, with no sharp drops after specific case types or periods (which would suggest something about how those cases were handled).

KPI 6: Disclosure campaign participation rate

Measures: Proportion of eligible employees completing proactive disclosure during a campaign period: conflicts of interest, gifts, outside employment, related-party transactions.

Signals: Whether the program reaches people on the proactive side. Unlike most compliance metrics, this one also functions as a direct campaign effectiveness gauge. When participation rises after a comms push or manager engagement initiative, you have clean evidence the intervention worked. When it doesn't, you know that too.

Influenced by: Whether structured campaigns exist at all, how reminders are handled, manager visibility into team completion status, and how easy submission actually is for the average employee at your organization.

What good looks like: Participation rates that improve with each campaign cycle, with manager-level visibility into any teams lagging, and a process for following up with non-completers.

Theme 2: Investigation and review quality

When a submission lands (whether a whistleblowing report or a proactive disclosure), does the program handle it well? Reactive case-handling and disclosure review draw on the same disciplines: triage, workflow, decision logging, follow-through. So they're measured together.

KPI 7: Average time to reply

Days for a case handler to send a first response after submission. Slow first replies are almost always a triage or workload issue, not a motivation one. Reporters who wait more than a week for a response often disengage entirely. Good looks like first reply within 2-3 business days for most case types, with SLA tracking and escalation visibility for anything aging past threshold.

KPI 8: Repeat reporter message rate

Total back-and-forth messages between handler and reporter during a case. It's a communication clarity signal. High rates often mean confusion or process friction: reporters asking the same questions in different ways, or handlers not communicating clearly enough the first time. Low rates can mean disengagement. A healthy mid-range suggests purposeful, productive exchange.

Cross-language cases without translation support tend to produce either high-friction message loops or, worse, silence. Good looks like a stable mid-range that doesn't spike in specific regions or case types.

KPI 9: Case closure time

Measures: Median days from report creation to case closure. Industry benchmark: under 30 days.

Signals: Process efficiency. Programs above benchmark are usually losing time to documentation and administration, not to investigation itself. Closure time is also already on most board scorecards, which means improvements here travel directly into reporting without needing a translation layer.

Influenced by: Workflow design, documentation burden, and how long it takes handlers to compile evidence and write up a case at the end of an investigation. If your program consistently runs over 30 days, the bottleneck is almost always somewhere in the documentation process, not the investigation.

What good looks like: Median under 30 days, with a visible downward trend if you're currently above it.

KPI 10: Substantiation rate

Measures: Proportion of investigated cases found to be valid. Healthy range: 30-60%, depending on industry.

Signals: Triage rigor and investigation quality. This is the single most credible indicator of program seriousness for boards and audit committees. It shows you're not just processing cases; you're evaluating them with discipline. Rates below 30% suggest too much noise in the intake or insufficient triage. Rates above 60% may suggest the bar for investigating is too high.

Influenced by: Triage criteria, whether investigation standards are applied consistently across handlers, and whether decision-making is documented rigorously enough to support a clear conclusion.

What good looks like: A stable rate in the 30-60% range, with any movement worth understanding before presenting it.

KPI 11: Time to disclosure decision

Median days from disclosure submission to a final review decision. This is the proactive-side parallel to case closure time. Slow decisions create real, visible business friction: employees wait to accept board positions, vendor relationships stall, hiring decisions get delayed. Other functions notice this one. Good looks like defined SLAs per disclosure type, consistently met, with aging items visible to whoever oversees the function.

KPI 12: Disclosure outcome distribution

Measures: Proportion of disclosures resolved as approved without conditions, approved with mitigation, or prohibited.

Signals: Whether the review process is doing real risk-based work. A program where 99% of disclosures are approved without conditions either has an unusually clean population or a review process that isn't genuinely evaluating what it receives. Boards and auditors are increasingly looking at this distribution as evidence the program isn't a paperwork exercise.

Influenced by: Whether review criteria are documented and applied consistently, whether reviewers are calibrated against each other, and whether there's organizational willingness to actually impose mitigation or prohibition when the assessment warrants it.

What good looks like: A meaningful spread across all three outcomes, with rationale captured for every decision.

KPI 13: Disclosure renewal and mitigation follow-through

Two related rates: the proportion of active disclosures completing required renewal cycles on time, and the completion rate on assigned mitigation actions. This one matters because a high participation rate with low renewal and follow-through means you're running good campaigns that don't hold. Yesterday's mitigated conflict of interest may already be unmanaged risk if nobody checked whether the mitigation actually happened.

Good looks like renewal completion rates above 90%, with mitigation actions tracked against deadlines and formally signed off when complete.

Theme 3: Program intelligence

What is the data across reports, disclosures, and outcomes actually telling you about where risk is moving?

KPI 14: Issue category distribution and trend

Measures: Misconduct and concern types by volume and movement over time.

Signals: Emerging risk before it becomes a reportable incident. A sustained uptick in a particular category often shows up in this data months before it surfaces anywhere else. This is the metric that gives a compliance program genuine forward-looking intelligence rather than a historical record.

Influenced by: Taxonomy quality, whether trend analysis is a regular practice or an occasional exercise, and whether the team can ask questions across the data without having to run it through a spreadsheet first.

What good looks like: Quarterly trend reviews against a consistent taxonomy, with early-warning visibility on any category moving meaningfully in either direction.

KPI 15: Geographic and entity-level distribution

Measures: Reports by location, business unit, or function, normalized by headcount to produce comparable rates across the organization.

Signals: Hot spots and suspiciously quiet regions. When a region's share of reports is meaningfully lower than its share of headcount, something is off. It's either a genuinely healthy local culture or a program that isn't being heard there. The two explanations require very different responses, and most programs can't currently tell them apart.

Influenced by: HR data integration (without it, normalization isn't possible), regional channel localization, language support, and manager engagement at the regional level.

What good looks like: Distribution that roughly tracks headcount, with no region sitting well below its expected rate without a credible explanation, and a clear process for investigating when one does.

A note on HR data

Three of these fifteen KPIs (reports per 100 employees, disclosure campaign participation rate, and geographic distribution) require workforce headcount and location data from HR to be fully meaningful. Without that data, you have raw counts. With it, you have rates, and rates are what allow meaningful comparison across regions, entities, and time. Most compliance programs that are producing these KPIs have a working data partnership with HR: typically a quarterly headcount refresh at minimum.

What this panel is for

A compliance program that tracks these fifteen KPIs over time gains something most don't have: an instrument panel for measuring whether its own interventions actually work. Run a manager training program? Compare KPIs 1 and 3 in trained versus untrained regions in the following quarter. Roll out a new mobile channel? Watch KPIs 1 and 2. Launch a disclosure campaign? Track KPI 6 participation, then KPI 13 renewal rates in the months after.

That's roughly the difference between going into a board meeting with a story and going in with an instrument panel.

See how your program scores

The Measurement Gap Assessment scores your program across all three themes in around five minutes. You'll get an instant score, a named priority gap, and an optional full report with specific actions to close it, including a summary you can take into your next board or budget conversation.