Why most compliance programs can't prove their value

Every quarter, the same conversation happens. You sit down to write the board update. Pull your numbers: cases opened, cases closed, SLA compliance, training numbers. The data is solid, but halfway through writing, something feels off. The report reads thin. Not because your numbers are wrong. Because they don't answer what the board is actually asking.

Is our program working? That's the real question. And if you're being honest, you're probably not completely sure, because you're measuring program activity, not program health.

Your data isn't wrong. It just answers the wrong questions.

Most compliance programs were built to handle intake. Report comes in. Case opens. Investigators work it. Case closes. The system tracks what happens. That's exactly what it was designed to do. What comes out is a clear picture of workload. What it doesn't show is whether the program is working, whether people trust the channel, and whether those reports represent real risk or are mostly noise.

That gap is the problem. Your data is solid. It just measures the wrong thing.

What's your board actually asking?

The questions have shifted. They're not asking "Did your team process cases?"

They're asking:

• Is the program catching real risk?
• Do employees trust this channel?
• Where is risk moving?
• How healthy is this compared to a functional program?

Activity data won't answer any of these. A thousand closed cases tells you the team stayed busy, it doesn't tell you if those cases mattered to the organization.

The difference between "on" and "from"

Here's the distinction that matters.

Reporting on your program: "Here's what the team did." Cases handled, response times, training metrics, and workload reports. All true information but an incomplete explanation.

Reporting from your program: "Here's what the organization is telling us." Where is risk concentrating? Which regions are unusually quiet? What does the disclosure cycle reveal about culture?

One gives the board something to nod at, the other gives them something to act on. You don't need more people to make the shift, you need different metrics to help you tell the right story..

The twelve indicators that close the gap

At SpeakUp we think think that they sit in three groups:

Reach and trust: Is the program being heard? Do reporters trust it? Five metrics track volume normalized by headcount, how reporters access the channel, anonymity ratios, response time, and whether reporters come back.

Investigation quality: Does the program handle cases well when they arrive? Four metrics track first response, communication quality, how long cases stay open, and what percentage turn out to be valid.

Program intelligence: What is the data revealing about the organization? Three metrics track issue trends, geographic patterns, and proactive disclosure participation (how employees engage with structured campaigns to declare conflicts of interest and other potential issues before they become reports).

Three of the twelve need HR data: headcount (to normalize volume), location, and total workforce. Most mature programs manage this through a quarterly data share with HR.

What changes when you measure health

Compliance leaders who switch to these metrics will gain a specific advantage. The board conversation will change.

Not because the data improves, often it's the same data, what shifts is what you can say about it.

Instead of: "We processed 200 cases and closed them in 18 days." You say: "Volume is up in three regions and flat in one that represents 20% of our headcount. That pattern is worth investigating. Here's what we think it means. Here's what we're doing."

That's a different conversation, that is highlighting a different kind of compliance function.; proactive rather than reactive.

These twelve KPIs exist and this series of blog posts will cover why setting up your ethics and compliance program to measure then will help you shift the conversation.

‍