What metrics or indicators do you use to measure the effectiveness of compliance and privacy initiatives?
AI LegalTech Counsel & Legal Ops Innovation Leader | Digital Transformation Expert | Strategic Advisor in Services (non-Government)
2 years ago
I have worked in organizations that have used periodic audits and surveys to demonstrate effectiveness. There are also metrics and KPIs that can be used, which is easier to do if you have a dashboard for tracking (number of requests, number of violations, frequency of updates, number of trainings completed by employees, etc.).
We worked with a couple of different outside compliance-focused consulting firms to figure out how to develop a set of metrics that communicates to our board and oversight committees whether we are operating effectively or not. It’s tough because so many metrics aren’t, and KPIs aren't output focused. It's hard to find the metrics that accurately gauge employee understanding and how the culture of compliance is embedded in the organization. Still, we have compiled a set of metrics and key performance indicators that generally track the OIG seven elements of an effective compliance program: Is our executive compliance committee meeting on a regular basis? Do we have quorum? How many employees are completing the training? KPIs on completing projects on annual work plans, etc. Another thing we've tried at WakeMed is implementing a bonus program for employees called WakeShare. The amount of money approved by the board on an annual basis for WakeShare is directly tied to compliance metrics such as the number of confirmed HIPAA violations per 100 employees, the percentage of employees who give up their network credentials during one of our quarterly phishing simulations, and the number of hotline reports per hundred employees.