10 Compliance Metrics Every Board Should Review
Board members at regulated Indian enterprises are not compliance specialists. They have fiduciary responsibilities, limited time, and a need to understand risk exposure in concrete terms. Yet most compliance functions still present narrative updates: paragraphs about initiatives undertaken, regulations reviewed, and training conducted. Compliance metrics for board reporting solve this gap by translating operational detail into decision-grade information that directors can act on.
The shift from narrative to metrics is not about replacing context. It is about ensuring that context is anchored in measurable indicators. A board that sees “we are working on DPDP Act compliance” has no basis for follow-up questions. A board that sees “63% of personal data processing obligations mapped, with full coverage targeted by Q3” can assess pace, allocate resources, and hold teams accountable.
What follows are ten specific metrics that compliance leaders at banks, NBFCs, insurance companies, pharma firms, and IT services companies should present every quarter. Each one is designed to be measurable, comparable across periods, and directly relevant to board-level governance responsibilities.
1. Obligation Coverage Rate
This metric answers a foundational question: of all the regulatory obligations applicable to your enterprise, what percentage are actively mapped, assigned, and monitored? Consider a mid-sized NBFC operating under RBI’s Master Direction on IT Governance, CERT-In’s incident reporting directives, and the DPDP Act simultaneously. Each regulation contains dozens of specific obligations. The board needs to know how many are formally tracked versus how many remain in grey zones.
Express this as a simple percentage with a denominator that reflects your regulatory universe. An obligation coverage rate of 78% tells the board that 22% of known regulatory requirements lack formal ownership or monitoring. That is a risk conversation worth having. Track it quarterly to show trajectory.
How to calculate it
| Component | Definition |
|---|---|
| Numerator | Obligations with assigned owners, defined controls, and active monitoring |
| Denominator | Total applicable obligations identified across all relevant regulations |
| Target | 95%+ for mature compliance functions |
Platforms like eQomply that maintain pre-mapped regulatory workflows for RBI, SEBI, IRDAI, and CERT-In make it significantly easier to establish the denominator accurately, which is often the harder part of this calculation.
2. Overdue Findings and Aging
Every regulated enterprise accumulates findings from internal audits, regulatory inspections, and self-assessments. The metric that matters is not just how many findings are open, but how long they have been open. A finding that has aged beyond 90 days without remediation signals a structural problem: either the control owner lacks capacity, the issue is harder than initially assessed, or accountability has broken down.
Present this to the board as a distribution table.
| Aging Bucket | Count | % of Total Open |
|---|---|---|
| 0-30 days | 12 | 35% |
| 31-60 days | 8 | 24% |
| 61-90 days | 6 | 18% |
| 90+ days | 8 | 23% |
The 90+ day bucket deserves individual commentary. If an RBI inspection finding has been open for four months, the board should know why. This metric forces specificity and prevents findings from disappearing into spreadsheets. For compliance leaders looking to build a broader compliance dashboard for the board, findings aging is one of the most universally understood indicators.
3. Regulatory Change Response Time
Indian regulators issue circulars, notifications, and amendments with increasing frequency. RBI alone publishes hundreds of circulars annually. SEBI’s cybersecurity framework, IRDAI’s data governance guidelines, and CERT-In’s evolving directives all demand timely organizational response. This metric measures the average number of days between a regulatory change being published and your organization completing its impact assessment.
Consider a private sector bank that receives a new RBI circular on digital lending norms. If the impact assessment takes 45 days while peer institutions complete theirs in 15, that delta represents both compliance risk and competitive disadvantage. Present this metric as an average across all regulatory changes in the quarter, with outliers called out individually.
A reasonable target for most regulated enterprises is impact assessment completion within 15 working days of publication, with full implementation plans documented within 30. This is one area where regulatory intelligence capabilities, such as eQomply’s circular library and update tracking, directly compress response timelines by ensuring nothing falls through the cracks.
4. Policy Attestation Completion
Policies exist to govern behaviour. They only work if employees read, understand, and acknowledge them. Policy attestation completion measures the percentage of required attestations that have been completed against the total required within a given period. This matters particularly for regulations that mandate employee awareness, such as the DPDP Act’s requirements around personal data handling or RBI’s expectations around information security policies.
A 72% attestation rate on your Information Security Policy tells the board that nearly a third of relevant employees have not formally acknowledged the controls they are expected to follow. That is a risk the board can quantify and address through resource allocation or escalation.
Present this metric broken down by policy and by business unit. Patterns emerge quickly: a specific branch cluster lagging on attestation, or a recently updated policy that has not been redistributed for acknowledgment. Version control and attestation tracking through a centralized policy management system prevent the fragmentation that makes this metric unreliable when managed through email and shared drives.
5. Incident Response Timeliness
CERT-In’s 2022 directive mandates reporting of cybersecurity incidents within six hours of detection. SEBI’s cybersecurity framework has its own reporting timelines. The metric here is straightforward: of all reportable incidents in the quarter, what percentage were reported within the mandated timeframe?
This is a pass/fail metric at the individual incident level that becomes a percentage at the portfolio level. If your enterprise experienced four reportable incidents and met the timeline on three, your board sees a 75% timeliness rate. The one miss becomes a specific discussion point: what broke down in the detection-to-reporting chain?
Beyond external reporting, measure internal escalation timeliness as well. How quickly did the incident reach the CISO? How quickly was the compliance function notified? These internal SLAs feed into the external reporting metric and reveal process gaps before they become regulatory breaches.
6. Third-Party Risk Coverage
RBI’s guidelines on outsourcing and third-party risk management are explicit: regulated entities remain responsible for compliance even when functions are outsourced. The board needs to know what percentage of critical third parties have undergone due diligence within the current cycle, and what percentage have unresolved risk findings.
Consider an insurance company with 40 critical third parties handling claims processing, IT infrastructure, and customer data. If only 28 have completed their annual risk assessment, the board is looking at 30% uncovered exposure. This metric becomes particularly acute when mapped against data processing activities under the DPDP Act, where data processors must be contractually bound and monitored.
| Category | Total Third Parties | Assessed This Cycle | Coverage % |
|---|---|---|---|
| Critical (Tier 1) | 40 | 28 | 70% |
| High (Tier 2) | 85 | 52 | 61% |
| Standard (Tier 3) | 200 | 110 | 55% |
The board does not need to know every vendor’s name. They need to know whether the coverage program is keeping pace with the vendor universe, especially as it grows.
7. Training Completion Rate
Compliance training is often treated as a checkbox exercise, which is precisely why it should be reported as a metric. The board should see completion rates for mandatory compliance training programs, segmented by topic and by employee cohort. A pharma company’s field force may need specific training on UCPMP guidelines, while the IT team needs CERT-In awareness, and the data team needs DPDP Act obligations training.
The more interesting metric is not just completion but timeliness. If a new regulation-specific training module was rolled out on March 1 with a 30-day completion window, what percentage finished within that window versus requiring follow-up? Chronic delays in training completion often correlate with higher incidence of compliance failures in those same business units.
Present this alongside any assessment scores if your training includes knowledge checks. An 95% completion rate with a 55% average quiz score tells a different story than 95% completion with an 85% score.
8. Audit Readiness Score
This is a composite metric that answers the question: if a regulator walked in tomorrow for an inspection, how prepared are we? It aggregates several underlying factors: evidence availability (can we produce required documents within a defined timeframe?), control testing currency (have controls been tested within their scheduled cycle?), and finding closure status.
Assign weights based on your regulatory environment. For a capital markets intermediary subject to SEBI inspections, evidence availability might carry 40% weight because inspectors expect immediate document production. For an NBFC facing RBI’s annual inspection cycle, control testing currency might be weighted higher.
CROs looking to present this effectively will find value in understanding how board reporting practices for risk officers have evolved to include composite readiness indicators rather than purely backward-looking compliance summaries.
eQomply’s evidence management and audit trail capabilities contribute directly to this metric by ensuring that documentation is continuously captured rather than reconstructed before an audit, which is the pattern that creates both inaccuracy and operational strain.
9. Compliance Cost Metrics
Boards think in terms of resources. Presenting the cost of compliance activities, broken down by regulation or by function, gives directors the ability to assess efficiency and make informed trade-off decisions. This includes personnel costs, technology costs, external advisory fees, and the operational cost of compliance activities (time spent on attestations, evidence collection, reporting).
This metric is particularly relevant when requesting additional budget. A CRO who can demonstrate that compliance cost per obligation has decreased by 15% over four quarters while coverage has increased makes a compelling case for continued investment. Conversely, if cost per obligation is rising without corresponding improvement in coverage or readiness scores, that is a conversation about process efficiency.
Express it in a format boards are accustomed to: cost per regulatory obligation managed, cost per audit finding resolved, or total compliance spend as a percentage of revenue. These ratios become comparable across periods and provide the financial framing that board members, particularly those from financial backgrounds, find intuitive.
10. Trend Lines: Getting Better or Worse
No single quarter’s metrics tell the full story. The tenth metric is not a new data point but a presentation approach: every metric above should be shown with at least four quarters of history so that the board can assess direction. A 78% obligation coverage rate is concerning in isolation but encouraging if it was 52% three quarters ago. An 85% policy attestation rate looks strong until the board notices it was 92% two quarters prior.
Trend lines transform compliance metrics for board reporting from static snapshots into dynamic narratives. They answer the question every board member instinctively asks: are we getting better or worse? Present each metric with a simple directional indicator alongside the trend data.
| Metric | Q1 FY25 | Q2 FY25 | Q3 FY25 | Direction |
|---|---|---|---|---|
| Obligation Coverage | 68% | 74% | 78% | Improving |
| Overdue Findings (90+ days) | 14 | 11 | 8 | Improving |
| Regulatory Response Time (avg days) | 32 | 25 | 18 | Improving |
| Policy Attestation | 92% | 88% | 85% | Declining |
| Incident Timeliness | 80% | 75% | 75% | Flat |
This format lets the board spend its limited time on the metrics moving in the wrong direction rather than re-litigating areas of progress.
Putting These Metrics to Work
The challenge most compliance leaders face is not identifying the right metrics. It is producing them reliably every quarter without a two-week data gathering exercise that pulls the team away from actual compliance work. When obligation data lives in one spreadsheet, finding tracking in another, and policy attestations in email threads, the act of producing board-ready metrics becomes its own operational burden.
This is where purpose-built GRC infrastructure pays for itself. A platform like eQomply, designed specifically for Indian regulatory environments, consolidates the underlying data, pre-maps it to regulatory frameworks from RBI, SEBI, IRDAI, and CERT-In, and generates the metrics and trend lines that compliance metrics for board reporting require. The compliance function shifts from data assembly to analysis and narrative, which is where their expertise actually lies.
The ten metrics outlined here are not aspirational for mature enterprises. They represent the baseline of what boards at regulated Indian enterprises should expect to see every quarter. If your compliance function cannot produce these reliably today, that itself is a finding worth reporting to the board, along with a plan to close the gap.
If you are looking to move from narrative-heavy board packs to metric-driven compliance reporting, a brief walkthrough of eQomply will show you how these metrics can be generated from a single source of truth rather than stitched together from fragmented systems each quarter.



