Strategic commercial interventions - initiating companies in public ownership: standard operating procedures - part 2

Provides guidance on the critical factors needed to effectively monitor, support and manage non-departmental public bodies (NDPBs) and public bodies once under ministerial control. This supplements existing guidance rather than replacing it.


Chapter 2: Monitoring: Metrics for Compliance & Environmental, Social, and Governance (ESG)

This guidance outlines a framework for developing metrics in measuring and monitoring compliance and ESG. Examples of metrics for collection and analysis across several key areas have been provided as a guide. Metrics can form key performance indicators (KPIs) for compliance and be included as board agenda items.

2.1. Scope

The existence of, and access to, data from a variety of sources enables:

  • Timely monitoring of controls to identify non-compliance and detect trends.
  • Identification of gaps or vulnerabilities in both specific controls (including policies and budgets), and in the wider compliance system.
  • Informed, regular and meaningful reporting to SG sponsorship teams, SG’s senior leadership, the company’s board, and its committees.
  • Testing and auditing of controls, including policies and processes.
  • The company’s performance to be measured against specified metrics or KPIs.

2.2. Sources and Types of Data

Data can be gathered from a variety of sources, using both automated and manual methods, including software, internal audits and investigations, and registers.

Many different types of data metrics can be collected, most commonly measuring an activity, outcome, or process. Common metrics include the measurement of volume or number, accuracy, quality, time, completeness, and percentage of total.

2.3. Key Factors in Determining Metrics

When determining data metrics, consider data in line with SG objectives and the company’s objectives, and the data required to measure performance against these. SG and the company may consider the need to:

  • Define any regulatory or legislative requirements that will determine the metrics used.
  • Align metrics with industry best practice, or at least consider it.
  • In certain industries, there may be specific reporting requirements. There may also be requirements on particular aspects of compliance controls, such as the need to demonstrate the effectiveness of the company’s systems for monitoring and testing.
  • Identify key SG and company risks for which data can be collected, by reference to the company’s and or SG’s risk register.
  • Consider the company’s strategy and goals, size, and geographical reach to determine what data to collect and analyse, and the format required.
  • Include quantitative, qualitative, and predictive data metrics, and determine whether to break down metrics by factors to identify meaningful patterns.
  • Use a diverse mix of data metrics to maximise insights.
  • Analyse and act on the data metrics collected.
  • Set up systems for collecting comprehensive compliance data, together with the processes and personnel required for that data to be reviewed, reported and acted upon. Considering the role of data analysis when designing and implementing compliance controls can help, particularly in relation to the monitoring and testing of those controls.

2.4. Reviewing Proposed Data Metrics

Once the appropriate metrics have been determined, consult SG Finance, Risk, Control & Assurance, SGLD and any other relevant team when considering the metrics or collecting data. Teams may provide advice on:

  • Any steps required to comply with relevant legislation and regulation and safeguards on data collection and security, particularly where this involves personal or commercially sensitive data.
  • The potential liabilities that could arise in connection with aspects of data collection, for instance, on the part of a parent company for a subsidiary.
  • The risk that data, including personal or sensitive data, could be disclosable in future investigations and litigation.

2.5. Examples of Compliance Metrics

The example data metrics provided in Annex 1 below relate to key areas of risk, and you should consider and adapt them according to the nature of your company and its needs, e.g. the information which SG’s sponsorship, senior leadership and the company’s board find helpful or need to understand, and the overarching areas of risk for SG and the company.

Contact

Email: SCADPMO@gov.scot