Overview
Measuring SOP compliance is not the same as measuring task completion. A task can be marked done without the SOP being followed. The difference between 'we completed 100 vendor reviews' and 'we completed 100 vendor reviews that met the evidence standard on every step' is the difference between a compliance program and a compliance log. Most teams measure the former and call it the latter.
The most useful SOP compliance metric is exception rate: the percentage of runs where a step was completed without the required evidence, approved without the required sign-off, or completed out of sequence. Exception rate tells you whether the SOP is being followed, not just whether work is getting done. A team with a high completion rate and a high exception rate has a compliance problem masquerading as an operations success.
Mean time to evidence is the second metric most teams overlook. In a compliant SOP run, evidence is created at the step, in the moment, by the person executing. When mean time to evidence is high, it usually means evidence is being added retroactively, after the fact. Retroactive evidence is the single biggest predictor of audit failure: if evidence was created after the work, it proves nothing about how the work was done.
SOP compliance metrics without running a report
Cadenio surfaces exception rate, per-step adherence, and evidence quality on every run. Your SOP program's health is visible without a spreadsheet, a pivot table, or a manual audit.
Start free, no credit cardSOP adherence by step, not just by run, reveals where the gaps actually are. Most compliance failures are not random. They cluster at the same steps: the approval that gets skipped when the approver is busy, the evidence field that gets waived when the deadline is close, the sign-off that everyone skips on low-stakes runs. Per-step adherence data shows exactly which steps need redesign versus which need reinforcement.
Version currency rate tells you whether your SOP program is maintaining itself. A high version currency rate means the SOPs in active use are the current approved versions. A low version currency rate means runs are happening against outdated SOPs, which creates both a compliance exposure and an operational risk.
None of these metrics are available if SOPs are executed as documents. A PDF or a wiki page doesn't produce exception rates, time-to-evidence data, or per-step adherence rates. The measurement infrastructure is inseparable from the execution infrastructure. Measuring SOP compliance requires that execution happen in a system that records each step, each evidence submission, each approval outcome, and each version link as structured data.
The difference between completion rate and compliance rate
Completion rate answers: did the run finish? It tells you whether the workflow reached its end state. It does not tell you whether the required steps were followed, the required evidence was captured, or the required approvals were obtained. A run can have 100% completion rate and 0% compliance.
Compliance rate answers: did the run follow the standard? It requires a defined standard for each step, a mechanism to detect deviation, and a record of what actually happened versus what the SOP required. Compliance rate is impossible to calculate if your SOP runs as a document, because documents don't record deviations. They record instructions.
In an audit, the question is not 'did you complete the vendor review process?' The question is 'show me that each vendor review followed your documented procedure, with the required evidence at each step, approved by the designated role.' Completion rate cannot answer that. Compliance rate can.
The operational implication: if you only measure completion, you optimize for completion. Runs close faster, checklists get marked done, the numbers look good. Exception rates go unmeasured. Retroactive evidence goes unnoticed. The compliance program looks healthy until the audit.
The four SOP metrics that indicate program health
Exception rate: the percentage of steps across all runs that were completed without meeting the SOP's evidence or approval requirement. A healthy SOP program should have an exception rate below 5% for critical controls. An exception rate above 15% indicates a systemic problem: either the requirement is unrealistic, the step is poorly designed, or the enforcement mechanism is missing.
Mean time to evidence: the average time between step completion and evidence submission. For in-step evidence, this should be zero or near-zero. When mean time to evidence is measured in hours, evidence is likely being added after the fact. Segment this metric by step to find which specific steps produce retroactive evidence.
Per-step adherence rate: the percentage of runs where each step was completed with all required elements. This metric identifies which steps are systematically non-compliant versus which are occasional exceptions. Steps with per-step adherence below 80% are candidates for redesign. Steps between 80% and 95% are candidates for reinforcement or training.
Version currency rate: the percentage of active runs using the current approved version of the SOP. Runs against outdated versions should be rare and tracked as exceptions. When version currency rate drops below 95%, investigate why. Common causes: version updates were not communicated, the SOP was updated without a formal approval record, or the workflow tool doesn't enforce version at run start.
How to use SOP metrics to identify which controls to fix first
Start with exception rate by control, not by step. Rank your controls by exception rate. The controls at the top of that list are generating the most non-compliant runs. These are your highest-priority fixes, both because they represent the greatest audit exposure and because they indicate the SOP is systematically not being followed as written.
For each high-exception-rate control, drill to per-step adherence. Exception rate tells you a control has a problem. Per-step adherence tells you where the problem is. An approval step with 40% adherence is a different problem than an evidence step with 40% adherence. The first might be a routing problem. The second might be an evidence standard that's too burdensome.
After identifying the problematic steps, distinguish redesign candidates from reinforcement candidates. A step that has been consistently non-compliant for six months is a redesign candidate: the requirement may be unrealistic or the step may be poorly positioned in the workflow. A step that recently dropped from 95% to 60% adherence is a reinforcement candidate: something changed and the step needs attention, not a rebuild.