where to start?
Give us a call or complete the form and we'll be in touch soon
In this article, Thomas Fox, Compliance Evangelist based in Houston, TX, canvasses a number of strategies to make compliance training more effective by breaking out of the current reactive, box-ticking paradigm.
Where is compliance training headed? In the 2020 Update, the Department of Justice (DOJ) stated, “companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.” While this tactical solution has proven useful, I wanted to consider the broader compliance training themes that compliance professionals have learned over the past few years to gain insight into where compliance training may be headed. I sat down with Shawn Rogers, Director Global Ethics and Compliance – Training and Awareness at Walmart, to provide some thoughts on the veiled land of the future of compliance training.
Rogers believes that one of the goals of compliance training is to evolve to be more respectful of the user’s time and intellect. This would entail making compliance training much less repetitive and that companies figure out ways to give learners credit for the training they have taken in the past. No other training discipline that makes the learner take mandatory training on the same learning objectives year over year. Rather than giving the learners credit for understanding and internalizing and applying the training they have received in the past; they keep repeating the same learning objectives. To eliminate the monotony, companies try to take different approaches, such as gamification, videos, virtual reality, but in the final analysis, they are still teaching the same basic learning objectives.
Rogers suggested embracing the concept of teaching once (or maybe twice) and then frequently remind using shorter, more focused communications. He believes, “Over-training is a waste of both company resources and employee time. If we could accurately measure learning rates, there could well be incredibly high in most compliance training programs.”
Rogers said another area is what he termed “training abuse” and by this he meant the tendency of companies and government officials/agencies to apply/require training courses/programs to problems that training can’t and won’t solve – but instead gives the illusion that “something is being done.” In other words, moving away from training as a check-the-box mentality to one that is seen as one part of a compliance ecosystem. He pointed to many state governments which are requiring companies to implement anti-harassment training, and repeat it every year (e.g., New York) or every other year (e.g., California). There are only so many ways you can train people on anti-harassment and only so many learning objectives associated with anti-harassment. Yet, in some jurisdictions, companies have to provide annual training to employees, not because the training will change anything when done for the fifth or tenth time, but because it is required by the force of law. This becomes another form of tax on the company, it annoys and frustrates the learners and it undermines carefully thought-out training strategies.
When a company is hit by a major scandal, often the first response is “we will require training.” This decision is typically motivated by a desire to send a signal that the company recognizes it has a problem and that it is going to train people into behaving properly. The problem with this approach is that it seems to follow the letter of the 2020 Update mandate to train on the lessons learned from prior compliance incidents but in reality does not follow the spirit which is to understand the failure, remediate the problem and then train on the solution so employees will act as your first line of compliance defense.
This is compounded by Rogers belief that 98% of problems a company face are caused by about 2% of its employee population. So, for 98% of the employees, the training becomes punitive rather than helpful, and the 2% of the bad actors ignore it. But there has been an illusion created that the company is taking steps to fix the problem and it gets headlines and publicity. The company then thinks it has met its requirements. It is through the variety of strategies and techniques that allow a company to identify and monitor such bad actors to either get rid of them or have controls in place that keep them between the guardrails.
There are some ethics and compliance topics that every employee in a company needs to know at an awareness level. For example, every employee needs to know that the company has a Code of Conduct, where to find it, how to search it and what it contains. Every employee needs to know about the company’s hotline and how to report issues. Every employee needs to know about the company’s non-retaliation policy and the protections it provides. Every employee needs to be aware of safety policies and procedures.
However, when it comes to some of the more serious legal and regulatory risks, not every employee has the same level of risk exposure. Take bribery, for example. Most employees need to know the company’s position on bribery and that the company has a policy. These employees need understanding at an awareness level, not at a highly technical level. However, there are some employees that are in a position to either offer bribes or be bribed because of their job function or their location. These employees need in-depth training on how to handle these situations. This approach dovetails into the 2020 Update which specified that you focus training on employees in relevant control functions; provide tailored training for high-risk and control employees, including training that addresses risks in the area where the misconduct occurred and provide supervisory employees supplementary training.
As compliance professionals, we need to become more adept at providing training that is adapted and tailored to the risk that specific individuals or groups of individuals present to the company and to themselves. This could be accomplished by better profiling learners through HR data, by using adaptive online training and by focused training campaigns to high-risk audiences. This just-in-time training model provides training exactly when and where the employee needs the information. For example, many companies provide insider trading training as part of annual training requirements; they hope employees remember the principles when they decide to buy/sell the company stock.
However, a company might well do better to include some kind of micro training at specific times when and where the risk is highest. Perhaps certain groups are more prone to being aware of insider information – they should get frequent and targeted reminders. When an employee is traveling overseas and might be carrying company samples or might have a computer that contains sensitive company data; this is an excellent time to embed a hand carry training module or a trade controls training module into the travel booking process which would be delivered to the employees computer or smart phone.
Compliance training needs to get to the point where managers and leaders drive compliance training based on how they perceive the risks in their organizations. In other words, an awareness of risks can permeate the organization to such a degree that managers will be able to recognize when their employees need training and can call on the compliance function to provide custom training opportunities.
The Compliance Evangelist
Founder, The Compliance Podcast Network
GRC Solutions are proud to have been recognised as Highly Commended in the category of Compliance Training Provider of the Year. The judges recognised our extensive library of training content, customised training programmes developed for large banks and insurers, and a software platform that allows clients to build out their own training.
Give us a call or complete the form and we'll be in touch soon