Select training objectives
As an example let’s focus on just the privacy breach risk, examining it at a more detailed level, and with consideration for the audience numbers to be trained. (See Table 3.)
|
Risk Dimensions |
||||
| Risk Source | Likelihood | Frequency | Impact | Comments |
| Type: Leak of sensitive financial data to media | So low that it’s hard to measure | < 1 in past 5 years | Resulted in major Government inquiry costing in excess of $3.2m | Very few people have access to this type of information |
| Mechanism: Leaks occurring when information is in transit | Around 25% of staff take sensitive information out of the office or send it electronically or via post | Dozens of times daily | Massive variation, from documents going missing and never resurfacing, to laptops being stolen, and whole filing cabinets disappearing, ranging in cost from a few dollars to many hundreds of thousands of dollars | More than 3000 staff have access to sensitive information |
| Cause: Accidental leaks arising from poor filing practices | Estimated that around 40% of leaks result from accidental misfiling | Dozens of times daily | Generally small impacts as the files remain inside the premises and leakes are to other staff or departments | More than 8000 staff file documents as part of their duties |
In this analysis, just a few examples were provided and the risk was considered from multiple perspectives, including the type, mechanism, and source. This multidimensional analysis helps in understanding the nature of the risk and how best to address it. From this table our training focus and budget can be further narrowed.
For example, you might consider a training intervention for staff with access to sensitive financial information, because, while the likelihood and frequency are low, the impact is so great that it may be worthwhile.
However, this is where the analysis becomes valuable in making training decisions. One can easily imagine the finance executives being sent on intensive and expensive training courses after the previous leak in a knee-jerk response to the serious financial impacts, but it is probable that training did absolutely nothing to reduce a risk that was already vanishingly small.
On the other hand, training thousands of staff on how to prevent privacy breaches while information is in transit, offers excellent potential to reduce the likelihood and frequency of information being leaked through that mechanism. A similar, if less powerful (because the impacts are lower) business case can also be made for training to reduce internal leaks through misfiling.
Having selected some training objectives to be funded, it is critical at this point to assign some metrics. Contrary to many LMS vendors’ claims that a dashboard showing the percentage of staff that have passed a sexual harassment course is a measure of risk control, compliance training can only be measured through its actual effects on compliance, or, as previously discussed, the degree to which compliance levels are exceeded.
Training analytics is a large subject in its own right. Suffice to say that compliance training must be measured on its impact, and work must be done to isolate the metrics from other effects, so the true value of the training in moving the metric can be determined. Finally, compliance training metrics should be measurable at a sufficiently granular level to allow for highly-targeted remedial training of individuals, targeted improvements in compliance process sub-components, and targeted improvements in the training programs themselves.
Develop learning design
Having identified the training objectives, let’s work out the kinds of learning theories and activities that might be commensurate with their risk profile.
In Table 4, each control level is assigned suitable training approaches, but some cells are blank, indicating that, for example, no training is planned for avoiding low frequency/high impact risks.
|
Control Level |
||||
| Risk Profile | Avoid | Reduce | Transfer | Retain |
| High frequency/ High impact |
Certification using a blend of classroom, virtual learning environment, and workplace observation | Ongoing professional development and assessment, using a Web 2.0 portal, monthly mentoring sessions, and an annual conference | ||
| High frequency/ Low impact |
Significant online and classroom induction training and assessment | Bi-annual online refresher training and a quiz | ||
| Low frequency/ High impact |
Minor, regular online awareness-raising presentations, and a quiz | |||
| Low frequency/ Low impact |
Annual confirmation of understanding, using an e-doc with completion tracking | |||
However, this is an example only. Each organization’s table would vary depending on the kinds of risks they face and the resources available to manage them. It would also vary according to other factors such as the organization’s commitment to good corporate citizenship, its environmental policies, its branding as an employer of choice, and so on.
Whilst these factors may not be considered risks underpinned by data, they do have specific and measurable purposes, and can therefore form part of a rational compliance management strategy.
The key consideration is the level of training and assessment intensity needed to achieve the level of control desired. For example, laboratory workers required to frequently apply a new diagnostic, testing for a life threatening disease, would be good targets for a comprehensive certification program (avoid), while electrical contractors being inducted into a new building site might only need confirm their understanding of the company’s sexual harassment policy (transfer).
In this way, the costs of compliance training can be effectively controlled by assigning more funds to those risks that are both more likely to become a reality, and more likely to have serious impacts should they do so.
Costs can be further managed through the assignment of delivery channels and approaches to this same matrix. This is based on the assumption that more expensive training delivery channels and approaches are more effective, which, of course, is not necessarily true. But from a budgeting perspective, this approach allows you to control where your budget is spent, with funds being allocated based on risk and reward.
At this point it is worth mentioning the e-doc scenario. In an earlier case study the “tick and flick” approach was identified as inadequate as a risk management control. However, it has its place in our toolkit as a very low-cost response to minor risks. It can play a role in partially transferring risk to the learner, by making them aware of their responsibilities.
In wrapping up this proposed approach to compliance training strategy, it must be noted that, like any strategy, it should be regularly reviewed and reset, to adapt to changing organizational objectives, and to move training resources away from risks in decline and towards emerging risks.
Closing remarks
For small to medium enterprises, this framework, with its reliance on an evidence-based approach, may be beyond their capacity to resource. However, even a subjective analysis of the risks, using anecdotal evidence, will yield excellent recommendations for targeting compliance training for the maximum return on investment.
Larger organizations, with their dedicated compliance management departments, will already collect much of the data upon which this framework relies. For these organizations, the learning and compliance functions, while separate, most likely already collaborate in determining the risks most suitable for training interventions.
However, as the examples given show, regardless of the organizations’ size, these selections are sometimes poorly made, and based on fear of censure, or in response to socio-political agendas at work within the organization.
In part this is due to a risk management paradigm that, to some degree, is still ruled by fear. But new thinking is emerging, in which compliance is not just a mechanism to manage risk and control costs, but also contributes to brand value and revenue.
Training departments also need to recognize their proclivity towards socio-political influences when setting training agendas. With the advent of technology-enabled learning, the training department’s capacity to influence the organization’s performance, and its accountability to do so, has dramatically increased.
This is leading to a more widespread adoption of evidence-based learning and development strategy that gives consideration, but not undue power, to socio-politically driven training agendas.
