
What's Your E-Learning Strategy for Compliance Training?

Compliance is not just a way to manage risks and control costs. It contributes to brand value and to revenue. Because of this, the training department and e-Learning enjoy the opportunity to influence the organization's performance, and to support accountability. The movement to technology-enabled, evidence-based learning will strengthen the position of those in the learning business.

Support of socio-political agendas, or simple fear of censure, leads to much of today’s compliance training. However, designing a compliance training strategy based on a risk assessment model and treatment hierarchy can reduce these influences. It can drive a more rational, measurable, and aligned approach to compliance training. This can result in better compliance at reduced cost, but even more, it can also contribute to brand value and increased revenue.

Editor’s Note: Parts of this article may not format well on smartphones and smaller mobile devices. We recommend viewing on larger screens.

The global financial crisis (or GFC) is pushing organizations to review and consolidate their spending and business activities. The legislative environment is ripe for significant change in response to the GFC and to climate change. Now is a good time to rationalize your compliance training strategy.

Knee-jerk reactions: FAIL

Here are three examples of poorly thought-out compliance training.

A financial services company recently spent a large sum of money developing a very media-rich e-Learning module focused on unacceptable sexual harassment behaviours, the consequences for the people involved, and the impacts on the organization. The module ended with a mandatory summative assessment generating scores and completion records.

Company managers gave a range of reasons for this approach, including, “It’s important that staff understand their obligations under the law,” and, “The company has an obligation to provide a safe workplace for its staff.” When asked how many serious sexual harassment incidents they had dealt with in the last year, the answer was, “No serious incidents, and just a couple of minor ones.”

Eventually someone admitted that a generalized fear of legal action had led to the development of the module. So the question must be asked, was this expensive e-Learning module the appropriate response to the assessed risk?

In contrast, a sports and entertainment venue put together a large safety curriculum. It consisted of contractor induction modules based on a “tick and flick” approach. That is, it exposed learners to basic text and graphic screens of regulations, asked them to confirm their understanding, and recorded their responses. This venue spends massive amounts of money on insurance, experiences many small accidents, and from time to time has a major one. All of these significantly impact its bottom line.

In this case the risk is manifest. So why is the response so cursory? Was the cost of lowering the rate of accidents through training higher than the cost of insuring against them and compensating those who had suffered? Had anyone actually run the numbers? No.

Finally, a large Government department undertook an enterprise-wide privacy training program. This program was a reaction to direction from a senior official who was embarrassed by several high-profile breaches of privacy laws that had made national headlines. These breaches cost the Department damage to their reputation, and many thousands of dollars in investigating and fixing them. Other minor breaches were also a regular occurrence.

The Department carefully put together the training response to fit within their privacy training framework. It specifically targeted the most commonly occurring and serious breaches, and it also fit within a modest budget.

These real-life examples illustrate a very common weakness: the tendency to select and fund compliance-based training targets in reaction to perceived threats, and to internal or external socio-political pressures. But is there a more rational approach?

Rational approach

Compliance management, as a subset of risk management, usually employs two rational tools. The first is risk assessment, and the second is the hierarchy of controls.

Risk can be assessed in three ways: the likelihood that a given risk will become a reality, how often this risk will occur, and the impacts on the organization should it do so.

These risks are subject to a hierarchy of controls, with the higher controls being better than the lower ones at managing the risk. These controls are to:

  • avoid or eliminate the risk,
  • reduce the likelihood of it occurring, and minimize its impacts should it occur,
  • transfer the risk by outsourcing the activity or insuring against it, and
  • retain the risk, in which case you budget for the risk being realized.

Let’s apply this rational framework to the earlier case studies. In the financial services company, sexual harassment was fairly unlikely, fairly infrequent, and had only minor impacts on the organization. The training strategy tried to avoid and reduce this risk, and perhaps to transfer it, by recording each staff member’s score. This would allow the company to potentially transfer the liability to the individual, should an incident occur.

Generally speaking, the higher levels of control are more expensive and harder to apply successfully, so in this instance, for a pretty low-end risk, the company applied the most expensive and difficult controls. Why?

Fear of future legal costs, brand damage, and Government intervention and regulation probably played a role. Call me cynical, but it is unlikely that creating a safe workplace for their staff was much of a factor. So the driver is actually proactive, which is great, but not rational or data driven, because little evidence existed to suggest that their fears would be realized.

In the second case, the risk of a health and safety incident at the sports venue was highly likely, it happened often, and the impacts ranged from moderate to severe. Yet their primary control strategies were transfer and retain.

It is possible, given the high turnover of contract staff, that the cost of using training to avoid or reduce this risk was higher than the cost of insurance. However, given that premiums only ever go up, and generally include penalties for claims, this strategy would eventually cease to be viable.

In this case, the underpinning beliefs were multiple: learners were highly resistant to training, it would take too long, and they need to be on site quickly. And, of course, that old chestnut, “by recording their results, we transfer the liability to the contractor anyway” (a commonly held assumption, that delivers mixed results in reality). So are these reasons valid? Maybe, or maybe not, but they are certainly not founded on evidence.

Lastly, the Government department was faced with a risk of privacy breaches that was moderately likely, quite frequent, and the impacts of which ranged from minor to severe. Their response was carefully budgeted and focused on avoidance, which, as a top level of control, was appropriate to the risk. The strategy may also have employed a bit of transfer by recording the assessment results. So in this example, the department did take an evidence-based approach.

How might your organization apply this framework to create a rational compliance training strategy?

The first step in creating such a strategy is to set its scope and broad intentions. To do this, you must first understand the organization’s compliance system, operating environment, and standards for compliance.

Set scope and intentions

An organization’s compliance system comprises the regulations with which it must comply and the policies to which it has committed. The organization’s processes and procedures implement the regulations and policies. Or put more simply, the regulations and policies establish the “why and what,” and the processes and procedures describe the “who, how, and when.”

While a lot of compliance training attends to the regulatory and policy level, and therefore employs knowledge and awareness training, an effective training framework must actually target both levels.

Consider the earlier case of the Government department implementing privacy training. Typically, this kind of training focuses on building staff understanding of the principles governing privacy, with the expectation that this constructivist approach will enable staff to apply the policy in any situation.

Privacy breaches usually result from procedural non-compliance, for example, taking sensitive information home to work on at night. To be effective, the training must target both the policy and its associated procedures.

Understanding compliance through a systems approach offers a great advantage. It makes it possible to identify and target systemic failures and disconnects between policy and its operationalization, not only for training, but also for process improvement.

It is also necessary to understand an organization’s compliance environment. Often referred to as an ecosystem, the compliance environment encompasses the organization, its regulatory authorities, its suppliers, its sales channels, its partners, its customers, and so on.

An effective training strategy must consider all these stakeholders, and how their interdependence produces compliance. It must also consider how much compliance training responsibility it will hold, and how much it will push outward to its ecosystem.

Consider the cell-phone carrier that receives many customer complaints about misunderstandings over its fair use policy. Under this policy, the carrier caps charges only until the customer reaches certain call and data volumes. After that point, additional charges apply.

The company responds with a product training program across its entire direct and partner sales network. It does this at considerable cost to itself in “time away from selling.” But, upon more careful analysis, the company discovers that complaints were primarily arising from the customers of only one of its channel partners. Could this training have been more targeted? Yes, and perhaps the company could have shifted responsibility for the training to the channel partner.

Having considered the organization’s systems, the ecosystem within which it operates, and the interplay between its components, some standards for the level of compliance must be set.

Typically, the definition of compliance training involves its ability to help staff avoid non-compliance. But the benefits of exceeding minimum compliance standards are both tangible, through reduced waste and rework and increased revenue, and intangible, through improved brand perception, greater attractiveness to new recruits, and so on.

Exceeding compliance standards can also save money by anticipating tightening regulatory constraints and acting to meet tomorrow’s standards within today’s cost structures. Indeed, this achievement can actually deliver a new revenue stream through selling compliance training to ecosystem members, such as product certification training to resellers, and even to the broader market.

Numerous examples of this kind of compliance training exist. These include affirmative action programs that take staff training beyond the minimum gender discrimination requirements. They include carbon reduction training programs that focus on switching off lights and appliances, reducing paper use, and so on, once again exceeding minimum environmental regulations.

Setting standards for each compliance requirement to determine if they will be met or exceeded, and to what level, helps inform your decisions on targeting and funding of compliance training.

Bringing together this analysis about the organization’s compliance system, its environment, and its standards, sets the scope and broad intentions of your compliance training strategy as exemplified below. (See Table 1.)

Armed with an understanding of the organization’s compliance training scope and intentions, we can now apply a rational framework.

Table 1 Compliance training strategy: Scope and intentions

Compliance area: Emission standards
Standard: EURO 2012 targets for energy efficiency
Audiences affected:
  • Head office staff
  • Warehouse staff
  • Facilities management contractors
  • Distribution contractors
  • Channel partner staff
  • Customers
Strategies:
  • Set facilities management and distribution standards and monitor compliance
  • Train staff on energy efficiency measures
  • Train channel partners on promoting green credentials to customers
  • Offer fee for service training to partners on how to implement in own business

Compliance area: Anti-discrimination Act
Standard: Minimum required
Audiences affected:
  • Head office staff
  • Warehouse staff
Strategies:
  • Basic training and assessment plus annual refresher

Compliance area: Federal Privacy Act
Standard: Minimum required
Audiences affected:
  • Head office staff
  • Warehouse staff
  • Channel partner staff
Strategies:
  • Basic training and assessment plus annual refresher for staff
  • Specialist training programs to target areas of non-compliance
  • Free training to channel partner staff on privacy and CRM system

Identify risks

This framework is applied at three levels. At the highest level, it can underpin the identification of risks to be controlled through training. At the curriculum level, it can help select the training objectives to be addressed. Finally, at the learning design level, it can help determine suitable learning theories and activities. Let’s begin with risk identification.

To do this, let us combine all three earlier case studies into one fictional company and examine the risks it faces. (See Table 2.) At this stage, a general analysis of all the non-compliance risks facing an organization should be conducted, and they should be as precisely defined as possible.

Table 2 General analysis of non-compliance risks for a fictional company

Risk: Sexual harassment
Likelihood: About 2% chance per year
Frequency: Averaging less than 2 reports per year
Impact: Generally resolved with brief counseling and performance management interventions

Risk: Health and safety incidents
Likelihood: About 10% chance per year
Frequency: Averaging about 2 minor incidents per month and 1 major per year
Impact: Minor incidents require < 3 hours on average to investigate and no medical costs. Major incidents take on average 70 hours to investigate, and cost $90k on average for medical expenses, insurance premium increases, and fines. On one occasion, a major incident resulted in union action and a site shutdown, estimated to have cost in excess of $250k.

Risk: Privacy breaches
Likelihood: About 5% chance per year
Frequency: Averaging about 7 minor incidents per month and 2 major incidents per year
Impact: Minor incidents take < 12 hours on average to investigate and fix. Investigation of major incidents takes on average 110 hours, costs $1200k on average, and also involves intangible costs, as embarrassment to public officials is considered to be very serious.

Already it is clear, from the table, that the sexual harassment risk, being small, might be controlled through other low-cost controls such as contract clauses and performance management metrics. This leaves us with the health and safety and the privacy breach risks, both of which might be candidates for training.

