Compliance training treatment hierarchy

November 21st, 2009 | By David in Strategic L&D

Much of today’s compliance training is developed in reaction to fear of censure or in support of socio-political agendas, but designing a compliance training strategy based on a risk assessment model and treatment hierarchy can reduce these influences and drive a more rational, measurable and aligned approach to compliance training. This can result in not just better compliance and reduced compliance costs, but can also contribute to brand value and increased revenue.

With the global financial crisis pushing organizations to review and consolidate their spend and business activities, and with a legislative environment ripe for significant change in response to the GFC and climate change, now is a good time to rationalize your compliance training strategy.

Underpinning weaknesses

A financial services company recently spent a large sum of money developing a very media rich e-Learning module focused on unacceptable sexual harassment behaviours, the consequences for the people involved and the impacts on the organization. It ended with a mandatory summative assessment generating scores and completion records.

A range of reasons were given for this approach: “It’s important that staff understand their obligations under the law” and “The company has an obligation to provide a safe workplace for its staff.” When asked how many serious sexual harassment incidents they had dealt with in the last year, the answer was no serious incidents, and just a couple of minor ones.

Eventually it was admitted that a generalized fear of legal action had led to the development of the module. So the question must be asked: was this expensive e-Learning module the appropriate response to the assessed risk?

In contrast, a sports and entertainment venue put together a large curriculum of contractor induction modules based on a ‘tick and flick’ approach, in which learners were exposed to basic text and graphic screens of regulations and then asked to confirm their understanding, which was then recorded. This venue spends massive amounts of money on insurance, they experience many small accidents and from time-to-time a major one, all of which significantly impact their bottom-line.

In this case the risk is manifest. So why is the response so cursory? Was the cost of lowering the rate of accidents through training higher than the cost of insuring against them and compensating those who had suffered? Had anyone actually run the numbers? No.

Finally, a large Government department undertakes an enterprise-wide privacy training program, reacting to direction from a senior official embarrassed by several high-profile breaches of privacy laws that had made national headlines, and cost the Department not only damage to their reputation, but also many thousands of dollars in investigating and fixing the breaches. Other minor breaches were also a regular occurrence.

The training response was carefully put together to fit within their privacy training framework, specifically targeted the most commonly occurring and serious breaches and was developed from a modest budget.

These real life examples illustrate a very common weakness: the tendency to select and fund compliance-based training targets in reaction to perceived threats and internal or external socio-political pressures. But is there a more rational approach?

Rational approach

Compliance management as a subset of risk management usually employs two rational tools. The first is risk assessment and the second is the hierarchy of controls.
Risk can be assessed in three ways: the likelihood that a given risk will become a reality, how often this will occur, and the impacts on the organization should it do so.

These risks are subject to a hierarchy of controls with the higher controls being better than the lower ones at managing the risk. These controls are to avoid or eliminate the risk, reduce the likelihood of it occurring and its impacts should it occur, transfer the risk by outsourcing the activity or insuring against it, and retain the risk, in which you budget for the risk being realized.

Let’s apply this rational framework to the earlier case studies. In the financial services company, sexual harassment was fairly unlikely, fairly infrequent and had minor impacts on the organization. The training strategy tried to avoid and reduce this risk and perhaps transfer it, by recording each staff member’s score, allowing them to potentially transfer the liability to the individual, should an incident occur.

Generally speaking the higher levels of control are more expensive and harder to apply successfully, so in this instance for a pretty low-end risk, the company applied the most expensive and difficult controls. Why?

It is likely that fear of future legal costs, brand damage and Government intervention & regulation played a role. Call me cynical, but it is unlikely that creating a safe workplace for their staff was much of a factor. So the driver is actually proactive, which is great, but not rational or data driven, because little evidence existed to suggest that their fears would be realized.

In the second case, the risk of a health and safety incident at the sports venue was highly likely, it happened often and the impacts ranged from moderate to severe. Yet their primary control strategies were transfer and retain.

It is possible given the high turnover of contract staff that the cost of using training to avoid or reduce this risk was higher than the cost of insurance, but given premiums only ever go up and generally include penalties for claims, this strategy would eventually become unviable.

In this case the underpinning beliefs were multiple: learners were highly resistant to training; it would take too long and they need to be on site quickly; and of course that old chestnut, by recording their results, we transfer the liability to the contractor anyway (a commonly held assumption that delivers mixed results in reality). So are these reasons valid? Maybe, maybe not, but they are certainly not founded on evidence.

Lastly, the Government department was faced with a risk of privacy breaches that was moderately likely, quite frequent and the impacts ranged from minor to severe. Their response was focused on avoidance, which as the top level of control is appropriate to the risk, and the budget was restricted, perhaps recognizing that there are other risks of a more serious nature that the department has to control. Their strategy may also have employed a bit of transfer by recording the assessment results. So in this example, the department did take an evidence-based approach.

So how might your organization apply this framework to create a rational compliance training strategy? The first step in creating such a strategy is to set its scope and broad intentions. To do this, the organization’s compliance system, operating environment and standards for compliance must first be understood.

Set scope and intentions

An organization’s compliance system comprises the regulations with which it must comply and the policies to which it has committed. These are implemented through its processes and procedures. Or put more simply, the regulations and policies establish the why and what and the processes and procedures describe the who, how and when.

While a lot of compliance training is focused at the regulatory and policy level and therefore employs knowledge and awareness training, an effective training framework must actually target both.

Consider the earlier case of the Government department implementing privacy training. Typically, this kind of training focuses on building staff understanding of the principles governing privacy, with the expectation that this constructivist approach will enable staff to apply the policy in any situation.

But privacy breaches usually result from procedural non-compliance, for example taking sensitive information home to work on at night. To be effective, the training must target both the policy and its associated procedures.

By understanding compliance through a systems approach, systemic failures and disconnects between policy and its operationalization can be identified and targeted not only for training, but also for process improvement.

An organization’s compliance environment must also be understood. Often referred to as an ecosystem, it encompasses the organization, its regulatory authorities, its suppliers, its sales channels, partners, its customers and so on.

An effective training strategy must consider all these stakeholders and how compliance is achieved through their interdependence. It must also consider how much compliance training responsibility it will hold and how much it will push outward to its ecosystem.

Consider the cell phone carrier that is receiving many customer complaints about misunderstandings over its fair use policy in which charges are capped only until the customer reaches certain call and data volumes, at which point additional charges apply.

The company responds with a product training program across its entire direct and partner sales network at considerable cost to itself in ‘time away from selling’, only to find upon more careful analysis that complaints were primarily arising from the customers of one of its channel partners. Could this training have been more targeted? Yes, and perhaps responsibility for the training could have been shifted to the channel partner.

Having considered the organization’s systems, the ecosystem within which it operates and the interplay between its components, some standards for the level of compliance must be set.

Compliance training is typically defined in terms of its ability to help staff avoid non-compliance. But the benefits of exceeding minimum compliance standards can be felt both tangibly through reduced waste and rework, increased revenue, and intangibly through improved brand perception, greater attractiveness to new recruits and so on.

Exceeding compliance standards can also save money by anticipating tightening regulatory constraints and acting to meet tomorrow’s standards within today’s cost structures. Indeed it can actually deliver a new revenue stream through selling compliance training to ecosystem members, such as product certification training to resellers, and even to the broader market.

Numerous examples of this kind of compliance training exist such as affirmative action programs that take staff training beyond the minimum gender discrimination requirements, carbon reduction training programs focused on switching off lights and appliances, reducing paper use and so on, once again exceeding minimum environmental regulations.
Setting standards for each compliance requirement, to determine if they will be met or exceeded and to what level, helps inform your decisions on targeting and funding compliance training.

Bringing together this analysis about the organization’s compliance system, its environment and its standards, sets the scope and broad intentions of your compliance training strategy as exemplified below (See figure 1).

figure_1

Armed with an understanding of the organization’s compliance training scope and intentions, a rational framework can now be applied.

Identify risks

This framework is applied at three levels. At the highest level it can underpin the identification of risks to be controlled through training. At the curriculum level it can help select the training objectives to be addressed, and finally, at the learning design level, it can help determine suitable learning mediums and activities. Let’s begin with risk identification.

To do this, let us combine all three earlier case studies into one fictional company and examine the risks it faces (See figure 2). At this stage, a general analysis of all the non-compliance risks facing an organization should be conducted and, where possible, they should be precisely defined.

figure_2

Already it is clear from the table that the sexual harassment risk, being small, might be controlled through other low cost controls such as contract clauses and performance management metrics. This leaves us with the health & safety and privacy breach risks, both of which might be candidates for training.

Select training objectives

As an example let’s focus on just the privacy breach risk, examining it at a more detailed level and with consideration for the audience numbers to be trained (See figure 3).

figure_3

In this analysis, just a few examples were provided and the risk was considered from multiple perspectives, including the type, mechanism and source. This multidimensional analysis helps in understanding the nature of the risk and how best it can be addressed. From this table our training focus and budget can be further narrowed.
For example, you might consider a training intervention for staff with access to sensitive financial information, because while the likelihood and frequency are low, the impact is so great that it may be worthwhile.

However, this is where the analysis becomes valuable in making training decisions. One can easily imagine the finance executives being sent on intensive and expensive training courses after the previous leak in a knee jerk response to the serious financial impacts, but it is probable that training did absolutely nothing to reduce a risk that was already vanishingly small.

On the other hand, training thousands of staff on how to prevent privacy breaches while information is in transit, offers excellent potential to reduce the likelihood and frequency of information being leaked through that mechanism. A similar, if less powerful (because the impacts are lower) business case can also be made for training to reduce internal leaks through misfiling.

Having selected some training objectives to be funded, it is critical at this point to assign some metrics. Contrary to many LMS vendors’ claims that a dashboard showing the percentage of staff that have passed a sexual harassment course is a measure of risk control, compliance training can only be measured through its actual effects on compliance or, as previously discussed, the degree to which compliance levels are exceeded.

Training analytics is a large subject in its own right. Suffice to say that compliance training must be measured on its impact, and work must be done to isolate the metrics from other effects so the true value of the training in moving the metric can be determined. Finally, compliance training metrics should be measurable at a sufficiently granular level to allow for highly targeted remedial training of individuals, targeted improvements in compliance process sub-components and targeted improvements in the training programs themselves.

Develop learning design

Ok then, having identified the training objectives, let’s work out the kinds of learning mediums and activities that might be commensurate with their risk profile.

In the table below (See figure 4), each control level is assigned suitable training approaches, but some cells are blank, indicating that, for example, no training is planned for avoiding low frequency/high impact risks.

However, this is an example only. Each organization’s table would vary depending on the kinds of risks they face and the resources available to manage them. It would also vary according to other factors such as the organization’s commitment to good corporate citizenship, its environmental policies, its branding as an employer of choice and so on.

Whilst these factors may not be considered risks underpinned by data, they do have specific and measurable purposes and can therefore form part of a rational compliance management strategy.

The key consideration is the level of training and assessment intensity needed to achieve the level of control desired. For example, laboratory workers required to frequently apply a new diagnostic, testing for a life-threatening disease, would be good targets for a comprehensive certification program (avoid), while electrical contractors being inducted into a new building site might only need to confirm their understanding of the company’s sexual harassment policy (transfer).

figure_4

In this way the costs of compliance training can be effectively controlled, by assigning more funds to those risks that are both more likely to become a reality and more likely to have serious impacts should they do so.

Costs can be further managed through the assignment of delivery channels and approaches to this same matrix. This is based on the assumption that more expensive training delivery channels and approaches are more effective, which of course is not necessarily true. But from a budgeting perspective, this approach allows you to control where your budget is spent, with funds being allocated based on risk and reward.

At this point it is worth mentioning the e-doc scenario. In an earlier case study the ‘tick and flick’ approach was identified as inadequate as a risk management control, however it has its place in our toolkit as a very low cost response to minor risks and can play a role in partially transferring risk to the learner, by making them aware of their responsibilities.
In wrapping up this proposed approach to compliance training strategy, it must be noted that like any strategy, it should be regularly reviewed and reset, in this case to adapt to changing organizational objectives and to move training resources away from risks in decline and towards emerging risks.

Closing remarks

For small to medium enterprise, this framework with its reliance on an evidence-based approach may be beyond their capacity to resource, however, even a subjective analysis of the risks, using anecdotal evidence, will yield excellent recommendations for targeting compliance training for the maximum return on investment.

Larger organizations, with their dedicated compliance management departments, will already collect much of the data upon which this framework relies. For these organizations, the learning and compliance functions whilst separate, most likely already collaborate in determining the risks most suitable for training interventions.

However, as the examples given have shown, these selections, regardless of the organization’s size, are sometimes poorly made. In part this is due to a risk management paradigm that to some degree is still ruled by fear. But new thinking is emerging in which compliance is not just a mechanism to manage risk and control costs, but is also contributing to brand value and revenue.

The training department also needs to recognise its proclivity towards socio-political influences when setting training agendas. With the advent of technology enabled learning, the training department’s capacity to influence the organization’s performance, and its accountability to do so, has dramatically increased.

This is leading to a more widespread adoption of evidence-based training strategy that gives consideration, but not undue power, to socio-politically driven training agendas and is good for all us eLearning and blended learning consultants who are sick of developing the same OH&S course over and over again ;)
