For example, if a healthcare provider suffers a data breach that exposes patient records, they can be hit with fines for violating HIPAA rules, plus they will need to spend money to clean up the breach, shore up cybersecurity, offer free credit monitoring, and so on.
That’s bad, but the reputational damage can be much worse. Consumers suddenly don’t feel comfortable trusting the provider. Patients are more apt to leave bad online reviews for doctors who had nothing to do with the breach—even if the physicians delivered quality care. People who might have become new patients will instead choose other, perceptibly more trustworthy providers in their networks. And perhaps most distressingly, publicly traded healthcare companies can lose millions in value because shareholders don’t want to be associated with such a non-compliant organization.
A PR disaster occurred … because a careless employee didn’t follow a cybersecurity best practice and data was breached. The consequences of noncompliance can last far longer than companies can stomach.
Compliance PR disasters aren’t limited to IT. Embarrassing corporate sexual harassment incidents have led to consumer boycotts. High-profile corruption cases make headlines on business news sources and make people think the offending organization is a bunch of crooks. Employees don’t understand intellectual property, leading to embarrassing lawsuits and the organization being branded as thieves.
Compliance training is supposed to thwart these incidents and scandals, yet organizations still find themselves burned and publicly chastised. The problem isn’t with training as a compliance strategy, but rather with how that training is designed and administered. With top-notch, adaptive training that produces behavioral intelligence, the risk of a PR disaster can be greatly reduced.
Organizations across a wide range of industries understand the importance of compliance training and provide such education to their employees (sometimes because they are mandated to). Workers participate in the training and usually complete it, but this should be far from a “Mission Accomplished!” moment. Finishing a course doesn’t necessarily mean a user will retain information, understanding, and muscle memory. Some employees participate only begrudgingly and barely bother to pay attention; others tune out because they already know what’s being taught (or took the same course previously). Still others take the course seriously but find the material doesn’t apply or appeal to them and, subsequently, don’t achieve a true understanding. All these users need something more to make the training stick. Without that something, the risk that they will commit a violation increases—as does the overall risk to the organization. So, are current compliance training methods effective? A 2016 survey by Deloitte and Compliance Week found that 30 percent of firms aren’t even trying to measure the effectiveness of their compliance programs.
Organizations wish it was that easy, but giving compliance training to employees isn’t enough in itself to stave off a PR disaster. The courses you provide must excel by being:
Rethinking compliance training as an opportunity rather than a requirement (even if it’s required) builds real skills and muscle memory for employees, who get more from the experience than just a bunch of rules and admonitions. This transformation can make all the difference; when faced with a decision that potentially runs afoul of good compliance, employees will make the right choice thanks to the engaging, relevant training they received.
Sexual harassment and workplace harassment violations are rarely the results of employee ignorance—even with training, offenders usually know something is wrong and choose the bad behavior anyway. However, in other areas, such as cybersecurity, data privacy, electronic communication, and money laundering, the difference between right and wrong isn’t always so clear-cut.
For example, Learning Pool research found that with our sexual harassment training modules, all users across all industries averaged a 94 percent performance score. In contrast, the score for appropriate electronic communications was 82 percent. The numbers suggest employees know what is proper in interacting with coworkers more than they know what a strong password is.
These examples underscore the importance of data in building, maintaining, and enhancing a compliance training course. Even with engaging courses, gaps may still exist in what employees are internalizing and not internalizing. Robust data—including average performance, time spent on a course, time spent on key questions about policy and best practices, and which questions are proving especially befuddling to employees—identifies those gaps. For example, in our electronic communications scenario, we know passwords are a problem area because only 45 percent of users answered a key question about passwords correctly.
Besides automatically adjusting training mid-course, thorough data helps organizations and compliance officers spot trouble and predict future areas where problems may arise or continue. And learning where gaps exist and taking action before something bad happens is obviously preferable to learning about those problems after a PR disaster has damaged your company’s reputation.