“Less is more” compliance training per the DOJ Guidance

How can we issue less training and still be aligned with DOJ Guidance?

I have the great pleasure of talking about compliance training strategy in my daily work and this is one of the most frequent questions.

Well, I have great news. If you’ve read the guidance (and checked out the latest interview our partner Ricardo from Broadcat did with Hui Chen), the DOJ does not mandate specific amounts of training time. Rather, it looks at training as a prevention tool. So how do you take all that training of yours and create a more thoughtful, efficient program that reduces training time so employees can do what they were hired to do in the first place? Start by doing these three things:

1) Take a step back and evaluate

Think about all the training you deploy. If it isn’t laid out on a spreadsheet or organized into a training plan already, put it all down (message me if you want a handy template). Then, think about your training as one of the most important tools you have as an organization to help prevent potential corporate crime. What type of training are your organization’s employees receiving, and why? If it helps them do their jobs well and provides resources they need, great. If not, it’s time to either (i) change the approach, (ii) target the right audience, (iii) reduce cadence, or (iv) cut it altogether. Evaluate by asking questions like:

• Cadence: How often is training deployed?
• Coverage: Is it going to everyone?
• Scope: Does training cover risky behaviors or abstract concepts and legal definitions?
• Risk: Has the risk rating for this topic changed in the last year (up or down)?
• Alignment: Are you seeing patterns in helpline and investigations data?
• Applicability: What has changed in your business? What no longer applies? (e.g., travel policies in light of COVID, M&A)

You can often find this data in places like your compliance risk assessment, helpline data, audit findings, and by talking with risk area owners and business partners around the organization. Remember – you’re not on an island. You may not own all the risks for which you oversee training, so it’s important to bring the experts who live it every day “into the room” on this.

It’s also important to be cautious of the all-too classic ‘defensibility approach’ that looks like this: You launch everything and the kitchen sink to all employees just to say you’ve deployed it and have a bunch of meaningless check-the-box records that don’t tell anyone anything…just in case a prosecutor comes knocking (which btw, they have now said is a hallmark of a paper program and not what they are looking for – a program that works in practice). Three points here – it won’t impress the regulators, it doesn’t make your employees understand how to do their jobs the right way, and the compliance team will feel less of an ally because they’re making employees sit through endless training that has nothing to do with their actual jobs.

2) Consolidate smartly

Now that you’ve gathered your training lineup and answered the questions, it’s time to consolidate. That means identifying what’s in (aka what you train on) and “who’s in” (aka who specifically you’re training). Based on the information you devised from the evaluation questions above, you should be able to assign audience criterions based on demographics including role, function, authority (both managerial and financial), and geography. If you can’t, you still don’t have the right people in the room who are helping you answer the evaluation questions.

This is also where behavioral insights from prior compliance training events if you have a data-rich adaptive solution can support by adding risk readiness as dimension for each risk topic. For example, if your year-over-year behavioral insights indicate employees are performing strongly in conflicts of interest concepts, consider consolidating it into your upcoming code training or issuing a micro-learning, communication or job aid instead. This step alone should yield thoughtful reductions in training while driving a risk-based approach. You may be wondering what about the x% that didn’t do so great, why am I giving them the ‘out’ – and answering that thought the right way means a lot of painful manual mapping, this is where you need to consider step 3.

3) Automate

Once you’ve evaluated and consolidated, it’s now time to automate. That is, employ technology that creates a more efficient, tailored experience. We’re in 2021 people (1/4 of the way through actually). Most things we experience in our day-to-day includes technology that recognizes us and tailors experiences to us. Instead of compliance training evolving with the rest of tech, it’s been more like a conversation where you ask someone what their name is every time you see them, no matter how often you’ve met. The following is a dramatization: