Our Compliance 101 series continues with another subject sure to take up plenty of a corporate compliance officer’s time as you develop a program: compliance training.
A compliance program won’t be effective without training. The U.S. Sentencing Guidelines cite training as one of the seven elements of an effective program and the Justice Department devotes a section to training in its guidelines to evaluate corporate compliance programs. The importance of compliance training is discussed everywhere. But, you already know this.
So, how does one actually build a compliance training program, especially if your company has never had one before? What are the important building blocks you need to understand?
Who should you train?
First, the people. Of course, you will want to train employees (and third parties, although we’ll use “employees” for both here for the sake of concision) who might consider breaking the law to do their jobs, that they shouldn’t break the law. So, executives who oversee foreign markets or sales to government agencies — they should receive training about anti-bribery statutes. Marketing executives would get trained in data privacy law. Training for those groups is a given.
Compliance officers also need to look beyond those obvious groups. For example, the Justice Department guidance stresses “control function employees,” who might recognize bribery or other misconduct as those suspicious transactions work their way through the enterprise. That could include employees in accounting or finance, HR, the legal department, or similar functions. They should be trained on how to report misconduct when they suspect it.
Then come the more senior executives, “approvers” who might authorize specific transactions, certify standards of business conduct, or demonstrate behaviors that other employees model. These supervisory people need their own training, too.
What should you train them on?
Second, the material. Much has been written about the need for relevant, understandable training material for employees. For example, the materials should be written or presented in an employee group’s local language. The material should use examples and metaphors the students understand, or might encounter in their daily routines.
At a more abstract level, compliance officers also need to think about how they can deliver training appropriate to the level of risk — and how to do that with pesky practical considerations, like budget and staffing levels.
For example, for employees who are at low risk of violating the FCPA, it might suffice to deliver computer-based online training courses once per year (or whenever new hires arrive). But in remote regions where computer facilities are scarce, you might get better results by hiring a local person to deliver the training in person, in the local language.
On the other hand, senior sales executives could probably ace an online course in 30 minutes — and then disregard the material an hour later, and violate the FCPA anyway. In that case, they might be better served by more frequent in-person discussions about ethics and compliance. (Say, at sales conferences, with the CEO also devoting a few minutes in his or her welcome speech to the importance of anti-corruption.)
There’s also the question of guidance beyond training: internal newsletters, policy manuals posted online, or even interactive apps that guide employees through compliance questions they have. Modern technology can increasingly blur the line between formal training and tools employees can use to guide themselves through difficult questions. Consider how you could take advantage of that fact. What delivers the most impact to each group, within whatever budget and resources you have? That’s what you want to understand here.
What is your training strategy?
Third, the strategy. Compliance officers have many other details to consider about training programs, beyond what happens “in the classroom”.
For example, all training programs should include a periodic review by you and other senior executives to assure that your training is still relevant to the risks the company has and that the training material and methods actually work. What process would you use to connect your compliance risk assessments to training? What process would you use to evaluate the effectiveness of training? What metrics would identify “success” in your mind?
Compliance officers also need to think about potential allies elsewhere in the enterprise to deliver strong, effective training. That might include the HR team since they also work on training programs, or local business managers who could lead training themselves or exert influence with employees taking the training.
And as always, compliance officers should document their thinking on these matters; as well as the results of periodic reviews and any other evidence that shows how your training program is working. The day may come when regulators want to see it.
To learn more about training, get your copy of The Anatomy of an Effective Compliance Training Program. This guide will help you thoughtfully design and implement a compliance training program that meets the needs of your audience and mirrors the specific risks your organization faces.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.