In this guide, we will be discussing:
- Why is Compliance Training so Important?
- What Should be Included in Compliance Training?
- Putting Compliance Training Issues Into Content
- How to Optimize Your Compliance Training
- How to Deploy an Effective Compliance Training Plan
- 3 Compliance Training Elements You Should Be Addressing
Why is Compliance Training so Important?
A compliance program won’t be effective without training. The U.S. Sentencing Guidelines cite training as one of the seven elements of an effective program and the Justice Department devotes a section to training in its guidelines to evaluate corporate compliance programs. The importance of compliance training is discussed everywhere. But, you already know this.
From time to time it’s essential to review the importance of having an effective compliance training program and updating it regularly. One way of going about this could be to significant enforcement actions or regulatory changes that have happened over the past year, and dissect how those events might affect your compliance training priorities in 2020. In fact, companies should undertake that exercise, because numerous events happened this year that your compliance program ignores at its peril.
However, listing the hot new compliance issues of 2020 is only half the battle and the lesser half at that. Compliance officers also need to understand how those issues affect your company, including the possibility that they don’t affect your company at all.
A smart, successful update to compliance training takes the current issues and connects them to business operations—including changes in business operations that can shift who needs training on what issues. Only then can you adjust your training program to be the most impactful and up-to-date.
Let’s explore both halves the equation to better understand the tools that you as a compliance officer, can leverage to improve your training program.
What Should be Included in Compliance Training?
Several compliance issues became more prevalent in 2019, and show no signs of receding in 2020. In no particular order here are some compliance training issues you should be considering as you plan for the year ahead.
Earlier this year the Office of Foreign Assets Control (OFAC) published extensive guidance on what constitutes an effective sanctions compliance program. A key theme in the document, and in several enforcement actions, was the importance of funneling sanctions questions through a central group that had the expertise to answer those questions wisely. So employees will need a better understanding of what a sanctions issue is and the proper way to handle it.
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, with extensive new compliance burdens imposed on companies doing business in California (which include most if not all large companies). In some ways the CCPA is similar to Europe’s General Data Protection Regulation(GDPR) and in other ways, it varies—so compliance training here is not a matter of dusting off your GDPR training from 2018. It’s a whole new challenge that requires a new strategy to ensure compliance.
The #MeToo movement transformed anti-harassment training into a major concern in 2018, and the issue has lost little of its urgency since. More and more often, we see companies embrace a policy that encourages anyone to report harassment, even if they only witness such behavior rather than experience it themselves. So there’s a need to train employees on what harassment looks like, and how to properly report it when they see it.
4. Whistleblower Protection
Whistleblower protection has been a staple of corporate compliance training in the United States for years, but now the issue is going global. The European Union will have strong new whistleblower protections going into effect by 2021. Other nations are adopting similar laws around the world. Thanks to the transparency of social media, even in jurisdictions with historically weak anti-retaliation standards are having an easier time pressing accusations of retaliation in the court of public opinion. Businesses need to be better at addressing and reducing that risk.
Those are only four examples of pressing issues in compliance that may need more attention from your training program in 2020. We didn’t touch on cybersecurity, antitrust, or ethical sourcing but those are subjects that shouldn’t be ignored, either.
Putting Compliance Training Issues Into Context
For all our talk about new issues in compliance, the much more likely scenario is that in 2020 your organization will confront mostly the same issues that it did in 2019. The real challenge will be understanding how your company’s own operations have changed—and therefore, how your compliance training priorities should change too.
For example, anti-bribery is not a new issue in compliance training. But your company’s internal operations can change in all sorts of ways that could necessitate new training attention to the old issue. The company might have adopted a new sales model that relies more on employees at headquarters working with local agents overseas. It could have launched an internship program, and slots in that program might be a tempting bribe to offer a sales prospect with a child in college.
What is your company doing that’s new? What compliance risks accompany those new activities? Which people need to complete additional training to manage those compliance implications? These are all key questions the compliance team should be discussing internally and with other internal stakeholders.
By answering these questions, you connect the issues in business news and industry publications to practical, effective adjustments that will improve your compliance posture in the year to come.
How to Optimize Your Compliance Training
Where should a compliance officer look to find the new topics they should be training employees and third parties? Here are a few cohorts of people you will want to ensure you engage.
New hires always need compliance training, including in the basics of your company’s corporate workplace culture and ethical values. A large volume of new hires might also mean changes in how you deliver that compliance training.
Employees in New Roles
These employees might know the culture and ethical values, but they may not know the finer points of compliance for specific regulations or risks. Be especially vigilant for employees shifting into any gatekeeper role (working in accounts payable, for example) or employees moving into management for the first time.
New technologies can be great, but they often bring new challenges in access control or data security. As the compliance risk changes, policies and procedures to address the risk may change too—and those changes may require new training efforts, even on an old issue.
Expansion Into New Lines of Business
New products, new services, new geographic markets, new customer targets; any expansion of the business can introduce employees to corruption or sanctions risk for the first time. They will need a training plan on what their duties are and how to fulfill them.
That’s the path forward to an effective compliance training program: one part attention to issues unfolding outside the company; one part attention to shifting strategies and operations inside the company; and a heaping dose of good judgment about how to balance the two as you update your compliance program—for 2020 and all the years after that.
How to Deploy an Effective Compliance Training Plan
Compliance training plans are the lifeblood of an effective corporate compliance plan, and the same logic that lies behind the success of a compliance program applies for training: Successful compliance training plans must match the risk a company has to employees and third parties. It should clearly communicate the policies governing that risk and provide employees with the appropriate tools to avoid it. Seems simple, but building a training program that can achieve these goals in the real world is far more complicated.
Your compliance training plan should spring from an assessment of the type and level of risk your target audience contend with. Employees dealing with high-risk operations should receive training tailored to their needs and learn about appropriate procedure to manage these risks, they may even be required to take more frequent training than others in the company. And just as it is important to develop company policies and procedures to reflect a high standard of ethics, designing innovative and creative training to translate these policies into behavior is crucial.
- Your training program must fit employee’s working environment: Ensure that your training program is accessible and understandable, whether it be provided in the local language or through different devices.
- Your training program should be engaging: Think out of the box, and move away from the typical ‘check the box’ exercises to capture your employees and motivate them to not only take the training, but to adopt the messages communicated in the program.
- Administer your training program: To guarantee successful implementation of your training program will have to account for which training is delivered to which audience and how often.
- Measure the impact of your training: Integrate concrete means by which you can track the impact of your training program, such as whistleblowing lines.
Strategic alliance for successful implementation
Even if you are tempted, rolling out a compliance training program is not a one-person-job. Successfully deploying your training program certainly depends on how well you, as a compliance officer, cooperate with other stakeholders in the process. For instance, allying with the human resources department will prove valuable in ensuring the proper administration of the training program. Senior management buy-in will ensure credible ambassadors to your program, while independent audits can provide you with concrete assessments of the effectiveness of your training.
Assess the impact of your training
There may be many ways to measure whether your training program has served its purpose. One solid proof is a high turnout of internal whistleblowers. Some would perhaps shake their heads at the rising number of reports of misconduct, but remember that this indicates heightened awareness amongst employees and the accessibility of the reporting tools. More importantly, it allows the compliance department to effectively and rapidly address cases and avoid potential violations before authorities come knocking at the door. Over a longer period, another outcome might be curtailing the number of high-risk third parties working on your company’s behalf, if they fail to complete required training or refuse to follow proper policies.
If embroiled in a corruption investigation, however a company might try to answer questions, without training, the explanation will prove to be inadequate. You need to be able to quickly show investigators a track record of your training program. In fact, it’s one of the main reasons why the quest to build an effective training program is so important.
3 Compliance Training Elements You Should be Addressing
How does one actually build a compliance training program, especially if your company has never had one before? What are the important building blocks you need to understand?
Who should you train?
First, the people. Of course, you will want to train employees (and third parties, although we’ll use “employees” for both here for the sake of concision) who might consider breaking the law to do their jobs, that they shouldn’t break the law. So, executives who oversee foreign markets or sales to government agencies — they should receive training about anti-bribery statutes. Marketing executives would get trained in data privacy law. Training for those groups is a given.
Remember to look beyond those obvious groups. For example, the Justice Department guidance stresses “control function employees,” who might recognize bribery or other misconduct as those suspicious transactions work their way through the enterprise. That could include employees in accounting or finance, HR, the legal department, or similar functions. They should be trained on how to report misconduct when they suspect it.
Then come the more senior executives, “approvers” who might authorize specific transactions, certify standards of business conduct, or demonstrate behaviors that other employees model. These supervisory people need their own training, too.
What should you train them on?
Second, the material. Much has been written about the need for relevant, understandable training material for employees. For example, the materials should be written or presented in an employee group’s local language. The material should use examples and metaphors the students understand, or might encounter in their daily routines.
At a more abstract level, compliance officers also need to think about how they can deliver training appropriate to the level of risk—and how to do that with pesky practical considerations, like budget and staffing levels.
For example, for employees who are at low risk of violating the Foreign Corrupt Practices Act (FCPA), it might suffice to deliver computer-based online training courses once per year (or whenever new hires arrive). But in remote regions where computer facilities are scarce, you might get better results by hiring a local person to deliver the training in person, in the local language.
On the other hand, senior sales executives could probably ace an online course in 30 minutes—and then disregard the material an hour later, and violate the FCPA anyway. In that case, they might be better served by more frequent in-person discussions about ethics and compliance. (Say, at sales conferences, with the CEO also devoting a few minutes in his or her welcome speech to the importance of anti-corruption.)
There’s also the question of guidance beyond training: internal newsletters, policy manuals posted online, or even interactive apps that guide employees through compliance questions they have. Modern technology can increasingly blur the line between formal training and tools employees can use to guide themselves through difficult questions. Consider how you could take advantage of that fact. What delivers the most impact to each group, within whatever budget and resources you have? That’s what you want to understand here.
What is your training strategy?
Third, the strategy. Compliance officers have many other details to consider about their training programs, beyond what happens “in the classroom”.
For example, all training programs should include a periodic review by you and other senior executives to assure that your training is still relevant to the risks the company has and that the training material and methods actually work. What process would you use to connect your compliance risk assessments to training? What process would you use to evaluate the effectiveness of training? What metrics would identify “success” in your mind?
It’s also good for you to think about potential allies across the enterprise who can deliver strong, effective training. That might include the HR team since they also work on training programs, or local business managers who could lead training themselves or exert influence with employees taking the training.
And as always, make sure you document your thinking on these matters; as well as the results of periodic reviews and any other evidence that shows how your training program is working. The day may come when regulators want to see it.
To learn more about training, get your copy of The Anatomy of an Effective Compliance Training Program. This guide will help you thoughtfully design and implement a compliance training program that meets the needs of your audience and mirrors the specific risks your organization faces.
What is compliance risk management?
Integrating third-party data into your third-party risk management (TPRM) program - Integrating with third party systems
Why It’s Important to Have Policies and Procedures: 4 Reasons