Increase your Compliance Culture by implementing a real effective Compliance Training Program

In these times many organizations are evolving their Compliance Culture to ensure a high level of integrity and compliance with regulatory requirements in all processes and among all employees. Compliance Training should be a key part of the Compliance Program to support the culture change.

Compliance Functions spends 7 % of their time on Compliance Training (source; Danish FSA about risk- and compliance in midsize and large banks[1]).

For many years there have been regulatory requirements that the  compliance competence of employees is adequate considering the company risks. However, the past years requirements and expectations have evolved with increasing or new specific requirements in GDPR, Money Laundering and Insurance Mediation legislation.

In our view, a check-the-box e-learning and time minimal approach will no longer cut it.

Today, there  shall be a greater focus on delivering targeted, risk-based training programs and developing metrics to measure the effectiveness of the training including employee comprehension.

• Let’s test your program Is your Compliance Training targeting the right employees with the right messages, or is it just giving all employees the same messages regardless of risks associated with their jobs?
• Is it determined which training topics must be mandatory during new employee on-boarding and which training topics should be targeted to a specific job function?
• Is certain job functions or personnel present in heightened risk areas participating in specialized Compliance training? Does the Compliance training address how the specific compliance topic applies to the overall business of your company, i.e. are you focusing on the key issues considering the inherent risks of the business?
• When it comes to re-training, are your Compliance Training giving employees the same 45-minute e-learning module year after year, i.e. not considering last year’s big risk events impacting business?
• Is your Compliance Training mainly delivered via e-learning or are you receiving training with different learning techniques, i.e. gamification, working in groups, case studios?

Compliance Departments should, from time to time,  support their Board with a review of the effectiveness of the Compliance Training Program to make sure that it is meeting regulatory expectations and is updated regularly to ensure risk-based approach.

One way of evaluating your Compliance Training Program is to use the U.S. Justice Department report[2] on how to evaluate a Corporate Compliance Program from 2019.

Compliance Departments should as a minimum consider significant enforcement actions or regulatory changes that have happened over the past year and dissect how those events may affect compliance training priorities.

Another simple analysis Compliance Departments could consider is reviewing Operational and Compliance Risks events from year to year to understand if there are areas where human error occurs.

Finally a targeted employee questionnaire can support the Compliance Department understanding if training has been effective.

A Compliance Training Program should entail;

• An assessment of needs, aligned to the annual Compliance Risk Assessment Training, categorized to each specific department and in some areas each job function
• A Risk-based training plan updated frequently, i.e. annually, every second year etc.
• Compliance Training Evaluations, providing data from each training on the effectiveness of the training provided to employees
• Compliance Training KPI’s making Compliance able to track on the status of effectiveness of the program
• Assessment to Board included in the Annual Compliance Report.

Finally, training do not have to be  time consuming or complicated. All organisations should consider if there are areas where other sorts of employee engagement might be  more  effective . For example, would a 5-minute video-based learning module be a good alternative to a longer interaction that requires an employee to read loads of on-screen text (often, the same text they read last year)?

And of course like all other Compliance tasks, the Compliance Training Program should be owned by HR – not the Compliance Department, especially not if they are assessing its effectiveness – so that they can support each manager in the organisation ensuring that their employees are always capable of managing risks the business processes that they hold responsibility for.

Written by Heidi Gliese Hylleborg

[1] God praksis for compliance og risikostyring i kreditinstitutter af 3. februar 2020

[2] U.S. Department of Justice Criminal Division – Evaluation of Corporate Compliance Programs – April 2019, section C.