In these times many organizations are evolving their Compliance Culture to ensure a high level of integrity and compliance with regulatory requirements in all processes and among all employees. Compliance Training should be a key part of the Compliance Program to support the culture change.
Compliance Functions spends 7 % of their time on Compliance Training (source; Danish FSA about risk- and compliance in midsize and large banks[1]).
For many years there have been regulatory requirements that the compliance competence of employees is adequate considering the company risks. However, the past years requirements and expectations have evolved with increasing or new specific requirements in GDPR, Money Laundering and Insurance Mediation legislation.
In our view, a check-the-box e-learning and time minimal approach will no longer cut it.
Today, there shall be a greater focus on delivering targeted, risk-based training programs and developing metrics to measure the effectiveness of the training including employee comprehension.
Compliance Departments should, from time to time, support their Board with a review of the effectiveness of the Compliance Training Program to make sure that it is meeting regulatory expectations and is updated regularly to ensure risk-based approach.
One way of evaluating your Compliance Training Program is to use the U.S. Justice Department report[2] on how to evaluate a Corporate Compliance Program from 2019.
Compliance Departments should as a minimum consider significant enforcement actions or regulatory changes that have happened over the past year and dissect how those events may affect compliance training priorities.
Another simple analysis Compliance Departments could consider is reviewing Operational and Compliance Risks events from year to year to understand if there are areas where human error occurs.
Finally a targeted employee questionnaire can support the Compliance Department understanding if training has been effective.
Finally, training do not have to be time consuming or complicated. All organisations should consider if there are areas where other sorts of employee engagement might be more effective . For example, would a 5-minute video-based learning module be a good alternative to a longer interaction that requires an employee to read loads of on-screen text (often, the same text they read last year)?
And of course like all other Compliance tasks, the Compliance Training Program should be owned by HR – not the Compliance Department, especially not if they are assessing its effectiveness – so that they can support each manager in the organisation ensuring that their employees are always capable of managing risks the business processes that they hold responsibility for.
Written by Heidi Gliese Hylleborg
[1] God praksis for compliance og risikostyring i kreditinstitutter af 3. februar 2020
[2] U.S. Department of Justice Criminal Division – Evaluation of Corporate Compliance Programs – April 2019, section C.