This is a guest post from Ramsey Kazem, Spark Compliance Consulting’s Vice President, East Coast.
Does this sound familiar? At companies all over the world, when it’s time for the annual compliance training, they develop generic training materials, disseminate them to a wide audience, and track attendance. Training done. Mission accomplished. The training materials go back on the shelf until next year. We know we can do better than this.
In recent years regulatory expectations of what is considered proper and effective training have evolved. A check-the-box approach will no longer cut it. Today, there is a greater focus on delivering targeted, risk-based training programs and developing metrics to measure the effectiveness of the training including employee comprehension. In this article, we will discuss the training expectations as articulated by the Department of Justice (DOJ) and the Office of Foreign Asset Control (OFAC) in their respective guidance documents. In addition, we will share some best practices to refresh your company’s training programs and take them to the next level.
Last year, the DOJ and OFAC issued guidance documents outlining their respective views and expectations of an effective compliance program. Both documents include employee training among the essential components of a compliance program. The guidance documents emphasize three key principles as it relates to employee training: (1) the training must be risk-based, (2) the training must provide job-specific knowledge, and (3) the effectiveness of the training must be measured. Each principle will be discussed in turn:
Risk-based. Instead of generic training presentations disseminated to a wide audience, the guidance documents articulate a preference for targeted training sessions that address specific risks within certain job categories or functions. The DOJ guidance document, for example, explains that prosecutors will evaluate whether “the company provided tailored training for high-risk and control employees”. In addition, the prosecutors expect “supervisory employees to receive different or supplementary training.” Likewise, the OFAC guidance states that “training should be further tailored to high-risk employees within the organization.”
Relevant. In addition to addressing specific compliance risks, the training sessions should also be directly relevant to the audience and explain how a given topic applies to their day-to-day job responsibilities. In other words, upon completion of the training, an employee should understand how to integrate the training material into his or her daily job activities.
Measurement. The guidance also reminds companies that they are expected to measure the effectiveness of the training session(s). This includes testing employees on what they have learned.
In addition to the above principles, the guidance notes that companies should include real-world examples (e.g., prior violations or instances of misconduct) in the training sessions and identify the lessons learned. Moreover, a company should provide resources and materials to reinforce key principles.
To take employee training to the next level and meet regulatory expectations, some or all of the following best practices should be implemented in your company’s training program.
Needs Assessment. A company should perform a needs assessment on a periodic basis. A needs assessment is an organizational review that determines a company’s training needs. In performing such a review, it is critical to consider key personnel or job functions to identify unique risks and any special training needs that may apply.
Risk-based training. Using the results of the needs assessment, a company should develop a training strategy using a risk-based approach. That is, a company must determine which training topics must be mandatory during new employee on-boarding, which training topics must be included in an annual refresher training, and which training topics should be targeted to a specific audience (e.g., by job function) or refreshed on a less regular basis (e.g., every three years). Moreover, for each training topic, the company must determine whether certain job functions or personnel present a heightened risk to warrant specialized training. In accordance with these preliminary decisions, a company should then proceed with developing the individual training session ensuring it is tailored to the audience’s size, sophistication, area of expertise or local language and customs.
Tailor the training sessions to the business. In addition to tailoring the training sessions to the job function, risks and sophistication of the audience, the training should be relevant to the company’s business activities. Specifically, the training session should address how the specific compliance topic applies to the overall business of the company. For example, a training session on Data Privacy should not just include a generic or statutory definition of personal data but should identify the specific types of personal data the company regularly handles. Moreover, the training session, when appropriate, should include examples, case studies, and prior incidents (sanitized) of misconduct occurring within the company to demonstrate real-world application of the topic to the business.
Develop an annual training plan. A company should develop annual training plans documenting when and to whom the compliance-related training will be delivered throughout the year. The training plan should include: (1) the title(s) of the training course(s) to be delivered, (2) the required attendees by job responsibility or function, (3) how and where the training will be delivered (in-person, e-learning, webinar), (4) date(s) when the training will be offered, and (5) goal participation rate.
Vary the methods of delivering the training content. There are a variety of methods and techniques by which a company can deliver its training content including in-person/live training, eLearning, webinars, meeting-sharing software, slide decks, and video. Using a combination of these methods is a best practice – even within a single training session.
Engage the audience. Effective training sessions engage an audience
and cause them to interact with the speaker and each other. Live presentations can engage the audience by asking open-ended questions, including group breakout sessions, and incorporating games and contests. Web-based training sessions can engage the audience by including interactive slides that require the learner to answer questions, click on images/graphics for additional detail, and selecting “Dos and Don’ts” relevant to the training topic.
Experiment with Different Techniques. Many compliance training programs are using adult learning techniques to present the information. Some of these techniques include:
Microlearning. This technique deals with providing relatively small learning units or training modules. Microlearning usually refers to training five minutes long or shorter.
Gamification. This technique applies game-design elements and game principles to employee training courses.
Brainstorming. This technique promotes the involvement of the learners by encouraging them to express their ideas freely and spontaneously.
Working in Groups. This technique encourages the learners to collaborate with each other to complete an exercise or discuss a topic and then share their results with the larger audience.
Case Studies. This technique uses real-world examples or hypotheticals to describe a problem or challenge. The audience is then encouraged to study the issue and propose solutions to the problems described.
Multi-disciplined training. This technique presents a scenario or fact pattern with red flags for a variety of compliance-related issues in a single session (e.g., bribery, modern slavery, data privacy, etc.)
Companies should experiment with some of these techniques and determine which is most effective in increasing audience engagement and the overall effectiveness of the training session.
Measure the effectiveness of the training sessions. Measuring the effectiveness of employee training sessions is critical. For example, a company should solicit feedback about the training sessions from the audience through evaluation forms or questionnaires, selective interviews with participants, focus groups, and independent observations and analysis. In addition, a company should collect data and develop metrics to measure the effectiveness of a company’s overall training program. For a detailed discussion on developing training-related metrics, please see the prior blog post on this topic.
Develop a corresponding communication strategy. For certain higher-risk training topics, a company should develop a corresponding communication strategy to be deployed before, during and after the training sessions are delivered. These communications should be designed to raise awareness and reinforce the key points presented in the training.
As reflected in last year’s guidance documents issued by the DOJ and OFAC, a check-the-box approach to employee training is insufficient to meet a company’s compliance obligations. Instead, these regulatory agencies make clear that they expect companies to deliver targeted, risk-based training sessions and develop metrics to measure the effectiveness of the overall training program. Following the best practices discussed above, will not only ensure your company complies with the expectations of these regulatory agencies, but it will take your compliance training to the next level of effectiveness.