Complaisant or Compliant: Training Employees to Care

In compliance, a focus on technical security can eclipse human factors. Particularly in IT compliance, a focus on technical security tends to eclipse human factors, with serious compliance implications. Good training programs need to be measured, controlled, and incorporate feedback loops so that the people responsible for the rulemaking getinput from the enforcers and (more importantly) from the employees who are subject to them.

Getting employees to sit up and pay attention to compliance training can be tough, but that's only half of it. The other challenge is getting top management to take training seriously—and budget accordingly—by demonstrating its benefits. But neither challenge is insurmountable, though it does take planning, monitoring, and reporting. Here are five tips for shaping training programs, building in feedback loops—and documenting a return on investment.

1. Use feedback loops and metrics

Compliance training, of course, isn't a one-time event; it's a never-ending process that differs depending on the employee's responsibilities. It may need to be repeated on a regular basis to keep the message fresh and as new laws arise; new employees need to be looped in as well. In order to make training meaningful for everyone as it's repeated over and over, you need feedback mechanisms to allow employees to comment on and help shape the program. You'll also want to track results, which will help in calculating a return on investment for upper management that can show what all this training is accomplishing.

Feedback can be gathered and incorporated in a variety of ways. First, your training vendors themselves should provide some resources, including customer service representatives that compile and supply reports with feedback. According to Shanti Atkins, president and CEO of ETL, a company that specializes in ethics and compliance training, vendors should work with customers to help measure the effectiveness of training and to provide useful statistics, such as adoption rates for new programs the training covers.

2. Measure and document progress

Just as in school, exams are essential to give training focus. They not only measure whether employees understand content, but create a written record of participation. Another objective method for determining when new training is working, though it may not seem so at first, is a jump in calls to the company compliance hotline. "I think that's one of the most effective ways to measure the effectiveness of your education program," according to Katrina Campbell, general counsel for Brightline Compliance, a company that provides consulting services and programs on workplace ethics, harassment prevention, and other compliance topics.

If hotline calls surge right after a new program begins, it's not necessarily a negative, although management may think so at first. Rather, it may indicate that at the very least, employees now know where to go to report a problem—and feel comfortable doing so. Compliance hotlines that are quiet are not an indication of smooth operations and lack of issues; rather, they mean employees don't know enough to spot a problem, or don't trust the mechanism enough to report it.

Having a record of the results of training programs is also important when questions arise—with auditors, for example, or in the course of a lawsuit. "You can show that you've done what you need to do to educate people [and] to try to prevent [compliance breaches]," Campbell says.

Another good feedback mechanism is tracking actual changes in behavior. As training programs progress, ETL's Atkins says, those in charge of purchasing them—often the HR department, working with other departments—should be documenting employee behavior for long-term trends. Ethics and legal compliance training, for example, should result in a demonstrable reduction in the number of lawsuits, claims, and damages paid out, she says—although that can take time to surface.

In the long term, those numbers can help when it's time to review the training budget. "This is where there's an opportunity in the buying cycle to help point out where the bottom-line business impact lies, in order to present the return on investment from training," Atkins says.

3. Save with online training

Although companies often believe that in-person classroom training lends a certain importance to compliance issues, the reality is that online training works just as well in most cases. It also lowers costs tremendously and offers much more flexibility. According to an October 2006 report from the Aberdeen Group research firm, online training programs for governance, risk, and compliance are rapidly growing in popularity as companies ratchet up training efforts, and as training vendor offerings mature.

One big reason for that is price. The cost per employee for compliance training can fluctuate wildly depending on the size of the company (large companies can spend far less per employee because of economies of scale) and the scope of the training, but online training is far less costly than in-person courses.

ETL's Atkins says online training costs vary widely, but might run "anywhere from under a dollar per person, up to as much as $20 per person annually, for a very small organization." Contrast that to live training, where even at the low end, Atkins says, "you could pay anywhere from… $60 to $80 per person if you pack people into a room." An intensive eight-hour workshop for a group of senior executives could be much more expensive than that.

What's important in setting training costs and avoiding "cost creep," Atkins stresses, is to set a training budget and then document the results. After shopping around and pricing training options, you should "have a firm budget in place going in," she suggests. "That will help get [training] appropriately budgeted at the board level over and over again."

4. Optimize your training budget

An initial trend in online compliance training was to buy hundreds of courses in a sort of "cover all the bases" approach. But that can waste money. "I can't stress enough," Atkins says, that companies need to "buy what you need and use what you buy."

Rather than buying many hours of training programs, each of which covers a specific topic—SOX, say, or privacy issues—Atkins suggests a smarter approach, and one she's seeing more lately as buying habits around training programs mature. "Instead of an hour-long course on this, and a 45-minute course on that," she says, companies can buy "umbrella" courses that address numerous compliance requirements across groups of employees through a single course.

For example, a company might purchase an "ethics and code of conduct" program with small vignettes that cover a range of compliance concerns. "The program has a little primer on insider training, and on confidentiality, and on bribing and fraud," Atkins says, allowing companies to consolidate training needs for various topics under a single umbrella—and save considerably.

5. Look to the Federal Sentencing Guidelines

Never heard of the Federal Sentencing Guidelines? (They're spelled out here.) Plenty of companies haven't, although ETL's Atkins says she's seen much more of an awareness lately. Along with Sarbanes-Oxley, however, the guidelines are starting to help shape what compliance training covers.

In suggesting how judges set sentences for corporate bad behavior, Chapter 8 of the guidelines, revised in 2004 to specifically address compliance specifically, makes it clear that organizations can be held liable for employees' unethical or illegal conduct. But the guidelines also suggest that judges need to consider whether the company has an effective, ongoing compliance effort in place—which includes training workers on a firm's code of conduct and ethical standards. "I can't wait to see what happens with the Federal Sentencing Guidelines, and with the standard that they seem to be setting generally," Campbell says. Over the next ten years, she predicts, the guidelines will be instrumental in deciding court cases regarding compliance violations. "It will be what the Supreme Court harassment cases were in the 80s and 90s. They're going to have a similar impact."

"We're seeing [the guidelines] used first with the federal government as the customer, but we'll see it more with privately traded companies," Campbell predicts, as prosecuting attorneys use them to decide how severe an alleged misconduct is, what charges to bring, and whether or not to settle a case before trial.

Given the importance of the guidelines, how can you use them to shape training? At the very least, familiarize yourself with their core principles, Campbell suggests, which consist of seven steps. "Go through the seven steps and say, am I doing that here?" The steps are basic enough that managers who read through them will probably find that they aren't that tough to apply; it just takes awareness and effort. For example, Step 4, which pertains to training efforts, suggests that companies communicate their standards and procedures by requiring participation in training programs, or by distributing publications that explain in a practical manner what is required.

"Most companies I talk to aren't [following the guidelines] simply because they never have," Campbell says. "They haven't made a concerted decision either way; they're just too busy and preoccupied." But in five years or so, she predicts, the guidelines may well end up as a set of best practices or baseline expectations that the courts use for judging compliance.