You don’t need annual compliance training, but we made some anyway. Here’s why.

October 30, 2017 2:08:25 PM CDT / by Ricardo Pellafone

So here's the thing: we think saying "you need to do formal, annual compliance training" is overblown.

...but we made an annual compliance training course anyway.

In this post, we’re going to walk through why we think that, why we made it anyway, and give you a path to getting away from doing annual check-the-box training in the long-term.


Do you really need it? No.

First things first: we are very skeptical of the belief that annual compliance training actually accomplishes anything.

And to be clear, we're supportive of compliance training (duh) and doing compliance training very frequently; what we're attacking here is the idea that this requires an all-employee, mandatory, formal annual course.

We think this for a bunch of reasons:

The timing is arbitrary and untethered to what people actually do.

Anything that applies to everyone is too high-level to be really risky.

The amount of content is impossible for any human to remember.

And all of those are bad things.

Because what they do is reinforce the belief that compliance is not part of your job, but some external, check-the-box type activity that you just have to suffer through every so often.

That is, all of those features communicate to employees that the primary goal of annual training is . . . doing annual training.

That's a check-the-box activity; you're doing it for the sake of doing it.

And the sad part is that the more money you throw at annual training (videos! animations! games!) the more it will look like an internal PR exercise instead of a serious effort at compliance. Because all of the money and effort is going into something that signals “just get it done so we can say you did it.”

So, actually, it's not just that we're skeptical of annual compliance training accomplishing anything; it's more than that.

We think it works against you, undermining your program and your culture, by signaling the opposite of what you want.

And that's why it's taken us so long to make it. 

(Now, this is the part where someone will say “but I'm in Industry X and my regulator makes me do a formal, once-a-year course!”

And if that's the case, then sure. And I'm sorry, that stinks.

But this article isn’t for you—it’s for the companies that don’t have an annual check-the-box legal requirement but have gotten browbeaten into doing it by the “best practices” crowd.)


Why we made some anyway.

So, boo annual training. But we made some anyway.

We made this because you choose your battles. And we’re not talking about us—we’re talking about you.

That is, Courtney and I have worked at big companies. It takes a heroic effort to do literally anything at a big company, because everything takes FOREVER at a big company.

So you’re probably not going to kick down the door to your boardroom, slap a binder on the table, and snarl at your audit committee:

“LISTEN UP, NERDS: we’re going to go full-bore on operationalization, and that means we’re not doing any of this goofy stuff anymore, effective today. Any questions?”

I mean, you should definitely do that if you can pull it off, and then let us know how it went.

But more likely, you will have to ease into it.

So you will stop doing the anti-corruption mobile e-learning and augmented reality antitrust burst learning first, because that's just silly, and you will replace that with real training on your actual controls and business process.

And then you will go on to the next thing.

But that will take time. And if you go too fast, people will get nervous and want to form exploratory committees on evaluating the potential for a decision to maybe make a change—you know, the kind of meetings where people just say the word "stakeholder" over and over again.

To avoid that kind of meeting purgatory, you're gonna need to ease people into it.

And a powerful tool for that—the most important artifact of the Old Ways to keep people calm as you move towards real, gritty compliance—is annual training.

So, that’s why we made it.

Not because we’re hedging on operationalization, but because we’re all-in on making operationalization actually happen—and that means giving you a bridge from here to there.


Here's what we did.

That said, if we were going to do it, we were still going to make the best version of it ever.

Obviously. So here's what we did.

(If you’re on board with getting rid of annual training cold turkey, skip this section—just scroll down to the section titled “Kill it! Kill it with fire!”)

First, we set parameters. Since our goal here was tactical, we needed to build something that looked enough like “normal” annual compliance training to help folks manage the transition to operationalization.

That is, we needed to create something our customers could show their board and say “see, we’re not changing everything, we’re still doing annual training.”

And basically, here’s what “annual compliance training” typically looks like.

It’s about 45 minutes long

It starts with stuff on values/ethics and a CEO message

It covers compliance process like the Code and hotline

It has some substantive, risk-oriented compliance guidance

Then, we wanted to preserve enough of that format to check the “hey, we’re not changing everything” box—while cutting out the fluff and bloat that makes annual compliance training even worse than it has to be.

Practically, here’s what that looks like.


It’s dramatically shorter.

We took a hard look at what everyone at the company really needs to know—and stripped it down to that. Because if this course is going to everyone, all of it should apply to everyone.

We kept a small amount of the values/ethics and leadership stuff, and then got right to the meat of what actually applies to everyone:

Knowing what the Code is and when to use it

Knowing how to use the Hotline


Basic risk stuff that applies to everyone

That is, we covered compliance process (Code, hotline, and disclosures) and then boiled down all of the “risk modules” you’d normally use into what genuinely applies to every single employee.

We grouped that substantive stuff into three buckets, articulated as employees’ responsibilities for “what you know,” “what you approve,” and “who you engage.”

All-in, this should cut down the time for annual training from 45 minutes to about 10-15 minutes.

And that matters, because don’t forget: employees are getting paid to sit through your training.

Bureau of Labor Statistics data for big companies puts the cost-per-hour of employee time at around $50, give or take—which means that cutting out 30 minutes of bloat would save you $25 per employee.

$25 doesn't seem like a lot. But when you start multiplying it by your employee base, the numbers get big.

Cutting out 30 minutes across 5,000 employees saves $125,000.

Cutting out 30 minutes across 10,000 employees saves $250,000.

Cutting out 30 minutes across 25,000 employees saves $625,000.

So, that’s the first thing we did: keep the same structure, but cut out all of the bloat and get right to business.


It’s self-paced.

That said, that “10-15 minutes” is just how long it took Xinia to go through it. (It actually took her 9 minutes, but we added some buffer.) The actual time will be person-specific.

This is because our annual training course is self-paced, because people learn at different paces.

And this should not be controversial, but it is.

That’s because some compliance professionals worry that letting employees go through training at their own pace will mean they just click through really fast, so they want to add in a bunch of videos and audio to slow them down.

But news flash: bad employees will ignore you no matter what.

If you try to slow them down with video or audio or games, they’ll just screw around on their smartphone while your expensive e-learning plays on mute. You can only reach employees who want to learn in the first place, so focus on them and use your controls, monitoring, audits, investigations, and discipline to manage the bad ones.


It works with memory (ish).

Finally, we made the training work with how people learn and remember things—as much as we could in this instance, at least.

Here’s what I mean: normally, we'd want to leverage principles from social science and design and learning theory when making something like this.

But because a key goal of creating our annual compliance training was tactical—having it look like what people expect of annual training—our hands were tied a bit.

One principle we tried to address, however, was working memory.

Wildly simplified, working memory is the concept that you can only hold so many pieces of information in your head at a time—like, 4-ish to 7-ish pieces. The problem here is that even our ultra-lean version of annual compliance training has WAY TOO MUCH stuff.

(Again, a problem with the once-a-year format.)

The biggest problem area is the substantive risk stuff: there’s way too much of it, even after we’ve hacked it down and grouped it.

So instead of giving people a quiz at the end—which flags that we expect them to remember it, which is probably impossible—we created a companion one-pager that has all of it in there.

And then we tell them to not worry about memorization, because that substantive content is covered in the Code and in the one-pager, too. Basically, we shift the expectation from "memorize all of this" to "know how to look it up when you need it."


And that's it! The training is seriously very good and you should use it to help lighten the load on your employees while you pursue operationalization. 

And then, as soon as possible, you should...


Kill it! Kill it with fire!

Our annual training is the best ever, for all the reasons you just read. But it is not operational compliance and you should still do your best to get rid of it—because even the best annual training suffers from the limitations of the format.

That is, "the best annual compliance training ever" is kind of like "the best sinus infection ever." The category is still pretty bad.

So, let's look at what we cover in our course, and how you can train on that same stuff in a more useful, operational way.



Code, Hotline

These are easy, because these things are not training. They are communications.

Lots of folks seem to fixate on length and format (long/formal = training, short/informal = communication), but that’s not right.

The most meaningful difference between training and communications is function: training should teach you HOW TO DO something specific, communications should tell you ABOUT something.

That's why a lot of e-learning modules are not training at all. They are just painfully long communications, because they go into great detail about a subject but never actually tell you how to do anything specific with it.

So for your hotline and Code, low-touch, high-frequency awareness campaigns can get the job done—emails, intranet articles, posters, whatever—because these are communications as a matter of function. You are not really learning how to do anything here; these are basically advertising campaigns that push employees to a reference document (the Code) or a tool (the hotline).

And that's the right approach. Trying to turn these into meaningful training pieces (how to do stuff under the Code, how the hotline investigation process works) would make them so long that no one would be able to remember any of that stuff—again, that's working memory.

Instead, just push employees to actually go to the Code and the hotline, and once they’re there focus on having well-designed, easy instructions that tell them what to do.


Messaging on values, tone-at-the-top/leadership stuff

Again, these are communications. No one is learning how to do anything specific from a CEO message. Hit these with low-touch, high-frequency methods.

Or better, have your managers do it in their team meetings, because employees are and should be appropriately skeptical of ultra-sanitized corporate communications. Either way is more believable than a message in an annual training course.



Drive disclosures

This is a little more complex, but still easy.

We cover both conflicts and gifts in our course, but let's just take the trickier one: conflicts. Still not that bad—because you know when conflicts create a problem for you.

So before someone:

(1) puts a new vendor into your system, or

(2) makes a hiring decision, or

(3) issues a PO or a contract, or

(4) whatever (you get the idea),

they need to be hit with a certification that says “my conflicts of interest disclosure is up to date and I have no conflicts that impact this decision.”

The challenge is mapping the “whatever,” of course, but any effort here is better than the arbitrary annual thing.

Think of it this way: you might miss a few circumstances where conflicts happen that you couldn't contemplate, but the arbitrary annual cycle misses ALL of the circumstances because it doesn't even try.

And yes, there are logistics here, and you’d need to deal with new employees, and you'd want that certification to trigger an opportunity for employees to get ad hoc training . . . and we cover all of that in our book so just go read that. (And this sort of guidance is what we do for our subscribers through our advisory component, too.)




Substantive stuff

Finally: actually risky stuff.

Actually risky stuff is a fundamental weakness of annual compliance training: it can’t really handle it. Anything that you can send to everybody is too high-level to be really risky—and if that's not true for your company then you have bigger problems because you apparently have no controls.

For your real risks, annual training is not the approach. Or module-based training. You need to think hard about what you’re worried about, who does the things that make you worry, and give them training on how to do those things compliantly when they're actually doing them.

As a practical matter, this will mean that you'll probably end up training your seriously risky people on your seriously risky business processes more often; it'll just be a ton more useful for them because it will be integrated into their actual job.

I’m keeping this section high-level because we just wrote a book on it. And also this. And this. If this is the first time you’re hearing about it, have yourself a nice little weekend reading all of that.


Seriously, think this over.

We tend to get strong reactions when we talk about annual training.

And honestly, if this post has struck a nerve—good. I don't want you to feel bad, but I do want you to think about why it bothers you and process it and decide for yourself.

I'm OK with you disagreeing with us—but I want that to be because you thought about it, not just because everyone else does it and so you figured you should do it too.

Because at the end of the day, you're in a position of trust.

It's not your money that's being spent on training. And it's not your money that's being spent to pay employees to sit through training. But you have been entrusted with that money.

And our view is that you should not be spending hundreds of thousands of dollars in company money to do something unless you believe it makes sense and achieves your goal—and that's something you have to decide for yourself.

Written by

Ricardo Pellafone

Ricardo used to be in-house compliance, leading investigations for a sovereign wealth company in Abu Dhabi and a Fortune 500 tech company in California. He has degrees in psychology and law.