How do you make defensible compliance training?

February 6, 2019 8:28:32 AM CST / by Ricardo Pellafone

Does scoping out compliance training feel overwhelming?

Do you get bogged down in the complexity of format and tracking and technology while constantly having this low-level fear over what will happen if you have to defend it?

Take heart: you're not alone.

And there’s a simple fix, too: three questions to help you focus on the right things and set the right priorities, so that you can feel prepared to defend your work.

Ready? Here they are:

1. Imagine our company is getting grilled by a prosecutor. Why?

2. Who did the thing that put us in this situation?

3. What training will we show the prosecutor to prove we tried to prevent that person from doing that thing?

That’s it.

Simple, but effective. They cut through the noise and help you work backwards to make sure your training focuses on what really matters.

And if you're more focused on reputation than the law, don't worry, this works for you too. Just replace "prosecutor" with "investigative reporter" or "social media."

Got it? Good. Let’s unpack each question.

 

1. We’re getting grilled by a prosecutor. Why?

This question forces you to articulate the actual reasons why you might have a compliance or ethics failure. It makes you dig below concepts and risks and get down to what type of events will get you in trouble.

You will probably have a bunch of different answers to this question, and that’s OK—articulate all of the reasons that have a reasonable chance of occurring, and then prioritize them from there.

Your answers should sound something like this: 

“Our channel manager did not require supporting paperwork for how our partners spent marketing development funds. As a result, we can’t account for where some of the money went for a project that involved a state-owned entity, and we end up having to deal with a books and records issue.” 

"Our engineers pushed an update to our product without running it by the privacy team. As a result, we collect personal data we aren't aware of, don't guard it appropriately, and end up with a consumer privacy issue." 

And not like this: 

“Anti-corruption.” 

"Privacy."

I know: that's a lot of detail.

Here's why it's important: no one cares if your employees have a lot of anti-corruption knowledge; they care a lot if they actually get involved with bribery.

The same goes for every other law and ethical concept: knowledge is important, but behavior is what actually gets you in trouble. 

Articulating the specific causes of how you could end up in front of a prosecutor forces you to identify the trainable behaviors that will help prevent the thing from happening in the first place.

Like, "here's how to review an invoice for red flags of bribery" (example here). Or "here's what to do when you're collecting personal data."

That is the type of stuff you want to train on, and the type of stuff you'll want to be prepared to show to the government/media if you have a problem.

 

2. Who did it?

Our second question forces you to identify the target audience. It helps you train the right people on the right thing, instead of just educating everyone about a concept and hoping they figure it out. This sort of targeting is what the Department of Justice talks about in their Evaluation of Corporate Compliance Programs (see here for more).

This is pretty straightforward, but a warning: do not get so hung up on whether you can identify every single person you want to target that you end up doing nothing.

Having bad HR data is not an excuse for doing nothing; everyone has bad HR data.

It is far better to say “we didn’t catch that person due to bad HR data, but here’s all the stuff we did to try to target people who do that job” than to shrug and say “we had bad HR data so we didn’t train anyone on this at all.”

 

3. What will we show the government we did?

Finally, our last question makes clear that you will need to be able to tie your training to events and audiences. That is, when you sit across from a prosecutor (or reporter), the question will not be “show me all of the interactive e-learning you did."

The question is “this thing happened, and this person did it. What did you do to try and prevent it?”

Of course, that might be interactive e-learning. Or manager-led training. Or a checklist.

Or whatever: as long as it actually addresses the thing that happened.

That is, we worry way too much about format and not enough about whether we are able to answer the basic questions that we can expect to be asked if we need to defend our work. 

And for that reason, these questions are format-agnostic: do your training in PowerPoint or do it with lasers, but make sure it substantively addresses the things that are going to get you in trouble.

 

Are you doing this?

Moment of truth: is this how you do things?

If not, why? And how can you recalibrate? Because here's the truth: this is the most absolutely basic thing to do.

Whatever format you are using, whatever technology you deploy, make sure it addresses the things that are likely to get you in trouble, not just general risk education.

That is what will make your training defensible, because it will ensure you've designed it by working backwards from the moment where you've been asked to defend it to the government or the public, focusing on the people and behaviors that matter.

Oh, and bonus? That's what will make your training effective, too.

Written by Ricardo Pellafone

Ricardo used to be in-house compliance, leading investigations for a sovereign wealth company in Abu Dhabi and a Fortune 500 tech company in California. He has degrees in psychology and law.