How do you allocate your compliance training budget? Does the majority go to high-level, all-employee stuff?
Or do you focus it where you have the highest risk?
This is important. Because the way you answer this question gets at what you’re actually doing when you do compliance training and how things will go if the situation goes south.
Your resources reveal your priorities.
The fastest way I can determine how a compliance team views training is to look at how they use their resources.
For example, let’s say we have a team that spends $80,000 on high-level e-learning. They spend months negotiating with a vendor, customizing SCORM modules, and writing quizzes.
But when it comes time to train their finance team and salespeople on how the company's risks apply to their specific jobs, they either do nothing or just throw together a few PowerPoint slides and wing a live presentation.
Does that sound familiar?
If so, stop and think about that.
What does it say about how you view training? Does it say that you think it's a tool to mitigate risk—or does it say that you think it's a check-the-box activity that you have to do?
And is that what you really think?
I think there are a good number of programs where the team views training as a tool to mitigate risk, but what they are actually doing says something totally different. And that is a problem.
Protect your company—and yourself.
Put otherwise, your training budget and resources should follow your risk.
That is, keep it simple. Tackle the biggest threats to your business and then go from there.
Pretend that your absolute worst-case scenario has happened, whatever that means for you.
Just think of the top risk from your risk assessment going the worst possible way. It’s public and it’s ugly and your CEO is being called in front of Congress so that they can be publicly shamed.
You are asked to help prep your CEO for their testimony. You find yourself in your boardroom with your CEO and Audit Committee and whatever crisis management agency your company has hired.
And they ask you this: what training did we do to try to prevent this from happening?
One answer is this:
“This was the top risk from our risk assessment, so it was our first priority. And then we targeted our training to the employees with the most exposure to it, addressing the business processes that trigger or control the risk.
Specifically, we trained the front-line people who create the risk on how to minimize it, and the control people who review the front-liners' work on what to watch out for.
That is, we gave training to 'high-risk and control employees that addressed the risks in the area where the misconduct occurred'—just like what it says in the DOJ's Evaluation of Corporate Compliance Programs.
And then we audited the business processes we trained on to see if the training worked. Here, I put together a binder of the results for you.”
And another answer is this:
“This was the top risk from our risk assessment, but we had a limited budget so we spent it on some e-learning instead. We didn't get to this specifically.
You definitely can tell Congress that we spent $80,000 on training though. Also, there was a quiz and everyone passed. Does that help?”
The first answer is better.
And that answer still lets you do high-level awareness and Code training and annual courses, by the way.
My point is not that you should never do that stuff. My point is that it is not the most important stuff and your budget, headcount, and time should reflect that.
Here's the takeaway: you know that you are supposed to be taking a risk-based approach to training. No one in compliance disputes this.
But lots of people agree with that statement and then allocate their resources in a way that doesn't reflect that.
A risk-based approach means that you should be putting your time and money into preventing the things that are most likely get you in trouble, and then work your way down to everything else from there.
That is what will give you credibility and defensibility when the chips are down—everything else is a nice-to-have.