Time-based compliance training requirements—like "you have to do 3 hours each year"—are terrible and counterproductive.
They are the best way to make sure your compliance training is an awful waste of time.
Here's an analogy to explain why.
Imagine that the government wants you to visit New York City once a year to boost tourism or patriotism or because, I don't know, Hamilton is just so good that EVERYONE NEEDS TO SEE IT BEFORE THEY DIE.
But then, imagine that instead of requiring you to prove that you actually visited New York, Congress passes a law requiring you to prove you spent two hours trying to visit New York.
Is that a good law?
No, of course not. It focuses on the wrong thing.
If you live in Jersey City, for example, that's way too much time; you'll end up standing in the middle of Times Square, waiting to run down the clock while contemplating the meaning of your existence. Like, say, this:
On the other hand, if you live in Kansas City, you're not going to actually visit New York—it takes longer than two hours to get there. Instead, you're going to find the cheapest way to spend two hours showing that you tried so you can get on with your life.
If our goal is to get people to visit New York, "time spent trying to get to New York" is a terrible proxy. It punishes people who can meet that goal more efficiently, and it creates incentives for everyone else to find the cheapest way to do the bare minimum without meeting the real goal.
Doing training isn't the goal.
In our analogy, "trying to get to New York" is compliance training.
That is, doing training isn't the goal; the goal is complying with whatever law, policy, or ethical standard the compliance training is about. Training is just one possible way to get there. (Check out this in-depth interview with the Department of Justice’s former in-house compliance expert to unpack what this looks like.)
And so requiring people to do two hours of training (or whatever amount) is goofy, because just doing training doesn't matter; achieving actual compliance matters.
We don't truly want people to take two hours of harassment training and four hours of CMS training and four hours of FCPA training; what we really want are harassment-free workplaces and less fraud and less corruption. Those are our real goals.
And to achieve those real goals, some organizations might need to do very little training, and some might need to do a lot. And the same applies to individual people—some people will need no training, and others might need massive amounts.
The right amount of training depends on the issue and the audience; requiring quantity instead of quality is bonkers.
It doesn't help. It hurts.
These time-based policies and laws mean well, but they are focusing on the wrong thing.
You can't assume that exposing people to information for X hours will result in them changing what they do; that's how a very optimistic nine-year-old views human behavior. People are more complex than that.
That said, if that was the only problem with these time-based requirements—that a "time = behavior" assumption is silly—it'd be one thing.
But it's worse than that, because they are counterproductive. They send the wrong signals and messages about what we really want:
They frame compliance as a check-the-box activity that sits outside of how you do your job—as a separate task that you have to do for X hours a year, not a method for how you do work.
When used as part of a corporate remediation, they frame compliance training as a punishment, because adults are required to sit through X hours of it in response to a Very Bad Thing That Happened. In parenting, that is called a "time out."
They give a false sense of security, because the required task (sit through training) has been done, and the real goal (apply the training) is only given lip service.
They boost compliance fatigue, lowering budgets and tolerance for more meaningful work by blowing the compliance team's political capital on check-the-box junk.
And finally, they make the training itself worse by focusing not on whether it works, but whether the format meets arbitrary proxy requirements. That's how we ended up with a training industry focused on goofy technical requirements instead of on attempts to show efficacy.
Cool, what's next?
OK, so time-based requirements are bad. Honestly, you probably already thought that.
What do you do about it? Well, it depends who you are.
If you're a legislator, prosecutor, or regulator, the answer is pretty easy: knock it off.
Stop creating requirements like this in laws and remediations and regulations. You are not helping promote compliance; you are endorsing a check-the-box focus on liability reduction by sending the signal that what you care about is going through the motions.
It doesn't matter if you rail against "paper programs" if you keep putting these goofy requirements in resolutions; how you actually enforce the law matters a lot more than some scripted speech you gave at a compliance conference.
Look: if you want people to do X, require them to show X—not an efforts-based, check-the-box proxy of X.
If you're in-house or some other type of compliance practitioner, on the other hand, it depends on what you're dealing with.
If you don't have a legal requirement to do X hours of training, DON'T MAKE ONE UP ANYWAY. That probably sounds obvious, but people definitely do this, and I get why it's tempting, but it will lead you down a dangerous path.
If you do have a legal requirement, that stinks and I'm sorry. Do your best to chop it up into chunks that people might actually be able to process in one sitting, but the reality is you are going to suffer through this because the legal requirement is rough stuff.
Either way, remember that the goal of compliance training is not to do some magical number of hours of training; it's to prevent problems that can be solved by training (vs controls or incentives or whatever).
Instead of trying to check off a bunch of mythical boxes, you need to:
1. Identify the problem behaviors
2. Frame your training around those behaviors
3. Tie the delivery of your training to when the behaviors occur
4. Measure efficacy based on how the behaviors change
Here is a free book that walks you through how to do it. Start there.
Want compliance training that focuses on the right things? Join Compliance Design Club!
Also, because I recognize I used the word "goofy" a bunch in this post, here's a post-script: a Vine of someone dressed as Goofy singing Evanescence's Wake Me Up.
(It's great. You're welcome.)