Time-based compliance training requirements—like "you have to do 3 hours each year"—are terrible...
2 minute read ·
The problem with compliance awareness week...
FUN FACT: nothing is perfect.
Everything has costs, externalities, and unintended consequences. The challenge isn't finding something that's perfect, but understanding the costs of doing something so you can deal with them.
That even applies to rah-rah stuff like corporate compliance awareness week—we see a lot of folks talking about these events, but very few people taking a more balanced view that takes their pitfalls into consideration.
So, we asked you guys: what problems do you see with them? And then we compiled your answers and some thoughts of our own into this video:
Special thanks to Marcy, Karen, Heini, Scott, Deb, and Mary for the input! You guys are the best.
A couple production notes!
I've thought repeatedly about taking down that "two easy games" blog, which is consistently one of the most popular pages on our site, because I thought the nuance of why those worked got lost more often than not. And then I realized that taking down a page of stuff that works and is really popular because people might miss why it works is stupid, so instead we've just updated that post to point here for more analysis.
The game I *don't* talk about in the video, because it didn't lend itself to any dumb sight gags, is a confidentiality game based on an episode of The Office which was in turn borrowing from Willy Wonka. It's about handling sensitive info in the wild and follows a similar real-world use case. Go check it out if you're doing stuff for Privacy Day—and that's subject to all the same analysis in this video, natch.
The crummy, clearly-made-in PowerPoint logo in the original SCCE blog post, which you see at the beginning of the video, was from the first few months of the company. It predated Broadcat and is affectionately known as "the blobcat" around here. (You would also be justified in thinking it was an owl or a sentient turd.)
If you ask me if I think you should generally try and think up games for these events, my answer will be "no." The amount of time you need to make a good one is gargantuan, and it's crazy easy to get wrong.
Once again, I'm doing math. Fun story: I once had someone call that type of cost calculation—you know, cost of employee time, multiplied by amount of employee time—"irrational." Yikes.
Big-picture, most people doing these events are probably fine. They're in the early stages of a program or rebooting it, and sometimes you just gotta do stuff to get attention. Where I'd start to worry is if your event gets bigger every year; that's when the line between PR and actual compliance starts to get blurry.