What is 'compliance training,' anyway? A simple explanation of what it is—and isn't.
One of the tough things about ethics and compliance is that it involves a lot of relatively complex, abstract concepts. As a result, it's really easy to get stuck with fuzzy definitions for things—the kind that sound inspirational and uplifting but are actually pretty hard to put into practice because they're not really fleshed out.
The antidote for this type of thing is to have both a positive and negative definition—what the thing is, as well as what it isn't, so you can define the boundaries of the concept. That forces you to really understand it on a deep level.
Today, I want to provide that type of clarity for "compliance training."
What compliance training is.
In one sentence, compliance training is (1) a tool (2) that you use to drive behavior (3) of willing people (4) by helping them make decisions.
Let's unpack that.
Compliance training is a tool.
Compliance training is a tool. This means you can use it to solve specific types of problems, but it isn't valuable in itself.
Here's a metaphor: think of compliance training like a jackhammer. A jackhammer is a really powerful tool for a very specific purpose, but just owning a jackhammer doesn't accomplish anything—and if you use it for the wrong purpose, it makes a big mess.
Compliance training is the same way. If you use it for the right purpose, it is very powerful. But just "doing training" doesn't add value in itself, and using it for the wrong purpose results in upset employees and a bad reputation for the compliance team.
This is different than thinking of compliance training as an activity, or something that has value just because you do it; there are things that fall in this category (say, annual certifications), but compliance training is not one of them.
Instead, compliance training is a tool; it is only valuable as a means to an end, and it is not an end in itself.
That you use to drive behavior.
The point of compliance training is to get people to do things the right way. The point is not just to tell them about laws and ethics, but to get them to actually behave a specific way. This is what makes it training and not education—more on that below.
Of willing people.
Compliance training is for people who are willing to comply. You cannot train someone who does not want to do the right thing in the first place; they will just ignore the training.
If you are targeting bad actors, training is not the right tool. You have monitoring, auditing, investigations, and discipline for those people.
By helping them make decisions.
Finally, compliance training is about human decision-making; it applies when there are multiple ways to do something, and you need to empower employees to do things the right way.
That could be as simple as "how should I mop the floor safely" or as complex as "when should I be concerned with what this JV partner is doing;" the key element is that there is a necessary degree of human choice that you can't eliminate.
This is what makes training different than a control—and to go deeper into that, let's switch to talking about what compliance training isn't.
What compliance training isn't.
OK, that's the positive definition—which, to be fair, had a little negative definition woven into it as we unpacked it. Let's add some more negative definition here to round things out.
Compliance training is not a control.
A control is a process for making sure you are compliant. It can be a paper process, an environmental element, or something done with software. Training is not a control.
For example, training is saying "lock the door when you leave;" a control is having a door that automatically locks itself.
Hear me on this: controls are better than training.
When we do our own internal compliance at Broadcat—and we do a lot, way more than we probably should for a company our size because we're run by a compliance nutjob—we always go for controls first.
That said: you still need training, and you will always need training, because not everything can be controlled; training picks up where controls end, usually where someone has to make some kind of decision. And sometimes you have to train people how to perform a control itself, because the control involves decision points.
The reason you cannot use training as a substitute for controls is that it asks people to do and remember way too much, and asking them to remember things that you could instead handle with a control is a waste.
Instead, you need to address as much as possible through controls, because that frees up employees' attention and decision-making resources for issues that truly require human judgment.
Compliance training is not discipline or incentives.
Compliance training can tell someone what to do, but it cannot make them do it. If someone knows what to do and isn't doing it, the solution isn't training—it's discipline or incentives, depending on why they're not doing it.
Do not keep training people who know what to do already; at this point, you have a different problem and need a different tool.
Compliance training is not education.
Finally, education and training are different. Education is about broad-based knowledge and analytical frameworks; training is about skills and behavior. You need to do compliance training, not compliance education.
Here's why: the purpose of compliance training is to get people to do their jobs the right way, not to replicate your skill set as a compliance professional or attorney. You—the compliance professional or lawyer reading this—need to have a broad education on compliance concepts and analytical frameworks; your employees just need to be trained to do their specific jobs the right way.
If you are not clear on this, you will default to doing compliance education.
Why? Because it's easier.
When we are an expert on something, it is easier to try and educate someone to be an expert like us than train them on how it applies to them—because we can just work from our perspective and expect them to conform to it.
Training them, on the other hand, requires understanding what they need to know for their purpose, based on what they do, and there's a lot more work that goes into thinking through how we distill, frame, and explain the necessary information to be useful.
And of course: yes, it would be great if everyone went through compliance education and had the analytical skills of a compliance officer.
But...it would also be great if every compliance officer was a cybersecurity expert. But we're generally not, and we honestly don't want to be; instead, we want our cybersecurity guy to tell us how long our password needs to be and what we need to watch out for, because we just want to do our job and that's already hard enough.
It's not because we don't think cybersecurity is important; it's because no one can be an expert in everything, and that's why we hire cybersecurity people in the first place. We just need to know enough to do our own job the right way and then let the experts do the rest.
It's the same for all other employees, too—and that's why they need compliance training about their jobs, not compliance education in general.
Why this matters: remember the jackhammer.
To understand why this matters, remember the jackhammer metaphor. When you use a jackhammer the right way, it's really powerful. When you don't, you make a big mess—which means you have to know that a jackhammer is used for breaking concrete and not fixing a squeaky door hinge or hanging a picture.
It is the same for training.
Done well, compliance training feels like part of someone's day-to-day job, a helpful guide to making critical decisions. Done poorly, compliance training can damage the compliance brand by fostering a reputation that the compliance team doesn't "get it" or that compliance is a bolt-on, check-the-box-type activity.
To know the difference between doing it well and doing it poorly, you have to know what compliance training is and isn't, so you know what to use it for—and that's why this matters.