Compliance training plan. The methodology of its improvement.
An effective compliance training plan for each type of regulation is a must-have, as regulators create more and more robust rules governing different aspects of companies’ operations. We have reached the point where some companies have a department dedicated to compliance in addition to a legal department. Even individuals in non-regulated industries have to follow at least data protection regulations. To minimize the possibility of a breach, employees should know the rules and the internal policies addressing them. It is not enough to follow a “tick-box” approach and simply send a PDF document containing all the policies to an employee to achieve compliance.
The article focuses on the question ‘how is it possible to make compliance training more effective?’ in a broader sense. A typical UK investment bank has to comply with at least financial market and services conduct, anti-money laundering (AML), and anti-bribery rules. For each set of rules, national regulators, intergovernmental organizations, and industry associations provide best practice for each subdivision. For instance, FCA Handbook FCTR 6.3.2 provides examples of good and poor practices related to training of employees focused on the financial crime risks arising from poor data security. While a company can achieve the effectiveness of compliance training within a specific area (e.g., data security risks in an AML policy), specific examples of best practices for specific areas are not discussed in the article.
What is compliance?
There is no uniform definition of compliance, and the term can be understood to include compliance of all the employees or narrowed down only to the board-level issues. The term “compliance” can relate to a specific piece of legislation such as the FSMA, MAR, PSD II, MiFID II, MiFIR, EMIR, UKBA, MLR 2017, GDPR. Alternatively, it can refer to an industry (e.g., financial services compliance, health care compliance) [Mills, 13].
For the purpose of the article, compliance is the function of identifying relevant legislative, regulatory, and best practice requirements and implementing the necessary arrangements, systems, and controls to facilitate adherence to these obligations [Sokol, 401].
Compliance training and compliance training plan explained
A compliance training session is a single training event for employees, contractors, and/or business partners that explains the rules they must adhere to. Training sessions include situations where employees are required to read particular material or complete a course. Compliance training, in a broader sense, is an ongoing process dedicated to achieving compliance of all the relevant employees with internal policies and rules to minimize the chances of a company breaching regulatory and other related standards (e.g., ethical). The term can also refer to a specific area (e.g., AML training).
A compliance training plan is usually created by the Chief Compliance Officer (CCO) and Compliance Department (CD).
When is training completed?
Compliance training is an endless process, as regulations are constantly changing, and it is tough to achieve an understanding of all internal policies. You can constantly improve a compliance training plan. However, there is a theoretical example when an employee is absolutely trained:
- The employee is aware of all the requirements applicable to him/her and the result of non-compliance. The employee is also aware of the company’s risk appetite. Additionally, the employee is aware of the functions of the CD and how it can help the employee with compliance questions.
- The employee has learned and understood the principles and the rationale behind the requirements. In addition to merely following the applicable instructions, the employee can use principle-based decision-making and make a compliant decision without looking into a rulebook. Effective compliance training activates the staff thinking process. It is especially relevant for the jurisdictions such as the UK where regulatory bodies took the route of so-called More Principles-Based Regulation and outcomes-focused regulation [Mills, 335].
- The employee internalized the rules, meaning that he/she understands the value of them for him/herself and the company. It would be naive to think that moral and ethical values are dominant for the internalization of practices. Compliance should be a part of a company’s strategy that employees believe in. Employees should not see compliance as a regulatory burden but rather as a protection against sanctions for non-compliance and reputational damage that, in the long-term, will bring value to the employees (e.g., by way of the increase in the company’s share price). The task of a CCO and CD is to persuade employees and other stakeholders (mainly shareholders) that compliance can bring value, and certain risks are not tolerable.
Action research methodology to improve a compliance training plan
As we concluded, training is an ongoing process. This process is unique to each company. Not all the methods suggested to improve the effectiveness of compliance training will suit all the companies. A company should listen to its employees. It can use the action research methodology to assess and improve the effectiveness of a compliance training plan. You can use the method to create a new compliance training plan or to improve the existing one.
Training people in compliance to a certain extent is not much different from teaching students or children. Thus, it is appropriate to use the methodology of research applied in social sciences. Briefly, the key aim of action research is to understand, improve, and reform the practice.
A CCO and CD can apply the approach to individual training sessions, a series of training sessions, and a compliance training plan as a whole. We can divide the compliance training cycle based on the action research methodology into three phases.
Generally, the idea of the suggested compliance training cycle is to collect information from internal and external sources and to create an annual compliance training program (plan) that is expected to be as effective as possible, or more effective than the previous one. After the plan is executed, the CD assesses whether it was successful and whether the assumptions on which it was based are correct. Each year the process is repeated. If you do not want to do it yourself, you can always hire a professional who can help you with improving your compliance training.
Phase 1. Collecting information and planning
During Phase 1, based on the information collected, the scope, aim, and methods of compliance training are defined, and the CCO and CD create an annual compliance training plan. The plan is based on assumptions about how to make training more effective.
Identifying the scope and the aim of a compliance training plan
During Phase 1, it is necessary to identify:
- areas where comprehensive training sessions are mandatory (e.g., identification of ML red flags);
- areas where there is no need to have comprehensive training sessions (e.g., gift policy).
For correct identification, it is critical to collect information about previous breaches, weaknesses of the company, breaches of other companies in the same industry, and matters that cause the most reputational damage. After the data is collected and analysed, it becomes clear that certain areas require more training than others. Even a gift policy might require specific attention if, for example, there were precedents of previous breaches.
The following sources should be used:
- own internal investigation and assessment of policies and external audits;
- news from a regulator or relevant media related to compliance issues;
- employee surveys and interviews that can help to identify the current state of awareness and understanding of the policies;
- statistics provided by the company’s CD related to the most common enquiries by the employees.
Identifying how and when compliance training sessions should be conducted
There are two useful sources: interviews and surveys regarding employees’ previous experience and preferences, and various research materials related to compliance training plans.
Listening to employees
It is essential to analyse the experience of employees related to previously conducted compliance training sessions. It is not a secret that training plans are considered burdensome. It is not efficient to make somebody learn something. To help the employees, the CD can at least consult with the employees to determine the best time for holding training sessions and create an appropriate schedule. For example, tax departments in audit companies are extremely busy during the yearly tax report preparation.
Moreover, complexity and preferred training methods should be discussed with the employees. They know the problems of existing training material or have encountered some problems in the past. For instance, during interviews related to the assessment of Information Systems Security policy manuals, one company found that some employees criticized the usefulness, clarity, accessibility, and format (Word document) of the manuals. According to the employees, the instructions were too bureaucratic and verbose, with a lot of technical details [Puhakainen 767]. Hence, by fixing the format (e.g., an interactive PDF document followed by a live presentation or video recording, instead of a Word document) and making instructions less complicated, it is possible to make compliance training more effective, as it will be easier for the employees to study and understand the requirements applicable to them.
Utilization of research materials
In addition to listening to the employees, the compliance officer and CD should use findings and advice from industry specialists and researchers of compliance training. Some studies have already analysed the experience of employees related to certain training sessions. Such studies can help to ask the right questions during the interviews and the surveys. However, not every piece of advice is worth implementing, unless it is theory-based and provides empirical evidence of its success.
For instance, a European bank used a gamification element in its training plan. Nevertheless, the effectiveness of gamification of a training session is questionable. One study describes gamification as a valuable tool for improving anti-corruption training. However, it also reports that training was successful in improving employees’ knowledge if employees had been at the company for less time, but not in improving the knowledge of more experienced employees. Another study suggests that basic gamification in IT security and data privacy training does not outperform learning relative to other types of training.
Some ideas may work in one company and not work in another company. It may be impossible to use the gamification approach to explain complex rules. That is why it is critical to use the action research methodology and identify the most effective training methods and features for a compliance training plan.
Phase 2. Delivering training/implementing a compliance training plan
The CD can train staff itself in different ways. It can hold presentations, workshops, and practical sessions, or require staff to read certain material or complete an internally or externally made e-course. E-mails with regulatory and internal updates are a type of training too. Additionally, an external party can be invited to conduct compliance training sessions.
During Phase 2, the CD collects the information for analysis during the next phase. The following data should be collected:
- whether an employee downloaded training material or opened an e-mail;
- opinions of the employees regarding suitability, helpfulness, appropriateness, and relevance of compliance training sessions and training materials;
- how employees’ results were improved.
It is important to make employees complete short surveys after each training session and a comprehensive survey at the end of the compliance program year. To evaluate the results of a training session, it is common for companies to conduct online quizzes [Rasmussen 14]. In addition to short quizzes, after a certain number of training sessions related to one topic, the CD may decide to conduct an examination. Additionally, an anonymous peer-to-peer review can be used after team workshop sessions.
The CD should liaise with the HR department to ensure that all the employees, including temporary staff, are trained [Mills, 137]. Additionally, it is vital to find a way to identify all the business partners requiring training.
Raising awareness and promoting compliance culture
In addition to formal training, there should be more or less informal events dedicated to compliance. In some companies, there are ‘compliance days’ dedicated to certain topics when the CD builds stalls, shows videos, and gives leaflets devoted to the topic. Some companies even have compliance board game evenings.
Internal compliance reports can also help to raise awareness and promote compliance culture. The CD can present the achievements of the company and its compliance efforts to the employees and various stakeholders. Appealing posters with a relevant summary of the report can be placed on the walls in different departments.
Phase 3. Evaluating success
During Phase 3, the CD will evaluate the effectiveness of each assumption (when possible) and the compliance training program as a whole. The results are used during the next Phase 1 of subsequent training.
Generally, Phase 3 is the collection and analysis of data obtained during Phase 2 (especially surveys, quizzes, exams), data from the CD (e.g., data on employees’ requests for clarification of a specific policy), surveys and interviews related to specific questions (e.g., the opinion of employees on the schedule), data on breaches, and data from the anonymous whistleblowing reporting system. At the end of Phase 3, there is a transition back to Phase 1, as the new plan and its assumptions should be underpinned by the results obtained during previous cycles.
Fewer breaches, positive test results, and elimination of knowledge gaps that existed at the beginning of the compliance plan can indicate that the training plan is effective, and the scope of the compliance training plan was identified correctly. Additionally, the CD will evaluate the effectiveness of the plan based on what they see on a daily basis (e.g., compliance questions it receives).
Usually, an assumption is correct and was implemented correctly if the desired result is achieved. For example, the statistics may show that the attendance was higher than during the previous years when the top managers were not involved. However, it is not always possible to test assumptions correctly without conducting experimental studies. Even when a correlation is spotted, causation is not implied. The involvement of the top managers may correlate with the increase in the attendance of the employees. However, it should be studied separately to be sure that the senior managers increased the attendance of the employees. Even asking the employees anonymously may not help to understand whether to seek the top managers’ involvement next year. In some situations, it is better not to change anything if there is a positive result.
Phases 2 and 3 can be conducted in parallel. The success of both each training session and the compliance training plan as a whole should be assessed. The CD should continuously collect information to be able to make an immediate change to the compliance training program. For instance, during the compliance program plan, it may be noticed that for certain areas there are more questions, or it is immediately clear that certain training methods are ineffective or annoy the employees too much. In such situations, the CD should make appropriate changes to the compliance training program.
1. Mills et al., Essential strategies for financial services compliance (2nd edn., John Wiley & Sons 2015) <https://www.wiley.com/en-gb/Essential+Strategies+for+Financial+Services+Compliance%2C+2nd+Edition-p-9781118906132>
2. Sokol, ‘Teaching Compliance’. (2016) U. Cin. L. Rev 84 399 <https://www.tandfonline.com/doi/full/10.1080/1743727X.2010.484549>
4. P Puhakainen, M Siponen, ‘Improving employees’ compliance through information systems security training: an action research study’ MIS quarterly 34(4) 757 <https://www.researchgate.net/publication/220260086_Improving_Employees’_Compliance_Through_Information_Systems_Security_Training_An_Action_Research_Study>
5. Neil Cullen, ‘Case Study: An Effective Learning Programme for a European Bank’ (Interactive Services, 3 June 2019) <https://www.interactiveservices.com/latest-news/case-study-an-effective-learning-programme-for-a-european-bank/>
6. See Baxter et al., ‘The effects of gamification on corporate compliance training: A partial replication and field study of true office anti-corruption training programs’ Journal of Forensic Accounting Research 2(1) A20 <https://aaajournals.org/doi/10.2308/jfar-51725?mobileUi=0>
7. See Baxter et al., ‘Applying basic gamification techniques to IT compliance training: Evidence from the lab and field’ Journal of information systems 30(3) 119 <https://aaapubs.org/doi/abs/10.2308/isys-51341?journalCode=isys>
8. M Rasmussen, ‘Seven habits of highly effective compliance programs’ Forrester Research publication <http://www.atlantaresources.com/articles/sevenhabits.pdf>