Today we continue our seven-week blog series on effective compliance programs with an analysis of the fourth hallmark on training and communication. While many organizations and compliance departments think they handle this hallmark well, they often fall short of their full potential in this arena.
In this blog, we’ll break down this hallmark, expose exactly where organizations fall short and provide clarity on regulators’ expectations in this space. If you haven’t already, be sure to read the first part of our series, which covers written policies and procedures, program oversight and ethical due care.
According to the Federal Sentencing Guidelines for Organizations, organizations should take steps to regularly communicate their standards and procedures in a practical manner. This means organizations should communicate their compliance and ethics programs through effective training and sharing information appropriate to individuals with specific roles and responsibilities.
Organizations often fall short of this goal due to their interpretation of this hallmark and the amount of care and detail they give to it. Typically, organizations fail to meet the requirements of this hallmark in four key ways:
- Lack of periodic review and continuous communication
- Not ensuring training and communication of policies are relevant to the employee
- Incorrect or lack of measurement of the effectiveness of training and policies
- Not considering the risk prioritization of training
Periodic Review and Continuous Communication
Firstly, many organizations roll out all their policies and training programs at once and host the material on a corporate intranet for employees to visit at will. In a sense, simply making this information available to employees removes a sense of ownership and responsibility for compliance and ethics enforcement from leadership. Many organizations think that, because the information is now available, their work is done since their employees have been informed.
However, informing employees is just the first step towards effective training and communication of a compliance program. Companies should regularly review, update and redistribute policies and training materials to ensure their relevance. Even when there is no need to change content, organizations should remind employees of their duties and the behavior expected of them.
To highlight this issue, we look to the DOJ’s whitepaper on the “Evaluation of Corporate Compliance Programs.” This paper provides clarity on the types of questions enforcement officers ask when evaluating effectiveness.
Per the whitepaper, the DOJ not only reviews periodically released subject matter training, but also looks for what senior management does to let employees know the company’s position on any occurrences of misconduct.
For example, the DOJ wants to know what communications went out after an employee was terminated for failure to comply with the company’s policies, procedures and controls. Employees need to clearly understand the consequences of inadequate and unacceptable behavior.
Relevant Training and Communication of Policies to Employees
Another common issue organizations fail to address is the need to disseminate information appropriate to each individual’s roles and responsibilities. Training and communication should be targeted and relevant. Training that is not targeted in this way will not be effective.
The next question the DOJ asks is whether training is offered in a form and language appropriate for the intended audience. They search for evidence that policies and trainings are communicated in the native language of a recipient, and that they are appropriate to a recipient’s location, geography, function, role and responsibility area.
Measuring the Effectiveness of Training and Policies
The objective of ensuring communication is relevant to the employee is to increase the effectiveness of training. The measurement of effectiveness is an area of great debate, and one that former enforcement consultant to the DOJ, Hui Chen, feels passionately about.
“Often, when companies talk about a robust tone, they are just using the wrong metrics and measuring the wrong things,” Hui Chen states. “People often ask me what they should measure in training and my response is for them to tell me what the purpose or goal of their training is. What exactly do you want your training to accomplish? I think it goes back to the ‘why’ questions. Why are you doing this training? If your training is successful what would be the result? I don’t think people are asking the ‘why’ question enough.”
Risk Prioritization of Training
The ‘why’ question leads us to the final shortfall for many organizations in this hallmark: risk-based training.
“If you don’t even know what the risks are, how are you supposed to address them?” questions Chen. When asked what she looks for from risk-based training, Chen replies, “Are you allocating your resources—whether it’s time, money or control systems—in a way that’s proportionate to the potential damages it could cause?”
The “Evaluation of Corporate Compliance Programs” also supports this view. The DOJ wants to know what analysis a company undertakes to determine who should receive training and on what subjects.
Once again, as with many of the hallmarks, regulators ask organizations to go past the tick-box exercise of simply delivering compliance training. In order to be truly effective, training and communications need to be reinforced, relevant, measured and risk-based.
Check back next week for our exploration of the fifth hallmark of compliance — monitoring and effectiveness.