Effective Ethics and Compliance Training

Thomas Fox - Compliance Evangelist
Contact

In a recent Slate article, entitled “Ethics Trainings Are Even Dumber Than You Think”, author L.V. Anderson railed against what she termed box-checking training where companies put on training not to actually train employees but simply to check the box that training has occurred. She also spoke against “dumbed-down nature of most compliance courses”.

Part I-Why put on training?

Certainly recognizing that inane training is simply that - inane training, Anderson missed the larger picture of what constitutes a best practices compliance program. Training is one part of a larger component of how companies manage their compliance with laws, regulations and, most importantly, the ultimate barometer of their value - their corporate reputation through compliance. The role of compliance in corporations was born in 1992 with the enactment of the US Sentencing Guidelines, which laid out the initial standards for corporate compliance and ethics programs, of which training is one part. It was only after these Sentencing Guidelines were put into effect that corporations moved to create Codes of Conduct to publicly state their values.

These Sentencing Guidelines provide a very general outline of what would constitute an effective compliance program. In the latest amendments to the Sentencing Guidelines, in 2010, the stated purpose of training is to “(6) Training - Conduct effective training programs and otherwise disseminate information to ensure that the board of directors, high level personnel and other employees with substantial authority receive information about the standards, procedures, and other aspects of the compliance program”.

One of the most significant areas of the law, where the government has provided specific guidance on compliance programs including training, is the 2012 publication entitled “FCPA - A Resource Guide to the U.S. Foreign Corrupt Practices Act”, which was issued jointly by the Criminal Division of the Department of Justice (DOJ) and the Enforcement Division of the Securities and Exchange Commission (SEC). This FCPA Resource Guide provided the government’s views on what constituted an effective compliance program under the Foreign Corrupt Practices Act of 1977 (FCPA) in the form of the Ten Hallmarks of an Effective Compliance Program.

Hallmark No. 5, Training and Continuous Advice, which says, in part, “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” This Hallmark goes on to state that training should be appropriate for the risk of the persons being trained and tailored to the situations they might find themselves at risk in for their company.

Whether you consider the language of the Sentencing Guidelines or the much more specific FCPA Resource Guide, the proper context to review ethics and compliance training is as a part of an overall holistic approach to compliance and ethics, compliance can be seen in its proper role as a communication tools. The reason a company puts on compliance training is not to solely stop unethical or non- compliant conduct. The role of training is to communicate the standard of values the company wants to set forth.

The training itself should be tailored to risks involved with those employees receiving the training. My wife works at a major oilfield service company in Houston, as an SAP integration specialist in the IT department. The risk that she could engage in non-compliant, unethical behavior, that could put her company at legal risk, is relatively low. So basic training for her on the company’s ethical values is an appropriate reminder.

However, in the same company there are thousands of employees who are in positions oversees which are at much higher risk for non-compliant behavior, particularly under the FCPA. For those employees more focused, specific and in person training is the preferred method. So more than simply asking is something illegal, such training would focus on the specific requirements under the law, what an employee should do if a foreign government official demands a bribe and how to seek help or report such conduct through the company hotline.

Training is not and never has been the all-encompassing way to stop illegal or even non-compliant, unethical conduct. It should be seen as a part of the overall corporate compliance program. Enron is the prime example that simply having one part, the Enron gold standard Code of Conduct and even training on that Code of Conduct, is not enough. It all starts at the top with the tone from the top. If your top management are crooks, in the case of all the former Enron senior managers who are now convicted felons, that speaks to the tone management creates. No rule, regulation, company policy or certainly compliance training should get in the way of the next deal.

Yet even after management sets an appropriate tone, that tone must be communicated to the employees. A corporate Code of Conduct sets out the general values and the policies and procedures lay the specifics of how employees can comply with laws, regulations and ethical concepts. After this communication, a company must set out appropriate incentives and discipline (carrots and sticks) to reinforce these behaviors. Finally, there should be internal controls baked into to all of this, which not only reinforces these concepts but also allows a corporate compliance department to monitor compliance to hopefully prevent any incidents before they become violations and detect them if they occur.

Anderson does get one thing right. If a company is putting on training simply as “just a form of legal ass-covering” then it is probably the type of company which does not put a high value on doing business either (1) ethically or (2) in compliance with existing laws. That alone puts a company in the Enron zone for compliance.

Part II: Risk Ranking and Design of your Compliance Training

The communication of your anti-corruption compliance program is something that must be done on a regular basis to help ensure its effectiveness. The FCPA Guidance explains, “Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” Viewed from the perspective of what a company needs to do to work towards ensuring compliance and ethical behavior, training can be seen as a communications tool. But it should only be seen as one tool.

Anderson stated that for compliance training to be effective its needs to risk-based in its focus. This means employees with highest risk of exposure to bribery and corruption need to receive the highest levels of training and refreshers. From there you can tailor your training down to an appropriate level for those less at risk.

The risk ranking of employees is usually considered in a tripartite structure of (1) high-risk, (2) medium risk and (3) low risk. High-risk employees can be defined as those employees whose roles in your company can significantly impact the company. Medium risk employees can be defined as those employees who face risk on regular basis or present a moderate level of negative impact to a company if they mishandle the risk. Low risk employees can be considered those employees with a low likelihood of facing the attendant risk. Through the risk ranking process, you have internalized the admonition that “one size does not fit all in deciding the content and intensity of training needs for each role or individual”. You should be now ready to design your compliance training.

The first step is to define what you are trying to achieve in your compliance training. This certainly means more than simply ‘check-the-box’ training and when implementing compliance training you have put some significant time and thought into it. It should be well designed to the targeted group of employees who will receive it. Your compliance training can and should have several business-related goals, in addition to specifics of anti-bribery laws such as the FCPA. These include identifying the business objectives of engaging in commerce in a legally compliant manner; managing threats which may come to employees you have identified as high-risk and the business opportunities afforded if you have sufficient compliance systems in place to prevent bribery and corruption. Moreover, you can present tangible business benefits if you address these issues in a positive manner. Finally,

such focused training can and should help to ensure integrity and the company’s reputation by strengthening your business culture and ethical conduct.

You are now ready to design your compliance training, with the above goals in mind. You should include the development of curriculum using a risk-based model and set uniform methods for acquiring content, maintaining records and reporting. This should be followed by the establishment of standards for selecting appropriate content, delivery methods, frequency, and assurance based on risk exposure. You can review any technological solutions for both e-learning delivery and documentation. Lastly, you will need to consider training content revision when requirements or risk analyses change.

After the design of the training program, the next level is to design the specific training courses. Here you should establish your learning objectives and map the training to legal and competency requirements. You must always remember who your audience is and what their characteristics might be. For the high-risk employee, you will need focused training so that they will be able to act with confidence in a wide range of scenarios and conditions based on a strong understanding of the risks, requirements and penalties. For the medium risk employee, compliance training should include scenarios so that they know the risks, requirements and penalties and should be able to apply their knowledge to common scenarios using standards and tools given to them. For the low risk employee, they should be made aware of the risks, requirements and penalties as well as your entity’s expectations about how to address it. They should know relevant policies and procedures and where to get assistance in addressing a risk or making a behavior decision.

Now you need to determine the most appropriate mechanism to deliver the content of your compliance training. You can use a variety of methods for each of the designed risk based rankings. The delivery of compliance training for high-risk employees should be repeated frequently using several methods of delivery. You can include ongoing risk profiling of individuals through assessment of behavior choices in online courses or live simulation exercises. Additionally, you should work to determine the effectiveness of your compliance training to this group through testing and certification. For your medium risk employees, your compliance training should have content to make them proficient in the subject, be refreshed periodically, use a mix of modes of delivery, both live and online, and have methods to demonstrate evidence of understanding. To address the content required for low risk employees it can be done largely through online training, again you will need to make sure the material is reviewed and updated on an as needed basis.

Lastly, and please do not forget this step, you need to ensure that the compliance training content is timely and the instructors are effective.

Part III: Effectiveness and Evaluation of Your Compliance Training

While most people tend to overlook the issue of attendance at training, it is an issue that should also be considered. You should determine that all senior management and company Board members have attended FCPA compliance training. You should review the documentation of attendance and confirm this attendance. Make your department, or group leaders, accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.

One of the key goals of any FCPA compliance program is to train company employees in awareness and understanding of the law; your specific company compliance program; and to create and foster a culture of compliance. The testing and evaluation of your FCPA compliance training program is an important aspect not to overlook. In their book, entitled “Foreign Corrupt Practices Act Compliance Guidebook: Protecting Your Organization from Bribery and Corruption”, Martin T. Biegelman and Daniel R. Biegelman provide some techniques which can be used to evaluate ethics and compliance training.

The authors encourage post-training measurement of employees who participated. A general assessment of those trained on the FCPA and your company’s compliance program is a starting point. They list five possible questions as a starting point for the assessment of the effectiveness of your FCPA compliance training:

  1. What does the FCPA stand for?

  2. What is a facilitation payment and does the company allow such payments?

  3. How do you report compliance violations?

  4. What types of improper compliance conduct would require reporting?

  5. What is the name of your company’s Chief Compliance Officer?

The authors set out other metrics, which can be used in the post-training evaluation phase. They point to any increase in hotline use; are there more calls into the compliance department requesting assistance or even asking questions about compliance. Is there any decrease in compliance violations or other acts of non- compliance?

What if you want to take you post-training analysis to a higher level and begin to consider the effectiveness through your return on investment (ROI)? Leona Lewis explored this issue recently on her podcast Masters of Disaster, where she interviewed Joel Smith, the founder of Inhouse Owl, a training services provider. He advocates performing an assessment to determine ethics and compliance training ROI to demonstrate that by putting money and resources into training, a compliance professional can not only show the benefits of ethics and compliance training but also understand more about what employees are getting out of training (effectiveness). The goal is to create a measurable system that will identify the benefits of training, such as avoiding a non-compliance event such as a violation of the FCPA. Smith admits that calculating legal ROI is very difficult as ethical and

compliance behavior is an end-goal and of itself - not necessarily one that everyone feels should be subject to a ROI calculation.

Smith noted, “it is extremely difficult to isolate the training effect to calculate what costs you avoided due solely to your ethics and compliance training. Although each organization will have a unique ROI measurement due to unique training objectives, it is possible to use a general formula to calculate ethics and compliance training ROI.”

Smith’s model uses four factors to help determine the ROI for your ethics and compliance training, which are: (1) Engagement, (2) Learning, (3) Application and Implementation, and (4) Business Impact. These four factors are answered through posing the following questions.

  1. Figure out what you want to measure (i.e. what’s the “benefit”?)   Before you ever train an employee, you should have a goal in mind. What actions do you want employees to take? What risks do you want them to avoid? In the FCPA, you want them to avoid ethical and non-compliant actions that would lead to FCPA violations. So your goal is to train employees to follow your Code of Conduct and your compliance program policies and procedures rules so you avoid liability related to actions. Therefore the benefit to calculate for ROI purposes is the total amount saved by the company because employees now understand (due to the training) not to engage in unethical and non- compliant conduct around bribery and corruption.   

  2. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job. If it’s not targeted, employees will likely not be committed to changing risky behavior. Smith believes you can get data on employee engagement through a quick post- training survey. Although this factor does not produce a quantitative number to use in the ROI calculation, it will help you isolate and qualify the training benefit.

  3. Did employees actually learn anything? Smith believes that a critical part of any employee training is the assessment. If you want to understand the “benefit” of training employees, you must know whether they actually learned anything during training. You can collect this data in a number of ways, but for compliance training, the best way is to measure pre and post training understanding over time. Basically, each time you train an employee, measure comprehension both before and after training.

  4. Are employees applying your training? Smith says that for this point you will need to conduct a survey to determine employee application and their implementation of the training topics. To do so, you must conduct employee surveys to understand whether they ceased engaging in certain risky behaviors or better yet understand how to conduct themselves in certain risky situations. These surveys can provide a good sense of whether the training has been effective.

  5. What’s the quantitative business impact of your training? At this point you are ready to determine the numerical business impact of your ethics and compliance training. Smith has an approach he calls the “Best Guess” approach. Smith believes there are two parts to the business impact calculation: (1) the benefit calculation and (2) the isolation calculation. Smith provided five questions he would pose.

  1. How often could a noncompliance event occur?

  2. How much revenue would be involved?

  3. What is the profit margin on the revenue?

  4. What are the other costs?

  5. What are the noncompliance hard costs?

The next step is to isolate the benefits of training so that you properly attribute the ROI to the ethics and compliance training. To make this determination, you need to know at a minimum (1) whether employees understood the training and (2) whether employees are applying the training. This information must be compared with other factors, namely: (1) the effects of any other company initiatives involving anti-corruption, (2) employee attitudes regarding the topic and training, and (3) any business factors such as decreasing/increasing international revenue, macro- economic trends, etc. that may contribute to avoidance of a noncompliance event. From these calculations, you should then apply a percentage of the benefit to the training. Here Smith suggests 25%.

6. ROI: bringing it all together. Now it is time to calculate the ROI. Here I turn to the formula as laid out on Smith’s company website: “Total FCPA Noncompliance Costs Avoided - Total FCPA Training Program Costs ÷Total FCPA Training Program Costs ($20,000) x 100=ROI”. Smith concludes by noting, “Even though calculating training benefits is often difficult and imprecise, it’s incredibly important to make an attempt to quantify training ROI” to demonstrate not only effectiveness but also “so you can show business people the incredible effect that engaging training can have on the bottom line.”

The importance of determining effectiveness and the evaluation of your ethics and compliance program is becoming something that is emphasized more by the Department of Justice (DOJ). Beginning last fall, we started to hear that the DOJ wants to see the effectiveness of your compliance program. This is something that many Chief Compliance Officers (CCOs) and compliance professionals struggle to determine. Both the simple guidelines suggested by the Biegelmans and the more

robust assessment and calculation laid out by Smith provide you with formulae you can use going forward.

Part IV: What’s in the Future? The Gamification of Compliance Training

Kyle Turco, in a Technological Advice article, entitled “How Gamification Can Improve Employee Training”, wrote “Gamification, or the use of game dynamics in a non-game context, will yield powerful results for employee training. One of the most beneficial aspects of gamified training is that it adds fun and excitement to a previously boring procedure. While arduous training programs can discourage incoming employees, game dynamics can increase engagement and morale.” Moreover, “By increasing interest and engagement during training, trainees are able to better understand the nature of the company.”

Turco went on to explain that it is the dynamics of gaming, which brings increased effectiveness to such employee training. These dynamics not only increase the communication component to training but also add to its effectiveness through a more complete user experience. Turco said one way to do this is “to add points and badges as prizes for completed courses. Adding incentives is a simple way to encourage participation. In addition to rewarding completion, there is an advantage to taking it further and rewarding mastery and knowledge. If the training program requires, assigning performance based status or rewards will encourage trainees to perform at a higher level.”

Even a concept as simple as competition can improve the experience by adding a “social dynamic to training.” Turco wrote, “By publicly rewarding completion or mastery, trainees will feel driven to compete. This is specifically powerful in the training process because incoming employees may feel especially driven to show their capabilities. Furthermore, it can foster positive social interactions among new employees. Instead of losing productivity because new workers are alone or intimidated, a gamified training process can get them accustomed to the company culture and feeling comfortable right out of the gate. Additionally, it can put them directly in-touch with existing employees and tasks.”

He pointed to the example of SAP, which “added gamification to their college recruitment process. SAP implemented a MindTickle platform that included badges, points and leaderboards. When the newly-gamified hires were compared to their predecessors, SAP noticed a 75% increase in awareness about the company and related products. The MindTickle platform helped remove four classroom training sessions and created 70% savings in senior management coaching time and a 60% reduction in administration costs.”

Tying these concepts directly to ethics and compliance training, OCEG President Carole Switzer, in an article entitled “Playing the Game of Risk in Workplace Education”, noted, “Well-designed games encourage engagement, and more engagement means more reinforcement, and that leads to better recollection and

application of the information. Situational decision-making drives the player to think, not just act. Making wrong choices and seeing the consequences leads to desire to act the right way and gain rewards, be it advancing to the next level of the game, earning a prize for success, or understanding that in the real workplace world the reward may be achievement of personal and organizational objectives.”

I recently had the chance to chat with Sam Claxton, Product Manager over Training and Education Products for the Red Flag Group (RFG, who sponsor this blog). Claxton came from the world of gaming before he joined RFG and continues to actively participate in that sport. He explained that through this gaming concept of dynamics you are bringing to your ethics and compliance training the concept of scoring. Employees will consider how their “scores compete with other people's score in a leaderboard or if you do a certain number of clicks or wrong answers, right answers you get a reward or a score or a star. I think that’s actually not as effective as other gaming mechanic because are 2 people going to sit down and really look at, “Oh I completed my compliance training at this time and with this score. What was your score? What was your time?””

Another concept from gaming is that of viewer engagement, which means engaging the ethics and compliance training so that users want to do compliance training and spend their time engaged with the content. He provided two examples on how such engagement can be accomplished. The first is through story telling. Any engaging training should have a large amount of focus on creating characters and creating a world to fit the compliance training so that people are engaged. This is because people care about the characters. Engaging ethics and compliance training will provide each character with a back-story so you pick up those nuances as you go through the training. This entices the employee in training to want to go “to the next bit to see how these characters interact with each other. When one character finds out a secret about another character, you want to know how the other character will react but at the same time, not dramatizing it because content must always be king.”

The second major lesson from gaming is the quality of the visual experience or the animation. Claxton said, “by using 3d Pixar animation, which is a high quality visual, “the user can be a lot more immersed in the world because it’s not just text on a slide. They’re not just surrounded by text. We live in a colorful, vibrant world, that should be reflected in the training so that they’re immersed and see the content in a real life example.”

The next step past these lessons learned from the world of gaming is to create a platform that will provide adaptive training to clients. This means that each user will have their own individual course so, based on the risk profile of that user, they will get a course tailored to their risk areas. Indeed it can be specific to a potential situation that might have a higher risk for bribery and corruption. This can be accomplished through short and impactful mini-trainings. For instance, if a high-risk employee is going to a location, such as one with a high propensity for corruption, dealing with a foreign government official or third party sales representative, they can select a succinct 2 to 3 minute training to enhance their knowledge. This can certainly be effective for their ongoing development and awareness of compliance. Finally, through a technological solution, there will be an audit trail so that you can Document, Document, and Document.

I hope that you have enjoyed this series on ethics and compliance training and that it responds to Anderson’s original assert that ‘ethics trainings are even dumber than you think.’ Never forget that the US government considers training important, as reflected in the US Sentencing Guidelines and the Ten Hallmarks of an Effective Compliance Program. There are mechanisms in place that allow you to provide a more focused, effective training through risk ranking and design. You can evaluate the value of your training through estimating your return on investment (ROI). And finally, one should never lose sight that training is another way to communicate your company’s values. If you say it enough, tied to a culture of compliance, people will do the right thing.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox - Compliance Evangelist | Attorney Advertising

Written by:

Thomas Fox - Compliance Evangelist
Contact
more
less

Thomas Fox - Compliance Evangelist on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide