Compliance Training – Part II: Risk Ranking and Design

27.06.2016
Yesterday I began what I thought would be a two-part series on compliance training. However, or perhaps more accurately, as usual, I got carried away so I am now off on a multi-part series on how to design, implement and assess an effective compliance and ethics training program. This series was inspired by an article in Slate, entitled “Ethics Trainings Are Even Dumber Than You Think”, by L.V. Anderson. Her article was generally dismissive of compliance and ethics training, panning it as a mere ‘check-the-box’ exercise so corporations could use it as a CYA defense if any government regulators ever came looking. In spite of her dismissive attitude, she did have some useful nuggets that you should incorporate into your Foreign Corrupt Practices Act (FCPA) compliance program.

The communication of your anti-corruption compliance program is something that must be done on a regular basis to help ensure its effectiveness. The FCPA Guidance explains, "Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, Department of Justice (DOJ) and Securities and Exchange Commission (SEC) will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners." Viewed from the perspective of what a company needs to do to work towards ensuring compliance and ethical behavior, training can be seen as a communications tool. But it should only be seen as one tool.

Anderson stated that for compliance training to be effective it needs to be risk-based in its focus. This means employees with the highest risk of exposure to bribery and corruption need to receive the highest levels of training and refreshers. From there you can tailor your training down to an appropriate level for those less at risk.

The risk ranking of employees is usually considered in a tripartite structure of (1) high-risk, (2) medium risk and (3) low risk. High-risk employees can be defined as those employees whose roles in your company can significantly impact the company. Medium risk employees can be defined as those employees who face risk on a regular basis or present a moderate level of negative impact to a company if they mishandle the risk. Low risk employees can be considered those employees with a low likelihood of facing the attendant risk. Through the risk ranking process, you have internalized the admonition that "one size does not fit all in deciding the content and intensity of training needs for each role or individual". You should now be ready to design your compliance training.

The first step is to define what you are trying to achieve in your compliance training. This certainly means more than simple 'check-the-box' training; when implementing compliance training, you must put significant time and thought into it. It should be well designed for the targeted group of employees who will receive it. Your compliance training can and should have several business-related goals, in addition to the specifics of anti-bribery laws such as the FCPA. These include identifying the business objectives of engaging in commerce in a legally compliant manner; managing threats which may come to employees you have identified as high-risk; and the business opportunities afforded if you have sufficient compliance systems in place to prevent bribery and corruption. Moreover, you can present tangible business benefits if you address these issues in a positive manner. Finally, such focused training can and should help to ensure integrity and the company's reputation by strengthening your business culture and ethical conduct.

You are now ready to design your compliance training, with the above goals in mind. You should include the development of curriculum using a risk-based model and set uniform methods for acquiring content, maintaining records and reporting. This should be followed by the establishment of standards for selecting appropriate content, delivery methods, frequency, and assurance based on risk exposure. You can review any technological solutions for both e-learning delivery and documentation. Lastly, you will need to consider training content revision when requirements or risk analyses change.

After the design of the training program, the next level is to design the specific training courses. Here you should establish your learning objectives and map the training to legal and competency requirements. You must always remember who your audience is and what their characteristics might be. For the high-risk employee, you will need focused training so that they will be able to act with confidence in a wide range of scenarios and conditions based on a strong understanding of the risks, requirements and penalties. For the medium risk employee, compliance training should include scenarios so that they know the risks, requirements and penalties and should be able to apply their knowledge to common scenarios using standards and tools given to them. For the low risk employee, they should be made aware of the risks, requirements and penalties as well as your entity's expectations about how to address it. They should know relevant policies and procedures and where to get assistance in addressing a risk or making a behavior decision.

Now you need to determine the most appropriate mechanism to deliver the content of your compliance training. You can use a variety of methods for each of the designated risk-based rankings. The delivery of compliance training for high-risk employees should be repeated frequently using several methods of delivery. You can include ongoing risk profiling of individuals through assessment of behavior choices in online courses or live simulation exercises. Additionally, you should work to determine the effectiveness of your compliance training for this group through testing and certification. For your medium risk employees, your compliance training should have content to make them proficient in the subject, be refreshed periodically, use a mix of modes of delivery, both live and online, and have methods to demonstrate evidence of understanding. The content required for low risk employees can be delivered largely through online training; again, you will need to make sure the material is reviewed and updated on an as-needed basis.

Lastly, and please do not forget this step, you need to ensure that the compliance training content is timely and the instructors are effective.

Tomorrow, I will consider the evaluation of your compliance training.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016