Wednesday, 15 August 2012

Compliance Training: does it really work?

Until relatively recently I’d bought into the argument that organising regulatory and compliance training is one of the important and necessary tasks for an L&D department.

Virtually every organisation has regulatory and compliance requirements it needs to meet. In highly regulated industries even more so.

So it seemed sensible then that part of the obligation should fall on L&D to train employees to understand what’s expected of them to be compliant in their work.

However, in light of experience I’ve come to ask myself whether compliance training has any real effect at all. Or is it mainly a waste of time, effort and the (vast amount of) money spent on it?

The answers I’ve found have been quite enlightening.

One way in which compliance training works

Compliance training undoubtedly works in one way. That is to ensure the right ‘boxes are ticked’ should something go awry.  Rather as support for the ‘we followed orders’ defence.  This is often the situation found in the wake of some non-compliant act that had led to an unwanted occurrence. The question as to whether the organisation has followed statutory or relevant professional body compliance training guidelines is often the first one raised.  Organisations produce their records of compliance training to be used as part of the defence.

In other words compliance training is useful as a back-stop to help avoid financial sanctions and, at worst, the CEO or Chairman ending up in front of a jury and possibly in prison (in the past a number have). Sometimes this ‘defensive compliance’ strategy works. Increasingly it doesn’t.

But does it actually improve compliance and lower the number of non-compliant acts?

The evidence

Certainly the evidence seems to indicate that the related domain of diversity training has little or no effect. Peter Bregman’s March 2012 article in the Harvard Business Review states the case that diversity training doesn’t extinguish prejudice. In fact, it promotes it. Bregman cites a study of 829 companies over 31 years that showed diversity training had "no positive effects in the average workplace."

If diversity training has no impact, or even negative impact, is compliance training in the same boat? If so, what are the alternatives?

A study by Yassi, Bryce, Maultsaid, Lauscher, and Zhao in the Canadian healthcare service showed that requiring completion of an online compliance module, rather than simply encouraging completion and allowing voluntary access, generated a higher intention to comply. So this might suggest that mandatory compliance training is a good thing.  But the difference was simply in the intention to comply, rather than compliance itself.

On the other hand Jeff Kaplan, a US lawyer and national expert in compliance and ethics, reports major problems with compliance training, especially online training. Kaplan found:

“An employee of a global company recently told me “In Europe, people pay their children to click through it” and at another company the phrase “mind numbing” was used to describe such training.  (Indeed, a lawyer whose full-time job had been developing on-line Compliance and Ethics training recently told me he doubted its efficacy.)   And, not infrequently, in-person training is criticized as well.”

Kaplan goes on to say:

“None of this should be surprising.  From a design perspective, training is often created in an utterly wholesale manner, so that, for instance, salespeople, those in finance and senior managers are all being given the same FCPA training even though their risks and responsibilities differ significantly.  Perhaps worse, from a deployment perspective, training is often disconnected from risk-causing events or other contexts in which Compliance & Ethics messages could be more effectively conveyed.”

There’s also another set of fundamental problems I’ll discuss below. But before getting into those, it’s worth thinking about environments where compliance is seen to be critical – in highly regulated industries.

Highly Regulated. Highly Compliant?

Even in the recent past our press reports have been littered with highly regulated industries behaving in absolutely non-compliant ways on a huge scale. Just this week Standard Chartered Bank has agreed to pay a $340m fine for its alleged breaches of US sanctions that US regulators claimed left the financial system vulnerable to corrupt regimes and weapons and drug dealers. And there may be more sanctions and fines still to come for Standard Chartered.

Before Standard Chartered came Barclays (‘Barclays had a culture of gaming – and of gaming us’ said Andrew Bailey, the top banking regulator at the UK Financial Services Authority). Along with HSBC and others with their manipulation of the LIBOR rates. A damning report by the US Senate concluded that HSBC had a “pervasively polluted” culture, and that the bank’s Head of Compliance warned the CEO of non-compliant activities, but Lord Green, the then-CEO, took no action.

In July the economist David Blanchflower declared that in the wake of the interest rate fixing scandal “there are no longer any UK bankers who are credible candidates to become the next Governor of the Bank of England.”

And it’s not just the banking industry.

There’s the Energy industry, with the disaster and fines encountered by BP and its sub-contractors in the Deepwater Horizon spill. The death of 11 men and extensive damage to marine and wildlife is simply another example of disasters resulting from non-compliance in what is supposed to be a highly regulated industry.

The report on the causes of the spill by the White House Oil Spill Commission blamed BP and its partners for making a series of cost-cutting decisions and the lack of a system to ensure well safety. The Commission also concluded the spill was not an isolated incident caused by "rogue industry or government officials", but that "the root causes are systemic and, absent significant reform in both industry practices and government policies, might well recur".

BP set up a $20 billion compensation fund which has had more than one million claims to date, with more still coming in.

The pharmaceutical industry, another one where regulation and compliance is held as paramount on every executive’s lips, has its share of high-impact non-compliance incidents. Just last month GlaxoSmithKline was instructed to pay $3bn in the largest healthcare fraud settlement in US history. GSK pleaded guilty to promoting drugs for unapproved uses and failing to report safety data to the Food and Drug Administration. Does GSK have a comprehensive programme of compliance training? You bet it does.

The list of non-compliance incidents in highly regulated industries could go on almost ad infinitum.

Non-compliance is equally rife in not so regulated industries. It’s hardly worth starting on issues encountered in the media industry, in Mr Murdoch’s empire and elsewhere.

But what does all this tell us?

Just a waste of time, effort and money?

Actually, it tells us a lot. It gets to the heart of what effective compliance training and approaches should be all about.

In his HBR article Jeff Kaplan reported a study that found the ‘decoupling of compliance training from sales activities’ in financial services firms was at the heart of many of the problems and was seen as having contributed to the misconduct at issue.

We need to step back from the standard knee-jerk response that compliance training is a necessary and effective way (and often the only way) of improving levels of compliance, and that there is no alternative open to us. There seems to be little evidence to support the link between compliant behaviour and current standard compliance training approaches. In fact some of the evidence indicates the contra-argument.

In other words it is likely that most of the time, effort and money spent on compliance training is simply being wasted. At best it’s a security blanket. At worst it promotes non-compliant behaviour. Even paper-waving training records in front of judges and national commissions no longer holds much sway.

Existing evidence points to a situation where most companies would be better off simply ditching their existing compliance training efforts wherever they can, and making mandatory training as fast and simple as possible. Maybe even encouraging the behaviours Jeff Kaplan reports above – getting children to click through the training to get a tick in the LMS box with as little thought and effort as possible.

So, is there a better way?

Effective compliance training

There is, and it involves something other than running endless compliance training courses.

First we need to start thinking about ways in which compliant behaviour is best encouraged.

The main objective for any organisational learning is to engender behaviour change. After all what is ‘learning’ if it isn’t changing and adapting behaviour to achieve different and, hopefully, better outcomes of action? Many seem to have forgotten this when they think about compliance challenges. When dealing with compliance training often the process becomes more important than the results, and training becomes the only club in the bag to deliver the process.

If training is to be used, it should be focused on changing behaviours. Testing short-term recall following some compliance training event won’t do that no matter what the regulatory bodies who define the ‘compliance curriculum’ say.  We need a different approach.

Compliance training needs to be top-down

There seems to be a common thread that runs through almost all high-profile compliance catastrophes. It is that the top-tier executives and middle managers in the organisations simply didn’t model the behaviours that would lead to a culture of compliance.

Take perceived value of employees. If you’re working in an organisation where the CEO is being paid many $millions and where the differential between top executive remuneration and bottom-tier worker pay is huge, why would you expect a culture of compliance to exist? Humans don’t work that way.

If you’re driven by extremely challenging targets and eye-watering potential rewards if you deliver value and profit for your organisation no matter what, why should your organisation expect you to be 100% compliant? If you can cut corners it’s likely that you will. Humans often work that way.

What about where employee treatment is differentiated on rigid hierarchical lines – where ‘masters of the universe’ rule, or where there is a culture of ‘it’s OK to say one thing and do another’? If people see their leaders as ‘different’ and disengaged from them they themselves are less likely to be engaged with the organisation. Less engaged workers are less likely to be compliant with standards and regulations.  That goes for senior as well as junior team members.

Organisations where leaders model the compliant behaviours they would like to see across the workforce are far more likely to display those behaviours across all levels.

Take the John Lewis Partnership in the UK, for example. This is an organisation that’s been built on the concept of fairness. ‘Never knowingly undersold’ is one credo that John Lewis has lived by since 1925. But behind that is a successful employee-owned business. More than 28% of stock ‘shrinkage’ in UK retail is due to internal theft – employees taking things. At John Lewis employees are ‘partners’ and own a share in the company. Even if you’re simply stacking the shelves you share a common goal with the company to safeguard profit. Low levels of internal theft are the result at John Lewis. Far below the average for the retail sector as a whole. I recall a John Lewis employee speaking about a colleague who had been discovered removing items from the Shepherd’s Bush, London, store. Her view was that the colleague was ‘stealing from us all’ and the policy of instant dismissal, with all shares and other benefits removed, should be enacted forthwith.  ‘We don’t do that stuff around here’ she said.

This view is common across the John Lewis partnership. Employees are engaged, so they value compliant behaviours, and will speak up when they see others being non-compliant. 

In the recent banking scandals, even senior managers didn’t speak up when they knew about non-compliant behaviour.  No amount of compliance training will change that. 

So where does this leave compliance training?

It certainly doesn’t mean compliance training isn't necessary at all. But it does mean that it’s likely to be far removed from the vast majority which currently exists, and that much of the future activity and focus to improve compliance won’t be through ‘training’.

Firstly, any formal compliance training should be led by senior managers and actively supported by executives. Not simply by leaders issuing homilies from afar, but by them ‘walking the walk’ and ‘talking the talk’. By modelling compliant behaviour themselves. By ensuring that everyone understands that employee fairness and ‘doing the right thing’ is at the core of their organisations. By ensuring that fairness is demonstrated across their workforces. Not by employees being told that’s the case, but by them seeing it with their own eyes.

Together with any formal training, at the top of every executive and manager’s priorities should be the encouragement and participation in awareness-raising about compliance and expected behaviours. If it isn’t then they shouldn’t be surprised to find non-compliance rife no matter how many compliance training programmes employees have been compelled to attend or complete.

The implications

As Ross Dawson points out in his ‘12 Themes for 2012’, reputations are more visible and vulnerable than ever before. We all know that. Reputations can and will be trashed in moments, especially with the increased pervasiveness of social media as a way for individuals to get a hearing. The era where the powerful controlled the distribution of information is well and truly over. Organisations large and small will increasingly have their innermost secrets washed in public.  Organisations that behave badly will be exposed. Compliant behaviour will become even more critical for survival for many organisations. And non-compliant behaviour will become ever more difficult to brush under the carpet.

So, we’d better get our approaches to compliance right. Some training may be needed, but it will never be sufficient.

To give Jeff Kaplan the last word on the training element:

“What, then, will the future of Compliance & Ethics training and other communications look like? Very possibly, the “same as it ever was” – because many companies simply do not push for excellence and innovation in Compliance & Ethics program matters (the way they do for corporate functions more traditionally seen as mission critical, such as sales). Indeed, it is not only businesses actively engaged in bribery that pursue Compliance & Ethics “half measures.”

“But for organizations with a dynamic – and truly risk-focused – view of Compliance & Ethics programs, the path is clear: training should be developed in a far more granular way than it currently is and deployed when, where and how it can make the most difference.  After all, if Compliance & Ethics risks can evolve – which they do all the time – so can training.”