What Is the Future of Compliance Training? A Q&A with Neha Gupta


What Is the Future of Compliance Training

We sat down with Neha Gupta, CEO of True Office Learning, to discuss the future of compliance training, including how the industry has been impacted by the COVID-19 pandemic.

This interview has been edited for clarity.

How has the compliance world changed since the COVID-19 pandemic? How can compliance become more humanized?

Neha Gupta: We are a lot more comfortable sharing our personal lives now in work conversations than we ever were before. Now, most people will tell you that anybody they do regular conferences with now, they know all their kids, and their pets, and their preferred house robe, you name it. It's really because we're in a new world order. We are in a world where suddenly, no matter who you were, no matter what role you were in, no matter what company you work for, you realize we're all fairly susceptible to the same thing.

There's a shared thread of, hey, if you're out there, you're at risk. So everybody sheltered in place, and that's connected the world in a very different way, but also changed how we look at what's important, how we prioritize and what we are dealing with.

That has huge ramifications for ethics and compliance, because traditionally, for the longest time, compliance could get away with just telling people, "Here's the rule book. Here's the black-and-white letter of the law. This is what our policy says. You're an employee for this company. Your job is to follow policies." That message in today's world would … probably be viewed with a little bit of revolt. It's a little bit like, "Really? A rule book is all you can think about right now, when there is so much going on?"

Now, more than ever, compliance still needs to communicate those messages, still needs to make sure employees recognize that just because we're in the middle of a global pandemic doesn't mean you can bribe people now, or you can harass somebody, or you can not care about the confidential information you may be handling for]a customer or another employee. All of those obligations still exist, and frankly, some new ones have cropped up. I may be concerned about you, but I can't say to somebody for example, "Person X got COVID-19, so they're staying indoors," or "Their family member had this condition for a prolonged time," or "They are immunocompromised, so they're not supposed to be at work, so that's why they're working remote.”

There are a lot of new challenges, both in privacy and discrimination, and unconscious bias. As some people come back to work and some people continue to be remote, it'll be important for all of us to harmonize for that.

Now, humanizing those messages is no longer a choice. It's just, either you are truly going to get ostracized for sticking to what you believed before, or you're going to really wake up and say, "I need to think differently about how to deliver the same information to people, and at the same time, get their attention in what's a very distracted world." I think most of us have somebody or other—family, or a furry friend—running across our screens every now and then, right? Our worlds are inherently more complex and more distracted, our mindshare is much more limited; but how do you trade all that, and still make sure that the message sticks?

A big part of this humanizing compliance is the shift from policy to values, right? And it's going to become really important for people to orient their messages less around saying, "Well, the anti-bribery and corruption policy says you cannot do this," and shift to actually saying, "Doing business ethically, doing it in a way where it's fair and correct, and in accordance with something that we would be comfortable reading in the news about.” That is a much better message now than just focusing on the technicalities of the term.

People are going to continue to talk about risks, continue to talk about the specific things that somebody needs to learn, but it's going to need to be wrapped into this human layer of communication, because now we've opened a door that's very hard to shut again. We finally acknowledged that every employee is as human as they get. They have lives, they have complicated worlds that they're a part of, and we need to make sure that all of compliance's next steps are acknowledging that. 


How does this impact or change compliance policies and training?

This has massive implications for all parts of compliance, including how we think about establishing policies, updating them, and communicating them. Right now, if you send the check-the-box message of, "Here's a policy. We've updated it. Attest that you've read it and you comply with it"—you can go ahead and do that, but I can tell you that the success of that is going to be nonexistent.

It's going to become really important to make sure we make messages very focused, fairly short or fairly simple. And most importantly, we want to make sure that all of the program initiatives become really oriented around behaviors. 

Right now, you don't necessarily want to know a bunch of random information about the disease genealogy of COVID-19. But if somebody sent you an article that says, "Here's how to wash your groceries effectively to avoid COVID-19," you'd probably look at that information very quickly. They're both on the same topic, but the difference between one and the other is [that] the second one is much more about behaviors. What is something you can do differently to make a change? What is something that you can do better or simply, or how can you learn to make a difference in what the outcome is? 

I think compliance has to make that shift as well in all communications, where it's no longer about the policy. It's purely about, "Hey, here's what you can actually do to help protect yourselves and us during this time." That shift into really relevant, real scenarios and situations that people are probably encountering every day is what's going to be the most effective at this time.


How has the pandemic changed risk assessments?

Earlier compliance risk assessments were much more just, "Here's the macro landscape. Here's what's happening in our industry. Here's what's happening in this geography." And they would just stick to that. Now, you actually need to look at your population and make conduct risk a much more significant portion of your risk assessment. 

For example, we're a New York-headquartered company. If we're going to end up having a much larger percentage of our workforce remote, conducting risk is a much bigger challenge for me than somebody who's going to have everybody back in the office in another 30 days. For them, workplace safety risk is a bigger risk than conduct risk, because they're more worried about how they]make sure people stay safe when they come back. So risk assessments have to become much more dynamic, but also much more personal.

There is no longer this broad swath of, "Well, here are the five legal risks we have." It's really, what is your culture? What is the level of unconscious bias in it? What is the kind of remote versus on-site presence you will have? 

These questions are going to drive what's your true risk landscape: Do I have a set of operations where people can truly just stay six feet apart? How will I manage my talent strategy if I have a culture where everybody is in the room around the table, and now I won't allow that? Are there going to be managers that are going to put undue pressure [on] or discriminate against somebody who has a compromised family member and can't show up at that room? How do I guard against that to not have essentially a major discrimination lawsuit on my hands down the line? So we're going to see that lens. 

The reason why the humanizing angle is important is it's not just in getting the employees to listen to you. It's also about you beginning to listen to employees. You want to strike a conversation now. It has to be two-way so that when that manager is struggling, or when that employee says on that conference call, "Hey, there is something happening that shouldn't be happening," they don't just put it aside, but they actually reach out to you and say, "Hey, this looks like a gray area to me. What should really happen here?" 

Because earlier, just by function of being on-site, there could be a lot more oversight, and people kind of [watched] over each other. Bystander intervention is still a little bit harder because it's less of an effort. You could knock on your manager's door and have a conversation confidentially. Now, you have to set up a phone call, get on a video conference, have a conversation and say, "Hey, I think I heard this, which might not be right." So how do you help empower people, as well? The more human the approach to compliance, the easier it will be for people to take that value system on board.


Where can compliance teams balance investing in content with investing in technology?

When you start talking about humanizing compliance, suddenly it seems like the content really counts. The message becomes so much more important now than just making sure that it gets to somebody. 

The ideal world is still that you have the right content using the right delivery method because what's going to increase is the appetite, but the bandwidth for people to consume information is going to be lower. Measurement is going to become that much more important in figuring out what message you need to get to people.

Now it's not, "Let me do one email a week on a random topic and send it to everybody—about antitrust, and then about conflicts of interest, and then about anti-corruption," and so on. What you want to do now instead is actually use technology … package up all those messages into one module, or one experience, but let the role-based or risk-based mapping that technology can handle. … Technology can do all that, where all three of us don't get hit with messages that aren't relevant to us. 

I think getting smarter in using technology to help us manage that workflow will become more important. Risk-based mapping is going to be so critical. You can do it manually, but it's just really painful to do it manually, which is why most people prefer a one-size-fits-all [solution]. Let's just spray and pray, and hope it works. The challenge is now, with such limited bandwidth and attention span, the spray and pray is really just not going to work. You're going to lose the audience very, very quickly.


How do you do this effectively? What actionable steps can you take to make this shift? 

I think very few people will disagree that they need to do this. Most people don't do it because they don't know how to do it. The easiest way to humanize the message right now is to ask: Is it relevant? Is it something that draws emotion or action? Is it to the point? 

So think about the first question, “Is it relevant?” That's where something like a job aid [can help], right? Or a quick infographic on "Here's how to do this in ..." or "Here are three [red] flags to watch out for," for that conflict of interest situation or for truth in marketing. For example, we offer Broadcat for that reason … Here's something that's very relevant, that's ready so you can actually use it for operations, to understand very quickly what are the things to do and avoid.

The second question is, “Is it short and is it to the point of evoking emotion or action?” We're leveraging Gary Turk, who's a spoken word artist out of the UK, to create a values-based message. Not [to say], “You should do this because this is the law, and you'll get in trouble if you don't do this by the law,” but to say, "Don't you want to live in a world that's fair and that's doing the right thing? And how important it is for each of us in our actions?" That changes the world when it comes to speaking up, when it comes to making the right ethical choice, when it comes to avoiding unconscious bias, when it comes to avoiding that conflict by using these mediums that are nontraditional.

Often, it's easy to say, "Everything should be a 10-slide PowerPoint," or, "Oh, no, we should just do a one-hour WebEx," and just talk at people. We want to shift that and start talking to people, providing them with more tools rather than providing just information. 

I think the ... biggest way to answer the third question, “Is it to the point?” is to leverage the concept of using, again, ideally AI-enabled, but at minimum measurable microlearning, right? And I say measurable because you may think this message is important, and an employee needs that information on conflicts of interest. That employee may know that information already really, really well. When you see that measurement come back, don't just keep drilling that now. Ideally, use technology to say, "Nope, that message has already really hit home. The employee really knows that. Let me focus on what's the next biggest risk for them, instead."

Our hope is that those organizations are there already. These things are not going to be able to replace the need for formalized training and learning around the important topics that one needs to cover. 

It's really important, if their approach to training isn't already fully scenario-based or simulation-based—if it isn't already taking risks into account or using performance and behavioral insights trends—that they really make that shift now. If the learning journey is personal and they can reduce the amount of time somebody has to spend in training, right now that's going to be worth its weight in gold. Because again, people are so short on time and attention span [that it would be counterproductive to] make them go through unnecessary training.  

About 35 percent of all compliance training people take is actually not meaningful for them. It's either because they really know it or it's one-size-fits-all. It's not even relevant to them. It's going to become really important to get rid of that.

And if you don't want to use adaptive learning, even if you're doing this series of burst-learning, there are a few ways to do it. Obviously, adaptive is less manual. It uses technology more to your advantage to drive that journey. Otherwise, one of the other things that a lot of organizations can do to humanize compliance—it's very intensive if they want to [and may not be] tactically possible for everybody—is to open up more informal collaboration forums. 

A lot of compliance teams can do web-based, open Q&A sessions, or weekly power hours, or something where a few of the compliance teams in different rooms and different businesses are just available to answer questions, or they're sharing insights about a couple of stories that have really resonated. So those are the things that would be the most critical.


You spoke about risk-based mapping earlier, tell us more about how technology can help teams be more efficient and effective in the current environment.

Without technology, it's almost impossible for a modern organization to track efficacy. Even a really low-level metric like completions, 99 percent organizations track that through a technology portal called the LMS, because just tracking that across tens of thousands or hundreds of thousands of people across so many geographic locations, there's just no good manual way to do it right. So technology is absolutely the first step in being able to do anything at scale.

But if you're using true software, it opens up the journey for it to not just be a one-way dialogue where you're just presenting information. Now, it's a two-way dialogue, because the software is also intelligently making decisions based on what the learner’s doing in the experience as a learner-centric learning journey. Everything that the learner’s doing is now available for the software to capture, to analyze, and to really utilize to give you trends and insight about that learner that you previously would never see or know about. Also, more importantly, now that data can be used in a way where it doesn't just end with that learning experience. The next time the learner engages in a learning experience, that data can help inform what that learning experience for each individual learner should be like. 

It’s where you can use a lot of artificial intelligence; when you have that kind of technology, data is that next learning experience, even though you deploy the same learning experience to everybody. It automatically looks up the learner’s past and changes what components the learner sees in real time. Now, imagine trying to do that manually. You couldn't measure the effectiveness or personalize it that way for 10,000 people, forget hundreds of thousands of people around the globe.

That's one of the reasons why, again, the emphasis on the biggest shift in the compliance training industry has to be from the focus on great content packaged up for just being able to play to great technology combined with great content. The foundation has to now be technology, rather than content. 


It seems we're talking about people actually learning something, but also connecting to something emotionally and raising their sort of emotional intelligence (EQ) around certain work topics in a very different way.

We've really gone from the information age to the behaviors age. That EQ journey is going to be the difference between successful leaders and companies and failing leaders and companies.

Compliance Training Program Guide


Subscribe Here!