Noncompliance can cost organizations money in terms of regulatory penalties and direct losses. For example, if a healthcare provider suffers a data breach that exposes patient records, they can be hit with fines for violating HIPAA rules, plus they will need to spend money to clean up the breach, shore up cybersecurity, offer free credit monitoring, and so on.
That’s bad, but the reputational damage can be much worse. Consumers suddenly don’t feel comfortable trusting the provider. Patients are more apt to leave bad online reviews for doctors who had nothing to do with the breach—even if the physicians delivered quality care. People who might have become new patients will instead choose other, perceptibly more trustworthy providers in their networks. And perhaps most distressingly, publicly traded healthcare companies can lose millions in value because shareholders don’t want to be associated with such a noncompliant organization.
A PR disaster has occurred … all because a careless employee didn’t follow a cybersecurity best practice and data was breached. The consequences of noncompliance can last far longer than companies can stomach.
Compliance PR disasters aren’t limited to IT. Embarrassing corporate sexual harassment incidents have led to consumer boycotts. High-profile corruption cases make headlines on business news sources and make people think the offending organization is a bunch of crooks. Employees don’t understand intellectual property, leading to embarrassing lawsuits and the organization being branded as thieves.
Compliance training is supposed to thwart these incidents and scandals, yet organizations still find themselves burned and publicly chastised. The problem isn’t with training as a compliance strategy, but rather how that training is designed and administered. With top-notch, adaptive training that produces behavioral intelligence, the risk of a PR disaster can be greatly reduced.
Participating vs. Understanding
Organizations across a wide range of industries understand the importance of compliance training and provide such education to their employees (sometimes because they are mandated to). Workers participate in the training and usually complete it, but this should be far from a “Mission Accomplished!” moment. Finishing a course doesn’t necessarily mean a user will retain information, understanding, and muscle memory. Some employees participate only begrudgingly and barely bother to pay attention; others tune out because they already know what’s being taught (or took the same course previously). Still others take the course seriously but find the material doesn’t apply or appeal to them and, subsequently, don’t achieve a true understanding. All these users need something more to make the training stick. Without that something, the risk that they will commit a violation increases—as does the overall risk to the organization. So, are current compliance training methods effective? A 2016 survey by Deloitte and Compliance Week found that 30 percent of firms aren’t even trying to measure the effectiveness of their compliance programs.
Maximizing Engagement and Relevance
Organizations wish it were that easy, but giving compliance training to employees isn’t enough in itself to stave off a PR disaster. The courses you provide must excel by being:
- Engaging: A typical, boring course composed of reading a slide or watching a dry video, clicking “next,” and reading the next slide can bore even the most optimistic user. Even quizzes that are meant to introduce some interaction into the training fall short if they are too simple or boring. Great compliance training fully engages the employee and immerses them in the learning experience through active, scenario-based learning.
- Relevant: A rank-and-file employee won’t treat cybersecurity compliance the same way an IT specialist does, just as an IT employee may approach conflict-of-interest training much differently than someone in sales would. Yet, in many compliance tracks, every employee, regardless of role, department, or demographic, receives the same training—and the lack of engagement or comprehension becomes predictable. To get the most from compliance training, employees must feel the content is relevant to their everyday responsibilities.
- Adaptive: Here’s where organizations can really take compliance training to the next level. Courses that automatically and immediately adjust to how the user is interacting get everyone closer to a similar—and advanced—understanding via individualized paths. If someone is struggling with certain compliance concepts, the training delivers additional, more focused material to compensate. If someone is clearly breezing through the course, the training adjusts to fast-track the user through or provoke deeper interaction.
Rethinking compliance training as an opportunity rather than a requirement (even if it’s required) builds real skills and muscle memory for employees, who get more from the experience than just a bunch of rules and admonitions. This transformation can make all the difference; when faced with a decision that potentially runs afoul of good compliance, employees will make the right choice thanks to the engaging, relevant training they received.
Finding the Gaps
Sexual harassment and workplace harassment violations are rarely the result of employee ignorance—even with training, offenders usually know something is wrong and choose the bad behavior anyway. However, in other areas, such as cybersecurity, data privacy, electronic communication, and money laundering, the difference between right and wrong isn’t always so clear-cut.
For example, True Office Learning research found that with our sexual harassment training modules, all users across all industries averaged a 94 percent performance score. In contrast, the score for appropriate electronic communications was 82 percent. The numbers suggest employees know more about what is proper when interacting with coworkers than about what a strong password is.
These examples underscore the importance of data in building, maintaining, and enhancing a compliance training program. Even with engaging courses, gaps may still exist in what employees are internalizing and not internalizing. Robust data—including average performance, time spent on a course, time spent on key questions about policy and best practices, and which questions are proving especially befuddling to employees—identifies those gaps. For example, on our electronic communications scenario, we know passwords are a problem area because only 45 percent of users answered a key question about passwords correctly.
Besides automatically adjusting training mid-course, thorough data helps organizations and compliance officers spot trouble and predict future areas where problems may arise or continue. And learning where gaps exist and taking action before something bad happens is obviously preferable to learning about those problems after a PR disaster has damaged your company’s reputation.