In this episode of Excellence in Training, Tom Fox and Shawn Rogers consider the question: just how does a company create a comprehensive compliance training program that covers its complete risk profile? Any large company faces many legal and regulatory risks, and often many of those risks are “owned” by organizations that are outside of the compliance function. This is a huge challenge for a company the size of GM. But I think this is probably faced by most companies.
A large company will inevitably have a broad risk portfolio, and, typically, many of the risks will not be “owned” by the Corporate Compliance Function. This presents a real challenge when you are trying to create a comprehensive compliance training program that covers all of the legal and regulatory risks faced by a company.
To illustrate the challenge, consider some of the companies that have been in the headlines recently. First, Walmart. As we know, Walmart’s issues related to violations of the Foreign Corrupt Practices Act. In all of the companies I’ve worked with, compliance with the FCPA was the responsibility of the corporate compliance function.
But then there’s Boeing. Boeing is in hot water right now, but its issues are with the safety of its airliners. I can almost guarantee that the product safety risk is not directly “owned” by the compliance function. Then there’s Facebook with its issues relating to data privacy. That risk is probably managed by a separate privacy function.
So, how do you create a risk-based compliance training program that addresses ALL of a company’s legal and regulatory risks, including the risks that are “owned” outside of the established compliance function?
One possible approach is to establish a corporate compliance training governance committee that looks at the company’s overall risk profile and builds a cross-functional and comprehensive multi-year training plan that effectively addresses all of the risks in a company’s risk portfolio. This is what we’ve tried to do at GM.
What advantages does a formal governance structure provide?
The biggest advantage is that you end up with a program that truly covers all of the company’s main compliance risks. In other words, you establish a truly risk-based program. (You don’t want a gap in your compliance training program. That will come back to bite you if you have a violation that wasn’t addressed by the training program.)
Second, it allows every individual risk-owning stakeholder to see how their risk stacks up against the entire risk portfolio. They understand that while their specific risk topic is vitally important, there are also other risks that are equally or more important. This lends itself to a negotiated and coordinated solution for the risk managers, and it leads to a measured and balanced program for the learning audience.
Third, it lets you drive standards across all of the courses. One of the biggest frustrations for learners is taking multiple required courses, all done by different vendors, all with different interfaces and different approaches to presenting the material. A governance team can agree to all use the same vendor, translate the courses into the same languages, follow similar presentation styles, and present a united front to the learning audience.
Finally, it promotes efficiency by eliminating redundancy across the courses and allows for cross-course coordination. For example, we found that there are some common learning objectives that cut across cybersecurity, data privacy, and information lifecycle management.
How do you set up a cross-functional governance team?
First, you need to identify your leaders — the individuals who will have ultimate decision-making authority. At GM, we identified co-chairpersons for the compliance training governance committee — our Chief Compliance Officer and Chief Talent Officer. The CCO brings expertise about the company-wide risks, and the CTO brings expertise about quality training programs.
Second, you need to identify the representatives of the various risk-owning organizations. For GM, that meant we selected representatives from the Compliance organization, Product Safety, Workplace Safety, Information Technology, Data Privacy, Human Resources, Marketing, and Legal. These representatives were typically the individuals tasked with training responsibilities in those organizations, and either served as subject matter experts or were well-connected to subject matter experts.
Third, you need to identify representatives to sit on the committee from the supporting organizations. At GM, that meant we brought in representatives from the organization that manages the Learning Management System and the Communications team. These groups are critical, because without effective deployment, management, reporting, and communications, you can’t run an effective training campaign.
So, with the members selected, how do you actually run the governance program?
I think it starts with a charter that clearly sets out the objectives of the governance team, the roles and responsibilities, and the meeting cadence.
We created a formal charter that the group agreed on. We meet quarterly for an hour. As the counsel for compliance training and communications, I act as the secretary to the committee. I work with the stakeholders to come up with the agenda and I run the meeting. Typically the topics will include:
- Review and approve the rolling three-year training calendar
- Discuss any new emerging issues that might need to be addressed in the training program
- Receive completion reports for the current training campaign
- Discuss system issues, changes, and upgrades
- Review and approve any changes and waivers of training requirements
- Evaluate training vendors
- Review learner feedback
- Suggest improvements
So, does it really work?
Yes! Emphatically yes!
With the leadership and cooperation of the stakeholders, we have been able to effectively establish a multi-year training plan, select some excellent vendors, and create some high-quality courses. (That’s not my opinion, that’s what our course surveys are telling us.)
One of the biggest benefits has been the predictability that it has brought to the compliance training program. Every stakeholder from a risk-owning organization knows exactly when his or her function will have their course deployed over the three-year calendar. They can plan resources, they have a long lead-time to develop the courses, and during their off-years they can do communications campaigns and events to keep their risk top-of-mind.
This also helps us “swat down” what I call “rogue courses” that will always pop up in a company. For example, a function will want their specific specialized course to be deployed to all employees globally. We can kindly explain that this request needs to go through the governance process, we can clearly explain the requirements to get their course in the program, and we can suggest alternatives if their specific topic does not really rise to the level of criticality required to ask all employees to take the course.