One of the key goals of any compliance program is to train employees in awareness and understanding of the FCPA; your specific company compliance program; and to create and foster a culture of compliance. While it seems axiomatic that compliance training is a mainstay of any best practices compliance program, the conversation around training has evolved over the years. The 2012 FCPA Guidance started the conversation stating:
Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.
Beginning in the fall of 2016, through the announcement of the FCPA Enforcement Pilot Program, the DOJ began to talk about whether you have determined the effectiveness of your training. This conversation continued with the 2017 Evaluation where it asked, “How has the company measured the effectiveness of the training?” This point has bedeviled many compliance professionals yet is now a key metric for the government in evaluating compliance training. It evolved further in the 2019 Guidance with the mandate that training must be “truly effective”. Finally, the training must be presented in a language in which the employees understand, which means in a local language, if the training is outside the US or other non-English-speaking countries.
Also raised in the 2017 Evaluation was the focus of your training programs, where the DOJ inquired into whether your training was “tailored” for the audience. This added two requirements. The first was to assess your employees for risk to determine the type of training you might need to deliver by risk ranking your employees. Obviously, the sales force would be the highest risk but there may be others who are deserving of high-risk training as well. From this risk ranking, you were required to develop tailored training for the risks those employees will face.
The 2019 Guidance spells this out in greater detail. Not only in the design but who receives it, all coupled with backend determination of effectiveness. Finally, all of this must be documented. Under Training and Communication, the following questions were posed by the DOJ:
Risk-Based Training – What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees, including training that addresses risks in the area where the misconduct occurred? Have supervisory employees received different or supplementary training? What analysis has the company undertaken to determine who should be trained and on what subjects?
Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the audience? Is the training provided online or in-person (or both), and what is the company’s rationale for its choice? Has the training addressed lessons learned from prior compliance incidents? How has the company measured the effectiveness of the training? Have employees been tested on what they have learned? How has the company addressed employees who fail all or a portion of the testing?
I would suggest that you start at the beginning with an evaluation of your compliance training and move outward. This means starting with attendance, which many companies tend to overlook. You should determine that all senior management and Board members have attended compliance training. You should review the documentation and confirm attendance. Make your department or group leaders accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.
Some other metrics you should consider in the post-training evaluation phase include an increase in hotline use; are there more calls into the compliance department requesting assistance or even asking questions about compliance? Is there a decrease in compliance violations or other acts of non-compliance?
Consider using surveys to provide feedback on not simply compliance training but to determine effectiveness of a much wider variety of areas for your compliance program. These surveys can provide critical information on the state of your compliance program and provide substantive feedback for further inclusion back into your compliance program. Testing your program and using that information in a feedback loop is another key component of a best practices compliance program.
The importance of determining effectiveness of your compliance program has been enshrined by the DOJ. The 2017 Evaluation and 2019 Guidance demonstrates that the DOJ wants to see evidence of the effectiveness of your compliance program. This is something that many CCOs and compliance professionals still struggle to determine. Both the simple guidelines suggested herein, the more robust assessment and results provide you with a start to fulfill the precepts set out by the DOJ, as you will eventually need to demonstrate the effectiveness of your compliance training going forward.
Three key takeaways:
- How and why have you tailored your compliance training?
- The DOJ has mandated demonstrating the effectiveness of compliance training.
- How is your training presented: both in languages and media?