Gartner senior research director Chris Audet discusses compliance training’s shortcomings here, suggesting a well-designed framework of embedded controls can better mitigate risk by reducing employee burden.
Recently, we at Gartner made the prediction that compliance training budgets will fall 50 percent by 2025. If true, compliance teams must find better ways to achieve compliance objectives. In fact, we’re already seeing a shift from compliance training in favor of increased use of embedded controls. Embedded controls start with a clearer understanding of both risks and employee decision points and can therefore help employees better understand, remember and execute against compliance tasks.
Why Does Traditional Compliance Training Fail?
Let’s define the objective: The purpose of compliance training is to increase employee awareness of compliance obligations and therefore reduce the number of compliance failures. Sounds good on paper, but the fundamental problem with compliance training is that it places a burden on employees. Workers forget what they were taught. They may not recognize when the guidance applies or know how to execute it. Moreover, the effectiveness of both compliance controls and organizational training has, in many cases, been reduced owing to process changes, remote working and other responses to the pandemic.
An April 2021 Gartner survey of 755 employees found that where training is the main method of ensuring compliance, about one in five employees tend to miss at least one compliance obligation in their day-to-day work. We also learned that 32 percent of employees who missed a compliance obligation said they couldn’t find relevant information. A further 20 percent said they didn’t even recognize they required any additional compliance information at that point. Nineteen percent simply forgot altogether. The remaining 29 percent of employees who missed a compliance step said they either didn’t understand (16 percent) or simply failed to execute the step (13 percent).
Here are some of the reasons annual training falls short:
- Over time, employees begin to forget essential issues.
- Employees rarely refer to lengthy training documentation.
- As time passes, employees tend to revert to the most streamlined way to perform their key workplace objectives.
So, the effectiveness of training just once per year, often using remote tools, slowly erodes. But what about training more than once a year? Here the evidence suggests that even if the idea could be sold to functional leaders, additional training tends to lead to assurance fatigue among employees and leadership.
The key issue is that both compliance controls and training create employee burden. The greater the burden, the more employees will fail to understand, remember or execute on the guidance at hand. In short, a reliance on compliance training may create greater risk for an organization.
Why Embedded Controls Are a Better Approach
Embedded controls are built-in, process-based mechanisms that shepherd employees to compliance within their workflows and may be detective, preventive or corrective. Think of a simple nudge, for example.
In other words, the compliance control isn’t something that must be remembered and understood based on a few hours of training taken months ago. The guidance on compliance obligations occurs at the precise moment it is relevant to the employee and the role.
For many compliance teams this is not a new idea; they typically embed controls into processes relating to the highest-risk employee functions, seniority levels and tasks. This is sound logic: Target embedded controls at the areas of greatest risk potential for an organization.
The most compliance-burdened functions from our survey were engineering and research and development, followed by supply chain/procurement and corporate strategy and planning. The most burdened roles were general managers, and the most burdensome tasks were creating marketing requests and third-party risk management. Certainly, these functions and roles are receiving close attention from compliance.
But in designing embedded controls, it will be important to consider potential unintended consequences. For example, when an organization focuses solely on its highest impact risks, employee burden and risk of control failure become greater in other areas.
How to Balance Risk Against Employee Compliance Burdens
The key takeaway is that in the design of control frameworks, compliance teams need to balance both risk and burden. While it is important to cover the top risks adequately, a singular focus on top risks may in fact ignore burden, and therefore risk, in difficult-to-spot areas.
This comes back to the three user experience principles mentioned earlier: Help employees to remember, understand and execute their compliance obligations.
Using an embedded control framework guided by both risk and burden, compliance leaders can:
- Help employees understand their obligations by removing elements that require unnecessary judgement calls. For example, give employees choice-based questions that allow compliance to make an automatic decision or flag the issue for review. Further, embed exception management so employees can loop in compliance if their situation isn’t covered by the control. Also, consider providing multiple compliant options for employees in a control that suit different business preferences.
- Help employees remember by providing controls closer to their decision-making points. That could mean in-the-moment nudges to support decision-making at critical moments. But it could also be achieved by building controls that are well-aligned to the language, style and functional outcomes of the business.
- Help employees execute by baselining compliance requirements that are common to most/all employees, and then allow employees to self-select into more requirements based on their activities, their experience and their roles.
The Best Approach: Training Plus Embedded Controls
The need for training is not going away. But by reducing the compliance burden on employees, organizations will not only need less training but should also experience reduced overall compliance risk. Rates of control failure will be significantly reduced, and compliance teams will be better able to meet their risk mitigation objectives, while at the same time reducing assurance fatigue.