Corporate Compliance Insights

Best Guardrail Against Compliance Failures? Better Embedded Controls — Not More Training.

Well-Designed Control Frameworks Balance Risk While Reducing Employee Burden

by Chris Audet
March 30, 2022
in Compliance

Gartner senior research director Chris Audet discusses compliance training’s shortcomings here, suggesting a well-designed framework of embedded controls can better mitigate risk by reducing employee burden.

Recently, we at Gartner made the prediction that compliance training budgets will fall 50 percent by 2025. If true, compliance teams must find better ways to achieve compliance objectives. In fact, we’re already seeing a shift from compliance training in favor of increased use of embedded controls. Embedded controls start with a clearer understanding of both risks and employee decision points and can therefore help employees better understand, remember and execute against compliance tasks.

Why Does Traditional Compliance Training Fail?

Let’s define the objective: The purpose of compliance training is to increase employee awareness of compliance obligations and therefore reduce the number of compliance failures. Sounds good on paper, but the fundamental problem with compliance training is that it places a burden on employees. Workers can be vulnerable to forgetfulness. They may lack an understanding of when the guidance applies or how to execute. Moreover, the effectiveness of both compliance controls and organizational training has, in many cases, been reduced owing to process changes, remote working and other responses to the pandemic.

An April 2021 Gartner survey of 755 employees found that where training is the main method of ensuring compliance, about one in five employees tend to miss at least one compliance obligation in their day-to-day work. We also learned that 32 percent of employees who missed a compliance obligation said they couldn’t find relevant information. A further 20 percent said they didn’t even recognize they required any additional compliance information at that point. Nineteen percent simply forgot altogether. The remaining 29 percent of employees who missed a compliance step said they either didn’t understand (16 percent) or simply failed to execute the step (13 percent).

Here are some of the reasons annual training falls short:

  • Over time, employees begin to forget essential issues.
  • Employees rarely refer to lengthy training documentation.
  • As time passes, employees tend to revert to the most streamlined way to perform their key workplace objectives.

So, the effectiveness of training just once per year, often using remote tools, slowly erodes. But what about training more than once a year? Here the evidence suggests that even if the idea could be sold to functional leaders, additional training tends to lead to assurance fatigue among employees and leadership.

The key issue is that both compliance controls and training create employee burden. The greater the burden, the more employees will fail to understand, remember or execute on the guidance at hand. In short, a reliance on compliance training may create greater risk for an organization.

Why Embedded Controls Are a Better Approach

Embedded controls are built-in, process-based mechanisms that shepherd employees to compliance within their workflows and may be detective, preventive or corrective. Think of a simple nudge, for example.

In other words, the compliance control isn’t something that must be remembered and understood based on a few hours of training taken months ago. The guidance on compliance obligations occurs at the precise moment it is relevant to the employee and the role.

For many compliance teams this is not a new idea; many typically embed controls into processes relating to the most high-risk employee functions, seniority levels and tasks. This is sound logic: Target embedded controls at the areas of greatest risk potential for an organization.

The most compliance-burdened functions from our survey were engineering and research and development, followed by supply chain/procurement and corporate strategy and planning. The most burdened roles were general managers, and the most burdensome tasks were creating marketing requests and third-party risk management. Certainly, these functions and roles are receiving close attention from compliance.

But in designing embedded controls, it will be important to consider potential unintended consequences. For example, when an organization focuses solely on its highest impact risks, employee burden and risk of control failure become greater in other areas.

How to Balance Risk Against Employee Compliance Burdens

The key takeaway is that in the design of control frameworks, compliance teams need to balance both risk and burden. While important to cover the top risks adequately, a singular focus on top risks may in fact ignore burden, and therefore risks, in difficult-to-spot areas.

This comes back to the three user experience principles mentioned earlier: Help employees to remember, understand and execute their compliance obligations.

Using an embedded control framework guided by both risk and burden, compliance leaders can:

  • Help employees understand their obligations by removing elements that require unnecessary judgement calls. For example, give employees choice-based questions that allow compliance to make an automatic decision or flag the issue for review. Further, embed exception management so employees can loop in compliance if their situation isn’t covered by the control. Also, consider providing multiple compliant options for employees in a control that suit different business preferences.
  • Help employees remember by providing controls closer to their decision-making points. That could mean in-the-moment nudges to support decision-making at critical moments. But it could also be achieved by building controls that are well-aligned to the language, style and functional outcomes of the business.
  • Help employees execute by baselining compliance requirements that are common to most/all employees, and then allow employees to self-select into more requirements based on their activities, their experience and their roles.

The Best Approach: Training Plus Embedded Controls

The need for training is not going away. But by reducing the compliance burden on employees, not only will less training be required, but organizations should also experience reduced overall compliance risk. Rates of control failure will be significantly reduced, and compliance teams will be better able to meet their risk mitigation objectives, while at the same time reducing assurance fatigue.


Tags: Internal Controls, Training
Chris Audet

Chris Audet is a Senior Research Director within Gartner’s Assurance Practice. He is an experienced researcher and advisor across legal and compliance leader initiatives. In his current role, he is the primary research director for compliance leaders, covering topics that include compliance program management, corporate ethics and integrity culture and risk management. Prior to joining Gartner, Chris served general counsel and in-house legal departments in the legal resources department and large law department of the Association of Corporate Counsel.
