4 core elements of compliance training that meets regulator expectations

Michael Volkov

A compliant-conscious culture has long been recognized in industry literature as an indispensable component of organizations operating at a higher caliber.

Creating — and maintaining — a culture of compliance, where concerns are voiced, countenanced and addressed, engenders employee trust and creates an atmosphere that largely prevents both ethical and legal infractions.

It is justifiable, then, that so much of industry literature encourages organizations to view compliance as a core operational consideration, as opposed to a commercial impediment. In this vein, compliance is seen as driving efficiency, integrity and cooperation — all hallmarks of a thriving organization.

But none of this would be possible without proper training. While sometimes overlooked, regulator and enforcement authority guidance has repeatedly emphasized the import of training to the overall effectiveness of a corporate compliance program.  

Emerging regulator expectations 

Among other things, the U.S. Department of Justice (“DOJ”) Criminal Division’s much-heralded guidance concerning the Evaluation of Corporate Compliance Programs (“CCP Guidance”) — last updated in March 2023 — gives voice to federal government expectations of all corporations operating in the United States or with any nexus thereto.  

In this vein, the CCP Guidance is empathic in stating that a signature feature of a “well-designed compliance program is appropriate tailored training and [related] communications.” A well-designed program in this regard consists of:  

  1. Risk-based training customized to the actual function of the employee in question, along with more specific training for “high-risk and control employees,” and appropriate training for supervisors and senior management;  

  1. Training that is customized to the corporate audience in terms of language, accessibility, the opportunity for real-time interaction, and assessment involving employee retention and feedback;   

  1. Communication of instances of internal misconduct that resulted in disciplinary action of an organization’s personnel (especially those occupying positions of authority) if need be, in anonymized form; and  

  1. The availability of resources to employees requiring guidance concerning any facet of the organization’s ethics and compliance program, along with periodic evaluation of whether employees know when to seek advice, and if they would, in fact, be willing to do so.  

U.S. government expectations are not the only considerations that organizations with international exposure should pay heed to. As the European Union (“EU”), Norway and Germany (among others) implement their own due diligence directives with respect to visibility into organizational supply chains and the reduction or elimination of human rights and environmental abuses, an organization’s personnel must be trained to identify those abuses by conducting more in-depth due diligence, and where necessary, using contractual means to obligate third party partners to end the abusive practices altogether.

As the administrative agencies responsible for the enforcement of these new directives deal with the practicalities of the legislation, we can expect the issuance of concrete guidance that instructs organizations on how to fulfill their obligations under those regimes.

A key consideration that precedes the implementation of training is planning. As the CCP Guidance emphasizes, organizations must undertake a detailed analysis to ascertain who should be training and on what subjects. The most reliable source of this information is likely to come from an organization’s own periodic risk assessment, from analysis of reports elicited from a company’s confidential reporting hotline, and consideration of recent enforcement actions in areas closely related to an organization’s area of expertise.

Simply adopting training for its own sake is an ineffective strategy that will not satisfy regulatory expectations. Even where the pace of implementation is fragmented due to fiscal or operational constraints, the compliance function — in tandem with the organization’s senior leadership and members of the board of directors — are charged with developing and documenting areas where employee training is critical to mitigate the potential for regulatory or legal infractions. 

The 4 core elements of effective training 

As mentioned above, one core element of corporate compliance training is materiality. What may be relevant for one organization may be totally irrelevant for another. For example, a domestic manufacturing company that produces components distributed wholly within the United States is unlikely to need export control training, unless the company plans on international market expansion at some point in the future. Similarly, a domestic company operating on a local basis with no branches in foreign jurisdictions need not prioritize anti-bribery and corruption concerns — primarily in relation to the applicability of the U.S. Foreign Corrupt Practices Act (“FCPA”) as staples of their training programs. Conversely, a manufacturing organization with significant international ties should prioritize both export compliance and anti-bribery and corruption training as foundational concerns that should be addressed on an initial and recurring basis.

The second concept to consider in the context of training is meticulous planning. As previously discussed, regulator expectations are that organizations consciously consider what training to implement, when to adopt it and to whom it should be directed. Merely adopting a one-size-fits-all suite of trainings is insufficient to satisfy government expectations and could even serve as an aggravating factor, should an enforcement action find that a root cause of a compliance failure is deficient training. Rather than unveiling a portfolio of training regimens that are too generic, or worse, wholly inapplicable or inappropriate for the corporate audience in question, the compliance function, aided by members of the human resources team, should carefully construct a training plan that accounts for the content to be covered, the intended audience for the content and the format in which the content will be delivered.

A third consideration in relation to training is availability. Given the fact that organizations increasingly operate at global scale, the ability to conduct real-time, in person training is a challenge for compliance functions operating across multiple time zones. While compliance functions with regional presences can more easily adapt to different schedules, best practices dictate that compliance training should be administered via state-of-the-art interactive content that can be hosted on an organization’s learning management solution (“LMS”) or via an external portal. Increasingly, robust resource libraries developed by compliance content providers can be adopted and configured for specific use in line with an organization’s operations and expectations. The best of these platforms thus combine in-depth coverage of the topic with real-time scenarios that engage the learner with situations they are likely to encounter in their daily occupations.

Finally, it goes without saying that training can be implemented gradually. Organizations are frequently tempted to adopt a full course of materials that may or may not be relevant to their operations. However, for organizations operating under fiscal constraints, a more prudent course of action involves identifying the core compliance needs of the corporation, and implementing a regimen of training around those areas. The compliance function can then work with the business to adopt a multi-year plan to phase in other training deemed desirable or even required of an organization operating in a particular sector. Having access to a customizable library of training content to select from makes this gradual rollout easy to manage and track. The key here is not to make perfect the enemy of the good. While regulators and enforcement authorities are expecting action, they are not expecting perfection.  

The bottom line for training 

Generally speaking, an ounce of prevention is worth a pound of cure. But in a compliance context, an ounce of prevention is now worth a treasure trove of gold.

Organizations that can demonstrate a commitment to continuous improvement by adopting appropriate training and delivering it effectively can qualify for mitigation credit in the context of any enforcement proceeding.

Businesses can further mitigate the risk of a regulatory infraction in the first place by partnering with reputable compliance training solution providers who offer the most up-to-date training that can be configured to meet an organization’s needs, can be accessed electronically, and can be every bit as interactive – and effective – as in-person training.

Learn more about increasing the defensibility of your compliance training program. 

Forge a Path to Better Decision-Making
This guide outlines best practices for risk, audit & compliance professionals to communicate with their boards.
Background image
Related Insights
Michael Volkov
Michael Volkov specializes in ethics and compliance, white collar defense, government investigations and internal investigations. Michael devotes a significant portion of his practice to anti-corruption, sanctions, trade, antitrust and AML compliance and defense. He regularly assists clients on FCPA, UK Bribery Act, AML, OFAC, export-import, securities fraud and other issues. Prior to launching his own law firm, Michael was a a partner at LeClairRyan (2012-2013), Mayer Brown (2010-2012) and Dickinson Wright (2008-2010); Deputy Assistant Attorney General in the Department of Justice (2008); Chief Counsel, Subcommittee on Crime, Terrorism and Homeland Security, House Judiciary Committee (2005-2008); Counsel, Senate Judiciary Committee (2003-2005); Assistant US Attorney, United States Attorney's Office for the District of Columbia (1989-2005); and a Trial Attorney, Antitrust Division, United States Department of Justice (1985-1989).