Compliance training has a bad reputation, and that’s on us as learning designers or commissioners. For too long, people have focused on the need to tick a box to say training has been delivered. But that ticked box is of little consequence in the face of the huge and long-lasting consequences of a compliance breach. What we should be focusing on is reducing threats, mitigating risks and preventing those breaches happening in the first place. And the only way to do that is with an effective compliance training strategy that engages employees and changes behaviors.
Compliance is a behavior and performance issue
Changing behaviors, you say? Absolutely. That’s the key to doing this well. Most safety incidents, bribery fines and cyber-attacks are the result of human error. What’s more, in many cases those errors are not just unfortunate one-time incidents, but everyday bad habits.
An effective compliance training strategy is one that gets employees on board so that they can identify those bad habits, want to form new behaviors and make the right choices, and are equipped to do so. A people-centered strategy, not a rulebook-led strategy.
Throwing a compliance manual at them is going to hurt (even in a fancy interactive format) and have no lasting impact. Here’s a better way.
Open their eyes and make them care
Ethical decision-making is really at the heart of true compliance. Decisions between doing the right thing and the wrong thing, decisions between taking action and doing nothing, decisions between speaking up and staying quiet. This isn’t about people being able to recite the rules, it’s about individuals taking personal responsibility for their actions and ethical boundaries.
The first challenge to overcome is making people realize that compliance breaches aren’t just something that happen to other people.
Let’s take data protection as an example. Two of the top causes of data security incidents in the UK are sending emails to the wrong person and leaving paperwork or data somewhere insecure. We’ve all done it, right? Instead of subjecting someone to the entirety of the Data Protection Act, ask them outright if they’ve ever sent a message in the wrong WhatsApp chat, hit Reply All instead of just Reply on an email, or forgotten their phone at a friend’s house. This kind of easy, small mistake we all fall victim to is precisely the kind of thing at the root of most data breaches.
Then, make them care. For the vast majority of us, the consequences of these errors are nothing more than a moment of panic and perhaps a little embarrassment. But do it in the wrong context and that small, slip-of-the-finger mistake can cause a whole heap of trouble. In our data protection demo, we use real cases taken from the Information Commissioner’s Office website to share stories of individuals (not businesses) who have drummed up huge fines with exactly that kind of simple error.
This approach works because it taps into emotions. Stella Collins, a learning psychologist, talks more about this in our interview with her, but in a nutshell:
“Emotions make things real…if people don’t have emotions about stuff they find it really hard to make decisions as to whether that’s important or not important. Our emotions help us with that decision-making about what’s worth learning and what’s not worth learning … If you can get people to think ‘wow, that’s a bit scary; I don’t want to do that’ and then give them the steps out – the escape method – that’s a really powerful tool. The next time they see, for instance, a fire door that’s blocked, if they know what the consequences of that could be, they’re going to make sure they remove the obstacle.”
Help them make good choices
So you’ve made your employees sit up and take notice: oh, this matters – this could happen to me. Now it’s time to capitalize on that and create things – experiences, interventions, activities, resources – that will help move them away from everyday habits that expose them and the business to risk, towards actions and behaviors that don’t.
Think about it:
- Will taking a quiz on compliance laws stop someone clicking a dodgy link in an email?
- Does someone need to know GDPR inside-out to stop them being careless with data?
Probably not. Instead, give them that escape route Stella mentioned. Offer up practical tips and genuinely useful materials to help them make the right choices in their role. For example:
- Emails highlighting how to identify rogue communications and what to do instead of clicking on the dodgy link.
- Posters above the office printer asking people if they really need to print that customer data, and reminding them to shred it rather than bin it afterwards.
- A small number of carefully-chosen, action-focused tips in the elearning, directly related to the everyday errors you’ve already described (see our data protection demo again or this risk assessment demo for examples).
You could even find ways to let them make small changes directly within and from the elearning – this privacy module from Facebook lets you review and change your own privacy settings without navigating away from the content.
Give them a chance to practice
Sometimes, of course, you do want to test those choices and behaviors in a safe environment – performance support and job aids alone are not enough. Use realistic, succinct scenarios and a test-first approach – like in this cyber-security module from Savv-e or our personalized compliance assessment – to see how employees respond to situations and then offer up feedback, advice and tips that either reinforce their good choice or redirect them from a bad choice.
This instructional design approach is so much more effective at actually making sure learners know what to do (or not do) than drowning every person in all the content from the outset. This great post from Cathy Moore goes into more detail about why you should present challenges, not policy, in employee training.
Sustain the behavior change over time
When designing your compliance training strategy, take a long term view and consider a campaign approach. These are important topics: you don’t want people to only think about cyber-security or health and safety when they’re sitting in front of your elearning content. You need this to become part of the culture, something that’s visible and embedded. Sustained messaging and spaced practice help with this.
- Create a memorable slogan, character or mnemonic and splash it around liberally – intranet banners, email footers, posters on toilet doors, wherever people will see it.
- After an initial elearning module that provides the affective context, email out interactive challenges every few weeks. Short and straight to their inbox, this can be a frictionless way to reinforce the right behaviors and encourage habit changes.
- Use social polling to broaden people’s minds, like we do in our demo – seeing that most people consider something to be much riskier than you did could spark that ‘aha!’ moment that prompts behavior change.
- Where possible, personalize the way individuals experience the campaign. Let them identify the risks that are most relevant to them or the errors they’re most susceptible to, and then focus the incentivization and practical tips they receive accordingly.
- Consider tackling compliance topics holistically, rather than individually. Most are underpinned by common questions of personal reflection and responsibility and ethical decision-making. A campaign focused on this, rather than the specifics of each topic, could be instrumental in changing attitudes and behaviours.
“If a learner can be persuaded of the significance of something then they will engage in pull-type learning and the need to deliver large amounts of information in formal contexts (such as classroom or online courses) largely disappears … In practice, this means that organizational learning would do better to focus more on the affective context – the reasons why the target audience might care – than the informational content itself, especially in a world where information is freely available” – Nick Shackleton-Jones
Final thoughts on compliance training strategies
Compliance training is not about proving you’ve told your employees something is important and given them the rulebook. It’s about persuading them of the importance of avoiding breaches and of their role in that. It’s about helping them to really understand where and what the risks are and equipping them to minimize and avoid those risks. And it’s about making sure that they will react appropriately if they do see something going wrong.
Personal reflection and recognizing your own ethical boundaries is key to all of this; so a click-through information dump certainly won’t cut it.
For more tips on how to create a winning employee training program, check out our Ultimate Guide to Employee Training!
We can help you do it!
If you think it’s time to breath new life into your digital learning and development strategy, download our free best practice guide. And if you’d like to know more about how Elucidat can help you deliver compliance elearning that engages learners and makes a difference to your business, get in touch today.
- 8 tips to drive performance through scalable learning - March 17, 2020
- Retail staff training ideas for 2020: Five awesome examples - January 10, 2020
- Alternatives to LMS: what, when and why? - November 7, 2019