You may have heard of Siemens, Germany’s mammoth technology conglomerate with a wooly paw in everything from power plants to trains. They are described in many ways, such as the international energy giant pioneering new electric highway technology. Or the global industrial behemoth using AI to create futuristic factories operated by robots.
Back in the late-aughts, the Department of Justice and the Securities and Exchange Commission charged Siemens with violating the Foreign Corrupt Practices Act, also known as FCPA. The FPCA makes clear that it is not ok to bribe government officials outside the U.S. for business gain.
The government claimed that Siemens intentionally and methodically paid officials across the globe to help them get or keep business in their countries. Projects like metro transit lines in Venezuela, power plants in Israel, refineries in Mexico, mobile telephone networks in Bangladesh, national identity cards in Argentina, power stations and equipment in Iraq, medical devices in Vietnam, China, and Russia.
All this amounted to around a billion dollars in profits for Siemens. Roughly the same amount they settled on paying in fines to the U.S. and Germany.
What does this have to do with compliance training programs, you wonder? The charges exposed Siemens’ failure to implement an effective FPCA compliance program, specifically calling out their deficient global compliance training. Rarely do regulators shine the spotlight on compliance training, so when they do, it tends to make headlines. In this case, compliance training took center stage for its role—or lack thereof—in establishing and reinforcing a culture of compliance at Siemens.
Regulators referred to Siemens’ approach to compliance as a “paper program”—talking the talk with its policies but not walking the walk by providing adequate compliance training.
So, how can you analyze your corporate compliance training programs to keep your company in compliance and out of trouble with regulators? Not without collecting data and identifying metrics for analysis.
Data & Metrics
Dig up the data that matters: metrics. The metrics used to measure your program should reflect two things. One, the quality of a training module—how appropriate and valuable the content is relative to the learners, training goals, or objectives. And two, the effectiveness of the training.
Effectiveness doesn’t mean how much employees learn from the training. Regulators don’t mandate training so that employees gain the ability to recite policies. Regulators mandate training to ensure employees put policies into practice, to execute the tasks and activities that perpetuate a compliant workplace. In the case of Siemens, so employees learn how to prevent, detect, and report misconduct.
The right metrics will tell you whether or not your training is decreasing risk and improving outcomes. But how do you select those metrics let alone find the data that provides them? Start with the first part of that question—figuring out what to measure.
- How does your organization define “decreased risk” and “improved outcomes?”
- What does decreased risk look like to you?
- What outcomes do you want to improve?
For measurement to be meaningful, it needs to connect to a specific result. For Siemens, this meant measuring employees’ understanding of anti-bribery policies as demonstrated by their ability to detect bribery and report misconduct. Decreased risk looked like their employees’ ability to spot corruption red flags and then inform appropriate personnel. The outcome they needed to improve was their management’s ability to investigate and respond to those red flags.
This isn’t rocket science. As we’ve mentioned before, when dealing with regulatory requirements, you start with the words. Read what the regulation says about minimizing risk or appropriate outcomes. Then, review what your regulator publishes on an annual basis regarding their audit or inspection focus areas. The U.S. Securities and Exchange Commission (SEC) publishes its examination priorities at the beginning of each year. The Occupational Safety and Health Administration (OSHA) also releases a regulatory agenda annually.
Regulatory documents like these tell you what regulators will look at if they show up at your door. If you want your compliance curriculum to decrease risk, make sure it covers these topics.
Next, review anything your regulator publishes on a quarterly or more recent basis regarding your peer companies’ bad behaviors. These might include disciplinary actions, enforcement cases, compliance directives, letters of interpretation, and industry alerts. Not only does this help you anticipate where your regulator might focus next, it also provides insight on which metrics regulators pay attention to at companies like yours.
The bigger challenge comes once you’ve settled on measures. Hunting down company data that helps you measure compliance can be hard. Gathering that data can be harder. Find the point people in your legal or compliance departments who track internal and external audits and inspections and ask them to share those reports with you. This data is excellent for pinpointing specific areas of improvement that can be impacted by training. Other useful sources of internal data include accident or injury reports, incident investigation reports, and misconduct reports.
Take these five steps to ensure your compliance curriculum is not just a “paper program.”
In Siemens case, they needed to measure their employees’ ability to identify and report red flags and the company’s ability to investigate and respond. Here’s how a compliance training manager might tackle this challenge:
- A compliance training manager starts by looking at the data associated with the employee reporting mechanisms identified in the company’s policy.
- How many calls did employees make to the compliance or ethics hotline?
- How many emails did employees send to the associated inbox?
- What was the quality of those reports—did employees correctly identify red flags as defined in the policy and covered in training?
These metrics indicates whether compliance training adequately teaches employees how to identify red flags. If the answer is no, use this data to understand what new or different information or instructional strategies will help.
- It doesn’t stop there. It’s just as important to look at data that shows whether the company followed up on those reports with incident investigations. Find out how many investigations were initiated compared to the number of reports filed, then how many of those initiated were completed.
This metric indicates whether or how well employees conduct incident investigations. It also suggests where an intervention is needed, such as a change to the training, policy, or procedure.
- Of the incident investigation reports completed, find out how the company responded. Study the responses. Was the company able to prevent misconduct before it occurred? If not, what can be learned from the incident to make compliance training more effective?
- When data analysis is complete, review your findings to discover areas for improvement in your compliance curriculum. Are there gaps at the curriculum level? If so, are there also gaps in the associated policies or procedures that could require change?
- Drill down to the training module level. Compare your findings with the modules’ learning or performance objectives. To what extent do they align? Assess whether gaps can be resolved by revising existing modules with the help of subject matter experts. Determine whether entire lessons or modules need to be tossed, and if so, replaced with new content. Identify the new content. Can you buy online compliance training off the shelf? Does it need to be customized?
The answers to these questions translate to the line items of your compliance curriculum revision plan that you can start executing immediately. Tactical? Yes. Effective? Also, yes.
The path you took to answer these questions demonstrates to compliance leaders and regulators that your compliance curriculum is not just a “paper program.” You can confidently say that yours not only educates employees on the substance of your company’s compliance program, but also decreases risk and improves outcomes.