The Five States of Compliance Maturity: Building a Strong Training Strategy

Even though many businesses invest in useful compliance training to help reduce the liability and legal risks they face, for some, integrating that training with their business strategy means overcoming some significant barriers.

In the most serious situations, training is side-lined to the detriment of stakeholders across the business, and as a result, compliance can fail. Conversely, a comprehensive training strategy can result in major, long-term dividends.

Ideally, an organization’s compliance training will navigate a maturity model to grow from an initial awareness objective, to a mid-cycle focus on behavior and culture, to a mature state, in which compliance learning becomes a fully embedded part of business strategy.

In the process, progression along this lifecycle also shifts the focus of compliance investment from an emphasis on just avoiding the negative consequences of non-compliance to gradually placing the spotlight on creating a healthy compliance culture. This places organizations in a virtuous win-win position where compliance becomes a self-sustaining part of the business long term.

Achieving this cultural shift can deliver powerful business benefits, from positive brand recognition and an improved ability to attract top talent, to increased competitiveness and contribution to employee loyalty. Looking at these five ‘states’ of compliance maturity more specifically can help businesses identify where they are and how they can develop a better strategy.

Stage One: There is Minimal Awareness of Compliance Requirements

Organizations in this situation pay little attention to compliance and ethics requirements and provide employees with minimal resources to meet baseline standards. They do so in the hope problems will not occur, but when issues do arise, these businesses typically end up paying steep fines, penalties and other damages while the risk of employees suffering from injuries, illness, and discrimination is greater than it should be.

These organizations may or may not make any compliance training available to employees because, in their view, it is too expensive. If they do provide training, it is implemented only after a major violation has occurred, to show they are trying to meet compliance standards. Even then, it is implemented as a tactical response to a serious problem, rather than a strategy for permanent improvement.

Stage Two: Ticking the Box – Using Training to Meet Minimum Requirements

At this stage of development, companies acknowledge that the only way to get the message of compliance organization-wide is to ensure that all employees are afforded appropriate access to training materials. Businesses emphasize successful completion of course materials so the business can provide a record demonstrating an effort was made to meet regulations and standards.

In other words, they check the box on compliance training in an attempt to avoid the damages that Stage One companies can face.

Some organizations at this level will establish rudimentary programs targeted to managers only. The problem is that this puts the responsibility on each manager to ensure that his or her direct reports are made aware of the various requirements that apply to each of them. It lacks both clarity and transparency to prove whether or not an employee has been effectively trained.

Other organizations may take a ‘shotgun’ approach and assign the same training to all employees without regard to specific job roles, areas of responsibility or other role-unique attributes. While this approach ensures that everyone receives training and there is a record of completion, employees can easily become disengaged when training is irrelevant to their day-to-day functions and covers topics that they will never encounter.

Stage Three: Top-Down Behavior Change Through Training

At this level of maturity, organizations understand how training affects the fundamental behaviors of their employees in the processes and tasks they undertake. Here, companies begin to effect a ‘top-down’ cultural change in working to incorporate compliance-led practices. It’s understood that it is the job of executives to enforce training among managers, and the job of managers to do so with employees.

As a result, training is seen as more strategic across more levels of the business. Assignments are made based on job roles and responsibilities. Important details such as site-specific information, including local policies and procedures, in addition to regulatory requirements, are properly addressed.

The problem is that many organizations stop here on the maturity model because there is perceived accountability on all levels. However, this is not true accountability, as there is no belief in the program. Compliance is maintained through avoidance of being punished. A key question remains: if managers never witness wrongdoing, how can they enforce policies?

Stage Four: Self-Motivated Behavior Change

When an organization’s approach to compliance becomes more mature, the focus shifts to empowering individual employees to make informed decisions to reinforce the company’s lawful and ethical culture. This occurs as a by-product of establishing a culture with high compliance awareness.

In this situation, everyone in the company at all levels shares accountability for following a higher standard. Employees are self-directed to make the ‘right’ decisions because everyone else is making these same decisions. Policies are understood and the reasons behind the policies are clearly explained. Engagement is high at this level because all members of the organization are now responsible for the success of the program.

Stage Five: Compliance and Business Strategy are Fully Integrated

Achieving this level of maturity means organizations see a seamless integration of compliance with business strategy, and it is measured as a component of business performance. In raising the level of sophistication, compliance programs are aligned to assist organizations in accomplishing their business goals as opposed to serving merely as a function of risk mitigation.

To reach this stage, an organization must have a comprehensive view of learning, but it cannot happen overnight. By keeping focus on continued development and maintaining momentum, a company can continually improve its processes and realize meaningful results along the way.

Employees, managers and executives alike see and understand their responsibility to the company by ensuring the success of the compliance program. It’s no cliché to say failure is not an option, because that would mean a fundamental failure in wider business strategy. Honesty, accountability, respect and leadership are principles of these organizations, and transparency is a default.

As with any mission-critical endeavor, commitment is key. This is a process that may often require a conscious investment of time and money, and one whose benefits might seem remote and intangible, but it results in a situation where the organization collectively wonders how it ever succeeded before.
