Live and Let Comply - how compliance training can be improved

Live and Let Comply — How compliance training can be improved

As a teenager I applied for a job as a cashier at a major high-street pharmacy. The first round of assessment, with compliance in mind, was an online quiz on good practices and ethics. We had thirty statements and had to give a true or false answer to each. One of the statements was:

True or false: “It is always wrong to steal.”

Quite a stupid question to offer a generation that grew up on Aladdin!

And so, within minutes of interacting with an employer I was being trained to lie to them. Rather ironic for a test designed to ensure quality of character. In comparison, I applied for a similar position at a popular British department store. They had an excellent test that put you on the shop floor with day-in-the-life challenges. I tried to follow the same line and rightly failed. Their ethics test was good, it filtered for dishonesty and heartlessness.

And yet, even as good Instructional Designers, we all too easily fall into the trap of writing compliance interactions like this:

Rebecca: Hey there, Sorry to be a pain. I’ve got to send our trading accounts to Richard today but I’m locked out of my account on the secure laptop. I’ve got to make a few changes first, can I borrow your username and password?

Learner [Decision point]
[Correct] I’m sorry, it’ll have to wait until tomorrow.
[Incorrect] Sure. You’re already leaving that late.

If [Correct], Rebecca: Okay. I understand. It’s my fault anyway, it’ll have to wait.
If [Incorrect], Rebecca: Are you sure? It’s a little risky.

We think we’re innovative for writing it as a conversation rather than a simple question, and yet 80% of the time that this situation occurs in real-life, the password will be given out, training or no training. Why? Because talk is cheap. And the economics are in favour of being non-compliant in this situation. On average:

(Risk of annoying colleague) + (Risk of annoying boss) > (Risk of being caught x Personal impact of being caught)

And very few jobs have this equation balance out in favour of compliance on a personal level. On a corporate level, the equation is often quite different.

So what can we do?

Let’s look at Rebecca’s conversation again, noticing how Rebecca is very understanding of the learner’s decision. Now compare that with the real world. Are people who are stressed out, running under a deadline and have messed up always calm and well-reasoned when you refuse to help them? Not always.

So let’s try something different:

Rebecca: Hey there, Sorry to be a pain. I’ve got to send our trading accounts to Richard today but I’m locked out of my account on the secure laptop. I’ve got to make a few changes first, can I borrow your username and password?

Learner [Decision point]
[Incorrect] Sure. You’re already leaving that late.
[Correct] I’m sorry, it’ll have to wait until tomorrow.
If [Correct], Rebecca: Umm… (learner’s name). This has got to be in by 17:00 this evening. We have 40 minutes and your name is on it too. Just help me out. We’ve been working together for 2 years now, if I wanted to have done silly things to your documents I’d have done it by now.

Learner [Decision point 2, both correct]
[Option 1, Correct] I know, but I can’t give you my password. We’ll send it tomorrow. Mistakes happen, I’m sure Richard will understand. We can discuss tomorrow.
[Option 2, Correct] I can’t do it. Sorry Rebecca. It’ll have to wait until tomorrow. I can phone round and tell everyone it’ll be late.

Rebecca: (Learner’s name), you know I’ve been stressed recently, what with all the building going on at the house. Please, I’m exhausted. We’ve been working really hard on this. I just want to get it in on time. I want the win.

Learner [Decision point 3]
[Option 1, Correct] I’m not particularly comfortable with this Rebecca, I’ll send an email to Tony in IT so we can discuss properly tomorrow.
[Option 2, Correct] You know I can’t do that Rebecca. Sorry. We’ll talk tomorrow, I’ll buy you a coffee.

We then have an advisor figure appear to provide feedback and the company’s viewpoint:

Follow-up from an advisor: Well done. One of the hardest things about data protection is learning to say no to very simple tasks, where the chances of a negative consequence are often low in each individual instance but great when averaged over longer periods of time and multiple departments.

In this instance Rebecca was clearly stressed, which is understandable. And she also indulged in a little emotional blackmail, which you resisted. We trust you to sort out issues like this either by talking to her or by sending a note to the compliance department.

Where we must draw a line is if Rebecca repeatedly violates data protection, even after being corrected. There is an entire industry around stealing companies’ data and selling it to criminals. The less we have to deal with that world, the better.

If a colleague makes a mistake, correct them. If that colleague continually makes the same mistake you need to let the compliance team know.

Finally, the learner will get an email from Rebecca that admits her fault and thanks you for doing the right thing:

Rebecca: Hi (Learner’s name),

Sorry for yesterday. I’m sure you can guess that I was having a bad day and was just terribly worn down. I’ve had a good night’s sleep and am feeling far better now.

Thanks for the discussion you arranged, it was helpful. We can talk more when we see each other later.

Best wishes,

Rebecca.

Rebecca is happy
Rebecca is happy

A master manipulator

Note how I’ve written Rebecca. She’s manipulative, but in a way that’s earnest and quite understandable:

She calls you by name whenever she can. Names are powerful motivators.
She makes the issue about you. “We have 40 minutes and your name is on it too”.
She makes it seem like you are being unreasonable, not her. “Just help me out. We’ve been working together for two years now”
She uses humour to deescalate. “If I wanted to have done silly things to your documents I’d have done it by now.”
She stands behind very empathetic excuses. “You know I’ve been stressed out recently, what with the building on the house”
She pleads. “Please, I’m exhausted.”
She invokes comradeship. “We’ve been working really hard on this.”
She makes it about doing right for the company. “I just want to get it in on time.”
And she makes herself emotionally vulnerable. “I want the win.”

So how do you counter this? You could just insist employees recite the policy, but then you’d be denying them their humanity. And it wouldn’t win anyone’s heart.

What we need to do is teach the learner to say “no”.

Rebecca is being unreasonable. This doesn’t have to be about company policy, it’s an interaction between people where one is being out of order.

So what I’ve done is let the learner practice how to say no.

Note how two-thirds of the questions have no correct or incorrect answer. The learner’s options are equally valid depending on context, relationship and personality. My job as a designer is to let the learner think about the best way to challenge Rebecca, as informed by their own life experience. That way they can react calmly with a real colleague.

We ask: Do you put yourself out and ring around as a personal favour to Rebecca? Or do you state more matter of factly that the situation is thus and cannot be changed? Do you escalate it to compliance? Or do you take Rebecca aside for a quiet talk? All valuable questions.

Yes, this is not going to work all of the time. But if you give people space to draw their own conclusions, and appear reasonable, then you can sway the majority towards your camp. Plus we’ve still mandated the correct course of action for the regulators, just with a little more tact.

The company voice

Central to this is the company voice, as provided by the advisor. The company is reasonable, we admit that the learner’s most common objection is valid, “where the chances of a negative consequence are often low in each individual instance” but we’re also firm and explain why it’s not an excuse “but great when averaged over longer periods of time and multiple departments.”

Note how we always uses words that denote individuals rather than the company as a monolith. I’ve said “multiple departments” rather than “the entire organisation” and “compliance” rather than “the relevant authority.
I’ve also tried to massage the “us vs them” dynamic in the company’s favour. Compliance courses often have a line saying “If you don’t do this, you could lose your job”. Or more ominously “If you don’t do this, there could be repercussions.” This is sometimes okay, especially in fast-moving, highly competitive jobs such as trading or marketing where you REALLY, REALLY need to set a hard limit or ambition will drive employees up the wrong path. But for general compliance work it’s near-always a mistake.

The great antagonist

Why is it a mistake? Because it seeds the idea of the company as an antagonist. And people like to fantasise about beating an antagonist. My dad is a 55 year old, slightly pudgy, church-going master bureaucrat; he named me James because he thought James Bond was cool. That’s the level we’re working at.

So, let’s reframe our compliance. We still need an antagonist to rail against, that’s just human nature. Let’s say “There is an entire industry around stealing companies’ data and selling it to criminals.” AND ONLY YOU CAN SAVE US. Then we make employees feel accountable for the fate of their employer.

And we’re also firm: “Where we must draw a line is if Rebecca repeatedly violates data protection, even after being corrected… If a colleague makes a mistake, correct them. If that colleague continually makes the same mistake you need to let a specialist know.”

We’re going for Judy Dench’s “M” here, firm, a little mothering and just the right amount of being involved. When we need to clamp down we do but we respect our employee’s autonomy. If something becomes an issue and you don’t act on it, well that’s you being irresponsible. You need to do something. THE WORLD IS AT STAKE.

Bond Do I Look Like I Care
Make sure to keep your learner engaged.

Our third act pay-off

Bond saves the world, so our learner needs to too. How? We get an email from Rebecca, she tells you the risk has gone BECAUSE OF OUR BRAVE ACTIONS (we organised a discussion and she saw our point of view). A human was in a bad place, we had to make a difficult choice, they may not have appreciated what we did at the time, but at the end of the day they’re happier because of it.

Our narrative has come full circle, balance has been restored, and we walk into the sunset compliant ever after.

We’ve earnt our license to instil.