A recent survey of 800 employees has found that (a) compliance processes are often considered burdens rather than enablers, and (b) training seems ineffective. Even despite the fact that the work was sponsored by case management vendor CaseIQ, I couldn’t agree more – except, speaking as someone who spends a lot of time helping organizations do compliance better, I think they buried the lead.
According to the report, “Some employees view compliance processes often as a burden rather than an enabler. Similarly, training seems ineffective, possibly due to its lack of relevance to employees’ actual day-to-day roles.” From where I sit, there’s no “possibly” about this, for employees generally are motivated more by self-interest than the greater corporate good. Failing to acknowledge and address this, in day-to-day guidance and through formal training, turns what should be helpful into a hindrance.
Communication, Collaboration, and the Criticality of Good Information
For the most part, employees are not resisting compliance; they are resisting irrelevance. They want to understand why what matters to you should matter to them, what risk they personally carry if they don’t comply, and what “good” looks like in the moment they are making a choice. Fulfilling this need demands that you dedicate effort to improving communication, collaboration, and the quality of the information people must have to do the right things. Among the key criteria to meet are:
- Relevance over completeness. Policies and training must map directly to real business workflows, not theoretical risk scenarios.
- Timeliness over formality. Information delivered after the fact – or delivered out of context, or buried in a policy repository – does not reduce risk.
- Accessibility over control. If guidance, reporting paths, and escalation options are not easy to find and use, they will not be heeded.
- Enablement over punishment. As proud-to-call-my-friend Lewis Eisen has long argued, policies framed primarily as enforcement mechanisms create avoidance, not adherence, precisely the opposite of what we’re trying to achieve.
Executing upon these principles when furthering compliance – or any aspect of GRC, for that matter – requires working closely with the lines of business to create a program rather than developing one within your own department and simply rolling it out. And then once it is built, it must be tested against real-world behavior and continuously refined based on how work actually happens – not how the process maps say it should.
Your Challenge, Should You Choose to Accept
If you suspect your employees are among those who think your compliance processes hinder more than they help, and who feel your training leaves them ill-prepared, then I challenge you to take these three actions in the next 90 days:
- Shadow real work. Sit with frontline employees and observe where compliance guidance is complicated, late, or even missing.
- Redesign one critical process. Choose a high-risk workflow and rebuild the compliance touchpoints around the way people actually make decisions, not the documentation they’re supposed to read.
- Measure what happens afterwards. Go beyond policy volume, training completion rates, and audit artifacts by tracking whether employees have the right information, at the right time, to reflexively make the right decision – without having to work around the system.
In the end, doing compliance right is about more than providing good information according to the rules, though that certainly is critical. No, it requires equipping your employees to make risk-aware decisions in real-time, in advance of audit deadlines, discovery motions, or other operational prompts. Reaching this level of excellence requires that they know what’s in it for them.
–––
Make sense? Want to talk about it? Need help doing it? Email me at steve@hollygroup.com.