For compliance training to be effective its needs to risk-based in its focus. This means employees with highest risk of exposure to bribery and corruption need to receive the highest levels of training and refreshers. From there you can tailor your training down to an appropriate level for those less at risk. The Justice Department’s Evaluation of Corporate Compliance Programs asks the following question, What analysis has the company undertaken to determine who should be trained and on what subjects?
The risk ranking of employees is usually considered in a tripartite structure of (1) high-risk, (2) medium risk, and (3) low risk. High-risk employees can be defined as those employees whose roles in your company can significantly impact the company. Medium-risk employees can be defined as those employees who face risk on regular basis or present a moderate level of negative impact to a company if they mishandle the risk. Low-risk employees can be considered those employees with a low likelihood of facing the attendant risk. Through the risk-ranking process, you have internalized the admonition that one size does not fit all in deciding the content and intensity of training needs for each role or individual. You should be now ready to design your compliance training.
In addition to the risk-based approach to identifying employees in the three-tiered ranking, you should also identify those employees who are in “control functions” as the evaluation requires you to list the training such employees has received. This is beyond the gatekeeper function and moves into the operationalization of compliance in an organization. This exercise will help to make your compliance program more robust as it allows you to determine who is involved in the oversight/approval process of internal controls and where there may be pressure points.
Finally, these steps must be documented so if a regulator ever comes knocking, you can demonstrate you have a well-thought out, operationalized compliance program.