Broadcat announces sustained investment to build content supporting privacy professionals According...
5 minute read ·
How should you document compliance training for the Department of Justice?
If you’ve read our interview with the Department of Justice’s former compliance counsel expert, you know that there is no substantive difference between “defensible” and “prevention-focused” compliance training from the Department of Justice’s perspective. To be defensible, you simply focus your compliance training on preventing misconduct—and then document what you did. These are not two separate substantive things, just two steps in the same process.
But how are you supposed to document it?
That’s a very boring-sounding question, but getting that answer wrong can cause all kinds of mayhem. And most likely, that mayhem will look like you overcomplicating things for no reason.
So while we’ve previously covered how to focus on prevention in your substantive training, today we’re going to break down how to document your compliance training so you can finish the job and get credit from the Department of Justice.
Haven't read the full interview with Hui Chen yet?
There is no specific way you’re required to document it.
First things first: there is no specific way you are required to document your compliance training. Here’s the quote from the interview:
Note that the goal here is to simply provide a record that is better than you and the employee arguing over who had the better memory—like, basic evidentiary stuff.
Note also that the method is not limited to “an attestation at the end of an online course,” which is a weird belief that folks have. And by “weird,” I mean that’s not even consistent with the old and now very out-of-date Morgan Stanley declination, which is generally the source of dumb training overkill. Even there this wasn’t true: the DOJ gave Morgan Stanley a nod for stuff like distributing a tone-at-the-top memo.
So, even if this isn’t exactly news—it’s, like, how evidence works—it’s important to see it laid out because it gives you a ton of flexibility on what to do.
And that’s great. But it doesn’t tell you what to do; it just gives you more options.
Let’s go beyond the interview, then, with some practical advice on how to pull this off.
Document it in a smart way.
We have freedom to document our training in a way that makes sense, so let’s do it in a smart way. Here’s the headline: we want to keep all records in a centralized platform—like a Learning Management System—but we don’t need to actually deliver all of our training through that platform.
A “centralized platform” basically just means a database where you keep all of your records of who you trained, on what, and when. You want to keep your training in a centralized platform to:
* Make it easier to pivot on a single employee if you have a hotline issue
* Enable you to produce data for an audit
* Avoid over-training by being able to see what an individual or population has received
* Answer someone who thinks they’re being over-trained with data that shows what they’ve actually received
* Respond to litigation or government inquiries quickly and thoroughly
None of this is a big surprise: it’s a good idea to be organized. Your “centralized platform” could be as simple as an Excel spreadsheet, and if you’re using Excel or a database program—like, say, you’ve commandeered an instance of Salesforce—then you can skip this next part.
If you’re at an organization that’s big enough to pay you to read this blog, though, odds are you’re going to be using some type of Learning Management System—or “LMS”—software.
And that’s where things get tricky.
Why? Because you can use an LMS to both document and deliver content, and the temptation is to confuse those two things so you start thinking everything has to be delivered by your LMS or it won’t count.
And that’s a problem, because your average LMS system makes it unnecessarily hard to deliver anything other than long-form e-learning to people. They tend to be slow, clunky, and not well-integrated into your systems, which practically means it takes employees a decent amount of time to just log in to see what you want to show them.
That’s not universally true, but be realistic: if someone has to log into a separate system with a separate password and click through 5 screens to access what you want them to see … they’re not going to do that. And if you try to force it, you’ll end up frustrating both employees and yourself.
Instead, treat your LMS as serving two different needs: as a delivery mechanism for e-learning and as a general database. For anything you do outside of e-learning—which should be the vast majority of what you do, practically—just upload your records into the LMS so everything is in one place.
And to pull that off, here’s what to do. First, engage with your LMS provider or in-house LMS expert to understand what your capabilities are. You want to learn:
1. What kinds of data can be uploaded (name, department, etc.)
2. What file formats your LMS will accept (Excel, Outlook, etc.)
3. What type of data your LMS usually captures when you do e-learning (similar as #1, but this will help you match up offline data with what your online data normally says so you don’t go too crazy in your offline data collection)
4. What type of reports your LMS can run (e.g., “everything for a single employee,” “all training in March 2020,” “all training for sales employees,” whatever)
Next, use this information to set up templates for your other records using these fields. For example, if your LMS can take a CSV file from Excel, you’d make a template spreadsheet you’d use for recording who attended a live training. You’d capture the fields that the LMS can parse and that make sense for the type of reports you want to run, then you’d just upload the file and let the LMS take it from there.
Put otherwise, instead of just having hard-copy sign-in sheets that capture random bits of information, you want to work backwards from the type of reports you want to use, make templates that make recording that data in a structured way that the software can understand, and then let the software do its job.
This allows you to document all the great stuff you do without requiring that it be delivered through the LMS, making it massively easier for you to prove that it happened without making employees jump through a million hoops.
Why this matters.
The reason this is so important is that in the vast majority of compliance use cases, the right tool is something that is a lot more agile and robust than a school-style course. You might use a system pop-up, an email that distributes a compliance checklist on a high-risk task, or a live town hall session that lets you interact with your employees.
If you think that only a certain type of record will count, though, or that everything has to be pushed through your LMS for you to get credit, you’ll end up leaning way too hard on e-learning instead of these other methods. You’ll ask e-learning to do things that it can’t do, and then get frustrated when it doesn’t perform—which isn’t fair, because that’s like trying to use a sledgehammer to drill a hole in the wall and then blaming the sledgehammer when it doesn’t work.
Fortunately, that’s not the case. You can keep any type of record that makes sense for you, which frees you up to use the right tool for the job—which will often be something that solves a problem in a simpler way, like the checklists and flowcharts you can get through Compliance Design Club.