What is 'defensible' compliance training for the Department of Justice?

So: you’ve been made responsible for compliance training at your company. You know you want to make sure that if your company ends up in front of the Department of Justice and you have to explain your efforts to a prosecutor, you get (at minimum) a passing grade on your work.

Fair enough. This is what folks refer to as “defensible” training, which simply means that you could successfully defend it to the government if you had to do so.

What does that look like?

Well, this is an area with a lot of weird myths, so we interviewed the U.S. Department of Justice’s former compliance counsel expert on it. You can download that here. And in this post, we’re going to unpack this one point in more detail.

What isn’t defensible compliance training.

It’s helpful to start with what is not defensible compliance training to a prosecutor.

“Defensibility” is not a specific format, length, or way of documenting what you did. This is a pretty common belief that sells a lot of stupid compliance training—that prosecutors are just looking for you to satisfy a bunch of training parameters, and as long as you do that you’re good. And conversely, that unless you satisfy those parameters, it doesn’t matter what you do because you will not get credit.

We sometimes call this way of thinking the Hogwarts School of Compliance Wizardry, because it’s basically this idea that there is a magic spell that you can cast to get the job done. Get it right and you’re good; get it wrong and your house explodes.

And: it’s not true. Like, there’s an entire page in the interview that just blows all this up. Here’s an excerpt:

So: that's not it. "Defensible" training is not a matter of format or length or whatever.

Moreover, "defensibility" is not separate from "prevention." That is, the traditional myth of "defensible" compliance training kinda works like this: 

Basically, under this myth there’s a set of things you do with compliance training because you think it will actually keep you out of trouble, and there’s a separate set of things you do because that’s the stuff prosecutors care about. Sometimes they overlap, but most of the time they're two separate sets of things.

To give you a practical example, under this myth “prevention” looks like giving your salespeople a compliance checklist on what to do before closing a deal, because it makes it way less likely you’re going to have a problem in the first place. On the other hand, making your salespeople sit through an hour-long e-learning course on the FCPA once a year would be considered “defensible,” because it shows a lot of effort and expense even though no one expects it will actually accomplish anything.

If you embrace this myth—or your boss or General Counsel does—you will end up spending all of your time on the stuff you think counts as “defensibility,” because that’s just human nature. And ironically, this makes you more likely to get in trouble in the first place since you’re spending all your time on generating records on the assumption that the compliance program will fail, instead of actually trying to prevent misconduct in the first place.

And then, when you *do* get in trouble, you’ll find out that this was a myth and you haven’t done anything “defensible” at all. Again, here’s a quote from Question 3 in the interview:

To sum up: defensibility is not a specific type, format, length, or style of training. Nor is it something separate from “prevention.”

So, then, what is it?

“Defensible” compliance training is prevention-focused.

When we’re talking about “defensibility,” we’re talking about the law. And prosecutors care whether you broke the law—and if your company did break the law, what you did to try and prevent that from happening.

That is, prosecutors do not require you to do compliance training for the sake of compliance training; it’s a tool to avoid breaking the law. Here’s a quote from Question 1 in the interview:

Practically, this means that, to be defensible to a prosecutor, your compliance training has to be focused on prevention—there’s no specific method, format, or amount that is required, but you have to be able to explain why you thought it would actually work to prevent the thing that got you in trouble. No one is asking you to do it for the sake of doing it; it’s a means to an end.

Now, we’ll unpack what “prevention-focused” practically means in a later post—like, what it looks like—but it’s also covered in the interview, so head there now if you haven’t already. Same goes for how to “document” your training—it’s in the interview, but we’ll do a practical breakdown later.

What you need to know right now is that this is very good.

Here’s why: employees know when you are checking a box, just like you know when someone is making you do something dumb for the sake of saying that they did it. Like, you have to pay taxes and “sign” contracts when you rent a car and click “I accept” on every website you visit and such; you know when you’re being asked to go through the motions. Employees do, too.

And the main way any given employee is going to interact with your compliance program is your training—if we’re honest, we all know that most employees will never use the hotline, never be involved with an audit, and never read your policies.

So, if the main way most employees interact with you is through training that they identify as a check-the-box, do-it-so-we-can-say-we-did-it exercise, how do you think they will view you and your program? As something the company seriously cares about, or as something that they can just ignore as long as they’re willing to go through the motions too?

Of course, if you had to do this stuff because it’s what was necessary to have defensible compliance training, then you’d just be stuck. But it’s not, and you don’t.

Instead, the government just wants you to do what you want to do, too: focus on what you think actually works. That’s what “defensible” means.