Skip to content


How to Optimize Policy And Training Programs

By Matt Kelly (Updated )

The need for optimization is clear within policy and training programs. As risks keep proliferating within large organizations, more policies become necessary to manage those risks. That means more training, so employees and third parties know the policies and what steps they should take to follow the policies properly.

While that may seem like a straightforward compliance theory, it can easily break down at scale—too many policies and too many employees, which no compliance program can oversee manually. Your training capabilities end up falling behind your training needs.

Hence the need to optimize policy and training programs. It allows your training program to handle the demands placed upon it—that is, to work efficiently at scale. Let’s consider a few steps to get there.

Start By Understanding Risks

First, as always, begin with a clear understanding of the organization’s risks. Without an understanding, a compliance officer can’t even start to develop thoughtful policies and training materials.

More precisely, the compliance officer needs to understand the residual risk for each risk it has: the chance of an unwanted outcome that your organization is willing to accept even after all the internal controls are in place. The residual risk is important to know because policies and training help the company bring its risk of misconduct down to the lowest level. A compliance officer needs to know where that level is, so you can create the right mix of policy, training, and other internal controls.

Identify Who Is Involved

We need to get nerdy for the next step: identify all the people who participate in a business process that relates back to a policy. This will tell you who needs the training for the policies you adopt.

Again, this sounds straightforward in theory, but it can be tricky in practice. You might need to work with the HR department, clarifying roles and job descriptions. Keywords in those descriptions might become the markers your compliance technology uses to decide which people receive what training.

For especially high risks such as anti-bribery or data breach disclosure, you might want to talk with operations leaders, too. They tend to have a sharper sense of who really gets a process done on a practical, daily basis.

Optimize Policy and Training Programs Via Automation

Third, automate the ties between your policy development and training rollout. As you identify a new risk and develop a new policy to address it (step 1, above), that should trigger new training requirements pushed out to all parties identified as working on business processes affected by the new policy (step 2, above).

I know the phrase “that should trigger” oversimplifies a complex IT challenge. You need to connect different business needs, with data often stored in different formats, so everything cascades in a certain way. Your regulatory change management process must connect to your policy development process; which must connect to a database of relevant business procedures; which must connect to an HR database of employees and job roles; and so forth.

That might be the most important point here: optimization requires planning. It’s a business process unto itself, really; one which requires other business processes to be groomed so they can fit together in an optimized way.

A complicated task for compliance offices? Possibly. But then, so is a manual approach keeping policy and training in step with company risks—and that one ultimately won’t work, to boot.

third party risk rating

Related reading

Join the E&C Community

Get the latest news from GAN Integrity in your inbox.