How to Optimize Policy And Training Programs

By Matt Kelly

The need for optimization is clear within policy and training programs. As risks keep proliferating within large organizations, more policies become necessary to manage those risks. That means more training, so employees and third parties know the policies and what steps they should take to follow the policies properly.

While that may seem like a straightforward compliance theory, it can easily break down at scale—too many policies and too many employees, which no compliance program can oversee manually. Your training capabilities end up falling behind your training needs.

Hence the need to optimize policy and training programs. It allows your training program to handle the demands placed upon it—that is, to work efficiently at scale. Let’s consider a few steps to get there.

Start By Understanding Risks

First, as always, begin with a clear understanding of the organization’s risks. Without that understanding, a compliance officer can’t even start to develop thoughtful policies and training materials.

More precisely, the compliance officer needs to understand the residual risk for each risk the organization has: the chance of an unwanted outcome that your organization is willing to accept even after all the internal controls are in place. The residual risk is important to know because policies and training help the company bring its risk of misconduct down to the lowest level. A compliance officer needs to know where that level is in order to create the right mix of policy, training, and other internal controls.

Identify Who Is Involved

We need to get nerdy for the next step: identify all the people who participate in a business process that relates back to a policy. This will tell you who needs the training for the policies you adopt.

Again, this sounds straightforward in theory, but it can be tricky in practice. You might need to work with the HR department, clarifying roles and job descriptions. Keywords in those descriptions might become the markers your compliance technology uses to decide which people receive what training.

For especially high risks such as anti-bribery or data breach disclosure, you might want to talk with operations leaders, too. They tend to have a sharper sense of who really gets a process done on a practical, daily basis.

Optimize Policy and Training Programs Via Automation

Third, automate the ties between your policy development and training rollout. As you identify a new risk and develop a new policy to address it (step 1, above), that should trigger new training requirements pushed out to all parties identified as working on business processes affected by the new policy (step 2, above).

I know the phrase “that should trigger” oversimplifies a complex IT challenge. You need to connect different business needs, with data often stored in different formats, so everything cascades in a certain way. Your regulatory change management process must connect to your policy development process, which must connect to a database of relevant business procedures, which must connect to an HR database of employees and job roles, and so forth.

That might be the most important point here: optimization requires planning. It’s a business process unto itself, really, one that requires other business processes to be groomed so they can fit together in an optimized way.

A complicated task for compliance offices? Possibly. But then, so is a manual approach to keeping policy and training in step with company risks, and that one ultimately won’t work, to boot.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.
