Transcript for The Role of Training in Effective Compliance
Matt Kelly: All right. So, hello to all the attendees at our ComplianceLine masterclass here who I see are logging in. I know we are going to, today, have a very good discussion. I’m Matt Kelly, I’ll be your host. We are here today to talk about training and all of the challenges around effective compliance training and how a company or a compliance program can think about that. We have a very good panel. I’ll introduce them in a moment. But first, I always like to also welcome our sponsor here, Nick Gallo, the co-CEO of ComplianceLine. Nick, I don’t know if you wanna say hi and say a few words.
Nick Gallo: Yeah. Welcome to our webinar. I’m pretty pumped for today. A couple of my compliance heroes are on. Matt, you always are the host with the most. As always, we’re gonna do one of our world-famous ComplianceLine book giveaways to some great comments and great participation. So, let’s dust off those fingers and maybe everybody can jump in the chat and say where they’re in from. We’ll be selecting some of the best comments to send a link around to the ComplianceLine library. We have a whole collection of books from our friends who are from ethics and compliance, people that have great ethics books and things like that that you can use to get your ethical mind sharpened. So, with that, I’ll pass it back to you, Matt. Super pumped for today, though.
Matt: All right. So, we are going to talk about, as I said, compliance training, where we have probably three big themes that we’re going to try and explore here. Number one would be just to talk about what some of our big compliance training goals are, where do they come from, how do you figure out what are the goals that you want to declare with your training so employees can understand it. Number two, talk a bit about the training methods that you want to try and use to inculcate all of your ethics and compliance messages into employees’ brains, especially if we still have a lot of work from home environment going on.
And then maybe third, talk a bit about how other elements of a compliance program such as the code of conduct, such as case management and internal reporting. How do these things supplement or support training and vice versa? Because all of these are pieces of a whole. So, the speakers that we have with us are, let’s see, number one, Scott McCleskey, who is the executive director of compliance training at Sumitomo Mitsui bank. Scott, hello.
Scott McCleskey: Hello.
Matt: And also Kortney Nordrum. And Kortney is chief compliance officer at Deluxe Corp., which is a payments processing business. So, if you’ve ever written a check, thank you for Deluxe for inventing the check. All right. So, I am going to throw out maybe just a general question for everybody first, about what you think are the most important points about training, like the most important ingredient to get right. Because there is an awful lot that goes into training, what the message is, what the delivery method is, how you assess whether it’s working.
And we all talk so often about how important training is. But, Scott, I’ll start with you and then Kortney and then maybe, Nick, if you have other thoughts. Scott, what would you see as, like, the most important ingredient to get right as you’re looking to build out a training program?
Scott: Sure. Thanks. And I’m gonna start with the usual disclaimer that what I say, these are my crazy ideas, not necessarily those of my bank, but they are hard-won over the course of a few years. I think if I have to pick one thing that is easy to get wrong but really, you have to get right, it’s targeting the training. When you’re running a training program and, you know, you’ve got internal customers that, you know, they have policies or other requirements, it’s easy for them to want to take the easy way out and say, “Let’s train everybody on this.”
And I think that’s also sometimes the safe thing to do. Let’s just make sure everybody gets training on whatever the case may be. But when you do that, you’re shooting yourself in both feet because you are overtraining people, which means that after a while, they’re just gonna click through the trainings and… as another administrative burden. So, you don’t wanna over-train people. But also, when you’re trying to train everybody, you can’t really target the content either. If you’ve got really well-targeted training, training that goes to only those people to whom it’s relevant, you can get into more detail and give more relevant examples than if you’re just giving it to everybody.
I mean, you could put in all the details and they’re just gonna go in one eye and out the other, if you will. But no training is really gonna be successful if it’s not well-targeted and it’s not relevant. And I think the other thing is engage…the training has to be engaging. And I think those of us that have been in training for a while understand that. A lot of times, we think of that in terms of instructional design. You know, that is an important element of it but no matter how many graphics and gadgets you’ve got going across the screen, you have to think about engaging content as well.
And I’ll just take a couple of seconds and give you my pet peeve. It is when you go through a law or a regulation and say, “Okay, you know, the Foreign Corrupt Practices Act,” okay, and then you start citing to the nth degree, you know, what section and you quote it, and you say, “The maximum penalty.” They don’t need to know that. You know, let them know what the law is, let them know what it says you can do and you can’t do, you break the law, you’re going to the slammer, you know, and then move on. Otherwise, people start to drown in the details. So, when we’re talking about engaging, it’s about the content and both the design.
Matt: And Kortney, what do you think about all this? And I kind of like how Scott riffed off this, not necessarily what is the most important ingredient but the thing that maybe, you know, is most difficult to achieve or the thing that might go wrong most often when you’re talking with your peers. You know, what are your thoughts?
Kortney Nordrum: I totally agree with Scott. We, in our population, have two very different populations of workers. We’ve got manufacturing workers, frontline hourly employees, and we’ve got more white collar behind a computer employees. And we have found that we need to even tailor the same topic to those different populations. We have to give them context. So, if you work in HR, you’re getting a full HIPAA training, you’re gonna understand PHI, you’re going to understand what it really means as far as your job in HR.
If you’re on the frontline in our manufacturing where we might be printing reimbursement checks for insurance companies, which is technically PHI, we’re actually training you saying, “This is private. If you see it on the floor, pick it up and shred it.” And it’s not that we’re dumbing it down, we’re just giving you the information you need to know without all of the extra things. And that’s what I really think is the basics of the training and what we try to do is, don’t over-train people. Give them what they need to know in a way they can digest it and then don’t give them any more than that. Because as soon as you start training everyone on everything, you’re diluting the message in every one of your trainings. So, give…
Scott: If I can just…
Kortney: Go ahead.
Scott: Sorry. I was just gonna amplify that and say, you know, one thing that you need to understand is a lot of SMEs, subject matter experts, will treat the slide and the storyboard like it’s reference material. It’s not reference material, you know. You can do that separately. Training means, you know, make it digestible.
Matt: And, Nick, let me circle back to you. Give me some thoughts particularly around how to make things, material, engaging. And I know that you talk about that a lot. I see a lot of your LinkedIn posts, you know, that I find them engaging because they focus on a couple of really key uplifting themes. But what do you see as important to make sure that the employees are, you know, like they’ve got their head into the game?
Nick: Yeah. I think, you know, it’s kind of interesting how people, like, we all go through school and there’s classes we love and there’s classes we hate and we, like, forget about all those experiences when we’re in the workplace and trying to convey information to other folks. And if you have kids or you have nieces and nephews, think about how you, like, you know, you cook a dish, well, you’re gonna cut that dish up differently for the different ages. And I think what Kortney talked about and, you know, what Scott also alluded to is super critical.
Like, you have to… At the end of the day, this is a game of persuasion, right? Like, we’re trying to persuade people to act in a different way or act in accordance with whatever policy or whatever, you know, hopefully not reference material, you know, the things that are on the slide. That’s only gonna happen if they are able to digest the food. So, if that means you have to cut it up into smaller pieces, you have to space that out over time, then great. If it’s somebody who’s super dialed in, like Kortney said, to, you know, knowing what that PHI is, well, then maybe they’re able to hold a fork and a steak knife and cut their own food and you can give them sort of a more fulsome meal.
You know, so that’s kind of one piece of it. And then the other piece is like, what do they need to know? I mean, as I was thinking about this, like, if I was teaching my 6-year-old and I was teaching my 9-year-old how to make eggs, I’d probably teach them very differently, you know. I mean, the basics for my 6-year-old are heat up the pan, crack the egg in, you know, flip it over, make sure that there’s no shells in it. With my son, maybe I’m talking more about seasoning and things like that because he’s a little bit older. But like, what are the bare bones basic things that somebody needs to know without having to become a subject matter expert themselves to act in accordance or act in compliance with whatever we’re talking about?
Matt: Go ahead.
Kortney: I was gonna say, let me throw in not only that, but the different kinds of training. When we think training, we usually think modules, here’s your assigned training every year, get it done by quarter. We still have a ton of materials that are just in time training. So, I’m gonna give you annual training. The whole point of training is, here are the rules, here’s how we expect you to follow them, right? Don’t lie, cheat, steal, etc. Well, I’m going to give you that training once a year, once a quarter, but then, I’m also going to give you a website to go to or a one-pager or a sign that says, “Wash your hands before returning to work,” as reminders to key into that training. And so, it’s not feeling like such a burden. It feels like a message coming and permeating the entire organization.
Matt: So, I wanted to ask a question along the lines of how you figure out targeted training. Before I do, I should just stop and interrupt. We have fantastic, as always, discussion going on in the chat feature here and we will try and weave in some of these points that people are making right now. But by all means, everybody listening, keep it coming. But I wanted to say that if you want to do targeted training, which absolutely makes sense, it implies that you really have to do something of a risk assessment for what your training needs are.
Do we know all of the regulatory obligations we have? Let’s pick FCPA. You might train salespeople on the don’t do it part, but you’ll have to train accounting people on here’s how to look for the fishy stuff the salespeople are doing anyways. But, you know, you have to think through do we know everybody who is in what roles in our company that they will need this sort of training because they’re exposed to this sort of conduct risk? So, I’m wondering how you do, I guess, the conduct risk assessment or the training risk assessment? Scott, let me pick on you first because you’re at a bank. I assume you are regulated up to your eyeballs and you’ve got a lot of different threats you’re trying to juggle. So, how do you do that kind of exercise?
Scott: Yeah. I think, it’s a pretty formal process we have and it’s probably similar in other financial institutions because, as you say, we are very highly regulated. So, generally speaking, there is an annual training needs assessment that’s performed. And that will start with the compliance risk assessment. And a lot of the ingredients that you mentioned are in that compliance risk assessment. And that is where you identify your inherent risks, your residual risks, which is what happens after you apply your controls. And that is done across the business. And that’s kind of the main starting point.
But then, you also will take into account things that should be in the compliance risk assessment, but you don’t want to assume that. So, you look at things like new regulations, new enforcement actions that have come out since your last training needs assessment, audit findings, and a crucial ingredient is to engage with the business leaders or the leaders of the various internal customers, if you will, so other parts of compliance, for instance. This usually takes a few months to do. One problem is that the compliance risk assessment is also done on an annual basis and it’s not always done when you’re trying to do your TNA, your training needs assessment.
So, you use the most recent one, but then you also update at least on a quarterly basis. You update it so that you’re not just saying, “We did this once a year.” And so, you incorporate all these things. But you raised another great point, and this is a real difficult bit, which is how do you know who, you know, gets this training? So, we all have a learning management system, you know, that actually sends out the training, if it’s e-learning anyway, and that is dependent upon having good HR information being fed into your system. Or even if you’re doing instructor-led training, you still need the HR system to be able to identify that for you.
Even the best HR system is gonna have difficulty serving you with things like who’s a people manager, who’s customer-facing, and things like that. So, part of it is, again, engaging with the policy owner or whoever else may be there. And inevitably, you’re probably going to draw that circle a little bit wider than you might otherwise, but again, you wanna try to avoid, you know, giving it to everybody. And there have been instances where they just say, “Give it to everybody.” And I think probably Kortney, people who are attending the session virtually also realize that sometimes, it’s out of our hands. You know, we have to listen to the policy owner. If they say, you know, “Antitrust, everybody gets antitrust,” and then you stand by and wait for the emails to come in.
Matt: Kortney, how does it work at Deluxe? How do you work with either business unit, team leaders, or HR, or something to try and figure out who is going to be doing what and therefore, they have these conduct risks matching up with the training? How does all that work at Deluxe?
Kortney: So, we do our annual compliance risk assessment and then we take our…we work with HR to take our job family library and try to match it up that way. But in the end, because our systems can’t be that granular, we end up having HR and our training person go pretty much director by director to determine who is getting what training. So, we have 6,500 employees, so it’s not a huge Herculean task. But because we really want to make sure that we are training the people we need to train and we’re not overtraining people who don’t need it, particularly on the frontline, when training people means taking them off of the machines, it means cutting production, right? So, we do go director by director and assign in our learning management system based on who your director is.
Matt: Okay. And, Nick, give me some thoughts from your perspective, you know, like, frankly, as a CEO, because I think a big part of the problems here, the challenges that companies have, it’s about defining roles and responsibilities and making sure that, you know, we actually know who does what. And I think sometimes at either very large companies or hyper-growth companies, that can be hard to do, to keep track of who knows what’s going on and, you know, who does what. And without that, everything else is kind of…gets a bit rickety. But what do you think about what you’re hearing here?
Nick: I mean, I think what I’m hearing is interesting and these are definitely the best practices. I think, if I cut that against what I’m seeing, is that most people do a one-size-fits-all thing, most people do a check-the-box thing, most people say, “Okay, this is all going for everyone.” And I think, you know, we’re spending all this money and all this time and all these efforts to, you know…we know we have to train, we know that there are these important things that we have to color within the lines of, and yet, it sort of, like, devolves to this sort of elementary, almost like pedestrian approach to training that doesn’t…
Like, if it doesn’t come across as thoughtful, people aren’t gonna pay a lot of attention to it. And so, that’s really where I see a lot of it kind of falling flat. We got a great comment from Holly, and she says that we use real stories from the business, which is great because then, we get people involved in the development of the training and can take it up to their teams. And so, I’m just trying to tie that back to what you just asked, Matt, and I think a little bit of thoughtfulness on the frontend and a little bit more, like, integration and collaboration with other folks does a couple of things.
It lets you kind of know who knows what and where kind of problem areas are. Because, to Scott’s point, you’re not gonna get that straight out of an HRS system. It also allows you to, like, get a couple of more voices to sing the same harmony if you can, you know, crowdsource some of this messaging, whether that’s in a recorded thing or if it’s, you know, just peppered throughout the year in other messaging from other leaders. And then, if you can tie that down to an actual story, like, there’s a reason that Aesop was so famous. You know, he’s great with fables, right?
We remember all those fables, we remember those stories, and there’s a lot of, like, persuasive power and a lot of memorable power if we can leverage those things. So, there’s this really cool model that I think everybody should utilize. And, you know, Scott alluded to this, like, not everybody has to be a subject matter expert. This is not reference material. You’re not gonna get audited on what’s on your slide. You need them to get the basics of it, so that they can apply those new behaviors and, you know, not get the company in trouble.
So, they don’t have to digest it all, they don’t have to, you know, memorize it, they, in fact, just have to skim what’s the high-level of it. And so, that acronym of SCIM, S-C-I-M, is a great model. So, a story, get a story for how this applied inside or outside of your organization, somebody who did it right, somebody who did it wrong. I for image, like, what kind of imagery can you take with that. M, what’s a metaphor that can help articulate this thing? And, what did I miss? S, C, oh, the C. The C is the concept. So, I’m sorry. So, the story, the concept, the image, and the metaphor.
If you can get that kind of a cadence with the concepts that you’re trying to apply, put some imagery around it, put some metaphors, put some stories around it, that’s gonna make that concept, which is what we’re really trying to, like, convey to folks actually sink down into their brains. And the odds of that happening or the odds of those right behaviors happening is just gonna be increased a lot. But again, it takes thoughtfulness, you know what I’m saying? It’s really easy to go on the DOJ or whatever, you know, copy something straight out of the pronouncement, or put the full text of the policy on and say, “Okay, guys, I’ll give you two minutes to go ahead and read this slide.”
You think you’re gonna get any actual compliance? You think you’re gonna get any behavior change from that? You’re absolutely not. And it’s harder now than ever. I’m sorry to kind of nerd out on this, but, like, this is kind of a big point.
Matt: Go ahead.
Nick: Like, it’s harder now than ever. Like, our grandparents used…our great, great grandparents used to go down and listen to, you know, a Chautauqua, a six-hour debate between Lincoln and Douglas. They would sit in a room for six hours and they wouldn’t leave and they would just be enthralled by the six-hour debate. Our kids are watching 20-second TikToks and if it’s longer than that, they’re flipping to the next one. So, like, the attention spans have collapsed. So, what are we doing to, like, play that game right now and take advantage of this new normal and stop employing these old techniques that just continue to fall flat?
Matt: So, let me weave in two comments that I saw stream on by here from the chat. One person was basically asking, “What about the scenario where a regulator is basically ordering you to teach this specific material? And that’s fair if you’re in, say, healthcare or probably banking or other highly-regulated fields. Some of what the regulators are going to make you train on, boring is gonna be part of it, or precise or mundane or whatever, but you’re not gonna have much discretion.” And somebody else who I thought made a great point, Helena here, she said, “To comply with or compliance really is inferring,” or, I guess, implying that they are imposing something on employees.
And that’s gonna be a turnoff. So, it’s much more…they’re trying to invert this into how you defuse that kind of, you know, this is what you have to do, very dry material. I guess my questions, I’ll ask Scott first and then you, Kortney, how do you deal with trying to make regulatory compliance material interesting but also about the wisdom here, that it’s not necessarily about the regulation. You know, trying to tie it to broader core values. And there’s a lot of ethics and compliance messages that aren’t…they’re not regulation-specific, it’s just more anti-discrimination is a good thing to do. So, maybe that’s a bit easier. But Scott, what do you think of all of that?
Scott: Let me answer the second bit first, you know, how do you make it seem a little bit less like, you know, there’s a gun to your head, you know, you’ve got 30 minutes to do this. You’re never gonna get fully away from that. I mean, let’s be realistic. You know, there will be an element of that no matter what you do. But I think one of the things to do, starting with senior management, but you can also communicate this more broadly, is to say, at the beginning of your year, here is our compliance program. Here’s, broadly, what we’re going to teach and why we’re going to teach it.
When you do that, at least it has some context, because otherwise, what they get is they come into work and they get an email that says, you know, “Do your harassment training,” or, “Do your, you know, Reg. W training, you’ve got 28 days, go.” And 27 days later, they’ve got another one, whatever the case may be. If they’ve at least got the context, you know, they may agree with it or not agree with it, but they see that it’s part of larger goals. And I think that’s what’s missing, whether you’re talking about culture, ethics, regulatory requirements, is that context.
Because otherwise, it’s like filling out your timesheet or something else, it’s just something you gotta do. And you’ve gotta get away from that as much as possible. With respect to, you know, what do you do when, you know, you’ve got dry material imposed upon you, yeah, you know, the regulators will do that. They don’t necessarily…they’ll talk out of both sides of their mouth. They’ll say you gotta teach this but you gotta make it, you know, tailored and effective and take into account the skill level of your staff. You know, and so you can gussy it up a bit.
One thing that I think is easy to fall into but we should start to avoid or try to avoid, is we give our “real life examples.” So, here’s an AML law. Okay, so we all go look for something in the newspaper that’s fairly recent, fairly topical, and where the person was seriously, you know, penalized and didn’t just get, you know, a year. And then we put up, you know, this is what happens, so don’t violate this. Here’s somebody who did it and they got three years and two years’ probation. Again, that goes in one eye and out the other.
If you really want… People can’t associate, you know, I will go to prison. Put in a scenario where, you know, it’s somebody who screwed up, whether it’s an ethics thing or a violation of a law, and walk them through the day they got caught. Walk them through, okay, all of a sudden, you’ve got no job, you’re gonna ride the train home thinking about how you’re gonna tell your family. Guess what, we don’t have any money now, I’ve got no career, and daddy is going away for three to seven years. That’s a gut punch. That’s something where people can actually picture that scenario, having to go and tell their family or their friends or neighbors, and know that they’re never gonna look at you the same way again. And that’s a lot more effective than so and so, you know, violated it and got three years.
Nick: I used to hate history class in high school. I hated it. It was so unbelievably boring. It was all these dates to memorize. And then I got this teacher and this guy loved history. And he would tell these stories, like Scott is talking about, and he would really, like, humanize these people. And they translated from, like, words on a page to actual people and to actual human beings that were actually going through things and that were cold and that were hungry and that were scared. And that humanization of these things brought all that stuff to life.
I mean, we have to back up. Like, behind a regulation that we’re forced to, like, train on is a bunch of, like, human stories. A bunch of things have happened to rise to the level of a regulator to say, “Hey, we gotta do something about that.” Tapping into those things is, like, the most critical emotional piece of the puzzle. People are only gonna act when your emotions are pricked. I mean, everybody knows that smoking is bad, right? We all know smoking is bad. People still smoke. Why? Because they don’t feel like they wanna quit yet.
We have to make them feel something different, and the best way to do that is by humanizing these things. I gotta share this real quick. Matthew shared me this quote, my guy, Matt Perkins. This is a quote from Robert Shank in this book, “Tell Me a Story.” It’s this, “We can tell people abstract rules of thumb, which we have derived from prior experiences but it’s very, very difficult for other people to learn from these. We have difficulty remembering such abstractions, but we can more easily remember a good story. Stories give life to past experiences. Stories make the events in memory memorable to others and ourselves. This is one of the reasons why people like to tell stories.”
It’s exactly what Scott was just talking about, humanizing it, bringing it to a story, or just creating something human around this abstract concept that we’re trying to push is our fastest way to do it, our most effective way to do it, and if we don’t do it, we might as well not be doing anything.
Matt: So, Kortney, what do you think about all this? And I really like this idea that it’s about bonding the lesson with the person basically.
Kortney: Right. And I think one of the things that we try to do in our program is there’s a concept of TLDR, too long, didn’t read, right? So, I try to start from there and then build out training and resources and awareness around that. So, don’t lie, cheat, or steal, TLDR. What does that mean? Well, that means we have to follow these rules. So, every time there’s a regulatory update or every time there’s something that our broad teams need to know, we’ll send an update with some training, but it’s usually written in a really kind of, I’ll say, sarcastic tone. It’s funny, we use GIFs.
We engage and say, “Hey, if we sell something to someone, we have to actually mail it to them.” Like, mail order rule is really complicated and it’s really boring, but we distill it down to, if someone buys something from us, we have to actually send it to them or we don’t get to keep their money. And so, it sounds like we’re dumbing it down but I like to think of it as really distilling what you need to know. You don’t need to be a lawyer. My entire team is full of people whose job it is to know this stuff.
Your job is to know what rules you have to follow and what you have to do to keep us out of trouble and keep yourself out of trouble. And so, I’ve shared on LinkedIn a few times before kind of our quarterly compliance updates, and we write them, we’re snarky. We’re trying to be authentic and trying to get a message across that doesn’t feel like we’re talking down to people, but engages them to not only keep reading but to get some sort of understanding of what we’re trying to get across.
Matt: You know, I wanted to also ask a question. What training do you give specifically to middle managers? Because they always strike me as the glue throughout the whole organization. At least for rank and file employees, you’re telling them what to do or not to do, but with middle managers, you also need to tell them, “And when there’s a violation, you need to bring it to our attention. You can’t bottle this up. This is how you have to handle misconduct that might be happening on your team.”
Like, they are so critically important even if the training is just, and please talk about the need for good ethical behavior a lot. So, you know, let me, again, I’ll ask Scott first and then Kortney and then Nick, whatever you think. But middle managers, you know, how do you capitalize on that valuable resource? How do you make sure they’re getting the right training about the role they’re supposed to play?
Scott: Sure. So, depending on what the training is, we would typically divide into three different tranches, if you will. So, top management, that we’re really talking about communicating the message and how to set the right example, tone from the top, middle managers, and then the staff, the non-management staff. And I have to agree that the middle manager, they’re really critical there because when you’re thinking about what you’re trying to include in the training, you want to do a little bit of both or a lot of both, the operational, you know, here’s the meat of the requirements, if you will, but also, here’s how you message it.
And in some cases, there’s some mechanical, if you will, stuff about it. Okay, if you get this complaint, this is where you send it. But this is not just a compliance thing. This is part of being a manager. And for that reason, you need to work with the HR people because the HR people will generally have some sort of training about how to be a middle manager, how to communicate the message. And a lot of it is probably focused on compliance anyway. And you may add that to your curriculum.
You may have a middle manager curriculum that will include, you know, the things that are specific that you’re putting out and your middle manager modules or instructor-led, as well as some of these things. You may require them to take some of these HR courses. One other quick point is that this may be an audience where instructor-led training is more appropriate than e-learning, you know, because that’s one of the things that we always think about. And, to me, ILT, instructor-led training, is really there for when you want to have some give and take, some Q&A. And this may be one of those areas where you may say everybody else gets e-learning but ILT goes to the middle managers.
Matt: Okay. Kortney, what do you think? How does it work at Deluxe? How do you think about middle managers?
Kortney: So, we do have middle manager training that is targeted toward the muddle in the middle. So, they’re the first ones usually to see problems, they’re the first line of reporting for almost everyone, if you look at the data that says people are more likely to report to their manager than anyone else. And they’re also the ones dealing with making sure the job gets done because their frontline is people doing the work. And so, we try to give them custom, here’s management tools, here’s explanations, here’s guidance.
But we do also rely a lot on our HR department and our HR business partners to reach out and really build those connections. We make ourselves accessible all the time to everyone, but our HR folks really build that connection and the freedom of flow of information in both ways with our middle management and loop us in as, we’ll say, trusted advisors on compliance issues.
Matt: And, Nick, give me your thoughts. I guess, especially maybe somebody here brought up a good point that, you know, middle managers are sort of the vessels for the corporate culture. You know, you, the CEO, define it but somebody else is gonna have to go and carry it out to the rank and file. That’s the middle. So, what do you think about how to handle them and approach them the right way?
Nick: Yeah. I think, that comment is spot on. And I think, you know, we all love alliteration, so everybody wants to, like, just tone at the top, tone at the top, tone at the top. It’s, like, it’s stale. The tone at the top is gonna be the same. Okay? No CEO is gonna say, “I don’t care about people and I don’t want an ethical organization.” Even the ones that are psychopaths are gonna be saying those things. So, the tone at the top, I mean, you know, I guess we can get into the whole debate of words and actions and so forth, but, like, nobody sees those actions.
There are people who don’t even know their CEO if they were standing in the elevator with them depending on their organization size. So, those guys in the middle, those folks at the middle, I would argue, you know, kind of in line with this comment that you just alluded to, Matt, those are the true arbiters of the culture. Those are the true guardians of it and those are the ones who are actually carrying it forward. If you go to a Wolfgang Puck restaurant, he’s not back there cooking. There’s some cook there and there’s some server that’s actually kind of determining your dining experience.
That’s the picture of the middle managers. And the culture is much more an amalgamation of all these little teams and all these little pods of people and all of their little localized experience than it is on the new values that the CEO just decides to put on the website. So, that is such an untapped resource, engaging those folks. I love Scott’s sort of, like, hybrid approach to, you know, the e-learning and the in-person to really, you know, get those generals, I’m not an army guy obviously, but get those generals or lieutenants or whatever, like, super lined up with, like, what the battle plan is, and getting them to sing that same battle cry throughout the year.
That’s gonna go 10 times further than picking the right vendor or, you know, convincing your CEO to record a 30-second TikTok about, you know, whatever the, you know, ethical quote of the year is, you know what I mean.
Matt: You know, let me also ask another sort of mechanics question about training. How are you assessing its success or what you might need to do to change it? That is something the Justice Department is talking about all the time these days, is testing your internal controls. Training is a control, it’s an important one, but, you know, that’s the message from the regulators, is you have to assess, you have to adjust, you have to test. Training is no exception to that. So, how do you get that done? I don’t know if it’s easier to do in a remote work environment. In theory, we’re all getting online learning. So, is that more subject to data analytics? Or, how would you do it for in-person training? How do you assess that? But Scott, I’ll ask you first and then Kortney. What do you think?
Scott: Yeah. You’re right. I mean, everywhere you see DOJ and other regulators saying, you know, you have to assess the effectiveness of your training and then they stop. You know, they don’t tell us, well, how exactly do you do that. And it’s a tough one. So, we produce metrics but we have to get away from… You have to educate sometimes other people in the organization that on-time completion ratings, you know, is not the same thing as effectiveness of the training. It’s the effectiveness of your escalation process.
If you really want to know whether your training is effective, you’ve got to see if it’s changing behavior or reinforcing good behavior. And so, probably, I try not to overthink this. You know, you can take a look at…we gave the training on this date, let’s take a look. You know, you have to incorporate it into the other metrics within your compliance department or audit, and compare it to breaches. Now, that is fraught with difficulty. Number one, you know, there are other things that influence behavior and it could just be a coincidence.
Number two, I think everybody here recognizes that sometimes, if you give training, it’s a success if the number of breaches goes up because it means now people are recording it. So, you can only go so far with that. But, you know, at least you can say we’re at least looking at it. And you can draw some inferences anyway. But I also would like to take a look at question-level data. And this is why we’re using, you know, e-learnings. You can get a lot of intelligence from that. And that includes, you know, are there areas where people are clearly not getting it?
And first thing you have to do is, is it a bad question? But you can say, okay, there’s Question 7 about outside business activities and only 54% of people are getting that one right. And then, you can start to take a look at it and, you know, say, of those 46 that aren’t getting it, most of them are in the Boston office or most of them are managers. And you can start to provide intelligence, you know, to the rest of the organization that says, look, you know, we’ve got a hotspot here. Now, that’s not the same thing as demonstrating the effectiveness of your training by giving it a metric, but you can show that it’s effective in that it is helping the rest of the organization.
And I’ll just throw in one, just very briefly, one of my favorite metrics from when I was a chief compliance officer was we would put out our attestation for the code of conduct but also training and, you know, everybody had to get it done. And after a while, I realized two things. Number one, literally, the first person in an organization of about 40,000 who usually got this done was the CEO, which made me wonder what he does all day, but that’s a separate question. But literally, the last people to do it were his direct reports.
And that was only after they had the chief compliance officer standing in their doorway saying, “Get this done.” That’s a very interesting cultural metric. Not necessarily one you wanna, you know, advertise but that tells you, you know, forget your tone at the top, this tells me whether compliance or compliance training is being taken seriously by those that drive the message.
Matt: Okay. Kortney, how do you try and get beyond the effectiveness of the training and what’s the metrics you look at, the things you study?
Kortney: So, we’re a little, I’ll say, touchy-feely here maybe, where our team, our compliance team, is engaged very deeply in the business and through our change management and other pieces. Pretty much, the business can’t make changes, can’t do much without our blessing, without coming to us and letting us know. And so, through this, we call it a liaison model, we can really get good data. It’s not numbers in a spreadsheet data but it’s more, hey, people are actually understanding this. They’re coming to us with questions about this. They’re making fewer mistakes in this area.
Those kinds of things where we’re really…it’s an informal survey of who’s understanding what, what they’re missing, and what we can do to fill in those holes. A really good example recently is when Russia invaded Ukraine and the OFAC and the sanctions exploded. So, we have OFAC scanning because we’re a business and we do that but there was a bunch of people both in our IT and our business side that didn’t really understand why and what it meant and why we had to change it and re-up the processes.
And so we went, I did a little session that said, “Hey, OFAC is bad people. We’re not allowed to sell stuff to bad people. Now, these people are on the list and so we need to be really careful not to do X, Y, and Z.” And that resulted in business leaders coming back and saying, “Oh, I’ve never understood that before. I get it. I understand the context. Now, we’ll be on the lookout for that.” And so, I think because metrics and training can be so focused on completion, we do try to kind of just take a pulse and react as real-time as we can to any gaps that we’re finding with our interactions.
Matt: Nick, what do you think? And a couple of people were in the chat there talking about, really, we’re asking for KPIs for employee engagement, which is, and I think a good way to phrase it. I’m still stuck on how one can easily or accurately measure employee engagement. What do you think?
Nick: I mean, it’s a tough problem to solve. I think if we can kind of zoom out from this problem a little bit and ask, like, “Well, why do we care about this?” I think we care about it because at some level, we wanna make sure that our efforts are kind of being fruitful. And on another level, we wanna make sure that, like, if we get in trouble, we can prove that we’re being effective. So, I don’t know if folks were at Compliance Week last week. There was a really great speech by Kenneth Polite, I hope I’m pronouncing his name right, but he is the assistant attorney general in the Criminal Division, a former chief compliance officer.
And it was, like, one of the most insightful conversations that I’ve heard. You should download that speech if you haven’t heard it. I’d love to do something with him at some point. But he gave some great insights into, like, the mind and heart of the DOJ as they’re coming into organizations that are having a problem. And the thing that I kind of took away, I’d love to hear, you know, anybody else’s reaction in the chat or who were, you know, perhaps there, he’s really… It seems like what they really care about is, like, are you trying? Are you actually trying to be effective?
And if you’re actually trying, you’re probably gonna have some things to point to. So, I mean, anything that Scott just said, clearly, you’re trying to be effective here, you’re trying to look at it from a couple of different angles, you’re looking at KPIs, you’re looking at, you know, am I having, you know, are we having more reports. Are you looking at it? And I think if you can point to those things authentically, your case is going to be made. And I think if you’re just in that pursuit on that journey toward, like, actual effectiveness, you’re gonna see what’s working and what’s not working in your particular, you know, tech stack, in your particular organization, in your particular workforce, and so forth.
So, I’m not trying to, like, sidestep the question, I’m just saying, like, a genuine desire to, like, roll up your sleeves and kind of get your hands dirty and think about, well, what is actually gonna show me that this is working? In A/B test and scientifically test, the data that you’re pulling out, some of it is gonna be subjective, some of it is gonna be objective, some of it is gonna be anecdotal, whatever those things are. But if you can document those things, at least in your mind, and have a story that you’re kind of testing along the way to make sure that this car is on the road of effectiveness, you’re going to be…you’re going to get closer to the goal.
Matt: You know, one question… Oh, go ahead, Kortney, if you have…
Kortney: I was gonna say, and this underscores kind of the whole philosophy of, I call it GOYA compliance, Get Off Your Tush, only another word for tush, compliance. Be out there. Be part of the program. Be part of the organization more than just sitting in an office and issuing edicts and assigning training. So, if you’re not walking around, if you’re not…and your team aren’t engaging with the people doing the work regularly, you’re not gonna have an accurate depiction of what’s going on in your organization in my opinion. You can’t get much from an ivory tower. And so, be part of it, be embedded into the organization to the extent you can, and then you’re going to get a ton more feedback.
Matt: You know, I did just wanna pick up on one thing, Kortney, you said that I thought was really good when you were talking about OFAC compliance. And you might have people in your enterprise who have no idea what OFAC is, and you simplified it to, we don’t do business with bad guys. And I think that’s important to tie the compliance lesson or simplify it or distill it down to the core ethical message. With FCPA, you could very easily tell salespeople, “We don’t cheat to win a contract.” I have never in my life met a good, enthusiastic salesperson who wants to cheat.
They want to get the contract because they are the best, because they are so hyper-competitive. And it’s that sort of stuff that really suddenly makes everything resonate much more. Yeah. I don’t know if any of you have any thoughts about the importance of, like, tying the lessons back to the core ethical values. I don’t know if it’s something you do or something you try for. But, Kortney, since you put the idea in my head, what do you think of it first, and then I’ll ask Scott and Nick too?
Kortney: I think it’s great, and our code of ethics starts with, and I wrote it, so this is purely a plug, but it starts with make good choices. That’s what we put on paper, make good choices. And then, we tell you what good choices means. We tell you what, for Deluxe, what that means. Making good choices means we’re going to act ethically, means we’re not gonna show up to work drunk. It means we’re not going to hug people who don’t wanna be hugged, and we’re not gonna lie, cheat, and steal. And so, we’ve really broken it down and I tried to break it down into simple concepts.
This comes from me trying to explain to my grandmother what my job is and it’s nearly impossible. And so, it’s really, I help people follow the rules and make good choices. And that is the overarching goal of our ethics and values system. So, if we can tie everything into, here are the rules, here’s how you can make good choices, here are the tools you can use when you’re not sure what the choice should be, that’s what we’re really trying to give people.
Matt: And Scott, what do you think, especially when a lot of regulation and banking is more arcane than it is, you know, basic bare ethical principles? But, yeah, how do you try and solve that sort of a challenge?
Scott: Well, I think the one that, to me, is really easy and really critical are the regulations that, you know, OFAC. So, this is a money laundering terrorist financing sanctions. I gave instructor-led training, 42 sessions, to several thousand senior-level people at a bank around the world. And it was the same session each time. And they wanted to give me… They gave me some slides and it was the usual numbers and laws and things like that. And instead, so, as you know, Matt, I used to be in law enforcement and I was a federal agent.
And I drew on that to say, “Those bad guys out there, yeah, they fear the FBI, but they really fear the bankers.” Because, you know, we have to follow… Agents have to follow the rules and it takes years and, you know, maybe you’ll get off or whatever. The bad guys are doing what they’re doing for the money. And what keeps them up at night is that the banks will catch them and stop the flow of money, you know, and then they’ll have to go legit or something boring. And so, I would get up there and, you know, like a preacher telling these people, “There are bad guys out there right now that are counting on you not doing your job well.”
And I also put it in the context of, who are the victims? You know, and I go through, you know, examples of, you know, child abuse, human trafficking, the effect of drugs and things like that. And I do it pretty dramatically. And, you know, so again, we’re going back to connecting them to something that they have an emotional connection to and, excuse me, you know, taking it from that point of view and letting them know, we don’t want them to think that what we do is important. And to motivate these people to know that every day you go in, there’s somebody who’s counting on you not being motivated and doing your job.
And at the same time, there are people out there that you will never meet whose lives you’re gonna save by doing your job well. You know, that’s how you get that message across. A little bit more difficult with Regulation W but it’s an easy one when it comes to AML terrorist financing and sanctions.
Nick: You just gotta get a little more creative with that one. That’s all.
Scott: Thank you. Anybody have any ideas, let me know.
Nick: Yeah. Put them in the chat, please. Okay. I love what you just said and I think many times… So, you know that Simon Sinek famous speech about start with why and there’s the golden circle and it’s, like, what on the outer ring, and it’s how in the middle, and it’s why at the core, many times, our trainings are focused on that what and maybe sometimes they’ll get down into the how. A lot of our questions are like, well, how do we get people to behave this way? And I love the way Kortney kind of described her job to her grandmother and I love those stories that you were talking about in that 42-session training, Scott, because if you can tie that down to the why, of, like, why is this important?
Why am I sitting through this hour learning about, you know, OFAC, and, you know, all these other things? There’s a reason behind it and that why is usually pretty compelling and it’s usually something that overlays with all of our values. Like, if you look at, like, the important values across cultures across the world, like it’s some semblance of the same synonyms, you know what I’m saying? So, tapping into those things, those base-level things that people care about, and giving them that why anchor point allows for that how and that what ultimately to, like, naturally, logically stem from that root if you can establish it.
Kortney: We do that directly. Every time we have a regulatory change, we send an email about, we say, “What is the change? Why should I care?”
Nick: Yeah. Amazing. Amazing.
Kortney: And you’re literally right. Why should I care?
Nick: That’s what people actually care about. Great.
Kortney: Or why does this matter to me?
Kortney: Okay. Because then, we’re getting straight to the point, not because I have to send an email but because here’s why you need to care.
Nick: We have to humanize everything we’re doing. We’re talking to human beings. We have to speak human to other humans if we want these humans to act in the right way. It’s simple…
Kortney: Call for authenticity as well. So, you don’t need formality.
Nick: Yes. You put a little snark in there. Put a little snark in there.
Kortney: Yes. You don’t need formality to be taken seriously. You can be who you are because that’s gonna read so much more authentic and be picked up on so much better than I am your chief compliance officer, here are the rules, and here’s why you’re gonna follow them or get fired. No, be who you are and incorporate that into your program.
Nick: Incorporate your own why into it. Sorry, Matt. Incorporate your own why. You’re passionate about these things. Why? Well, share that. Again, that authentic connection, if you wanna build actual relationships, you wanna build actual behavior change, you have to have that authentic connection point human to human. Sorry, Matt.
Matt: Well, I did wanna sneak in one question about the other things that must exist in the compliance program to support the training, and I’ll pick up on it. So, Kortney, speaking of getting fired, when people get fired, that is a wonderful way to inculcate the importance of something to others. So, I am thinking through that, you know, you also…your broader enterprise and corporate culture do need to actually enforce the policies that you’re having, a strict disciplinary policy. You know, you need to be able to show people that we’re not doing training for the sake of training, we’re training because we expect certain outcomes.
And if you deliberately deviate from it, there are going to be consequences. So, I’m wondering, you know, how your program handles that? How do you talk maybe with HR or legal or the C-suite about it is important that we take a dedication to ethics and compliance seriously and that’s gonna help the training that we’re inculcating. But, you know, Kortney, I’ll ask you first, and then Scott. You know, how do you fit all of those pieces together?
Kortney: I’ll say I’m lucky. Our CEO wants our input from the very beginning. But one of the things I think most companies struggle with, and I’ve seen it in my past, is high performers that make bad choices, and they get away with it because they’re raking in the big bucks. And so, one of the things that we’ve built in our partnership with HR and the C-suite is we have to, across the board, be consistent. We have to be consistent about what we care about and we have to be consistent in our choices on how to enforce what we care about.
So, that is a really key piece that we have when we go to the, like, senior leadership training. So, if we’re going to fire a frontline worker for doing X, we have to fire a C-level for doing the same thing. And alternatively, if we’re not gonna fire this one, we shouldn’t fire this one, not only because we’ll get sued and there’s discrimination and all of these other things, but also because if our values are going to be our values, they need to apply across the board. So, that’s kind of where we come from but this is a challenge, I think, that everyone struggles with.
Matt: And Scott, what do you think? And I love Kortney’s point about consistency although, you know, really, it’s more up to senior leaders to demonstrate and communicate the consistency more than, say, a compliance officer. But, what’s your observations?
Scott: Yeah, I think to that point, looking at that narrow aspect of it, training is more playing a supporting role in terms of, you know, it’s more for the CCOs of the world to ensure the consistency of the disciplinary actions. But having said that, I think that the key thing is to connect training to this whole idea of your culture of compliance. Because, there’s two elements here. One is, you know, we need to…as compliance training people, we need to encourage the compliance leaders and the executive leadership to communicate this culture of compliance.
And then our role is, you know, we put out a cultural compliance, I hesitate to even call it training. Just think of it as communication, you know, dressed up as training. But don’t stop there. People also have to communicate the message that all this training you’re doing is part of this overall effort. So, we’re telling you do the right thing, there are rules and policies that you’re gonna have to follow, but we’re not gonna leave you in the wilderness. We’re gonna provide you training that guides you in terms of making those right decisions.
So, you know, you have to be part of a good team, which is sometimes not always within your control. But a team that recognizes that they need to communicate… Training is not just tick the box. It is part of this broader effort. I think what we suffer from is the evolution of compliance training. You go back far enough, it really was tick the box. It was somebody screwed up… I remember when I was CCO, somebody screwed up, the first thing the CEO asked me was, “Are we covered? Did we train him?” You know, I get the point, but, you know, we’ve moved on since then. And now, we have to move everybody else from, you know, that attitude about training so that they see that this is an integral part of the overall culture of compliance.
Matt: All right. And, Nick, I’ll let you take a minute or two for the last word here because I know we’re pushing up to the top of the hour. But, you know, yeah, any thoughts about how you leverage training for a better corporate culture and vice versa? How do you make sure those things fit?
Nick: I think, you know, that reframe that Scott just talked about of it’s not training, it’s communication, kind of opens my mind up to, like, what we’re actually doing. Like, if we have a symphony, all the different instruments are playing the same song, right? Unless it sounds like a massive cacophony. So, getting that song played throughout the year by all the different instruments is how we can really have the right harmony and create this right culture that we’re talking about. It’s not just an amalgamation of a bunch of rules, it’s a way of being.
You know, it’s how we do business. You know, Judy brought up a great point. And, you know, part of why I love this game that we’re in is we have such a unique opportunity just being in ethics and compliance. Our greatest resource is each other and our greatest resource is the authenticity with which we can engage with each other. And that’s why I love these webinars, because they’re such a great sort of exchange of ideas and thoughts and perspectives. And Judy brought this thing up and she said, “You know, I respectfully disagree with the statement that the tone at the top is always the same. I’ve worked with senior members who make it known that compliance is an expectation, even if that means paying back a bunch of money, and I’ve worked with others that have called compliance, the showstopper or the fun stopper, which to quote a hospital CEO. And they make it known that the perception of compliance throughout their conduct and their words.”
And I think that brings up a really interesting point. I’m glad that she felt, you know, comfortable enough to share that disagreement. Through this debate and through us kind of chewing on these different topics, I think it opens up a lot of opportunity. But using communication in the right way and shifting those perspectives from the folks at the top, if they have these wrong views of ethics and compliance, is such a massive opportunity for us to utilize this leverage point that we all have by the nature of the industry that we’re in. So, you know, reaching out to other folks who you’ve seen a speech of, you’ve seen a post of, you have, you know, people that are, you know, on this panel now, everyone’s so willing to help each other.
And to develop capabilities and develop talk tracks to start to change the behaviors of folks, whether they’re at the C-suite who have the wrong view of ethics and compliance because they’ve got their fingers snapped in the, you know, mousetrap or those who are just kind of spinning their wheels in a compliance team of one. So, as you can tell, I’m super passionate about this. This panel, once again, round of applause for Matt, round of applause for Kortney and Scott. You guys really brought a great discussion to bear today. And everybody who participated in the chat.
I mean, I can’t wait to go back through it and read everything, but this is the magic that can come from an ethics and compliance community if we engage in it and if we share because we’re all fighting the same fight. We’re all fighting to try to make our workplaces better. We’re all fighting to try to make…to, you know, stem the tide from the great resignation. And, you know, we all wanna work in workplaces that are built on authentic integrity. So, I’m honored to be part of this whole thing. Super thankful for, you know, Kortney and Scott and Matt once again for guiding us through what was an amazing discussion once again.
Matt: Well, in that case, yep. Kortney Nordrum and Scott McCleskey, thank you both, and thank you to everybody who’s been participating for the last hour.
Scott: Thank you.
Matt: Thank you.
Nick: Take care, everyone.
Matt: Have a good rest of your day, buddy.