To measure the effectiveness of a compliance training program, you can’t come up with a metric that measures how many violations it prevented. Everybody knows intuitively that training helps prevent compliance violations. Again, that measurement is too far removed from the purpose of the compliance training program. However, it would be a good metric for the overall training program if you could figure out how to do it.
But how often do you see companies reporting the number of classes that were delivered? Or how many hours of compliance training were completed? It happens all the time. It could be a completely accurate statistic. It could be a measure of compliance program efficiency. It could be an indicator of an active compliance training program. But it in no way shows if the compliance training is effective.
But there are ways to measure training effectiveness. You can show that the training was aligned to the company’s risk profile. With user surveys and focus groups you can measure whether the learners feel that the training is applicable to their role and you can measure user satisfaction. You can ask learners to give examples of how they have changed the way they do their jobs.
Why don’t companies do a better job of measuring the effectiveness of compliance training? Because it’s very challenging to do. But there are ways to do it. Shawn concluded with one of his current ‘most favorites’, implemented at GM this year.
At GM there is a cybersecurity course that explains how to avoid phishing email scams. It is required of all employees who have a GM email account. To measure how effective the training was, the IT function came up with a method: it sent random batches of employees emails that they should have recognized as phishing if they had paid attention to the training. If the employee recognized that the email was suspicious and clicked on the “Report Phishing” button, they were congratulated on reporting the email as suspicious. However, if they clicked on the link in the email, the IT team knew that the training had not met its objective. Those employees who clicked on the link were kindly informed that they had failed the competency test and were given immediate feedback on how to avoid phishing scams.