We know a lot about what the feds expect from compliance training. For example, from the Evaluation of Corporate Compliance Programs and the FCPA Resource Guide, we know training is a hallmark of a well-designed compliance program. We know directors, officers, employees, and maybe even third parties should receive periodic training, with a special focus on gatekeepers. And we know training needs to be appropriately tailored to fit the company’s operations and workforce. What we don’t know, however, is how much training is enough.
I’ve struggled over the years to figure this one out. Maybe you have, too. The end game of compliance training is to prevent bribery and, if bribery happens, for the company to be ready and able to demonstrate that it appropriately tailored its compliance training to prevent and detect bribery. That sounds fairly simple.
But how much training is enough? Does appropriately tailored equate to five hours of training a year? Or ten hours? And who says so? On what authority can a chief compliance officer say, “Our compliance training is enough”?
In his 2007 bestseller, Outliers, Malcolm Gladwell famously articulated the 10,000-hour rule. Using the example of violinists, he said those who practiced 10,000 hours rose to be soloists, while those who practiced less were either supporting players or teachers. Gladwell said he found the same outcomes with chess players, writers, composers, and others.
Few people can devote themselves full time for five years to learn something new. And clearly, not everyone in a company needs to be a top-level compliance expert. The CCO does, and maybe a few deputies. But does anyone expect the HR manager, CFO, or chair of the board’s audit committee to know that much about compliance?
After Gladwell freaked people out with the 10,000-hour rule, another writer, Josh Kaufman, calmed things down. He came up with the thesis that it takes only 20 hours to learn a new skill. His idea was to reach a level of competency, not total mastery, and then develop the skill further by using it, eventually hitting the highest level desired.
Kaufman field-tested his ideas. He found the key to learning anything new in 20 hours (in his case, coding) involves a few common steps. First, committing to practice at least 20 hours without quitting. Second, learning core concepts and practicing them by immediately doing actual work instead of “canned tutorials.” Third, breaking the new thing into small parts, so the 20 hours of practice are focused on specific tasks, where small mistakes can be self-corrected.
Would Kaufman’s 20-hour approach work for compliance training? I think if it was appropriately tailored, it could work. One immediate benefit is that it would make decisions about training durations less arbitrary and more concrete.
Beyond that, it could bring real change. If companies asked directors, officers, and employees (and especially gatekeepers) to commit an hour a day to learning and practicing ethics and compliance for 20 consecutive workdays each year, all those little sessions would add up. They’d bring new and more permanent awareness. It’s the opposite of the firehose approach. Lots of small sips instead of a gushing torrent.
I don’t know if any company uses the 20-hour approach or something like it for compliance training. Conventional training — one, two, or three longer sessions a year, depending on the role of the target trainees — seems to be the usual practice. That works too. And there’s always something to be said for sticking with the conventional wisdom if it works.
But maybe the 20-hour approach works better. Who knows? I hope someone using it now or willing to give it a try will let the rest of us know how it’s going.