Anticipating risk: Create your own e-learning compliance programmes

Over the past few years, there has been increasing regulation of commercial undertakings, and nothing seems to indicate that this development will change. Regulation
is becoming more intense in the areas
that have been subject to regulation for quite some time, and still new areas are
being regulated. This has led to the consolidation of both the financial and
legal services sectors.

Regulation takes the form of both hard law (such as binding rules and regulations, the non-compliance with which immediately trigger formal sanctions, typically in the form of a fine) and soft law (recommendations, good practice instructions, codes and the like, the non-compliance with which may trigger negative reactions from the undertaking's surroundings - the public, customers and other stakeholders). Empirical evidence shows, with a fair degree of certainty, that the soft law of today is the hard law of tomorrow. For this reason, it is definitely advisable to pay a considerable amount of attention to soft law.

For law firms, a special feature of the requirement to display compliant conduct within their area (as opposed to meeting general professional requirements in the services they provide to clients) is that, whereas any claims arising as a consequence of having provided services that fail to meet clients' legitimate expectations will, to a considerable extent, be covered by liability insurance, the consequences of non-compliance will typically affect the firm's reputation.

The consequences of negative press coverage can be severe - so severe that many people believe that this type of risk is among the most important risks faced by service providers. The internal and external costs of handling negative press - both warranted and unwarranted - can be high, and such costs are not covered by any kind of insurance.

Compliance agenda

Accordingly, it is with good reason that identifying and managing business risks have, to an increasing degree, become an area of focus of law firm management. The need to improve risk management and internal compliance - and the documentation thereof - may also be
due, in some firms, to client pressures.

It is well known that financial institutions increasingly expect their service providers (including law firms) to be able to document that they are processing sensitive data
with the same level of confidentiality as
that applied by financial institutions.
Law firms are also being expected to comply with requirements that clients have created for themselves, even when such requirements are more extensive than those posed by legislation.

While it may seem relatively easy to deal with these issues in small enterprises, it goes without saying that, in an undertaking of some size, it is impossible to centrally monitor and ensure that everyone's conduct is compliant at all times. Consequently,
there are very good reasons to consider how best to ensure that knowledge of the rules which the firm is subject to, as well
as its value statements, reaches all parts
of the organisation and that they are complied with.

The object of placing compliance on a firm's strategic agenda is twofold:

1. to increase employee awareness of the importance of the firm acting in compliance with the rules and to address any situation which amounts to a problem or an issue to be addressed - an attitude-training process; and

2. to increase the general skills of employees within the area, such that they are capable of adequately handling the problems which quite naturally arise - in other words, perfecting their skills.

It is essential that the firm's senior management team are willing to place internal compliance on the strategic agenda and that this willingness is evident across the organisation. This means that information about the implementation of a compliance programme should come from senior management, at least to start with. The implementation and more technical information can come from the part of the organisation responsible for launching the project (see box: 'Internal communications on e-learning programmes').

E-learning compliance

In principle, there are no sub-topics in the compliance arena that are not suitable for inclusion in an internal compliance training programme. To begin with, it will be natural to focus on the most business-critical areas and, of course, the areas in which, due to statutory requirements, there is a need for constant focus, for instance in the form of continuous supplementary training.

It will thus be natural for law firms to include topics like anti-money laundering, conflicts of interest, duty of confidentiality, and handling of client data and documents in a compliance programme. Most law firms are structured with some degree of specialisation and, consequently, there will likely be certain topics or questions in such a programme - which must necessarily be the same for everyone - which fall outside the scope of what some individual employees deal with on a daily basis.

There is nothing to be done about that, however. It is a statutory obligation to conduct certain learning and development activities for all employees (such as regular training on anti-money laundering). Furthermore, it is important that all employees have a certain level of knowledge of the types of problems that
the organisation on a whole is faced with.

When choosing the nature of the programme, it is important to realise that traditional face-to-face training courses, which will undoubtedly be the easiest to launch, provide only limited knowledge of the benefits derived by participants, just as it is rather inflexible to expect all participants to be in the same place at the same time.

By contrast, a course conducted through e-learning gives management deep insight into the skills of employees - both as a group and as individuals. It is also possible to see which topics stand out - negatively or positively. It is, of course, a prerequisite that you know right from the planning stage what data you want to be able to extract, so as to create the right specifications for the software.

Such an e-learning process - which is basically a test included as an element in the overall programme - is a management tool. It is therefore important that the firm's management are, in advance, quite clear about the demands they want to pose as to when the test has been passed and what the consequences are for people who do not pass the test.

To avoid reactions if the pass-rate changes from year to year, it is also important that information about pass rates remains with the management and is not announced within the organisation. Against this background, you may ask if it is in fact necessary to apply the criteria 'passed' and 'not passed'. I think it is necessary, simply because anyone taking a test wants to get feedback on his or her performance.

It is also important for management to consider how and when to give participants feedback on their performance. To avoid any trading of passed tests, it is advisable that feedback on whether the answers are adequate is not given until after expiry of the period in which the test can be taken.

It is also advisable to think about who is to draft the questions - if it will exclusively be employees who, on a daily basis, work with compliance issues, there may be a risk that the level will be too high. This concern is naturally greater if the organisation announces in advance that a specific percentage of correct answers is required as a condition for passing.

To enhance democratic legitimacy, it is a good idea to carry out a quality assurance of the questions before they are released. Suitable products are currently not offered in the Danish market, so we developed our own product for our firm. Pains should then be taken to ensure communications about the e-learning programme are adequate and effective (see box).

 

---

Internal communications on e-learning programmes

The initial information from management to employees should include:

• information about the background for launching the compliance programme;

• the individual components of the programme;

• general information about the practicalities of taking the test;

• the percentage of correct answers required to pass the test; and

• communication that the details of the training will be provided by the person responsible for the project.

The person responsible for the programme should then communicate additional information about the background and the benchmark for the test, based on statutory and client requirements. They should also provide answers to standard questions about taking the test, including:

• How long is the test expected to take?

• Is there only one correct answer to a question?

• Can I go back and correct the answers already given if I think of something better?

• Will I occasionally need information from previous questions that I have already answered?

• For how long will the e-learning programme be open?

• Can I close the programme without having completed the test and then resume the test at a later time?

---

 

Hindsight improvements

The procedure I have described is that which we wish we had followed. It is a combination of the things we actually did with the feedback received from our colleagues on what must be included next time. In our firm, there is no doubt that such tests included as part of various programmes will recur on a regular basis. In particular, with respect to anti-money laundering and legal ethics, this test procedure will be conducted annually.

There was some scepticism among various employees in the launch phase: Why do we have to do this? Is it relevant at all? We know this - we do it every day! However, the tests and the course of events leading up to the tests showed that the activities were actually quite useful. It turned out that, in the period during which tests were conducted, employees actually talked to each other about the questions and, more generally, about the topics of the test.

The ideal scenario is that these topics are the subject of general awareness, hopefully in order to make employees capable of independently-solving problems that arise in their general work. To at least the same extent, it would also increase their awareness of when to seek internal assistance with tackling a difficult situation.

The feedback we received was all positive, even from the small group of employees who did not make the cut we had introduced.

Continued support

We are on an ongoing basis conducting courses on compliance issues for new employees. We have also arranged for a quite intensive programme of brush-up courses shortly after the period in which employees could take the e-learning test. The object of this is to support the employees who had not passed the test, without this being perceived as unnecessarily uncomfortable for them. We are not applying any other sanctions in respect of these employees. Other law firms who apply e-learning tests let employees who have not passed a test to take it again until they pass.

A further argument for implementing internal compliance programmes is that deep knowledge about how to organise such a programme is a significant advantage when meeting clients' requests for such services. Demand for this, which is on the rise, can be seen within the areas of data protection and competition law.

Such an approach contributes to the creation of strong relationships between a law firm and its clients. Clients will perceive their lawyer not just as someone to call when things have gone wrong, but as someone who is actually able to provide advice about their business in a way that helps to reduce the risk that things get out of control.

However, it is evident that this kind of advice requires insight into each client's business activities - insight that not all lawyers possess. So, it will require a not insignificant investment to go down this road, but I think it will turn out to be the right decision.