The First 30 Days: Auditing the Existing Compliance Landscape

Stepping into a new compliance leadership role, particularly one overseeing an established training program, is a monumental task. The temptation for any new leader is to arrive with a predetermined playbook, ready to implement strategies that brought success in previous positions. However, this approach is often counterproductive. Every organization has a unique cultural fingerprint, a distinct risk profile, and a complex history of what has and has not worked. The first 30 days should not be about implementing change; they should be about deep listening, methodical observation, and humble inquiry. Your primary objective is to understand the “why” behind the “what.” Why is the training structured this way? What institutional knowledge shaped these policies? What are the unspoken rules that govern employee behavior? By adopting a mindset of an anthropologist rather than a revolutionary, you build the foundation for informed, sustainable improvements that are respected and adopted by the organization, rather than rejected as an outsider’s ill-fitting mandate. This period of active listening is also critical for building political capital and trust with your new colleagues.

Your initial 90-day plan must be front-loaded with diagnostics. Before you can propose optimizations, you must develop a comprehensive understanding of the current state. This means resisting the urge to critique or offer solutions immediately, even if glaring deficiencies are apparent. Instead, focus on gathering information from every available source. This includes formal documentation, system data, and, most importantly, the people who interact with the compliance program daily. Your team will be watching closely to see if you take the time to understand their work and their challenges. Demonstrating that you are there to learn first will make them significantly more receptive when you eventually do propose a new direction. This initial phase of immersion is the most critical step in ensuring that the changes you make in the subsequent 60 days are the right changes, targeted at the organization’s actual needs rather than perceived problems.

The Stakeholder Interview Tour: Mapping the Human Element

The most valuable data you can collect in the first 30 days will not be found in a spreadsheet. It will be found in one-on-one conversations with key stakeholders across the organization. Your first priority should be to map out these individuals and schedule time with them. This list must extend far beyond the legal and compliance departments. Include leaders and managers from Human Resources, Operations, IT, Finance, and Sales. Each department interacts with compliance risk in a different way and will have a unique perspective on the effectiveness of the current training. HR can provide insight into patterns seen in exit interviews, employee complaints, and onboarding feedback. Operations leaders can speak to the practical realities of safety training on the factory floor or in the field, highlighting where training may be disconnected from the actual job tasks. IT can discuss data privacy and security training, while Finance can speak to internal controls and fraud prevention.

When conducting these interviews, your role is to ask open-ended questions and listen. Avoid questions with simple yes-or-no answers. Instead of asking, “Is the compliance training good?” ask, “Can you walk me through the compliance training you and your team receive, and tell me what parts you find most and least effective for your daily work?” Ask about their biggest compliance-related concerns, the “gray areas” their teams face, and what resources they turn to when they have an ethical question. It is also vital to interview your own team members, the compliance professionals who have been managing the program. Understand their frustrations, their perceived limitations, and their own wish lists for improvement. These internal experts often hold the keys to understanding historical context and identifying low-hanging fruit for quick wins. This qualitative data from stakeholders provides the texture and context that quantitative data alone can never capture, revealing the cultural nuances of the organization.

Deciphering the Documentation: A Paper Trail Audit

While stakeholders provide the “why,” the organization’s documentation provides the “what.” The next crucial step is a thorough review of all existing materials related to the compliance and EHS programs. This process is often a forensic exercise, piecing together the formal program from its written components. Begin with the highest-level documents: the Code of Conduct, the employee handbook, and any board-level compliance committee charters. These establish the organization’s stated values and governance structure. Then, move to the specific policies and procedures. Are they easily accessible to all employees? When were they last updated? Do they clearly state expectations, or are they written in dense, impenetrable “legalese”? Look for version control to understand how frequently these documents are reviewed and revised. An outdated policy is a significant red flag, indicating that the training based on it is also likely outdated.

This document review must also include the training materials themselves. Collect and review everything: eLearning modules, slide decks from instructor-led sessions, quizzes, takeaway guides, and video scripts. Evaluate them for more than just accuracy. Are they engaging? Do they reflect the company’s current branding and technology? Are they relevant to the modern workplace, or do they use dated scenarios? Pay close attention to the translation and localization process, if one exists. A program that simply translates English content without regard for cultural or local legal nuances is fundamentally flawed. This deep dive into the written record provides a baseline understanding of what the program intends to achieve, which you can then compare against the reality you hear from stakeholders and see in the data.

Reviewing the Record: Incident Reports and HR Data

An organization’s past failures are often its most valuable teachers. A critical part of your initial audit is to review the data related to compliance breaches, safety incidents, and employee feedback. Request access to any systems that track EHS incidents, data breaches, hotline reports, and internal investigations. Analyze this data for trends. Are certain types of incidents recurring? Are they concentrated in specific departments, job roles, or geographic locations? This analysis directly points to the “weak spots” in the current program. If, for example, the factory floor has a high rate of minor safety incidents despite a 100% completion rate for safety training, you have identified a clear disconnect. The training is “checking the box” but failing to change behavior or address the root cause of the risk.

Simultaneously, you must connect with Human Resources to review aggregated data from employee surveys, exit interviews, and formal complaints. Exit interviews, in particular, can be a source of candid, unfiltered feedback about the company’s culture and the perceived effectiveness of its programs. Are departing employees citing a lack of resources, a confusing policy, or a fear of retaliation as reasons for leaving? Do employee engagement surveys show a low score on questions related to ethics and integrity or a lack of confidence in management? This data provides a crucial reality check. A compliance program may look perfect on paper, with beautifully designed courses and high completion rates, but if the incident data and employee feedback paint a picture of a disengaged or fearful workforce, the program is failing in its primary mission.

The Initial Gap Analysis: Identifying the Obvious Deficiencies

After several weeks of listening, reading, and analyzing, you will begin to see clear gaps between the program’s intended state and its actual state. The final step of your first 30 days is to synthesize this information into a preliminary gap analysis. This is not the final, comprehensive strategy, but rather a high-level assessment of the most significant risks and opportunities. This analysis helps you identify and categorize the problems that need solving. The gaps will likely fall into a few key categories. The first is regulatory gaps, where the training program is simply not addressing a current legal or regulatory requirement. This could be a new data privacy law, an updated EHS standard, or a new anti-bribery provision that has not yet been incorporated into the materials. These are often the highest-priority items to fix.

Another category is relevancy gaps. This is where the training technically exists but is so outdated, generic, or poorly delivered that it has no impact on employees. This includes the “one-size-fits-all” training that forces a sales executive in a remote office to sit through detailed factory safety procedures. You might also identify knowledge gaps, which are exposed by your stakeholder interviews and data analysis. These are areas where employees are genuinely confused about a policy or procedure, and the current training is failing to provide clarity. Finally, look for communication and accessibility gaps. Are policies stored on an intranet site that no one knows how to find? Is the hotline number buried in a 100-page handbook? Simply organizing and centralizing this information can be a powerful, immediate improvement. This initial gap analysis becomes the foundational document from which you will build your 60- and 90-day action plans, allowing you to prioritize your efforts on the issues that matter most.

Why One-Size-Fits-All Training Fails

The temptation for any organization, especially one looking to manage costs, is to deploy a generic, “off-the-shelf” compliance training program. The logic seems sound: the law is the law, and a pre-packaged course on a topic like anti-harassment or data privacy should suffice. However, this approach is fundamentally flawed and represents a significant missed opportunity. Compliance training is not merely about information dissemination; it is about behavioral change. For information to stick and for behavior to change, the content must be perceived as relevant, credible, and directly applicable to the employee’s daily experience. When an employee encounters a generic training module filled with abstract legal concepts or scenarios that bear no resemblance to their actual job, their brain files it under “irrelevant.” They may complete the course to “check the box,” but the knowledge is not retained, and no meaningful learning occurs.

This generic approach also fails to address the unique risk profile of the organization. A software company’s data privacy risks are vastly different from a healthcare provider’s. A global construction firm faces anti-bribery risks that a small domestic retailer does not. A “one-size-fits-all” program cannot possibly address these specific nuances, leaving the organization exposed in its highest-risk areas. Furthermore, generic content does nothing to reinforce the company’s specific culture, values, or internal procedures. It fails to communicate “how we do things here.” Employees are left knowing what the law says in a general sense, but not how to apply it using the company’s specific reporting tools, where to find the company’s specific policy, or who to contact internally with a question. This is how gaps in understanding are created, and it is in these gaps that compliance failures occur.

The Customization Spectrum: From Light Tailoring to Fully Bespoke

When new compliance leaders hear the word “customization,” they often envision a costly, time-consuming, and resource-intensive project to build every single course from scratch. While this fully bespoke approach has its place for high-risk, highly specific topics, it is not the only option. It is more productive to think of customization on a spectrum. At one end, you have the purely generic, off-the-shelf content. At the other, you have the fully custom-built, internally-produced training. The vast majority of effective training programs live somewhere in the middle, leveraging a strategy of “tailoring” or “branding” that offers the best balance of cost, speed, and relevance. This approach is often the most practical and impactful area to focus on in your first 90 days.

Light tailoring can be surprisingly effective. This can involve working with a content vendor to insert your company’s logo, branding, and a message from your CEO into a pre-built course. It might mean adding a single slide that links directly to your internal policy on the intranet or provides the specific contact information for your compliance hotline. This simple act connects the generic lesson to the company’s specific resources. A more advanced level of customization might involve swapping out generic scenarios for vignettes that reflect common dilemmas your employees actually face. For example, a generic anti-bribery course might discuss briefcases of cash, while a tailored version for your sales team would discuss overly expensive client dinners, lavish gifts, or requests for “consulting fees.” Determining which courses need which level of customization is the key strategic decision.

Analyzing Roles and Risks to Prioritize Customization

You cannot customize everything, nor should you. The key is to apply your limited resources to the areas of highest impact. This requires a risk-based analysis of your workforce. Start by mapping your employees into different risk categories based on their role, geography, and level of access. A senior executive in a high-risk country, a salesperson with contract-signing authority, and a factory manager handling hazardous materials are all in high-risk categories, though their risks differ. These groups require the most intensive and highly customized training. Their training should be scenario-based, rigorous, and directly tied to the specific legal and ethical challenges they will encounter. They are the priority group for any bespoke or heavily tailored content development.

In contrast, a part-time administrative employee in a low-risk domestic office has a different risk profile. Their training on topics like data privacy or code of conduct can be more standardized, as their exposure is lower. This is not to say their training is unimportant, but rather that a well-selected, lightly tailored vendor course may be perfectly sufficient and a more efficient use of resources. The goal is to “right-size” the training to the risk. Your data analysis from the first 30 days is critical here. If your incident data shows a high volume of minor safety infractions on a specific production line, that is a clear signal that the generic safety video is not working. This specific group needs targeted, customized training, perhaps delivered in person by their direct supervisor, that addresses the exact hazards they are encountering. This role-based risk analysis allows you to move beyond a “one-size-fits-all” assignment and create a truly intelligent, risk-based training plan.

Leveraging Vendor Content as a Strategic Tool

Many organizations view their relationship with third-party content providers as purely transactional. They buy a library of courses to fill gaps they cannot build internally, assign them, and consider the job done. This misses the strategic value a good vendor partner can provide. In your first 90 days, you should review your existing content library and your vendor relationships. Are these courses truly “critical tools,” or are they just shelf-ware? An ideal vendor library should provide the foundational, universal lessons that do not require deep customization. Courses on general topics like soft skills, functional skills like using common software, or basic concepts of workplace professionalism are perfect examples. Using vendor courses for these topics frees up your internal resources to focus on building the high-value, bespoke content for your high-risk areas.

When evaluating vendors, look beyond the size of their library. Ask critical questions about their customization capabilities. Can you easily brand their courses? Can you insert your own policies, links, or introduction videos? Can you edit or replace their scenarios with your own? The best vendors operate as partners, providing a platform and a set of tools that allow you to blend their generic content with your specific needs. They should provide courses that are modern, engaging, and built on sound instructional design principles. Your job as the compliance leader is to be a curator. You must select the best courses from the vendor library for your low-to-medium-risk needs, and then supplement them with your own custom-built content for your high-risk, company-specific needs, creating a blended curriculum that is both comprehensive and efficient.

Integrating Culture and Values into Every Module

Perhaps the most powerful form of customization has less to do with legal specifics and more to do with your organization’s culture. Effective compliance training should feel like it comes from your company. It should use your company’s language, reflect its stated values, and align with its mission. If your company’s public-facing brand is all about innovation, speed, and agility, but your compliance training is a slow, tedious, and legalistic lecture, it creates a cognitive dissonance. Employees will immediately sense that compliance is “separate” from the “real” business, an obstacle to be endured rather than a partner in success. Your 90-day plan should include an initiative to review and align the tone and feel of the training with the company’s cultural identity.

This can be achieved in several ways. Use internal case studies and “hero” stories of employees who made the right ethical choice in a tough situation. Feature messages from senior leaders, not just the General Counsel, but from business-line leaders who can speak authentically about why integrity matters to their specific division’s success. Frame compliance not as a list of “don’t”s, but as a guide for “how” to achieve the company’s goals the right way. When you customize training to reflect your company’s unique values and voice, you transform it. It stops being a generic legal requirement and becomes a powerful tool for reinforcing the culture you want to build. This alignment is what moves a program from “checking the box” to genuinely influencing employee behavior and decision-making.

Moving Beyond Completion Rates: A Flawed Metric

For decades, the primary metric for a compliance training program’s success has been the completion rate. Leadership receives a report showing that 98% of employees completed their annual Code of Conduct training, and the compliance officer gets a pat on the back. The box is checked. However, this metric is fundamentally flawed and dangerously misleading. A completion rate tells you only one thing: that an employee clicked “next” enough times to reach the final slide and perhaps passed a simple quiz. It tells you nothing about whether they were paying attention, whether they understood the material, whether they retained the information, or, most critically, whether the training had any impact on their actual behavior. Relying on completion rates as your key performance indicator (KPI) is like measuring a restaurant’s success by the number of empty plates, not by whether the customers enjoyed the food or will ever return.

In your first 90 days, one of the most significant shifts you can champion is to move the organization’s focus beyond completion rates. This does not mean you stop tracking them; they are a necessary data point for auditing and legal defense, proving that the training was delivered. But they must be recognized as the absolute bare minimum, the starting line, not the finish line. Your task is to start asking more sophisticated questions. What other data can you look at to measure the effectiveness of the program, not just its deployment? This shift in thinking is essential. You must re-educate stakeholders that the goal is not 100% completion, but 0% misconduct. This requires a new way of looking at data, piecing together disparate sources to create a mosaic that reveals the true state of your compliance culture.

Identifying Your Data Sources: The Compliance Data Ecosystem

The good news is that your organization is likely already sitting on a goldmine of data. The bad news is that it is probably scattered across multiple systems, owned by different departments, and not currently being looked at through a compliance lens. A key project for your first 90 days is to identify and map this data ecosystem. Your Learning Management System (LMS) is the most obvious source. Beyond completion rates, what else can it tell you? Look at how long employees are spending on a course. If a 30-minute module is being completed by everyone in 5 minutes, you know they are just clicking through. Look at quiz scores. Are there specific questions that a large percentage of employees are getting wrong? This is a flashing red light indicating that a specific concept is not being taught effectively.

But the LMS is just the beginning. As explored in Part 1, you need to forge strong partnerships with HR, IT, and Operations to gain access to their data. HR Information Systems (HRIS) can provide the demographic and role-based data needed to segment your training assignments. Exit interview and employee survey data from HR provide invaluable qualitative feedback. Incident management systems, whether for EHS, data privacy, or ethics, are your most critical source for “lagging” indicators—they tell you where your controls have already failed. Hotline and case management systems show you what employees are worried about and whether they trust the system enough to report. Even data from IT, such as audits of access logs or failed phishing tests, can serve as powerful, real-time metrics for the effectiveness of your security training. Your job is to become a data detective, finding these sources and connecting them.

Analyzing Data to Identify Risks and Gaps

Once you have identified your data sources, the real work begins: analysis. You are looking for patterns, correlations, and anomalies that tell a story. Start by overlaying your data. For example, take the department with the lowest employee engagement scores on “ethics and integrity.” Do you also see a higher-active rate in that department? Is it also a department with high employee turnover? Now, look at their training data. You might find that their managers have overdue training on leadership and anti-retaliation. This convergence of data points tells a powerful story: low engagement and a lack of trust in management are likely leading to unreported misconduct, and the training gap for managers is a probable root cause. You have now identified a high-priority, surgical training intervention.

This analysis is also the best way to identify gaps in your current program. If you are launching a new product in a high-risk country, but your LMS data shows that none of the sales team members assigned to that launch have completed the advanced anti-bribery training, you have identified a critical risk before it becomes an incident. You can now intervene with targeted, mandatory training for that specific group. Look at the questions your employees and managers are searching for on the intranet. If there is a high search volume for “gift policy” or “FMLA,” but you have no microlearning or job aid on that topic, you have found an appetite to learn that you are failing to meet. This data-driven approach allows you to move from a reactive, “one-size-fits-all” annual training schedule to a proactive, predictive, and targeted compliance education strategy.

The Correlation Challenge: Training vs. Business Outcomes

The holy grail of compliance data analysis is to draw a direct correlation between your training program and a decrease in negative outcomes (or an increase in positive ones). This is also the most difficult challenge. It is notoriously hard to prove a negative; you cannot easily measure the number of bad things that didn’t happen because an employee remembered their training. However, you can look for strong correlations. For instance, after rolling out a new, highly customized, scenario-based safety training program for a specific factory line, did you observe a measurable decrease in injury rates on that line over the next six months? Compare this to a control group—a similar factory line that did not receive the new training. This is a powerful way to demonstrate the tangible return on investment (ROI) of your program.

This same logic can be applied to other areas. After implementing a new data privacy microlearning campaign, did your IT department’s phishing test failure rate go down? After targeted training for managers on wage and hour laws, did the number of complaints related to overtime pay decrease? Building these correlations requires patience and a long-term view. You will not see results overnight. But in your first 90 days, you can set the stage by establishing these baseline metrics. Identify the key business outcomes you want to influence—be it injury rates, hotline report quality, or data breaches. Start tracking that metric before you implement your new training initiative. This allows you to build a powerful case to leadership that compliance training is not just a “cost center” or a legal defense, but a strategic driver of business value that measurably reduces risk and improves operational performance.

Building a Data-Informed Program

The ultimate goal is to create a virtuous cycle where data informs every aspect of your compliance training program. This is a significant shift from the traditional “set it and forget it” model. This data-informed program uses data to determine who needs training, what they need to be trained on, and when they need to be trained. Instead of a single, massive “annual training” event, you move to a continuous learning model. For example, data from your case management system might trigger a “just-in-time” microlearning module. An employee who submits an expense report with a red flag (like expenses for a spouse) could automatically receive a 2-minute video refresher on the Travel and Entertainment policy. This is relevant, timely, and non-confrontational.

In this model, your analysis of quiz data and employee surveys feeds directly back to your content development team (or vendor) to continuously improve the courses. If 30% of employees fail a specific knowledge check on conflicts of interest, that section of the course is immediately flagged for review and clarification. Your 90-day plan should include the creation of a “compliance dashboard” that brings these disparate data points into one place. This dashboard, which you can share with leadership, would show not just completion rates, but also hotline reporting trends, incident rates by location, engagement survey data on ethics, and phishing test results. This transforms your role from a training administrator to a strategic advisor who can provide leadership with a real-time, data-driven view of the organization’s ethical health.

The Fallacy of the Static Program

For many years, compliance programs were built like monuments. They were designed to be comprehensive, unchanging, and permanent. A company would spend a year rolling out a new Code of Conduct, and then expect it to remain the unquestioned standard for the next decade. This mindset is no longer just outdated; it is dangerous. The modern risk landscape is not static; it is a dynamic, constantly shifting environment. New technologies like artificial intelligence create ethical “gray areas” that did not exist last year. Regulatory bodies are more active than ever, issuing new guidance and launching enforcement actions at a rapid pace. Geopolitical shifts can change your bribery or sanctions risks overnight. And as the COVID-19 pandemic demonstrated, a global crisis can instantly upend every aspect of how we work, moving entire workforces from physical classrooms to remote online environments.

A compliance program that is not built for agility is a program that is destined to fail. In your first 90 days, you must assess the current program’s ability to “pivot.” How quickly can the organization update a policy, create a new training module, and deploy it to a targeted group of employees? If the answer is “six to nine months,” you have identified a critical vulnerability. One of your core priorities must be to build agility into the DNA of the compliance function. This means shifting the mindset from “annual training” to “continuous education.” It means developing processes and adopting technologies that allow for rapid content creation and deployment. A successful compliance program is not a stone monument; it is a living, breathing organism that adapts to its environment.

Building Effective, Multi-Channel Lines of Communication

A willingness to pivot is useless if you do not have the channels to communicate that pivot effectively. An agile compliance program relies on a robust, multi-channel communication strategy. Too many programs rely on a single channel: the annual training module pushed out via the LMS. This is not communication; it is a broadcast. Effective communication is a two-way street. Your 90-day plan must include an audit of all the ways employees can both receive compliance information and, just as importantly, provide it. This means looking at the designated compliance officer or team. Are they visible and approachable? Do employees know who they are and how to contact them? Or are they seen as an internal police force, only to be contacted as a last resort?

Beyond the designated officers, you must evaluate the formal reporting mechanisms. Is the hotline well-publicized? Is it available in all the languages your employees speak? Does it allow for anonymous reporting? But do not stop there. What about informal lines of communication? Do managers feel equipped to answer compliance questions from their teams? Do they know how to escalate an issue? Your analysis should also cover “push” communications. Do you have a compliance intranet page? Is it updated and easy to navigate? Can you use internal newsletters, digital signage, or team meetings to deliver timely updates and reminders? A truly effective program meets employees where they are, providing multiple, easily accessible avenues for them to ask questions and raise concerns before they become major incidents.

The Power of Internal Monitoring and Audits

You cannot pivot effectively if you do not know when to pivot. Agility requires awareness, and awareness is built through continuous internal monitoring. While your data analysis from Part 3 provides a high-level, system-wide view, you also need “on-the-ground” intelligence. This is where internal monitoring and auditing become indispensable. These are not the same as the large-scale, formal investigations that occur after a major failure. Rather, these are smaller, more frequent checks to see if the compliance program is working as intended in practice. This can be as simple as “compliance surveillances” or spot checks. A compliance team member might visit a factory floor to observe if EHS procedures (like wearing personal protective equipment) are being followed correctly, just as the training dictated.

This monitoring can also take the form of knowledge checks and pulse surveys. Instead of waiting for the annual survey, send out a two-question “pulse” survey after a new training rollout to gauge immediate comprehension and relevance. Conduct “desk audits” with managers to review their team’s training records and ask how they are reinforcing the concepts in their one-on-ones. These monitoring activities are not about “catching” people doing something wrong. They are about identifying gaps in understanding or process failures in a low-stakes environment. They are data collection in its purest form. When you discover that a team is not following a procedure, the first question should not be “Who do we punish?” but “Why is the program failing this team? Is the training unclear? Is the policy impractical? Do they lack the right tools?” This feedback is the trigger that tells you when and how to pivot.

Enforcing Standards and Responding to Problems

Agility is not just about proactive changes in training; it is also about a swift, consistent, and fair response when problems arise. A compliance program, no matter how good, will not prevent 100% of issues. An organization’s response to an issue, however, speaks volumes about its true commitment to ethics and integrity. Your 90-day assessment must include a thorough review of the company’s investigative and disciplinary processes. When a report comes in through the hotline, what happens next? Is there a clear, documented process for triage and investigation? Are investigations conducted by trained, impartial professionals? Is the process timely, or do reports languish for months?

The other side of the coin is enforcement. You must investigate whether the standards you have set are actually being enforced, and whether that enforcement is applied consistently at all levels of the organization. If a frontline employee is fired for a minor infraction while a high-performing executive is excused for a major one, your entire compliance program is rendered meaningless. This “hypocrisy gap” is the fastest way to destroy trust and create a culture of cynicism. Your review should look at anonymized data from past disciplinary actions. Is there consistency? Is the response proportional to the offense? A willingness to pivot also means a willingness to enforce the rules you have set, demonstrating to the entire organization that the policies are not just words on paper, but are the real, enforceable standards of conduct.

Case Study: The Post-Pandemic Pivot

The most universally understood example of a necessary pivot was the COVID-19 pandemic. Organizations that had relied entirely on in-person, instructor-led training for decades were suddenly faced with a 100% remote workforce. Their compliance training plans for the year were instantly obsolete. The agile organizations thrived. They did not simply cancel training; they adapted. They quickly found platforms to move their instructor-led sessions to a virtual, webinar-style format. They accelerated the adoption of eLearning modules. They recognized the new risks of a remote workforce—like data security vulnerabilities from home networks, increased phishing attacks, and manager-employee disconnects—and rapidly deployed new, targeted microlearnings to address them.

The less agile organizations faltered. They either “paused” all compliance training, creating a massive gap in their legal and ethical defenses, or they simply uploaded their 8-hour PowerPoint decks to the intranet and told employees to “read it,” resulting in zero engagement or learning. The key takeaway is that the effective pivot was not just about technology (moving from classroom to online). It was about a mindset of responsiveness. The successful programs boiled down to the same main ideas: they identified the new risks, they developed clear policies and procedures for the new “normal,” they communicated those standards effectively, and they monitored for new problems. This event was a stress test for compliance program agility, and the lessons learned should be embedded into the permanent design of your program.

The Problem with Vague Intentions

A new compliance leader, fresh from their 90-day assessment, is often brimming with ideas for improvement. They might present a plan to leadership that includes ambitious goals like “improve the compliance culture,” “increase employee engagement,” or “modernize the training program.” While these are admirable intentions, they are fundamentally useless as managerial objectives. Why? Because they are vague, unmeasurable, and lack a clear timeline. How do you know when you have “improved the culture”? What specific, tangible outcome signals that the training is “modernized”? Without clear definitions, you cannot measure progress, you cannot secure resources, and you cannot hold yourself or your team accountable for results. This is where many well-intentioned compliance overhauls fail. They collapse under the weight of their own ambiguity.

The most critical and most practical step you can take to make an impact is to translate these broad ambitions into a set of achievable, structured goals. This is not just bureaucratic “make-work”; it is the essential act of turning a high-level strategy into an executable plan. This plan becomes your roadmap for the next year and your “contract” with leadership. It allows you to demonstrate forward momentum with concrete evidence, building your credibility and securing the buy-in needed for larger, more complex initiatives down the road. The most effective framework for this process is the one that has stood the test of time: setting SMART goals. This framework forces you to bring clarity, focus, and rigor to your planning, ensuring that every action you take is purposeful and directed toward a defined outcome.

Deconstructing SMART Goals for Compliance: Specific

The ‘S’ in SMART stands for Specific. This is the “who, what, and where” of your goal. A specific goal leaves no room for interpretation. For example, the vague goal “improve harassment training” becomes a specific goal: “Update the company’s anti-harassment training module for all 500 US-based managers.” This goal immediately defines the who (500 US-based managers) and the what (the anti-harassment training module). It is clear and concise. Another vague goal, “make policies more accessible,” becomes “Migrate the 10 most-referenced compliance policies from the old intranet share drive to the new, searchable, mobile-friendly policy portal.”

When setting your ‘Specific’ goal, you must answer the key questions. Who needs to be involved in this? What exactly are we trying to accomplish? Where will this work be focused? Are there any specific constraints or requirements? For compliance professionals, this step is often about moving from a general risk (e.g., “data privacy”) to a specific action (e.g., “Roll out a 5-minute microlearning on the company’s new WFH data security policy to the 250 employees in the IT department”). The more specific you can be at this stage, the easier it will be to define the other elements of your goal.

Deconstructing SMART Goals for Compliance: Measurable

The ‘M’ in SMART stands for Measurable. This is the “how” of your goal. How will you track progress and how will you know when you have succeeded? This is where you define your key performance indicators (KPIs). For the goal “Update the company’s anti-harassment training module for all 500 US-based managers,” the measurement is straightforward: “Achieve a 100% completion rate by the end of the second quarter.” But you can and should go deeper. You might add a second metric: “Achieve an average score of 90% or higher on the post-training knowledge assessment.” This measures not just completion but comprehension.

For the goal of migrating policies, the measure is “10 policies are successfully migrated, and old links are redirected by January 30th.” A more advanced metric could be: “Reduce the number of employee searches for the old policies to zero within 30 days of migration.” This “measurable” component is what separates a wish from a goal. It forces you to define your data sources upfront. If you cannot measure it, you cannot manage it, and you certainly cannot prove its value to the organization.becomes your toolbox for setting meaningful, measurable targets.

Deconstructing SMART Goals for Compliance: Attainable and Realistic

The ‘A’ and ‘R’ in SMART stand for Attainable and Realistic. These two concepts are closely related and serve as a critical reality check. A goal is attainable if you have the necessary resources (time, money, people) to achieve it. A goal is realistic if it is relevant to the organization’s broader objectives and can be achieved within the current environment. For example, is setting a goal to “Eliminate 100% of safety incidents” attainable? No, in a large industrial setting, that is an aspiration, not a goal. A more attainable goal would be “Reduce the incident rate on Line 3 by 15%.” Is your goal to “Roll out a new, custom-built global LMS in 90 days” attainable? Probably not, given the time required for vendor selection, implementation, and content migration. A more realistic goal would be “Complete the vendor selection and needs analysis for a new LMS within the first 90 days.”

This is where your 30-day assessment is so crucial. You must have a firm grasp of your team’s bandwidth, your available budget, and the organization’s tolerance for change. Is the time and effort required of employees to complete your proposed training reasonable, or will it be met with massive resistance from business leaders? Is the training relevant to their jobs and delivered in a way that is easy to comprehend? Setting goals that are wildly optimistic is a recipe for failure and a fast way to lose credibility. Your first set of goals in a new role should be challenging but achievable “wins” that build momentum.

Deconstructing SMART Goals for Compliance: Timely

The ‘T’ in SMART stands for Timely (or Time-bound). Every goal needs a deadline. Without a target date, there is no urgency, and the task will invariably fall victim to the “tyranny of the urgent”—the daily fires that consume all your time. Adding a deadline creates a sense of accountability and provides a clear framework for planning. The goal “Update the anti-harassment training” is incomplete. The goal “Update the anti-harassment training by the end of Q2” is a real objective that you can build a project plan around. It answers the critical question: “When do employees need to know this information?”

In your first 90 days, you can use this “Timely” component to structure your entire plan. You can set 30-day goals (e.g., “Complete stakeholder interviews and initial gap analysis”), 60-day goals (e.g., “Finalize customization of the 3 highest-risk training modules”), and 90-day goals (e.g., “Present the finalized 12-month compliance training roadmap and budget to the leadership team”). This time-bound approach demonstrates to your new colleagues that you are organized, methodical, and focused on execution. It transforms you from someone who is just “observing” to someone who is “achieving.” By setting and, more importantly, hitting these early, achievable SMART goals, you establish a track record of success that will be invaluable as you tackle the larger, more complex challenges of building a world-class compliance program.

Beyond the Checkbox: The True Goal

Your first 90 days are a sprint. It is a critical period of diagnosis, planning, and executing “quick wins” to establish your credibility and address immediate risks. You have audited the existing program, identified customization priorities, harnessed the power of data, built a framework for agility, and set clear, SMART goals. You have successfully laid the foundation. But this is not the end; it is the end of the beginning. The true, long-term goal of your role is not to simply manage a training program. It is to do something far more complex and far more valuable: to build and sustain a genuine culture of compliance. A culture of compliance is what happens when employees continue to “do the right thing” even when they believe no one is watching.

This culture is the organization’s ultimate defense. A strong culture can self-correct; it is where employees feel psychologically safe to ask questions, to challenge questionable directives, and to raise concerns without fear of retaliation. In this environment, colleagues hold each other accountable, and leaders are measured by their integrity as much as their profit-and-loss statements. This is a profound shift. It moves compliance from a “police” function to a shared “ownership” function. This long-term, cultural work is your true mandate. The training program you have been hired to manage is not the goal itself; it is merely one of the most powerful tools you have to achieve it. Your focus must now shift from the 90-day plan to the 3-year vision.

Leadership Buy-In and Modeling Behavior

A compliance culture is not built from the bottom up. It is, and always will be, a top-down endeavor. You can have the world’s most engaging training and the most accessible policies, but if employees see a “say-do” gap—where leaders say one thing about integrity but do another—your entire program is nullified. The “tone at the top” is the single most important factor in a compliance program’s success. Therefore, your first priority beyond the 90-day mark is to secure and maintain active, visible leadership buy-in. This is more than just having the CEO sign off on your budget or record a 30-second introduction to the annual training video. It is about integrating compliance and ethics into the regular cadence of leadership.

This means encouraging leaders to talk about ethics in their all-hands meetings and team huddles. It means providing them with talking points and scenarios to discuss. It means ensuring that compliance and integrity are a formal part of the performance review and promotion process. Are you promoting managers who hit their targets but leave a trail of HR complaints in their wake? Or are you promoting leaders who demonstrate integrity, foster psychological safety, and build ethical teams? You must become a trusted advisor to the executive team, helping them understand that their every action is being scrutinized by the workforce. When a leader openly praises an employee for stopping a project to resolve a compliance concern, it sends a more powerful message than a thousand eLearning modules ever could.

Integrating Compliance into the Employee Lifecycle

To build a sustainable culture, compliance cannot be a “once a year” event. It must be woven into the fabric of the employee’s entire journey with the company. This means moving beyond a “one-and-done” onboarding module and integrating compliance touchpoints into every phase of the employee lifecycle. It starts before they are even hired. Does your recruitment and interview process screen for integrity? Do your job descriptions explicitly mention the company’s commitment to its values? Once hired, the onboarding process is your first and best chance to set expectations. This should be more than a “click-through” of the Code of Conduct; it should be an engaging discussion about the company’s values and how to navigate ethical gray areas.

But it cannot stop there. You must partner with HR and functional leaders to integrate compliance into ongoing career development. When an employee is promoted to their first managerial role, they should automatically receive targeted training on their new responsibilities: how to handle employee concerns, how to avoid retaliation, and how to create an open and ethical team environment. When a salesperson is assigned to a new, high-risk international territory, they should receive a “just-in-time” briefing on the specific anti-bribery and sanctions risks they will face. By integrating compliance into these key career milestones, you reinforce the message that as an employee’s responsibility grows, so does their personal obligation to uphold the company’s standards.

The Continuous Improvement Cycle: PDCA

A static compliance program is a dying one. The risk landscape, as discussed in Part 4, is always changing. Your program must evolve with it. The most effective way to manage this long-term evolution is to adopt a continuous improvement mindset, often modeled on the Plan-Do-Check-Act (PDCA) cycle. This framework formalizes the agile processes you began to build in your first 90 days. First, you Plan: you use your data analysis and risk assessments to identify a new risk or a gap in your program. You then develop a SMART goal and a plan to address it, such as creating a new microlearning module. Next, you Do: you execute the plan, developing and deploying the training to the target audience.

The next two steps are the most critical. You Check: this is where you go back to your data. Did you hit your completion rate goals? More importantly, did you see a change in the related metrics you were tracking? Did quiz scores improve? Did hotline reports on that topic become clearer? Did the related incident rate decline? This “check” phase is where you measure the effectiveness of your intervention. Finally, you Act: based on your data, you act. If the training was a success, you standardize it and add it to your permanent curriculum. If it was a failure—if no one understood it or the metrics did not move—you analyze why. Was the content confusing? Was the deployment flawed? You then take this new knowledge and go right back to the “Plan” phase to create a better intervention. This cyclical process ensures your program never grows stale and is always adapting to be more effective.

The Future of Compliance Training

As you look beyond your initial triage, you must also keep an eye on the horizon. The field of compliance and learning is evolving rapidly, and the tools available to you are becoming more powerful. The future of compliance training is not 8-hour marathon sessions; it is targeted, personalized, and data-driven. You should be exploring innovations like microlearning: delivering training in 2-to-5-minute, highly focused bursts that can be accessed on a mobile device right when an employee needs it. This is perfect for “just-in-time” performance support, like a 2-minute video on “How to approve a gift request” that pops up when a manager opens the approval system. You should also explore gamification, which uses game mechanics like points, badges, and leaderboards to make learning more engaging and to encourage friendly competition around positive behaviors, such as reporting “good catches” in a safety environment.

In the near future, technologies like AI and adaptive learning will allow for true personalization. An adaptive learning system could assess an employee’s baseline knowledge and “test them out” of content they already know, while providing remedial exercises for concepts they struggle with. This respects the employee’s time and treats them as an individual, not a data point. As the new compliance leader, your long-term role is to be not just a guardian of the rules, but a strategic innovator, constantly scanning the horizon for better tools, better techniques, and better ways to build a company that is not just compliant, but demonstrably ethical from its core. This is the ultimate goal, and the work you did in your first 90 days was the first, essential step on that journey.