The Hidden Problem in Corporate Compliance
The gap between training and real compliance
Many organisations assume that if training exists, compliance risk is under control. A Swiss insurance company recently learned the opposite when it received its second warning from state regulators. The issue wasn't that the company lacked compliance training (it had been in place for some time), but that it couldn't prove its staff had actually learned anything.
2,600 employees had been "trained" on anti-money laundering regulations. On paper, everything looked fine. But the reality was that the training was so generic and poorly tracked that when regulators came knocking, the company couldn't demonstrate that the right people had completed the right courses at the right time. The resulting reputational damage, regulatory scrutiny, and scramble to fix it cost far more than putting in place proper compliance training would have.
This isn't an isolated incident, but increasingly a symptom of how most organisations approach compliance training: as a box-ticking exercise rather than a chance to change behaviour.
The box-ticking illusion
Here's what typically happens: Legal or HR identifies a compliance requirement and someone creates or buys generic training content to meet it. Everyone gets the same course, regardless of their role, and employees click through as fast as possible to get back to "real work." The completion report goes into a folder somewhere. Box ticked.
The problem is bigger than just a lack of employee engagement. When training feels irrelevant, employees mentally check out – and when they mentally check out, they don't retain information. Information that isn't retained can't be put into practice. When teams can't apply this crucial information, your compliance programme becomes what it was designed to prevent: a risk.
There's also a secondary effect that rarely gets discussed. Boring, mandatory compliance training sets the tone for all future learning in your organisation. If the first impression employees get is that "training" means clicking through tedious slides, they'll approach every other development opportunity with the same enthusiasm, hampering genuine skill development.
According to McKinsey's 2025 Global GRC Benchmarking Survey, companies see room for improvement across governance, risk, and compliance, with an average maturity score of just 2.6 out of 4.0 for risk management and 2.9 for compliance management. Translation: Most organisations know their compliance approach isn't working; they're just not sure what to do about it.
Three mistakes keeping compliance training ineffective
Most compliance failures can be traced back to predictable mistakes in how training is designed and delivered.
Mistake one: Treating all employees the same.
A finance manager handling vendor payments faces completely different money laundering risks than a marketing coordinator approving social media posts. Yet companies routinely put both through identical training. The result? The finance manager gets too little detail on the scenarios they'll actually encounter, while the marketing coordinator wastes time on situations they'll never face. Neither can apply what they've learned because the training wasn't designed for their day-to-day reality.
Mistake two: Prioritising rules over behaviour.
Asking people to memorise compliance regulations is like asking them to memorise the tax code. Even if they could do it (and they likely can't), it wouldn't help them make better decisions in the moment. What actually works is helping people recognise risk scenarios and understand what to do when they encounter them. The goal isn't to create compliance experts. It's to create employees who know when to pause and seek guidance.
Mistake three: Ignoring the "mandatory" problem.
It's hardwired into human nature that when something is compulsory, motivation surrounding it drops. But rather than acknowledging this and designing around it, most organisations just make the training mandatory and hope for the best. The solution isn't to make training optional. It's to make mandatory training relevant and well-designed so that people see genuine value in completing it.

What actually changes behaviour
McKinsey's research found that companies are most confident in areas like having comprehensive compliance policies, regular targeted training, and a culture of compliance communicated by senior leadership. But confidence in these areas doesn't equal effectiveness. The real question is: What makes training stick?
The answer comes down to relevance and application. People learn when they can immediately connect new information to their daily work. That means training needs to be scenario-based, role-specific, and directly applicable to decisions employees actually make.
For the Swiss insurance company, fixing this meant scrapping their one-size-fits-all approach. They created 24 different versions of anti-money laundering training tailored to different roles, departments, languages, and levels of prior knowledge. Front-line staff who opened new accounts got detailed scenarios about customer due diligence, back-office processors got different scenarios on transaction monitoring, and managers got yet another version focused on their oversight responsibilities.
This went beyond good pedagogy – it was good risk management. When training is relevant, people pay more attention to it, are better able to recall information, and can then act accordingly.
But relevance alone isn't enough. You also need to know who's completed what, when they completed it, and whether they actually learned anything. Larger companies generally report more mature risk and compliance management capabilities than smaller ones, chiefly because they've invested in systems that can track and document training at scale. When you're dealing with thousands of employees across multiple jurisdictions, manual tracking stops working pretty quickly.
The documentation problem nobody talks about
Regulators don't care that training took place. They care that you can prove the right people completed the right training and demonstrated competence in doing so. That requires three things most organisations struggle with:
- Precise targeting of who needs what training
- Continuous tracking of progress and completion
- Audit-ready documentation of everything
The Swiss insurance company learned this the hard way twice. After implementing proper tracking systems, they could finally answer basic questions such as: Who needs money laundering training? Who's completed it? Who's overdue? What did they score on the assessment? When does their certification expire?
More importantly, they could automate reminders and escalations. If someone didn't complete training within 21 days, they got a reminder, and if still not completed seven days later, their supervisor was notified. After 42 days, both the team member and their supervisor received warnings, culminating in an alert for the compliance management team if the training still hadn't been carried out after 56 days. This system created accountability without requiring manual chasing.
This kind of systematic approach not only satisfies regulators, it actually improves compliance outcomes. Behaviour changes when everyone knows they'll be held accountable, and that accountability is consistent rather than random.

Making compliance training worth the time
The good news is that fixing compliance training doesn't require massive budgets or complete overhauls. It requires thinking clearly about what you're trying to achieve (behaviour change, not box-ticking) and designing accordingly.
Start with your target audience.
- Who actually needs this training?
- What scenarios will they encounter?
- What decisions will they need to make?
Build your training from there.
- Use real examples from your organisation or your industry.
- Make it interactive and keep it brief.
- Test understanding, not memory.
McKinsey notes that many companies struggle to complement day-to-day compliance activities with strategic perspective, and that fixing the fundamentals first is essential before pursuing transformative approaches. Translation: Get the basics right before you worry about innovation. Make sure the right people are getting the right training. Make sure you can track who's done it. Make sure you can prove it to regulators.
Then focus on making it better. Can you use scenario-based learning instead of page-turners? Can you incorporate gamification elements? Can you deliver it in smaller chunks over time instead of one massive session? These improvements matter, but only after you've solved the fundamental problems of targeting, tracking, and documentation.
The organisations that treat compliance training as a strategic function rather than an administrative burden get better outcomes across the board. Lower regulatory risk, obviously. But also higher employee engagement, better retention of other training programmes, and a culture where people actually think about risk rather than just checking boxes.
And what of the Swiss insurance company? After implementing role-specific training with proper tracking and escalation, they went from two regulatory warnings to becoming a reference case for compliance management. The training cost more upfront to develop. But the alternative, reactive compliance after a violation, would cost far more...
Your compliance programme is only as good as what people actually do when faced with a decision in their daily work. If you can't prove they learned anything, and they can't apply what they learned, you don't have a true compliance programme, merely an expensive illusion of one.