Every year, organisations around the world spend billions of dollars ensuring that their employees have clicked through modules about data protection, health and safety, anti-bribery, workplace harassment, and dozens of other regulatory requirements. Every year, data breaches continue, accidents happen, bribes are paid, and harassment complaints are filed. The training completion rates remain high. The incidents remain stubbornly persistent. Nobody seems to find this paradox particularly remarkable.
Compliance training is not broken because the people designing it are incompetent. It is broken because the system within which it operates is optimised for the wrong thing. And until that optimisation changes, no amount of improved course design will fix the fundamental problem.
What Compliance Training Is Actually For
Let us be honest about what compliance training is designed to do in most organisations: it is designed to demonstrate due diligence. If something goes wrong — if there is a data breach, a safety incident, a discrimination complaint — the organisation can point to training records that show employees were informed of the relevant policies. The training is, functionally, a liability management tool.
This is not illegitimate. Legal exposure is real. Regulatory requirements are real. The need to document that employees have been made aware of their obligations is real. But designing training primarily around the demonstration of due diligence produces training that demonstrates awareness, not training that produces the behaviour change that would prevent the incident in the first place.
The goal of real compliance is not that everyone has clicked through the annual module. It is that everyone understands the relevant rules deeply enough to apply them correctly in complex, ambiguous, real-world situations. These are different goals. They require different training designs.
The Assessment Problem
Compliance assessments are among the weakest in corporate learning. The typical format — five to ten multiple choice questions with one obviously correct answer for each — tests recognition under optimal conditions immediately after instruction. It does not test application under pressure. It does not test what happens when the correct action is inconvenient, ambiguous, or in conflict with another priority.
Worse, compliance assessments are often designed to be passable rather than diagnostic. Pass rates below 80% generate support tickets and manager escalations. So questions get softened, retry limits get raised, and the assessment becomes a formality rather than a measure. The learner clicks through the questions, selects the sensible answer, reaches the completion screen, and has learned nothing that they would not have known without taking the course.
Compare this to what an effective compliance assessment would look like: a complex scenario in which the correct action is not immediately obvious, requires the learner to apply a principle rather than recall a rule, and has consequences that unfold over multiple decision points. This is harder to design, harder to mark, and harder to report on. It is also dramatically more predictive of actual compliance behaviour in the real world.
The Three Parties Who Keep the System Broken
Legal and compliance teams commission training based on content coverage rather than behaviour change. Their brief is "cover these topics, have people sign off that they've seen them." This is understandable from a liability perspective. It is catastrophic from a learning design perspective. When the brief is coverage, coverage is what you build.
L&D teams accept these briefs without challenging them. The path of least resistance is to take the content list, build a module, deploy it, and report completion. Challenging the brief — asking "what do you actually want people to do differently?" — risks the relationship and delays the timeline. But it is the challenge that would transform the training's impact.
Senior leaders treat compliance training as an HR administration function rather than a genuine risk management intervention. As long as completion rates are high and no one asks difficult questions about whether behaviour has actually changed, the system perpetuates itself. The training gets faster and cheaper every year. The incidents do not.
What Better Compliance Training Looks Like
It is built on scenarios rather than content. Real situations, genuine dilemmas, the kind of ambiguous cases that require judgment rather than recall. A data protection course that presents straightforward rules about what you can and cannot share is of limited value to an employee who is being pressured by a client to share information that sits in a grey area. A course that practises exactly that decision, with consequences that illustrate why the rule exists, is of considerable value.
It is reinforced over time rather than deployed once a year. A single annual module fighting the forgetting curve will always lose. Quarterly refreshers, manager conversations, incident-triggered micro-learning, point-of-need job aids — these are the infrastructure of a compliance culture, not a calendar entry.
It involves managers explicitly. Compliance culture is modelled from the top. If managers signal through their behaviour that the training is a box-ticking exercise — "make sure you complete your data protection training this month" — employees will treat it as one. If managers discuss the scenarios, share their own experience of grey-area situations, and model the behaviour the training is trying to build, the culture changes.