
Training Strategies for Safety and Risk Management

Research Brief Series 4 of 4:

Risk to Intangible Organizational Assets

THIS REPORT IS BROUGHT TO YOU BY


CONTENTS

Introduction: A Typology of Organizational Risk

Exploring the Risk to Intangible Assets

Defining the Risk to Intangible Assets

The Prevalence of Risk to Intangible Assets

The Prevalence of Risk Across Industries

Case Studies in Organizational Risk

Case Study 1: 2013 Target Credit Card Breach

Case Study 2: 2011 Tricare Medical Records Breach

Summary and Recommendations for L&D

Research Participant Demographics

About Training Industry, Inc. Research



INTRODUCTION: A TYPOLOGY OF ORGANIZATIONAL RISK

Nearly all companies contend with a variety of situations involving risk. Sometimes, this risk is hidden from plain view; other times, it is a clear facet of day-to-day business. For any company, compliance with practices that reduce risk is a part of surviving in the marketplace. Typically, we think of “safety-critical” or “high-risk” companies as those seeking to prevent accidents and promote a safety culture. Past researchers have defined these companies as possessing the following characteristics:1

• Significant business concern with the occurrence/prevention of failure events

• Process or technical complexities that resist simplification

• Focus on operational functioning

• Dedication to organizational resilience

• High value placed on industry/domain expertise

However, these characteristics arguably describe all companies.

Generally, companies are always trying to avoid failures, always grappling with the complexity and health of their operations, always trying to remain resilient to outside market forces, and always trying to retain valuable employees. Companies need not resign themselves to being at the mercy of the risks they face; they can usually take steps to significantly reduce or sometimes eliminate the impacts. What is at the core of such strategies? Training. Yes, there are other factors that drive compliance, but failures of processes and faulty responses to adverse events can generally be traced back to unaddressed training needs. In this light, the efforts of learning and development (L&D) functions to reduce these risks hold a key strategic mission in all types of organizations.

Compliance, however, isn’t synonymous with complexity. As it is usually defined, compliance training refers to a training process that focuses on educating employees on laws, regulations and policies that apply to their daily work and moral responsibilities. The objective of compliance training is to protect the organization, its employees and its customers. With those aims in mind, a sound compliance strategy is one that is aware of the spectrum of risks the company faces on a regular (and sometimes irregular) basis.

1 Weick, K.E., Sutcliffe, K.M. (2001). Managing the unexpected: Assuring high performance in an age of complexity. San Francisco: Jossey-Bass.


But what are we educating employees about? What are these risks that prompt the need for compliance training? It should come as no surprise that the nature of risk can take many forms for a company. There are four overarching features that distinguish different types of risk from each other. These include:

• Physical risk: direct risks to people, including employees or customers

• Material risk: risks to things the company owns or controls

• Operational risk: relating to processes internal to the company and/or required for day-to-day functioning

• Product/service risk: relating to both sources and targets of revenue

From the intersection of these features, we can identify categories of risks faced by organizations in today’s markets. The four categories of risk in Training Industry’s typology of high-risk organizations are:

• Risk to clients and customers

• Risk to the employee workforce (i.e., human capital)

• Risk to tangible organizational resources

• Risk to intangible organizational assets

These four types and how they relate to different features of risk are illustrated in Figure 1.

In the course of this research brief, we’ll explore the fourth of the quadrants in this figure, the risk to an organization’s intangible assets, based on data collected from 261 companies across a variety of industries. This category of risk involves the intersection of product/service risk and physical risk. We will describe in detail the ways in which the forms of this type of risk can manifest, along with breakdowns of survey data that identify the specific risks most prevalent in modern organizations.

Figure 1. TRAINING INDUSTRY’S TYPOLOGY OF ORGANIZATIONAL RISK (quadrants: Clients and Customers; Employee Workforce; Tangible Resources; Intangible Resources. Axes: Product/Service Risk, Operational Risk, Physical Risk, Material Risk.)


EXPLORING THE RISK TO INTANGIBLE ASSETS

An organization’s intangible assets are often its main source of competitive advantage. At their core, they are what the company is selling. In most markets, there are plenty of companies offering the same products or services; they differentiate themselves from each other by the ideas that their brands (and by extension, their offerings) represent. These brands, patents, trademarks, market perceptions and so on often take significant time and expenditure to cultivate. None of them can be constructed overnight, and seldom can they be created at minimum expense of either effort or finances. Unfortunately, these types of assets are also at greatest risk, as they are subject to their own types of specific risks in addition to the pressures of the various types of risks illustrated in the rest of our typology. For these reasons, the principal philosophical objective of compliance training is to safeguard these assets. In some cases, training has a direct impact on protecting the intangible assets of a company by establishing and enforcing best practices; in others, the impact is indirect by way of shaping organizational culture and company values.

In the section that follows, we’ll define subcategories of the risk to a company’s intangible assets that form the downstream endpoint of all compliance training.

DEFINING THE RISK TO INTANGIBLE ASSETS

Impact of External Regulations and Policies on the Core Business

When regulations change within an industry, so, too, must a company that does business in that market. The impact of these regulations can be on the scale of a single product, such as the Federal Drug Administration’s revising the guidelines for a prescription drug, or on the scale of an entire industry, such as the Federal Aviation Administration’s updating flight inspection standards for the entire commercial and civil aircraft industry. On either end of this spectrum (and all points in between), information on changing regulations needs to be rolled out quickly and efficiently to employees of the companies grappling with the changes to ensure that they adhere to new policies. Compliance training is the vehicle through which an organization must address such adjustments to the core business and is an indispensable part of keeping the business aligned with regulatory bodies. L&D functions need to ensure they’re in the communication channel both when regulations are pending, to anticipate changes to existing training processes, and when new regulations are announced, so that they can implement training as quickly as possible.

Negative Publicity Due to Relationships with Customers, Vendors, Etc.

Once a company has a reputation for poor customer service or unaddressed problems with a product, it can forge long-term expectations about whether engaging with such a company is worthwhile. At a consumer level, addressing such a problem could take the form of an “under new management” sign at a restaurant to attempt to convince customers that past quality issues have been addressed without taking the step of changing the name above the door and losing whatever cachet it may have held. In the context of business-to-business industries, inferior relationship management can cost a company valuable contracts and partnerships and mar its status as a trusted partner. To this aim, training holds significant sway in ensuring that a company’s culture respects business relationships with partners and vendors and ethically upholds contracts. Examples are apparent any time we see a company scrambling to release a statement about mishaps in client relationships, which can occur when the company is directly responsible, or when it is indirectly responsible, through underperforming subcontractors. As such, L&D needs to institute compliance training at the company itself as well as through contract agreements, as business-to-business relationships depend on all parties interacting with each other to ensure long-term commerce is not affected by a short-term lack of rapport.

Negative Publicity on Social Media, the Web, Etc.

They say that any publicity is good publicity. In the age of constant digital information, however, bad publicity can cost a company its customers, with little recourse to shake the stigma of opinion. For instance, the pizza chain Papa John’s was embroiled in a public relations nightmare following several controversial remarks made by its CEO starting in late 2017 that had nothing to do with its core business. Despite the fact that the CEO stepped down, the company’s shares and franchise sales suffered as sponsors dropped their agreements due to the corporate response to the controversy. As a cautionary tale, Papa John’s illustrates the power and impact of negative publicity and how a company can mishandle the reaction to fallout. It also underscores the important role that training can play as a driver of an ethical and appropriate organizational culture that can weather momentary stigma without threatening the sustainability of a business.

Loss of Customers to Competitors

Staying ahead of market trends is a constant clarion call for most industries. A vibrant L&D function is part of the recipe for creating and maintaining a competitive advantage over companies that offer similar products and services. To the extent that a company can sustain its place in a market, it should be able to continue to grow its customer base. The problem with competition, however, is that a competitor may come from unexpected places. For example, the successful online music instructor Mike Johnston takes the view that his competition is not providers of similar services but other markets, such as organized sports, that directly compete for potential customers’ time.2 In this instance, a customer of a direct competitor may be likely to seek additional providers of music lessons, whereas if the same customer abandons music altogether for soccer, none of the providers of music lessons will win that individual’s business. While training cannot directly address the competitive threats that originate from unexpected sources, it can provide employees with information about adjacencies and trends in products and services. This education can help drive the broader strategy for keeping customers focused on the offerings and solutions that drive the company’s revenue.

Threat of Risk-related Events to Brand Reputation

It is not uncommon to see companies rebrand themselves. A company sometimes does so following a merger or acquisition or in response to falling market shares. When a business pours significant resources into brand creation and maintenance, if that brand becomes toxic, it can create a “sink or swim” set of options. Can the brand withstand the impact of risks to how it is perceived in the market, or does it need to regroup entirely and begin anew? The way that power utilities companies respond to a natural disaster, for instance, can foster long-term opinions (positive or negative) in the customers and businesses they serve. While compliance training in and of itself seems to have little to do with branding on the surface, a company’s compliance practices are often stated in its values and implied in its vision statement. When risk-related events inevitably do occur, it is compliance in action that often steers the brand through rough waters. L&D functions can support the company’s brand by ensuring that current and future compliance training initiatives are aligned with company values and regularly reviewed by leadership in order to position such training as a brand ally inside the company.

Threat of Risk-related Events to Market Share

Individual companies are subject to risks that directly impact them, but there is another level of threats to contend with: the relative health of the market or industry as a whole. We need look no further than the fact that none of the original 12 companies that comprised the Dow Jones Industrial Average in 1896 are still part of this market index. The long-term evolution of energy markets from coal to gas and electricity is a clear example of this type of shift. But how could risk affect an entire market? In this context, a company’s relative share can rise and fall as competitors deal with risk-related events of their own. For example, the nature of a crisis with an individual airline’s operations following an accident carries the possibility to depress commercial air travel as a whole. Unfair as it may be, the perceptions of a provider and how it handles risk can extend to its competitors. While compliance training will not directly change these overall perceptions, it can become its own source of competitive advantage when large-scale market shifts occur. Accordingly, L&D functions need to ensure that they can simply and succinctly summarize compliance training in ways that marketing departments can use to communicate to the market at large.

Loss and Hazards to Proprietary Processes, Patents and Designs

When a company has a process that cannot easily be duplicated or a product that meets a need better than other solutions in the market, it is essentially its own business driver. As such, proprietary processes, trademarks and patents are worth protecting for their inherent value to the company. There is good reason why companies hold patents and trademarks (to protect themselves) and why processes such as reverse engineering exist (to sidestep liability for infringing on those protections). From a compliance perspective, however, the goal of training employees on proprietary information is to make sure that they are aware of exactly what is protected, what cannot be shared beyond the physical and virtual borders of the organization, and how to avoid inadvertently doing so. L&D plays a major role in safeguarding proprietary information by contributing to a compliance-focused culture that, in turn, protects these valuable company assets. While it may not appear that such protections are always compliance-related, the disclosure of this type of information is the result of preventable behavior and insufficient practices – the very focus of compliance training.

Loss and Hazards to Intellectual Property and Information Capital

Intellectual property and information are arguably the most abstract type of organizational asset. They’re ideas, separate from a brand – they may shape a product or the inflow and outflow of data for a service, but they’re conceptual in the sense of their value. When information such as customer data is lost or hacked, the repercussions can be devastating, not only for the organization but for its customers and business partners as well. Training on protecting intellectual property and information can take many forms, as can the threats. Breaches and losses can occur through improper access to printed materials, data on storage media, or data on servers, or through intercepting the transmission channels of information. In light of these multiple sources of risk, a robust approach to safeguarding information takes into account the ways in which employees are handling information and ensures that practices are in place to mitigate unintentional disclosure and thwart malicious attempts to acquire it.

Litigation/Legal Expenses

The cost of litigation at the corporate level is seldom small, whether the company wins or loses. Particularly when the outcome of something like a class action suit goes against a company, satisfying the resulting legal expense can close the business and require liquidation of its assets. On the other side of the coin, there can be significant and prolonged legal expenses to challenge infringements on patents, trademarks and intellectual property. There are many instances of a company selling off parts of its enterprise in response to the burden of lawsuits. While training by itself will not have much impact on the outcome of a lawsuit, it can be a crucial part of the remediation. In most cases, however, the existence of compliance training is to prevent such litigation from ever taking place. L&D can play an important role throughout legal challenges brought against the company (or brought by the company against another firm) by ensuring that both policies and employee behavior are in step with the legal position of the company in the courtroom.

2 Mike Johnston at Big Omaha 2015. Available at https://youtu.be/vH_S0XOzPtA

Slow Leadership Response When Addressing Risk

Identifying risks to customers is only half the battle. Appropriately responding to them in a timely fashion is crucial, as evidenced by the number of stories in the popular press about companies’ culpability due to their failure to do anything about known risks before a significant number of problems occurred. The difficulty comes from defining what “timely” means with respect to risk and, by extension, what constitutes a “slow” response. Given the importance of intangible assets to a company’s ability to conduct business, leaders cannot afford to be without contingency plans for risk-related events affecting their market, changes in regulations or data breaches. Though such plans are often formed at a high level of governance within a company, they need to be cascaded down communication channels quickly and efficiently. L&D will seldom have off-the-shelf training materials that it can put into immediate action to redress issues and communicate these plans, so it is imperative that company leaders work closely with L&D to create impactful training in response to threats to intangible assets.

Ignoring Unintended/Downstream Effects of Decisions

The bulk of the decisions a company makes are focused on primary consequences – in other words, if we change something, what is the immediate impact on the thing we’ve changed? In some business and military contexts, there is the idea of second- and third-order effects or consequences. These effects are impacts that are usually separated in time and space from the initial decision but are directly related to the impacts of that decision. When an intangible asset is affected, however, the unintended effects can spiral from bad publicity to lost revenue and damage to a brand’s reputation.

For example, take Starbucks’ policy that its restrooms were for use only by customers. For the majority of businesses, such a policy is sensible; public restrooms require more regular maintenance, and well-kept restrooms are generally important to customer service. That goal of the policy is the primary consequence. In 2018, two men in Philadelphia were denied use of the restroom and asked to leave a Starbucks location where they were waiting to have a business meeting with a third party, as many entrepreneurs do around the country without incident. The situation was escalated by a store employee, eventually resulting in the men’s arrest for suspicion of trespassing. As the two men were African-American and the incident was captured on video and posted on social media, there was significant fallout and valid accusations of racial discrimination, which were covered by several national press outlets. This response was the second-order effect. In the wake of the media coverage, protests were staged at the Philadelphia store where the incident occurred, and calls to boycott Starbucks circulated on social media outlets. Ultimately, Starbucks closed more than 8,000 locations for a day of anti-bias training for hundreds of thousands of its employees, at the cost of not only the deployment of training but the lost revenue from closing operations.3 That cost was the third-order effect. In this example, the company may not have considered how a simple bathroom use policy could have led to the need to suspend national operations and roll out anti-bias training to an entire workforce.

THE PREVALENCE OF RISK TO INTANGIBLE ASSETS

Next, we will examine the extent to which companies contend with the specific types of risk in this category. Survey respondents rated each risk on a five-point scale. To better contrast the ratings, we will present the combined “to a great/moderate extent” and “very little/not at all” ratings, which omit the middle rating of the scale. This approach will underscore the most frequent risks experienced by companies and the critical point that not all companies necessarily deal with each type of risk. In essence, our typology is not intended to be a checklist of risks for companies to address but a framework through which to identify the most relevant risks to a company, which will inevitably vary from one organization to the next.

Of all the subcategories of risks to organizational assets we discussed above, which are the most prevalent?

As shown in Figure 2, around half of the companies in our sample say that they are most affected by:

• Loss and hazards to proprietary processes, patents and designs

• Loss and hazards to intellectual property and information capital

• Threat of risk-related events to market share

On the other hand, about one-third of companies say they are least affected by:

• Impact of external regulations and policies on the core business

• Loss of customers to competitors

3 https://trainingindustry.com/articles/compliance/starbucks-to-close-its-stores-for-an-afternoon-of-anti-bias-training/


Again, we should stress that the types of risk to employees can vary from company to company. For the three subcategories identified as most prevalent, at least one-quarter of respondents said they are seldom or never affected by these risks; conversely, for the subcategories identified as least prevalent, about two-fifths said their companies experience these risks to at least a moderate extent.

THE PREVALENCE OF RISK ACROSS INDUSTRIES

Of the subcategories of risks to organizational assets, which are the most prevalent in different industries?

As shown in Figure 3, manufacturing companies say that they are most affected by:

• Threat of risk-related events to brand reputation (56 percent)

• Negative publicity on social media, the web, etc. (53 percent)

• Impact of external regulations and policies on the core business (50 percent)

Technology companies say that they are most affected by:

• Negative publicity on social media, the web, etc. (45 percent)

• Negative publicity due to relationships with customers, vendors, etc. (41 percent)

• Litigation/legal expenses (41 percent)

Health care companies say that they are most affected by:

• Loss and hazards to proprietary processes, patents and designs (50 percent)

• Loss and hazards to intellectual property and information capital (46 percent)

• Ignoring unintended/downstream effects of decisions (46 percent)

Figure 2. RATINGS OF RISK APPLICABILITY (for each of the 11 risk subcategories, the percentage of respondents rating it “to a great/moderate extent” versus “very little/not at all”: loss of customers to competitors; impact of external regulations/policies on core business; litigation/legal expenses; ignoring unintended/downstream effects of decisions; negative publicity due to relationships with customers, vendors, etc.; threat of risk-related events to brand reputation; slow leadership response when addressing risk; negative publicity on social media, the web, etc.; threat of risk-related events to market share; loss/hazards to intellectual property/information capital; loss/hazards to proprietary processes/patents/designs)


Banking and finance companies say that they are most affected by:

• Loss and hazards to proprietary processes, patents and designs (50 percent)

• Slow leadership response when addressing risk (46 percent)

• Loss and hazards to intellectual property and information capital (42 percent)

Government agencies say that they are most affected by:

• Threat of risk-related events to market share (67 percent)

• Loss and hazards to proprietary processes, patents and designs (62 percent)

• Threat of risk-related events to brand reputation (57 percent)

Finally, companies that provide business services and consulting say that they are most affected by:

• Negative publicity on social media, the web, etc. (45 percent)

• Threat of risk-related events to brand reputation (41 percent)

• Negative publicity due to relationships with customers, vendors, etc. (41 percent)

As shown in these data, there are patterns in the different types of risk seen across industries that make sense given each industry vertical. For instance, negative publicity was one of the top concerns of companies in manufacturing, technology and consulting industries. On the other hand, hazards to information capital was a top concern in health care and finance companies, given the sensitivity of the patient and customer data they routinely handle. It is also worth mentioning that about one-fifth of respondents across all industries identified each type of resource-related risk as relevant to their business.


Figure 3. RATINGS OF RISK BY INDUSTRY (TO A GREAT/MODERATE EXTENT); one panel per industry, each ranking the 11 risk subcategories: Banking/Finance/Insurance, N = 24; Business Services/Consulting, N = 22; Government, N = 21; Health Care/Medical/Pharma, N = 24; Manufacturing, N = 34; Technology/Telecom, N = 29.


CASE STUDIES IN ORGANIZATIONAL RISK

In the abstract, it may seem like addressing risk is like playing the classic arcade game "whack-a-mole": A risk pops up, the organization hits it with a compliance mallet and then it waits for the next risk to emerge. In reality, things are seldom this simple. More often than not, risks become visible only after the fact, born of process failures and training gaps in a runaway cascade of circumstances. In this section, we share two case studies that illustrate how a combination of factors contributes to organizational failures and the part that compliance training can play in preventing them.

CASE STUDY 1: 2013 TARGET CREDIT CARD BREACH

At the end of 2013, payment card data for some 40 million accounts, plus names, addresses and other contact details for up to 70 million customers, was stolen from Target's point-of-sale (POS) systems in nearly 1,800 U.S. stores.4 The attackers first compromised a heating and refrigeration vendor, using malware to harvest the vendor's credentials for Target's vendor portal; from that foothold they moved through Target's network to the POS systems and installed memory-scraping malware that captured card data as customers swiped their cards. Target's monitoring tools raised alerts during the intrusion, but they were not acted upon, and the company learned of the theft from the U.S. Department of Justice. Forensic analysis indicated that regular, full reviews of the weak points in the interconnected systems could have revealed the flaws that let the attackers reach the POS machines. Such a review has to cover every system, not only those that handle sensitive data, because the path to the card data ran through systems that did not. The vendor's access was Internet-facing, so stronger authentication and end-to-end protection of that remote connection would have narrowed the back door; more importantly, Target could have segmented the POS network from vendor-facing systems with software or network controls that made access to the POS machines from there impossible. The card-data theft ran for roughly three weeks, from late November to mid-December 2013, during peak holiday shopping traffic. Clearly, this incident was a case of massive loss of information capital coupled with slow leadership response to risk and negative publicity.

How does training factor into this? Among the shortfalls that contributed to the breach, security staff needed better training on monitoring security audit logs and on responding to the alerts their tools raised; acting on those alerts could have cut the exfiltration window and the volume of stolen data. Even where such training was available, staff may not have had sufficient time to analyze logs and to detect the outbound traffic that carried customer card data out of the network. While it is true that the technical controls in place were not adequate to protect the card data, the scale of this breach could have been significantly smaller had there been enough trained staff tasked with catching the malware activity.
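The two controls the case turns on, keeping POS terminals off every network path but the ones they need and noticing when data leaves, can be expressed as checks a trained analyst runs over flow logs. The following Python script is an added example, not code from this brief or from the SANS case study it cites. It encodes a hypothetical segmentation policy (POS terminals may only reach an allow-listed payment gateway and update server) and a byte-volume threshold for traffic from internal hosts to addresses outside the organisation, and runs both over constructed flow records that mimic the shape of the intrusion: POS hosts pushing data to an internal staging server, then that server uploading to an external address. All subnets, addresses, the threshold and every log line are invented for illustration; in practice the records would come from firewall, NetFlow or proxy logs.

```python
"""Added example, not from the Training Industry brief or the SANS paper it
cites. Two checks a security team could run over network-flow logs:

  1. segmentation: point-of-sale (POS) hosts may only talk to an allow-list
     of internal services; any other destination is a policy violation;
  2. volume: any internal host sending more than a threshold of bytes to
     an address outside the organisation's own ranges is an exfiltration
     suspect.

Subnets, addresses, the threshold and every log line are constructed for
illustration and are not taken from the real incident.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# --- assumed network policy (hypothetical values) ---------------------------
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")        # POS terminals
ALLOWED_POS_DESTINATIONS = {
    ipaddress.ip_address("10.1.5.10"),   # payment gateway (assumed)
    ipaddress.ip_address("10.1.5.20"),   # POS software update server (assumed)
}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # all company space
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024                  # 50 MiB per source

# --- constructed flow records: timestamp src dst dst_port bytes_out ----------
SAMPLE_FLOWS = """\
# POS terminals talking to the payment gateway and update server: allowed
2013-12-02T01:14:05Z 10.20.3.41 10.1.5.10 443 18230
2013-12-02T01:14:09Z 10.20.3.41 10.1.5.20 8443 4096
2013-12-02T02:10:02Z 10.20.3.43 10.1.5.10 443 2048
# POS terminals pushing large files to an internal server that is not on the
# allow-list: segmentation violations (card data being staged)
2013-12-02T02:03:11Z 10.20.3.41 10.30.7.9 445 73400320
2013-12-02T02:05:47Z 10.20.3.42 10.30.7.9 445 61865984
# the staging server uploading to an external FTP server: volume alert
2013-12-02T03:20:30Z 10.30.7.9 203.0.113.25 21 140509184
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records; blank lines and # comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport), int(nbytes)))
    return flows


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETWORKS)


def segmentation_violations(flows: list[Flow]) -> list[Flow]:
    """Flows from the POS segment to anything other than the allow-listed services.
    Lateral movement from POS to a staging host shows up here even though the
    destination is internal, which is why the check is not 'internal vs external'."""
    return [f for f in flows
            if f.src in POS_SEGMENT and f.dst not in ALLOWED_POS_DESTINATIONS]


def outbound_volume_alerts(flows: list[Flow],
                           threshold: int = EXFIL_BYTES_THRESHOLD) -> dict[str, int]:
    """Total bytes each internal host sent to external addresses; return the
    sources at or above the threshold, keyed by source address string."""
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[str(f.src)] += f.bytes_out
    return {src: total for src, total in totals.items() if total >= threshold}


def triage(text: str) -> dict:
    """Run both checks and return a summary a responder can act on."""
    flows = parse_flows(text)
    violations = segmentation_violations(flows)
    return {
        "flows": len(flows),
        "segmentation_violations": [(str(f.src), str(f.dst), f.dport) for f in violations],
        "staging_hosts": sorted({str(f.dst) for f in violations}),
        "exfil_suspects": outbound_volume_alerts(flows),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

The segmentation check is deliberately stricter than "internal versus external": the staging hop in this scenario never leaves the private address space, so a detector that only watches the Internet boundary sees nothing until the final upload. The allow-list is what turns the first lateral step into an alert, and the volume check catches the upload even if the allow-list is incomplete.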

CASE STUDY 2: 2011 TRICARE MEDICAL RECORDS BREACH

In 2011, personal information and medical records for approximately 4.9 million patients were stolen from a Tricare contractor employee's car in San Antonio, Texas.5 The records did not contain patients' financial data, but they did include Social Security numbers, addresses, laboratory results and prescriptions. The data had been backed up onto portable media that the employee was transporting by car from one federal facility to another; the backup media were stolen from the car while it was parked at the contractor facility. Tricare provides health care services to active and retired members of the military and their families. The stolen records stretched back to 1992, and while some encryption had been applied to the data, it did not meet federal standards. Again, this incident was a case of massive loss of information capital from a risk-related event. Although the contracting company stated that retrieving the data from the storage media would have required specific hardware and software and an understanding of the structure of the data, such equipment was commercially obtainable, and an obscure data format is no substitute for encryption.

The end result of this case is the same as the Target breach: Personal data was compromised. What distinguishes the two incidents is how the data came to be compromised. No computer intrusion was involved with Tricare; the storage media were physically stolen. Although the way the contractor was transporting the records was technically in compliance with the agreement between the data firm and Tricare, the incident prompted a review of data security policies and procedures. Notably, the lack of adequate encryption put the patient data at undue risk of being read if the media were sold on the black market. Had training been in place that put tighter controls around how and where sensitive records were encrypted and transported, both by the contractor and by Tricare, together with encryption that met federal standards and keys held separately from the media, the breach might not have occurred, or its impact would at least have been far less uncertain: properly encrypted media that go missing expose nothing readable.

4 https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412
5 https://www.reuters.com/article/us-data-breach-texas/records-of-4-9-mln-stolen-from-car-in-texas-data-breach-idUSTRE78S5JG20110929


SUMMARY AND RECOMMENDATIONS FOR L&D

While the preceding pages in this brief identify the common ways risk to intangible resources can manifest in organizations, in the real world, things are never as simple as a single threat. The point of identifying subcategories of risk is to highlight the ways in which it is possible for them to overlap, evolve and take new forms across the organization when unaddressed.

As we stated in the introduction, compliance is about protecting the organization, its employees and its customers. While this report focused on why compliance practices are important for the sake of intangible resources, it’s clear that these practices are universally important. The other briefs in this series explore the other facets of the importance of compliance training in reducing organizational risk.

One of the most important findings of our research is that all companies face an array of risks. No matter whether the company operates in manufacturing, health care or finance, there are no companies that don’t grapple with multiple types of risk. Even when there are some differences in the types of risks that are most common across industries, there are no industries that only identified a single subcategory.

Why is this finding important? The idea that we can define a "high-risk" company by its industry is erroneous. For areas such as protecting intellectual property and managing publicity, few companies are immune to the effects of risk, whether the impacts are felt in consumer confidence or in trusted business partnerships.

So, what can an L&D function do to reduce the risk to the intangible assets of its company?

• Ensure that both proactive and reactive measures are in place to prevent and quickly respond to risk-related incidents that affect publicity. Though it might be nearly impossible to predict the multitude of ways that risk can lead to negative publicity, it is clear from countless examples in the popular press that a company’s handling of issues can shape not only how events are portrayed but the likelihood that they are picked up by media outlets. Proactively, strong compliance training can help a company catch issues before they escalate; reactively, it can function as a message to customers and partners that the company is not resting on its laurels in the wake of an incident. Said another way, strong compliance does not communicate complacency.

• Be a strategic partner in helping the business navigate changes in the market. Training drives innovation by developing and nurturing employee talent in ways that hiring cannot. While compliance training may not immediately come to mind as a contributor to innovation, it does provide a business with a frame of reference through which to adjust to changes in its own market share, changes in the overall health of the market, and disruption from new and existing competitors.

• Be a strategic partner in helping the business weather regulatory and litigation issues. When updated regulations or legal disputes require changes to policies, training is often leaned upon heavily as a major part of a company’s internal response. L&D leaders can play an important role by being at the decision-making table to provide guidance on how compliance training should execute this internal response. That training can both prevent the organization from exacerbating a situation further and communicate new policies quickly and efficiently to the workforce.

• Act as the first line of defense against loss of proprietary information and intellectual property. An ounce of prevention is worth a pound of cure, as the saying goes, and in the context of an organization, it can be especially, painfully true. A significant reason that companies are able to keep close tabs on proprietary assets and prevent constant data breaches is that compliance training is doing what it is intended to do. Far from being a checkbox for L&D, compliance training continuously serves to protect the livelihoods of companies’ employees by giving them guidelines for how to conduct business in a way that doesn’t endanger some of the core assets of their employers.

• Ensure that leaders and managers are aware of the full battery of risks to company assets. Both of the case studies in this report illustrate different forms of data breaches. However, loss of protected information is but one of the many ways that risks to intangible assets can manifest. The more that a company’s L&D compliance strategy is able to keep these risks from fading from consideration, the more that leaders and managers can take steps to address and prevent these risks through the impact of training on the behavior of employees up and down the organizational ranks.

Compliance doesn’t have to be complicated, but it can’t be improvised. In the other research briefs in this series, we explore the ways that risk can affect clients and customers, the employee workforce, and tangible organizational resources, and we continue to examine how compliance training can play a part in reducing the impact of such risks.


RESEARCH PARTICIPANT DEMOGRAPHICS

All research findings described within this brief are based on Training Industry, Inc. research data. The following are general demographics of the respondents from the 261 companies who participated in this research.

Top 6 Industries (representing over 55% of respondents)

1 | Manufacturing

2 | Technology

3 | Health Care

4 | Banking and Finance

5 | Business Services

6 | Government

Company Size: respondents were spread across eight bands of employee count, 1-100, 101-500, 501-1,000, 1,001-5,000, 5,001-10,000, 10,001-20,000, 20,001-50,000 and >50,000 (the chart reported band shares of 8%, 8%, 14%, 16%, 3%, 18%, 25% and 8%).

Job Titles: 47% Managers, 16% Executives, 38% Non-managerial


ABOUT TRAINING INDUSTRY, INC. RESEARCH

New insights create new ways for L&D to do business. Training Industry, Inc. provides data-driven analysis and best practices for the corporate training professional by capturing the perspectives of learning professionals, learners and training companies across a diverse array of industries. Our informational resources are shared with more than 250,000 monthly website visitors and 140,000 email subscribers.

The Training Industry, Inc. research team of experienced analysts relies on rigorous survey practices, including targeted sampling and advanced analytics. These practices are based on validated principles of measurement to answer both qualitative and quantitative questions across a variety of research designs, including market research, buyer personas, learner impact analysis, competency models and organizational assessment tools. Our expertise and audience reach allow us to provide learning professionals with in-depth market intelligence and thought leadership insights to reveal where the corporate training market is now and where it is headed in the future.

Our research harnesses the collective wisdom of learning professionals and their unique perspectives on the business of training to inform our continuing professional development programs, including events, classes, certificates and the Certified Professional in Training Management (CPTM™) certification program. We circulate these insights throughout the training market using content marketing, including webinars, infographics, email marketing, and our award-winning magazine and website.

Copyright ©2019, Training Industry, Inc. All rights reserved. The information and insights contained in this report reflect the research and observations of Training Industry, Inc. No portion of this report may be duplicated, copied, republished or reused in any way without the prior written permission of Training Industry, Inc. For more information or to request permission, contact [email protected].

Recommended citation:

Training Industry, Inc. (2019). Training Strategies for Safety and Risk Management – Risk to Intangible Organizational Assets. Retrieved from https://trainingindustry.com/research/


READ ALL OF THE TRAINING STRATEGIES FOR SAFETY AND RISK MANAGEMENT RESEARCH BRIEF SERIES

• Risk to Clients and Customers

• Risk to the Employee Workforce

• Risk to Tangible Organizational Resources

• Risk to Intangible Organizational Assets

SUBSCRIBE TO TRAINING INDUSTRY RESEARCH

Your company must have compliance measures in place to ensure the welfare of the organization, the people who work there and the customers you serve. While compliance training deals with complex threats, your approach to it doesn't have to be complicated. This series of research briefs outlines a data-driven framework that can help you assess the risks you face; identify which ones might still be unknown; and determine how training can protect your company, employees and customers.

This series of research briefs covers how risk can impact employees, customers, and the tangible resources and intangible assets of an organization.

Each research brief in the series includes:

• The different ways that types of risks can present themselves

• How prevalent they are both generally and across industries

• Illustrative, real-world case studies

• Recommendations for L&D leaders to align their compliance training practices with company goals and strategy