Rewatch our CIPHR Connect partner EssentialSkillz on CIPHR’s stand at the CIPD HR Software Show (filmed on 13 June 2018)
HR and L&D teams are great at providing training, but when the auditors come knocking a paper chase can ensue. This presentation looked at how to close the loop with compliance issues without training becoming a tick box exercise.
CIPHR Connect is an ecosystem of trusted business applications that integrate seamlessly with CIPHR’s powerful HR and recruitment solutions.
If you have any questions about CIPHR Connect and are a current CIPHR customer, please contact your account manager. If you are new to CIPHR, call us on 01628 814 242 or email email@example.com.
Just a little bit about us, we are EssentialSkillz. We are a specialist eLearning provider predominantly. We also do policy compliance as well. We focus particularly around health and safety and also around business protection subjects. Things like GDPR, code of conduct, cybersecurity, those types of areas. So we provide training courses in isolation or we provide a learning management system in isolation or we can combine the two together and provide you with one platform. So that’s what we do and we’ve got a lot of people and you can see the stats for yourself on there. I won’t bore you with all that. Let’s just talk about what we’re here to talk about.
So what is the problem? Well, the problem is that most companies concentrate on the positive, not on the negative. So we all concentrate on who has been trained, but do we concentrate on who hasn’t been trained? Because that’s the most important thing, that’s the compliance gap that we have. That’s the gap within the system. That’s where, potentially, we’re going to get accidents, that’s where we’re going to get mistakes, that’s where things are going to go wrong. That’s our compliance gap. And then we found most companies we talk to always look on the positive, they don’t look on the negative. So we look on the negative for you instead.
So do you have a simple way to highlight non-compliance to senior management? Are you able to say when you actually go to a board meeting and present the graph and say, rather than, “Great, look, we’re 98% compliant.” Well, actually, what you should be saying is, “No, we’re 2% non-compliant and here’s why, these are the reasons, these are the people, this is what we’re going to be doing about it.” Let’s look on the negative again. Are you able to actually show that within your business? Have you got that information at your fingertips?
Version control. So if you’re providing training to your employees and perhaps you’re doing that as face-to-face training, you might be doing it as online training, you could be doing just any type of training. Are you able to version control that training? So are you able to say, definitively, you took this particular training course on this date in 2010 or are you not? And do you have consistency across your training? So do you have different trainers across the country that are perhaps providing the same course but doing it with different levels of enthusiasm, perhaps, or different levels of competency? How do we integrate with HR to ensure employees have signed and understood the latest policies and procedures? So it’s policies, procedures, training. How do we ensure people are actually doing the very latest pieces of information that we have within the business, rather than things that are years old or perhaps even haven’t done it for a while? These are all the gaps.
Now compliance is not a dirty word. This is a dirty word, box-ticking. So a couple of relieved faces. I know that that’s a phrase, but you know what I mean. But box-ticking is a dirty word, because I’ve been in the compliance sector for 20 years and compliance became less and less popular as a word because people used to say, “Well, compliance is just box-ticking.” No, it isn’t. Compliance isn’t box-ticking. If you’re just box-ticking, you’re just doing the 1s and the 0s. You’re only looking at the very surface. Compliance is looking below the surface and actually where the problems are. That’s true compliance and I’ll show you how we can do that.
So how do we move on from box-ticking? Well, to show true compliance, you need a robust audit trail. Now that sounds kind of obvious, but I’ll show you a little bit more about what I mean by that as we move on. Well, here we go. What do we mean by this? Well, let’s do a show of hands across the audience, shall we? So who can say amongst all of these varied companies we have here, which version of training and which version of the policy every single employee in your business has seen? So if I had been to any of your businesses, picked an employee, could you say, “Well, I can tell you which training this person did, I can tell you which policy they signed off, I can tell you when they did it.”
So a show of hands of everybody who can say yes to that question. Right, there is no hands showing and that’s not surprising because we get no show of hands every time we do this talk. Because, again, everybody has gaps and everybody has little areas that perhaps they don’t know about within their business. But I’m gonna show you something that can help you. So still moving on, every time you make a change, you not only need to keep a record of the change, but you need to know who’s then been trained using that change. So if you change the training PowerPoints or whatever it might be, you need to know who’s been trained on the latest version. Same with policies. If you’ve got a new policy, you need to know, “Well, he didn’t sign the old policy, he signed the new policy.” You need definitive facts all the time to say 1s and 0s, more than that, actually I knowo further.
So if an employee comes back after three years and says, “Well, the training actually was insufficient. I’ve had a terrible accident and you didn’t train me properly.” And you showed them the training course that actually, “Well, this is the training course that we provide.” And that person says, “Well, that’s not the training course I took, it was completely different to that.” How are you going to prove any of this information? Can you prove which policy was signed off? If there was a GDPR breach, I mean GDPR was in here a couple of weeks ago and actually in the news this morning. Currys’ PCWorld had a databreach with 5.9 million records, and I can bet you a pound to a penny, there’s people scrabbling around inside that organisation now trying to find out who signed off what policy, who had the training, who’s done what when quickly before the auditors of the ICO come in. That’s exactly what we all need. We need this information at our fingertips all the time.
So where’s the pressure coming from? Well, it’s pretty obvious really. There’s risk and governance issues, there’s health and safety issues, there’s a quality and diversity, building [inaudible 00:05:20], modern slavery, cyber GDPR subsecurity, it’s across the whole business. It’s such as IT, it’s such as HR, it’s such as, exactly. Every single part of the business is touched by compliance. So that compliance pressure is coming from all round and again, what we can do with this, there’s a central way of managing this information and saying, “Well, actually, I’ve got one place I can go where I can definitively say I can see exactly who’s done what or who hasn’t done what.”
So how do we pull all our compliance reporting together? Do we do it on spreadsheets? Well, you could. If you want to lose that information, if you don’t want to keep it up-to-date, you could do that. HR system, obviously you could do CIPHR which has a fantastic HR system for doing exactly this sort of thing. Of course you could. And more importantly, how do we ensure we’ve got ongoing compliance? And I’m just going to give you a very quick example. I was with a firm of solicitors, a very well-known firm of solicitors about six months ago, and I was talking with all the partners about, it was actually about driving and about driving policies.
And I was saying to them, because I’d been brought in by somebody further down the chain and they were saying to this person, “We need to something about driving policies.” And this person who was a partner was saying, “No, we don’t. It’s all fine.” I said, “Well, okay. Can you just tell me what your process is?” And she said, “Well, on induction, we present them with the driving policy. The person reads it, we watch them read it, they sign it off and then we’ve got it all covered. So we have no gaps.” “Oh, brilliant. And did you do that when you joined the business?” She said, “Yeah, I did.” I said, “Well, brilliant. And when did you join the business?” “Nine years ago.” “Right. And have you ever seen that policy since?” “No.” “Do you know if it’s the same policy now as it was then?” “No.” “Can you remember a single word inside that policy?” “No.” So there’s absolutely no point having that policy. No point signing it because it is useless unless that person actually knows what’s inside it. It is completely useless.
So how do we ensure that when a policy’s updated, staff sign off on the very latest version? Now again, CIPHR have got a solution for this, we also have a solution for this. They’re slightly different ones. Have we got a record of this? How are we making sure that employees don’t fall through the gaps? And how do we identify those gaps across the business? Are new starters onboarded and provided with policies? So when new starters start, as a business, do you perhaps have a policy where you say, “Well, we’ll gather everybody together once every two weeks and we’ll give them the training and do the policies.” Well, that’s great but what happens in that two weeks? If somebody starts the day after you’ve done one of those onboarding processes, they’ve got two weeks within the business where they have no training, they haven’t signed off on any policies, they’re doing the exactly the same work as everybody else, their risks are just as higher as everybody else’s, but they haven’t been trained. So again, there’s a gap. Clearly, I’m going to tell you that we’ve got a solution to this problem and I’m going to show you what that solution is.
So our solution is basically that you can provide the right training, the relevant documents delivered to the right people at the right time with a robust order history. And let me show you how we do that. So I’m just going to move on. I’m going to quickly show you, before we move on to questions, just a very, very quick overview of software. So you’ve not really come here to look at a piece of software but I’m going to show you anyway. So this, I’m logged into our eLearning system as an employee. Now if I scroll down, I can see I’ve got a policy to sign off, I’ve got some training courses to do, I also have an ergonomic risk assessment I need to complete. Now the reason I’m seeing all this is because I’ve been…well, I’ve joined the business, I’ve been added to CIPHR’s system as an employee. We’ve got an integration where we then feed down that data into our system. Our system then recognises that new starter. Automatically, our system will then say, “Well, actually, based on your job role or grouping, you are all required to do this training, these policies, these risk assessments.”
Automatically, it sends an email to the employee. The employee receives the email with their login details and they go in and this is what they’ll see. They’ll see training policies, risk assessments, that are relevant to them, their job role, and what they’re doing. So first thing they do, I’m going to sign off on a policy. So within our system, you’re able to upload as many policies as you wish and then you can actually create a mini eLearning course around that policy. Now this is what I created on the train. So it’s not particularly aesthetically pleasing. You can do a better job than I can do, I’m quite sure. But anyway, I’ve just got a little bit of information there about what the policy is. When I move on to the next page, I’ve then got a sign-off button. So I’m asked to sign it. Well, I haven’t read it. So I can’t sign it because I haven’t read it yet. So first of all, I’ll read the document. So I open up the PDF in this case and I can read through my document which is fairly brief.
Then I can come back into the course. Now, see, my sign up button is now activated. So I now sign that off. There’s my signature, confirm the signature, job done, I can go back to work. Well, not quite, because all I’ve proved so far is that that person has opened up that policy and then closed the policy again. I’ve not proved that they’ve actually read it and they’ve just signed something. So instead, we’ll actually test their knowledge. So you can then have a comprehensive test afterwards based around what was actually inside that policy. Now I’ve got three simple questions on mine which I should be able to get correct. So I’ll just answer these three questions and hopefully, that one I think and finally, that one. So once I’ve completed that, I will then be able to print my certificate. So I’ll just load the certificate up and whilst that’s loading, if I had failed that test, the system will mark me as non-compliant, because although I’ve opened up the document, although I’ve signed it off, I have clearly not understood it. So there’s no way that I’m going to be marking that person as compliant because they don’t know what the policy is.
But because I have signed it off and I’ve passed the test, I can now have a certificate which has got the name of the policy, my name, name I logged in under, date and time I did it, IP address of the PC I did it from, my digital signature and then a unique reference code for every single certificate. So if that person then comes back and says, “Well, I never saw the policy, didn’t understand it.” I’m sorry but you did and this is the date and time you did it, this is the IP address you did it from, you signed it off and this is the name of the policy and we have a record of that on your training profile. So absolutely you understood that policy.” Somebody just close that off. I’m just going to quickly show you…I should put my glasses on. I’m just going to quickly show you an eLearning course. I’m sure you know what an eLearning course looks like, but basically, within our system, what you’re also able to do is configure eLearning courses specifically around your business. So it’s gone straight to the test, I’m just going to jump back into the course a little bit.
Like I said, I’m not going to bore you with actually going through an eLearning course but there was just one quick thing I wanted to mention on here. So everything within these four corners, within our system, is editable. So you as a client can come in, you can change the images, you can add in videos, you can change text, you can add in links, change anything you want within that eLearning course using the editing tool within the software. Now that’s all great and that’s brilliant. It’s nice to have that flexibility and make that fit and proper for your business, but it’s the same thing again, that who did what training when. So if you’re changing this course ongoing, how do we know who did the last version? How do we know who did the version before that? How do we know? So I’ll show you.
So I come out of this course and I’m just going to go in as a manager into the system. So I just log out of here and swap over and go in as a manager. So when I go in as a manager, I get a slightly different view. Now the first thing I’m going to do is just look at my compliance report, because I want to know who’s done what. So I’m going to go straight to my report section and look at compliance. So when my compliance report loads, what it’s going to show me is a little barometer so I can see across my business, how compliant or non-compliant I am. So I’m looking across the whole business at the moment, but if I clicked on that magnifying glass, I could delve down into any part of the business. So you can have an organisational structure that is as simple or as complex as you wish it to be. So you can actually delve down to any part of the business. When I look down to see the table below, what it’s going to show me is each of the training elements, policies, risk assessments, whatever they may be. It’s going to show me my level of current compliance, how many people were required to do it, how many people are compliant, therefore, how many people are non-compliant.
Now that’s, again, that’s great. That’s a nice little dashboard to have but that gives me the surface. That tells me the 1s and 0s, that tells me yes’s and no’s. That’s all that tells me. That doesn’t give me the detail that sits underneath that and the devil’s always in the detail. Because the way this system works as I mentioned before, when a new employee comes in, we’ll provide them with training and we’ll ask them to do it and if they haven’t done it within a set period of time, we’ll take it away and then we’ll give it back again and then we’ll keep that cycle running until they actually complete it. Now what we’d really want to know is how many times our non-compliant people have been through that cycle because they are the persistent non-offender or persistent offenders that will never actually complete the training.
So if I go into the 52, what I can see is a list of people who are in my naughty list. What I can also do is I can reconfigure that end column and then reconfigure it again, and then what it will do is it will bring to the top the people who have been enrolled the most times. So I can see at the top there, I’ve got two people with five, some people under with four. So they’ve been through that process five times, they’ve been through that process four times. So it’s not just 1s and 0s, it’s looking at the data that sits underneath. These are the people actually that are going to end up having an accident, they’re going to be your cause of your GDPR breach, they’re going to be your, because they’re just not doing what you’re asking them to do time and time again.
So you’re able to then download this, send that out to a manager to say, “Here’s a list of people that you need to do something about.” We can email those people directly from this report if I wish to as well. We can do pretty much anything we want to do. I’m just going to keep an eye on time, because I know we’re on a fairly tight schedule today. Right, and I’m just going to show you one other thing whilst we’re in here. Two things, actually. Firstly, I’m going to show you again, if we’re looking at people, we want to be able to see what those people have done. So if I go into a user’s training profile, we’ll need to see is an absolute history of absolutely everything that that employee has been asked to do or has done or has not done. And again, it’s about building a complete audit trail of every single touch point with that employee. So I can see in here all the courses this person’s completed, I can see the date they completed it, number of attempts it took them to complete it, how long they’re in for. The same with policies that are also listed in here. Under policy, I can see how long they had that window open for. So if somebody’s opened that policy, closed it in 20 seconds, then gone to sign it off, I know they’ve not really read that policy in any great detail. So we’re able to look right down into the system there.
Also, what I can see are any emails that have been sent to this employee. So again, if this employee says, “Well, I’ve never actually got asked to do the training or never got asked to do that policy.” “Well, yes, you did, and here’s the email we sent you.” It’s all recorded inside the system as well. So it’s about having that complete idea of absolutely everything that goes on against that employee. Now something else we mentioned a little bit earlier on was just around making sure that you know a history and an audit trail of everything that’s happened with training, with policies, with whatever. So who’s done what when, which version did they do it on. So as I mentioned before, all of our courses, policies, everything is editable. You can go and change it, but this is where it’s slightly different. So if I go into one of our courses, so I’m going to choose our ergonomics course. I can see it, there it is. So if I go into the editing function in here, now what I’m able to do is I can choose a page, I’ll just show you quickly how it works, but I can choose a page, click into the page and then I can just click into it and change the text and do whatever I want to do. So I can make some changes to that course.
Now when we’ve published this course, if you look here, you’ll see that revision history there. Just keep an eye on that and keep an eye on the dates on that. If I click publish, I’ll just say on here “made some changes” then I click OK. Now that’s just going to take a couple of seconds to republish but what that’s doing in the background is that’s, first of all, making a note of what we changed. Secondly, it’s republishing that. So that’s now a live course in the system. So the next person to take that course will see the one that I’ve just changed. Thirdly, it’s also creating an archive copy of the previous version of the course or the policy or whatever it might be and it’s putting that on our server.
So then, if in the future, anybody comes back and says, “Well, actually, that wasn’t the course I did,” all we’ve got to do is look at the date that they did the course and then we can bring back from the archive the exact copy of the course that they completed. And let me just show you that it has actually done that. So if I look at our ergowise [SP] course there now, what we should see is the revision history is now changed, which it has, they made some changes, there it is and you’ll see, there’s a little .zip at the end there, tell us the file name. So that’s the file that we’ve now archived back on to the server. So we have an absolute history of everything that’s happened. So as a HR department, you’re now be able to show, “Well, yes, I can prove people did training. I can prove people did policies. I can also prove that it was relevant to them because we mapped this across their job roles before we did and to think that it was delivered to them on the day that they started with the business. I can also prove the exact version that they did at any point in history. I can show the exact version of the policy that they signed off at any point in history.” I can prove pretty much anything around policies or training.
So if ever I get caught out, if I was Currys PCWorld with our data breach and then asked to check on the training and on the policies, I can definitively show by going into our system, “Yeah, I know who did it.” But I also know who didn’t do it and I’ll be honest about that and hold my hands up, but at least I know and that’s the key thing. And that’s what we’re all about and obviously, we can feed back into CIPHR’s system, we can push training completions back into there, we can bring data down from there, we could do all sorts of lovely fancy things, I’m quite sure and that’s pretty much it from me. So that was all it was. Is there any questions from anybody?