Saturday, December 20, 2025

Risk and compliance training plan for 2026

Iratxe Gurpegui
Ethics, Culture & Leadership
Risk and compliance training plan for 2026

2026 is the year risk and compliance training moves from one long annual course to short, role specific practice that people can apply the same day. Budgets are tight, attention spans are short, and regulators are asking for effectiveness evidence, not hours spent. This plan shows how organizations can design a modern compliance program while fitting how people actually learn at work.

Why 2026 training must change

Most employees will not finish a 60 minute compliance module. They will complete a five minute lesson on their phone right before a risky task. The shift is from awareness to application.

  • Move from once a year to spaced microlearning, five to seven minutes at a time
  • Replace generic lectures with role targeted scenarios tied to your risk map
  • Deliver prompts in the flow of work, right when decisions happen
  • Measure behavior and outcomes, not only completion and quiz scores

This approach aligns with what auditors ask for, training that is relevant to the risks people face and that can be evidenced as effective.

What regulators will expect to see

Regulators and auditors will not prescribe your format, they will test your effectiveness and documentation.

  • Loi Sapin II, Article 17 requires training of exposed personnel, with evidence of frequency and relevance.
  • ISO 37001 requires awareness and training appropriate to bribery risks and roles, with records kept.
  • UNE 19601 and UNE 19603 require training as part of the compliance management system, proportionate to criminal and antitrust risks and responsibilities.
  • AML programs must include ongoing employee training as part of internal controls.

Auditors typically ask for a matrix that maps risks to roles, objectives, frequency, attendance logs, test results, and remediation actions when scores are low. Expect reviewers to sample evidence specifically for anti corruption, antitrust, and criminal compliance (in Spain) training.

A role based training matrix for 2026

Tailor content to the risks each role faces. Start from your risk map, then set objectives and cadence.

Role or audience

Key risks

2026 learning objectives

Best method

Cadence

Evidence to keep

Executive team and board

Tone at the top, conflicts, third party approvals, sensitive deals

Set and model expectations, challenge red flags, approve risk appetite, oversee investigations

45 minute live case clinic, quarterly brief

Quarterly

Agenda, attendance, case notes, decisions

Sales and channel managers

Antitrust RPM and information sharing, gifts and hospitality, third party integrity

Spot and avoid risky conversations, escalate cartel red flags, apply gifts policy in practice

6 minute microlearning modules, chat based scenarios

Monthly

Completion, 80 percent pass rate, case escalations count

Procurement and operations

Third party due diligence, facilitation payments, bid rigging

Run proportionate diligence, detect bid patterns, apply contracting clauses

Interactive checklist sprints, 10 minute microlearning modules

Monthly

Diligence records, module results, exception logs

Finance and accounting

Books and records, AML red flags, payment controls

Maintain accurate records, detect unusual payments, block prohibited vendors

Short video plus quick quiz, 15 minute workshops

Bi monthly

Quiz results, control exceptions resolved

HR and recruiters

Conflicts, speak up, disciplinary framework

Manage conflicts, protect whistleblowers, apply sanctions fairly

Microlearning and templates, 30 minute yearly workshop

Quarterly micro, annual live

Attendance, case handling metrics

Marketing and trade teams

Antitrust in associations and events, claims, influencer gifts

Safe conduct at events, avoid sensitive data exchanges, gifts logging

Live role play before events, 5 minute nudges

Before each event

Pre event attendance, post event attestations

AML and KYC functions

CDD, EDD, sanctions screening

Maintain current procedures, escalate unusual activity, document decisions

Case reviews, risk sprints, 6 minute refreshers

Monthly

Case review logs, training scores

Product, AI and data teams

AI Act roles and oversight, data ethics, model risk

Identify role under AI Act, apply human oversight, document transparency

8 minute microlearning modules, live drill on oversight

Quarterly

Oversight roster, drill outcomes, logs

All employees

Code of conduct, speak up, conflicts

Recognize a concern and report, avoid retaliation, declare conflicts

New hire microlearning series, annual refresher

Onboarding and annual

Completion records, hotline usage trends

Use a simple three tier approach for depth. Exposed roles get monthly microlearnings plus drills, supporting roles get quarterly refreshers, all staff get onboarding and a yearly update.

An overhead view of a modern office where diverse employees complete five minute compliance microlearning on laptops and phones. Each screen shows a different scenario card, for example an antitrust conversation at a trade show, a gifts and hospitality decision, and an AI oversight checklist. A wall calendar highlights monthly microlearning sessions and quarterly live case clinics.

A quarterly plan you can execute in 2026

Q1, foundations and high risk refresh

  • Publish the annual plan and ownership, align with the updated risk map
  • Run two microlearning campaigns for sales and procurement on antitrust and third parties
  • Hold a 45 minute executive case clinic, cover conflicts and investigations
  • Launch AI Act roles and oversight microlearning series for product and data teams

Q2, simulations and association season

  • Before trade shows, run a 15 minute live role play for marketing and sales, issue a one page do and do not
  • Conduct an anti corruption scenario drill with procurement and finance
  • For AML functions, do a case review sprint using recent alerts, track decisions

Q3, culture and investigations

  • Run an all hands speak up and anti retaliation refresh with microlearning scenarios
  • Host a 20 minute board briefing on key risk indicators and training outcomes
  • For AI teams, drill human oversight on one high risk workflow and document it

Q4, audit readiness and targeted remediation

  • Identify low scoring teams, assign targeted microlearnings
  • Produce an evidence pack for auditors with logs, content, and outcomes
  • Review plan effectiveness with leadership, update 2027 objectives

Modern methods that fit short attention spans

  • Spaced microlearning, a five to seven minute module every 2 to 4 weeks beats a single long course
  • Scenario cards, one realistic decision per card with immediate feedback and a link to the policy
  • Chat based practice, deliver quick dilemmas in the tools people use every day, for example email or chat
  • Live case clinics, 25 minutes, 10 minute briefing and three five minute case discussions with decisions recorded
  • Event driven nudges, pre populated do and do not reminders before trade shows, audits, and vendor signings
  • Role play drills, short supervised simulations for dawn raids, investigations, and third party escalations
  • Office hours, monthly 30 minute drop in with compliance for real questions from the field

Avoid long narrated slide decks. Replace them with focused problems people actually encounter, for example a distributor asking for a margin bump and confidential competitor price lists.

Build measurement into the plan

Tracking must go beyond completion to outcomes and behavior. Keep a clean evidence trail.

Metric

Target in 2026

Why it matters

Coverage by risk role

95 percent of exposed roles trained within 30 days of plan launch

Sapin II and ISO 37001 expect exposed roles to be prioritized

Scenario pass rate

80 percent pass on first try, 95 percent after remediation

Shows understanding, enables targeted follow up

Time to remediate low scores

Under 15 business days

Demonstrates responsiveness to risk

Manager acknowledgment rate

100 percent for teams in high risk markets

Reinforces tone and accountability

Event nudge adoption

90 percent of flagged events have a pre event training confirmation

Reduces competition law exposure at meetings

Evidence completeness

100 percent of sessions with roster, content, results, and policy link

Supports audits and certifications

Document how you will respond to results. For example, if sales in country A score below target on RPM scenarios, assign a live clinic within two weeks and pause risky commercial campaigns until after the session.

Governance and accountability

  • Assign a single owner per audience, for example sales training owner is the commercial excellence lead, with compliance support
  • Agree sign off for content with legal and external counsel when needed, especially for antitrust and criminal compliance
  • Establish a quarterly steering review with compliance, HR, business leaders, and internal audit
  • Keep a controlled copy of each module and scenario, date stamped, with a link to the policy and risk it supports

The bottom line

If you build a 2026 risk and compliance training plan around short, role specific scenarios that are delivered in the flow of work and tied to your risk map, you will raise real capability and satisfy auditors. Keep the evidence tight, automate the busywork, and use live case clinics to build judgment where it counts.

Ready to connect your training plan to risks, policies, workflows, and evidence, without adding headcount, speak with Naltilia. Our platform helps mid sized teams align risk assessments to training priorities, automate reminders and attestations, and keep audit ready records while you focus on content and culture.

Back to blog