By 2025, corporate compliance departments will reduce annual compliance training by 50%, displacing costs in favor of embedded workflow-based controls to guide employees, according to Gartner.

“Many compliance leaders are dissatisfied with the effectiveness of their existing program activities,” says Chris Audet, senior director: research in the Gartner Legal, Risk & Compliance practice. “Existing training activities are not meeting key risk mitigation objectives, and there is evidence that embedded controls are more effective.”

Embedded Controls

Embedded controls are built-in, process-based mechanisms that shepherd employees to compliance within their workflows and may be detective, preventive, or corrective.

According to an April 2021 Gartner survey of 755 employees, when organizations implement embedded controls, the number of employees who miss compliance obligations drops by more than half (58%).

“Part of the appeal is that embedded controls can reduce compliance burden on employees, by transforming compliance obligations from something extra to remember into timely prompts and guidance at the point where compliance is required,” says Audet.

“Simply forgetting compliance training is one of the top causes of control failure and trying to mitigate with more training is likely to lead to more assurance fatigue.”

Nascent Market

Compliance leaders plan to increase their resource allocation towards embedded controls by 82% this year, so it is likely this demand will catalyze the market to support compliance leaders through configurable applications designed to mitigate risk within business workflows.

“Despite the clear demand, there is currently little to no marketplace dedicated to embedded controls,” says Audet. “However, compliance leaders may seek to leverage technologies already in place across the organisation, such as integrated HR management tools and chatbots.”

Given that compliance budgets are not increasing much, Gartner experts expect the funding for new embedded controls to be offset by a significant reduction in compliance training activities.

Targeted Controls

Compliance leaders looking to implement embedded controls should perform a risk assessment to identify the workflows that contribute most to risk.

They should also find the employees within those workflows who are most likely to cause control failure because of the burden of remembering, understanding and executing on compliance obligations. This will identify the ideal starting points to pilot embedded controls.

As leaders look at the areas of compliance that create the most burden (e.g. training) on employees, it will help them to identify the areas of greatest return for embedded controls.

“Embedded controls have the potential to deliver significantly better compliance outcomes when compared to training,” says Audet. “These controls should reduce the overall burden of compliance on employees and create less assurance fatigue.”