This is the first in a series of three blogs on a topic I have long been passionate about, compliance training. Before you yawn and scroll on by, hear me out on why I believe that most of us are getting it catastrophically wrong.
I am going to start by saying something that will make a lot of L&Ders uncomfortable; compliance training is the most important learning in your organisation. Not leadership development, not onboarding, not the flagship culture programme you spent months designing. Compliance training. Moreover, it is the most important learning anyone does. It keeps them safe, legal, ethical and healthy at work.
The shop window
Compliance training is our shop window. We push 100% of our audience through it and yet it is often the worst learning experience we offer.
Think about what compliance training actually is in terms of reach. Every single person in your organisation goes through it, multiple times a year, often across several different programmes covering health and safety, data protection, code of conduct, anti-bribery, safeguarding and diversity and inclusion. If anyone in sales or marketing had the attention of 100% of their potential audience, they would not put their worst products in the window; they would make that the most compelling, memorable experience they could possibly create.
We do the opposite. We put the click-next-quiz-at-the-end elearning, often not even our own but bought in from a library supplier, in the most prominent position we have. We serve it to every person in our organisation, we measure whether they ticked the box, and we call it compliance. This is L&D’s shop window, and we are displaying the tatty goods from the back of the warehouse.
It’s not only about learning quality
I know what some of you are thinking: compliance elearning is often dull, we’d all prefer more engaging approaches, but we have to work with what we’ve got, with the budgets we have, with stakeholders who just want the box ticked. I understand that reality, because I have lived it. I do not want to lay this entirely at L&D’s door, as our senior stakeholders are often more interested in audit trails than actual behaviour change. That shapes what gets funded. But this is not just a learning experience or quality argument anymore. It is a legal one, and the evidence has been building for over a decade.
The legal case: what the courts have been telling us since 2013
Courts and employment tribunals in Australia and the United Kingdom have been signalling for years that click-next, generic online compliance training is legally insufficient. The 2026 Queensland decision is the most recent and most explicit, but it sits in a long line of cases that L&D, HR and legal teams do not seem to have heard about.
It is time to sit up and listen. Take a look at the legal cases.
The tick-in-the-box is no defence.
Richardson v Oracle Corporations Australia Pty Ltd [2013] FCA 102 / [2014] FCAFC 82
Oracle required all employees to complete mandatory online sexual harassment training every two years. In the 2013 trial, a manager was found to have harassed a colleague, and Oracle argued its training was sufficient. The Federal Court disagreed, finding the training too generic, globally sourced and not specific enough to Australian law or local process. Oracle was found vicariously liable. On appeal in 2014, the Full Federal Court increased damages from $18,000 to $130,000, rejecting 30 years of conservative damage awards as manifestly inadequate and out of step with community standards. This case is over a decade old, and most organisations are still running the exact approach Oracle ran.
Ref: https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCAFC/2014/82.html
Allay (UK) Ltd v Mr S Gehlen: UKEAT/0031/20/AT
An employee suffered regular racist harassment from a colleague. The employer pointed to equality and diversity training as its defence, but the Employment Appeal Tribunal found the training had become stale and ineffective after 20 months, staff had clearly forgotten it as racist behaviour and the failure of bystanders to report it showed. The training had included one slide on harassment and made clear what employees should do if they heard unacceptable remarks, and they all failed to follow that guidance. The court’s conclusion was precise: if training does not change behaviour, it does not satisfy the reasonable steps defence. This is the definitive UK ruling on the shelf life of compliance training, and it establishes that annual, once-and-done compliance training has a legal expiry date.
Loquias v The Star Entertainment Group and John Dwyer [2026] QIRC 023
A casino dealer was sexually harassed by her manager for months. Her employer had a comprehensive Equal Employment Opportunity policy, formal procedures and mandatory online training every two years, including a programme called Do the Right Thing. The court did not find fault with the content; it found the delivery fundamentally flawed. Managers completed the training online while simultaneously running the casino floor, and the Gaming Area Manager acknowledged that most participants simply skip through it because they are under pressure at work. The training had previously been done off the floor in an office, but it was moved online because it was quicker and cheaper. Commissioner Power was unambiguous: genuine training cannot reasonably occur when employees complete training while simultaneously attending to their duties. The employer and manager were ordered to pay over $49,000 in combined damages, and the manager separately paid a further $77,000. The content passed, the delivery failed and the organisation paid.
The legislative shift: proactive duties are now the law
Beyond individual cases, both Australia and the United Kingdom have made structural legislative changes that raise the stakes considerably further.
Australia: Positive Duty under the Sex Discrimination Act, in force December 2022, enforceable December 2023
Following the Respect@Work reforms, every Australian employer now has a proactive legal duty to prevent sexual harassment rather than simply responding after the fact. From December 2023, the Australian Human Rights Commission has powers to investigate organisations on its own initiative, without needing a complaint from an individual, and can issue compliance notices, compel production of documents and apply to federal courts for orders. Compliance training that cannot demonstrably change behaviour is now a direct regulatory risk, and the AHRC’s guidelines for complying with the positive duty set standards that go further than what courts have traditionally required.
United Kingdom: Worker Protection (Amendment of Equality Act 2010) Act 2023, in force October 2024
The UK introduced its own proactive duty in October 2024, requiring employers to take positive steps to prevent sexual harassment before it occurs. Tribunals now have the power to increase compensation by up to 25% where employers are found to have failed this duty, and the EHRC’s statutory code of practice is explicit that a policy alone is not sufficient and that a one-off training course does not constitute a reasonable preventative step.
United Kingdom: Employment Rights Bill, coming October 2026
The UK is tightening the standard further still. From October 2026, the Employment Rights Bill shifts the employer’s duty from reasonable steps to all reasonable steps to prevent harassment. Legal commentary has been explicit: a completion certificate dated months before an incident will not demonstrate that all reasonable steps were taken, and if anything, it demonstrates the opposite: that the organisation prioritised a record of completion over genuine readiness.
Australia: Psychosocial Hazards under Work Health and Safety Law, in force across jurisdictions from 2022–2025
Following amendments to Work Health and Safety Regulations, every Australian employer now has an enforceable duty to proactively identify, assess, and control psychosocial hazards, applying the same hierarchy of controls used for physical risks. Most jurisdictions adopted the model regulations between 2022 and 2023, with the Commonwealth regulations taking effect 1 April 2023 and Victoria completing the national picture with standalone Psychological Health Regulations from 1 December 2025. Significantly with the changes, regulators are no longer satisfied by policies alone; they are assessing whether those policies translate into measurable action. Crucially, training is explicitly positioned in the regulations; it cannot be the predominant control measure. Compliance training that substitutes for genuine risk management is now a direct regulatory liability, and the direction of travel across every jurisdiction is toward governance, documentation, and demonstrable outcomes over attendance records and tick-box completion.
The legal case for doing compliance learning differently has never been stronger. The courts and the legislators are converging on the same standard: training must be genuine, specific, regularly refreshed and demonstrably effective, not just completed. The tick-in-the-box is no defence.
The safety net you think you have does not exist
Most organisations are running compliance training as a legal defence mechanism, operating on the logic that if something goes wrong, they can show auditors that everyone completed the training, that they have the records and that they are covered. The cases above tell us that is not enough, nor has it been for over a decade. Courts look beyond the completion record to ask whether the training was delivered in a way that could genuinely be absorbed, and whether the approach could realistically change behaviour. When the answer is no, as it so often is with generic, click-next, once-a-year elearning, they find the organisation liable.
The tick in the box is not the tick in the box if nobody was actually learning, and if your training is generic, annual and completed on a laptop while people have twelve other tabs open, you are not covered. You are exposed.
What we need to be asking instead
The question is not whether everyone completed the training. The question is whether anything has actually changed. That is a fundamentally different design challenge, and it is one that compliance training, as it is typically delivered, is not built to answer. Nobody is going to remember the specifics of the gifts policy in the moment they are offered tickets to the Grand Prix, because that is not how memory works. What they will remember is a question that has been embedded in how their organisation talks to itself, a phrase, a story or a colleague who brought the subject up in a team meeting last month. That is what effective compliance learning looks like, and it is achievable.
So what now? Stop rolling the dice
There is a better way. This month I am sharing the compliance learning legal issues. Next month I will introduce the 3Rs framework from my book, The Learning and Development Handbook, which underpins how to build compliance learning that actually works. In August, I will make the case, with a real case study, that campaign-based compliance learning delivers results that click-next e-learning never can.
For now, I want to leave you with one challenge. Look at your compliance learning as if you were a new employee going through it for the first time, not as the designer or SME who knows the reasoning behind every decision, but as someone who has twelve other things on their plate, who is being asked to spend time on this because they have to and who is being watched by their manager to make sure they complete it. What do they learn, what do they remember and what changes in how they do their work?
If the honest answer is not much, then this is your shop window and it is time to rethink what you are putting in it. If you can’t wait until July for the answer, give me a call.
Legal cases referenced, however this blog does not constitute legal advice.
Don’t miss what comes next
The next two posts get practical. Sign up and I’ll send them straight to you.