Building a company-wide compliance training program from scratch comes down to six steps: run a gap assessment to find what regulators expect that you’re not currently doing, pick the courses that close those gaps, set up an LMS with role and location-tagged assignment rules, build a communication plan so employees know what’s coming, track completions in real time, and refresh the program annually based on what the data shows. The whole thing usually takes 6 to 10 weeks for a 50–500 employee company.
For HR leaders inheriting a “we don’t really have a program” situation, the work is more checklist than rocket science — but skipping the gap assessment is the single most common reason programs fail in year one.
What Does Building a Company-Wide Compliance Program Actually Involve?
Six concrete deliverables, in order. A documented gap assessment listing every required training by role, state, and industry. A course catalog mapped to those requirements. An LMS configured with the right org structure, user roster, and assignment rules. A communication plan covering kickoff, deadlines, and escalation. A reporting dashboard the executive team can review in 15 minutes. An annual review process to refresh the program as laws and roles change.
None of that requires a full-time compliance officer. Most 50–500 employee companies build their first program with one HR partner running point and a few hours of executive sponsorship. What it does require is the HR lead understanding the gap-assessment-classic courses they’re going to assign — things like The ADA Made Simple Course and FMLA: Employer Obligations — because those are the laws frontline managers most often get wrong, and they’re almost always missing from a “we don’t really have a program” inheritance.
How Do You Start With a Gap Assessment?
The gap assessment answers one question: what training are we legally required to deliver, and which of those requirements aren’t currently being met? A few practical inputs:
Pull a roster broken out by state and role. Identify federal training that applies to everyone (OSHA general industry safety, harassment baseline, HIPAA if you handle health data, FMLA awareness if you have 50+ employees). Then layer state requirements — California SB 1343 for harassment, New York annual harassment training, Connecticut CHRO, Illinois IDHR, and any state-specific paid sick leave or wage transparency rules. Then layer industry requirements — DOT for any drivers, ServSafe or food handler cards for restaurants, advanced HIPAA tracks for healthcare, OSHA 10 or 30 for construction.
The post on free compliance audit vs. gap assessment explains the difference between the two — most employers actually need a gap assessment first, and the audit comes later. The post on compliance training audit checklist for small businesses covers the questions an auditor will actually ask, which is a useful reference for the gap exercise.
Real-world scenario: a 110-employee SaaS company in Austin thought they had a “light” compliance footprint until the gap assessment surfaced harassment training requirements in California (12 employees), New York (4), and Illinois (2) — three different state laws, three different course versions, three different refresh cycles. Inheriting that from a previous HR director who had assigned a single national harassment course to everyone wasn’t malicious, just under-informed. Found the gap, fixed it in two weeks, no regulator visit.
How Do You Pick the Right Courses for Each Role and State?
Once the gap assessment is done, course selection is mostly mapping. For each row of the gap assessment — “California harassment supervisor, every 2 years” — find a course that satisfies that requirement. Confirm the course duration matches the legal requirement (California SB 1343 supervisors need two hours; non-supervisors need one). Confirm the content is current — laws change, and a 2022-vintage course may not reflect 2025 amendments.
The base set most company-wide programs need: state-appropriate harassment training (with the right CA/NY/IL/CT version per employee), HR Fundamentals: Workforce Planning and Recruitment for HR partners, an ethics baseline like Code of Conduct and Ethics (USA) for every employee, and Drug Free Workplace Program for Supervisors if you’re a federal contractor or in a regulated industry.
Don’t forget manager-specific content. Supervisors need different training than frontline employees — they’re the ones expected to recognize and respond to issues. Manager Core Competencies: Managing Ethics & Compliance is a useful supervisor track, especially for first-time managers who haven’t been formally trained on what their compliance responsibilities are. And Workplace Violence Prevention Made Simple for Managers is increasingly mandatory — California’s SB 553 took effect in 2024, and other states are following.
The post on strategic HR compliance bundles covers how to package related courses into role-based bundles — which simplifies assignment and reporting once you’re at scale.
How Should Assignment Rules and Communication Be Structured?
Build the LMS around your real org tree: Company → Region → Location → Department → Role. Get user import right the first time with location, department, and role tags already attached. Then write assignment rules off those tags rather than assigning courses one person at a time.
An assignment rule looks like: “All California employees with role = supervisor get Sexual Harassment Supervisor (CA, 2 hours), assigned within 7 days of hire, due in 30 days, refreshed every 2 years.” Build one rule per row of your gap assessment. Most LMS platforms can handle this — but only if your tagging structure is right.
The communication plan is the half most HR teams under-invest in. Three emails matter. One — kickoff email from the CEO or HR head explaining why training is rolling out, what employees will see, and how long it will take. Two — assignment notification with a clear deadline and the LMS link. Three — reminder emails at 14 and 3 days before deadline. Add a Slack or Teams announcement for distributed teams. Plain-English, employee-friendly tone — not legalese.
The communication should also explain WHY each role is getting different training. A site supervisor seeing they got the manager’s workplace violence track while their team gets the employee version often grumbles — until it’s framed as “you’re the one expected to recognize warning signs and respond, your team isn’t.” Plain framing avoids the “why am I taking more training?” pushback that derails roll-outs.
What Does a Roll-Out Timeline Look Like in Practice?
Most 50–500 employee companies can roll out from scratch in 6–10 weeks. Week 1: gap assessment, exec sponsor sign-off. Weeks 2–3: course selection and LMS contracting. Week 4: LMS configuration, user import, assignment rule build. Week 5: pilot with HR + executive team to test the experience. Week 6: company-wide kickoff. Weeks 7–10: chase completion, fix the inevitable edge cases (someone’s email isn’t right, a remote worker can’t access the LMS, a manager wants a “view by team” report).
For larger employers, the timeline stretches to 12–16 weeks, mostly because of HRIS integration, more change-management cycles, and the need to translate content into multiple languages. The post on the employee onboarding compliance training complete 2026 guide walks through the federal documentation, universal mandatory training, and role-specific tracks every from-scratch program needs to wire into onboarding from week one.
For very small employers, the timeline can compress to 3–4 weeks if you accept some imperfection in year one and plan to refine in the annual review. The post on why centralized marketplaces save time for small crews is a useful read for sub-50-employee teams where the HR person doing the build also has a day job.
How Do You Track and Iterate After Launch?
Reporting first. The dashboard you build should show, at a glance: total assigned, total complete, total overdue, broken out by location, department, and course. Drill-down to individual employees with one-click certificate retrieval. If any of that takes more than 30 seconds to produce, the dashboard isn’t audit-ready.
Set a weekly review: HR partner pulls the rollup, flags overdue completions, escalates to managers. Set a monthly review with the executive sponsor showing trend lines and any compliance gaps. Set a quarterly review with legal or outside counsel — depending on your industry — to confirm the course catalog is still current.
Annual program refresh. Once a year, re-run the gap assessment. Add courses for any new locations, new state laws, or new business lines. Retire courses that are no longer required. Update assignment rules. Push the refresh to the executive team for sign-off.
The post on how often compliance training should be conducted covers refresh cadences for each course type — annual harassment refresh, OSHA 10 one-time, HazCom when chemicals or processes change, HIPAA annual. Build those cadences into the assignment rules so refreshes happen automatically.
What’s a Realistic Budget and Headcount for a From-Scratch Program?
For a 100-employee company, expect around $1,200–$5,000 for the LMS subscription plus content (Coggno’s marketplace tier covers most of this), $500–$3,000 for a one-time gap assessment if you bring in an outside consultant, and 40–80 hours of HR partner time over 8 weeks. Total cash budget: $2,000–$8,000. Total time: 60–100 hours including communication.
For a 500-employee company, the LMS cost rises to $5,000–$25,000 a year (depending on content depth and SSO/HRIS integration), gap assessment runs $3,000–$10,000 if outsourced, and HR partner time runs 100–200 hours. Total cash budget: $10,000–$40,000. The post on how to choose a compliance training company that includes audit and gap analysis walks through what bundled service offerings look like — sometimes the gap assessment is included in the LMS contract at no extra cost.
Headcount-wise, a 100-employee company typically runs the program with one HR partner part-time. A 500-employee company usually has a dedicated compliance role or splits it between HR and operations. Above 1,000 employees, a full-time compliance manager becomes hard to avoid — too many state laws, too many role-specific tracks, too much audit prep. The post on best compliance training companies offering free gap analysis in 2026 is a useful shortcut if you’d rather have a vendor run the gap assessment for you (some include it as a sales-cycle freebie) — and it covers what to look for in either a paid or free version.
Get Your Team Trained — Without the Paperwork Headache
If you’re building a program from scratch, three Coggno courses are the right starting point — these are the gap-assessment-classic courses that almost every “we don’t really have a program” inheritance is missing:
The ADA Made Simple Course — for every manager and supervisor; ADA accommodation requests are the #2 source of EEOC complaints, and the most common root cause is supervisors not knowing what counts as a request.
FMLA: Employer Obligations — for HR partners and any manager who approves time-off requests; FMLA mishandling cited in more termination lawsuits than any other compliance training gap.
Code of Conduct and Ethics (USA) — for every employee; the foundational ethics baseline that ties together every other compliance track.
Want help running the gap assessment for your specific industry and footprint? Book a demo — we’ll walk through how Coggno handles assignment rules, multi-state harassment training, and rollup reporting for a from-scratch program.
Frequently Asked Questions About Building a Compliance Training Program
How long does it take to roll out a compliance training program from scratch?
For a 50–500 employee company, expect 6–10 weeks from gap assessment to company-wide kickoff. Larger employers (1,000+) typically need 12–16 weeks because of HRIS integration and translation work. Very small employers (under 50) can compress to 3–4 weeks if they accept some imperfection in year one. The gap assessment is week one — skipping it is the most common cause of year-one failures.
Do I need a dedicated compliance officer to run the program?
Below 500 employees, no — most programs are run by an HR partner part-time. Between 500 and 1,000 employees, a dedicated compliance role usually emerges, sometimes split between HR and operations. Above 1,000 employees, a full-time compliance manager becomes hard to avoid because of the volume of state laws, role-specific tracks, and audit prep work.
What’s the typical budget for a first-year compliance training program?
For 100 employees, $2,000–$8,000 in cash plus 60–100 hours of HR partner time. For 500 employees, $10,000–$40,000 plus 150–250 hours. The biggest variables are how many distinct compliance domains you cover (HR-only is cheap; HR + safety + healthcare is expensive) and whether you bring in an outside gap-assessment consultant.
How do I handle compliance training for remote and distributed employees?
Tag remote employees by their work state, not their employer’s HQ state. State harassment training laws follow the employee’s actual work location. Build assignment rules off the work-state tag, not the office address. Use a mobile-friendly LMS so field workers can complete training on a phone. The communication plan needs to reach Slack, Teams, and email — not just an office bulletin board.
What’s the most common mistake first-time program owners make?
Skipping the gap assessment. The temptation is to pick an LMS, assign harassment training to everyone, and call it done. That works for about six months — until an auditor notices that your California supervisors are taking a one-hour course instead of the legally required two-hour version, or your healthcare staff hasn’t done HIPAA refresh in 14 months. The gap assessment costs a few hours and saves years of remediation.
How do I prove the program is working when audit time comes?
Three artifacts. The current gap assessment showing every required training mapped to a course. The completion rollup showing assigned vs. complete by employee, location, and course. The certificate library with retrievable PDFs for every employee. State auditors (especially California DFEH and New York DHR) will ask for all three, and a tamper-evident audit trail of every assignment and completion. Build the program so producing all four takes 30 minutes, not 30 hours.
