Certainly, a “set it and forget it” approach can seem great on the surface — but it’s not likely to generate the best results. If you lay out a phishing training schedule a year in advance, you limit your ability to be responsive and make changes as needed. A one-size fits all approach is akin to a minimal-effort “check the box” approach — and, frankly, poor effort is almost always linked to poor performance.
We are certainly advocates for planning ahead — don’t mistake that. We just don’t feel it’s in an organization’s (or a program administrator’s) best interest to commit to (and build) the content and themes of a year’s worth of assessments at once. In addition to the lack of flexibility, it could amount to wasted work, as you are likely to want to adjust based on end-user behaviors and industry threat trends that emerge during your security awareness and training program. Knowing what you’d like to do is always helpful, but you should always have the agility to do what you need to do to drive results.