Are We in a Compliance Arms Race?

by Azish Filabi

Over the past few decades, while companies have invested in building and expanding their compliance programs, researchers, practitioners and employees in some companies attest to a lack of corresponding reduction in misbehavior.[1]   Some even believe that the compliance programs may be a cause of increasing misbehavior.  This begs the question: Are we in a compliance arms race?  Mind Gym, Inc., a behavioral science oriented training firm has coined this term to refer to the cycle of increasing investment in compliance programs, which increases the demand for competent professionals, and the cost of doing business, while the levels of misbehavior remain unchanged, thus spurring calls for additional internal compliance controls.[2]

In an essay in the Stanford Law Review Online, Todd Haugh describes the increasing criminalization of compliance programs, and how it potentially fuels this cycle.  He writes that while many programs are often well-intended, they approach internal corporate compliance through the lens of the criminal law by using the tools of criminal legislation/policy, internal investigation, and enforcement to achieve their goals.  This is logical, given that the genesis of these programs is from the Federal Sentencing Guidelines for Organizations (FSGO), a document issued by the Federal Sentencing Commission to incentivize companies to establish internal systems to encourage employees to do the right thing.

For many companies, the internal policies and procedures are established not only to prevent wrongdoing, but also to ensure that external investigators and prosecutors are kept out of the company.   By demonstrating that they already have the matter under control through their own internal investigations and compliance systems, companies hope to keep the prosecutors at bay.

Haugh suggests that a myopic focus on reducing criminal and quasi-criminal investigations and prosecutions, however, is leading to unintended consequences.    How does this happen?  He proposes that one factor is the psychological process of rationalization by employees who violate the rules.

While one goal of the government and internal compliance programs is to encourage companies to create cultures of compliance and thereby improve corporate culture, criminalized compliance programs allow employees room for rationalizing their unethical or illegal behavior by importing features of the criminal law, such as vague and overlapping rules, aggressive and onerous monitoring, and inconsistent enforcement.  These disparities communicate to employees that there is misalignment between the stated values of a company, on the one hand and how they actually do business, on the other, leading to rationalizations that the company does not mean what is says and that the compliance program is done with a wink and a nod.  This description is not intended to excuse the rationalization, but rather explains how criminalized compliance programs could have unintended behavioral impact on employees, and thus increase risk for the company.

Indeed, in research done by Ethical Systems collaborator Linda K. Trevino et al.[3], in What Works and What Hurts, they surveyed over 10,000 employees across six large U.S. companies and found that when employees perceive that a compliance program exists for the purpose of protecting top management, it was harmful to the company — employee misconduct was higher, organizational commitment was lower, and employees were less likely to speak-up to management about misconduct they observed.

The question of whether a compliance mindset crowds out ethical behavior has also been studied in other academic disciplines.  Fellow ES collaborators Max Bazerman and Ann Tenbrunsel have written about how ethical fading can occur in business when employees are too focused on financial goals or so-called “business decisions” that have unethical consequences.  Psychologically, the notion of bounded ethicality (PDF: 239 KB), which describes the systematic and predictable ways that people make decisions without realizing the ethical implications of their behavior, can lead many to fall into a blind spot and rationalize decisions that later upon reflection, with time and clarity, they can’t believe they made.

Eugene Soltes’s recent book, Why They Do It, puts a fine point on this in the context of white collar crime – he conducted extensive interviews with over 50 prominent corporate executives (including Bernie Madoff, and Dennis Kozlowski) who were convicted of crimes and found that most of them simply didn’t think of their behavior as unethical or illegal at the time they did it.  They had rationalized their goals as “doing what was best for the company” (as in the case of Andrew Fastow, CFO at Enron).

Behavioral Compliance[4]

If the build-up of the internal administrative state at large companies may be leading to ethical fading, is there an alternative approach executives should consider?  Haugh suggests behavioral compliance as a solution, which draws on the learning from behavioral science and social psychology.

Rather than developing compliance programs that mimic the criminal law, companies should focus their programs on the employees whose behaviors they intend to change.  As human-centered design begins with studying the individual and working back to a prototype that suits the user’s needs and behavior, behavioral compliance aims to tap into people’s intrinsic desire to see themselves as ethical and designs a compliance program that encourages ethical behavior.  For instance, as Scott Killingsworth writes in Modeling the Message:  Communicating Compliance Through Organizational Values,[5] storytelling can be a powerful behavioral tool.  By simply engaging senior leaders and managers to share examples of positive behavior, you can influence behavioral norms and emphasize adherence to corporate values and the code of conduct.

Haugh also advocates for adopting a mindset of experimentation within the company; he proposes that companies “start small and measure results. “  For behavioral compliance to work effectively, companies should adopt methods slowly, and measure results.  An experimental approach is necessary because managing and predicting human behavior is complex, and evidence-based approaches will help companies best understand what works in the context of their unique organizational culture, history, and footprint.  As Jonathan Haidt and Linda Trevino have written in Make Business Ethics a Cumulative Science for Nature Human Behavior:  “We need to…generate a constant stream of innovations in business ethics, which are then tested empirically and selected so that the most effective ones become more common throughout the business world, while those that are ineffective or counter-productive fade away.”

Measurement of E&C program outcomes can be a challenge, but social science researchers have already demonstrated effective methods.  Trevino et. al. in their large-scale study, referenced above, chose several measures of effectiveness and then were able to test the impact of an E&C program (both its formal and informal elements) on those measures.  They offered seven definitions/measures of an effective program, such as employees’ willingness to deliver bad news to management, their commitment to the organization, and observations of unethical behavior; Think of formal elements as the Code of Conduct or the hotline, and informal as the consistency with which the leaders detect and punish violations, or the alignment between stated values and actions.


Compliance programs are necessary in today’s complex legal environments to increase awareness of the law and manage adherence to the law by large-scale corporate operations. The future of compliance, however, depends on building on the knowledge of legal systems gained thus far, and integrating it with our growing knowledge of human behavior.  By building human-centered organizations and compliance systems, we can hope to build more ethical cultures and businesses.


[1] See, Corporate Executive Board surveys on observations of corporate misbehavior (PDF: 159 KB); see also, Haugh, T. The Criminalization of Compliance, Notre Dame Law Review, (2017).

[2] White paper with this reference, forthcoming.

[3] Trevino, Weaver, Gibson Toffler.  Managing Ethics and Legal Compliance:  What works & What hurts.  Winter 1999.  CA Management Review

[4] For a more detailed discussion and review of this term, see Langevoort, D.,  Behavioral Ethics, Behavioral Compliance in Research Handbook on Corporate Crime and Financial Misdealing (Jennifer Arlen, ed., Edward Elgar).  2015.

Azish Filabi is CEO of Ethical Systems.


The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law.  The accuracy, completeness and validity of any statements made within this article are not guaranteed.  We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.