« Complexity, Judgment, and the Subprime Crisis - The Hedgehog's View | Main | Thinking Like an Entrepreneur or a Lawyer? »
Thursday, July 02, 2009
Theories of Corporate Compliance
Before I entered academia, I was a compliance attorney at a large, public company. Prior to that, I was a federal prosecutor in Manhattan. It was no accident that the large, public company hired me to work on compliance matters. During my fifth year at the United States Attorney's Office (around 2003-2004), I received several calls from recruiters who were looking for prosecutors interested in taking in-house jobs in "compliance."
Different people ascribed different purposes to corporate compliance departments. The DOJ perceived compliance as a means of leveraging its police power. Compared to outsiders, internal compliance people could more easily find and prevent wrongdoing.
Another view of compliance was that in addition to policing and deterring wrongdoing, it should serve as a means of improving ethical norms within corporations. If greed had driven Jeffrey Skilling and Bernie Ebbers, then compliance programs were needed to improve organizational culture.
Finally, there was a third view of compliance - that it would improve deliberation within companies. Specifically, employees would feel empowered to speak up and take action when it appeared their supervisors were violating the law or company policies. Hotlines and robust compliance organizations theoretically would facilitate such voice.
In sum, people would be deterred from wrongdoing, adopt nicer values and talk to each other more. What's not to like? More after the jump ....
Of course, if you ascribe too many goals to one policy, inevitably that policy will disappoint. As it turns out, effective internal policing requires a certain level of deceit. Even a surprise audit is "deceitful" in the sense that it is designed to occur without warning. Deceit, however, clashes with some of the norms that the ethics folks were touting, like loyalty and transparency. As I argued in this piece, you can't have both without creating some serious friction.
Policing does not necessarily lead to more or better deliberation either. I'll address this in more detail in a later post, but suffice it to say that there has been no indication that compliance organizations within publicly held companies caused managers to make better decisions or avoid bad risks (although compliance people might argue that this wasn't their job). For that, you arguably need "enterprise risk management" (ERM) and whatever its benefits, ERM does not draw on the same skill set as corporate policing.
So all this leaves me a serious skeptic of the value of compliance. It may have temporarily restored public confidence in the stock market, but it certainly did not eliminate crime, much less improve corporate values. (If you thought corporate titans were too greedy back in 2001, I imagine you found them just as greedy in 2009). Sometimes, too much confidence can be a bad thing. Just as the legal industry is headed for a large change, the much younger compliance industry may be facing its own tipping point quite soon.
Posted by Miriam Baer on July 2, 2009 at 12:28 PM | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d8341c6a7953ef011571a1f49e970b
Listed below are links to weblogs that reference Theories of Corporate Compliance:
Comments
Are the functions of internal corporate police really so different from the functions of ordinary police? Sure, they can't eliminate or detect all crime, but they surely help, right?
Posted by: Chris | Jul 2, 2009 1:05:36 PM
Not all "policing" is salutary. Some policing can cause individuals to question the government's legitimacy and therefore undermine normative impulses to comply with the law. (Tom Tyler's classic, WHY PEOPLE OBEY THE LAW, spells this out far better than I can). In the corporate context, where the boundaries of regulation are unclear, and where the compliance function's overriding purpose is itself contested, it is quite easy to see how corporate "policing" will generate two types of problems. On one hand, if it is transparent, it will simply create a roadmap for the most deviant types to avoid detection. If, on the other hand the policing is conducted secretly (ie, you never quite know when someone is reading your email at work), it might create the "legitimacy" problem, whereby the company's employees come to resent the company's compliance efforts.
Posted by: Miriam Baer | Jul 2, 2009 1:40:27 PM
Fair enough. But the same problems exist with normal policing, right?
Posted by: Chris | Jul 2, 2009 2:41:26 PM
No, there are differences between the two.
The laws governing compliance are not nearly as well defined as the laws governing the police's conduct. As a result, we have unrealistic views of how much compliance can achieve, and we have highly unstable expectations of how compliance officers will or should behave.
Posted by: miriam baer | Jul 2, 2009 8:35:20 PM
