Extra compliance for high-risk-potential employees
In “The Power Few of Corporate Compliance,” 53 Georgia Law Review 128 (2018), Todd Haugh of Indiana University’s Kelley School of Business argues: “Corporate compliance in most companies is carried out under the assumption that unethical and illegal conduct occurs in a more or less predictable fashion. That is, although corporate leaders may not know precisely when, where, or how compliance failures will occur, they assume that unethical employee conduct will be sprinkled throughout the company in a roughly normal distribution, exposing the firm to compliance risk but in a controllable manner. This assumption underlies many of the common tools of compliance—standardized codes of conduct, firmwide compliance trainings, and uniform audit and monitoring practices. Because regulators also operate under this assumption, what is deemed an ‘effective’ compliance program often turns on the program’s breadth and consistent application. But compliance failures—lapses of ethical decision making that are the precursors to corporate crime—do not necessarily conform to this baseline assumption.”
I agree that in many – but certainly not all – companies there is too much emphasis on C&E breadth and too little on depth. Indeed, many years ago, Joe Murphy – who can be justly called “the father of compliance” – cautioned against overreliance on employee compliance surveys with the memorable words “criminal conspiracies do not operate by majority rule.” I also recall a CEO advising me, as I set out to conduct a risk assessment of his company, “not to spread the peanut butter too thinly.” Moreover, compliance program evaluation standards recently issued by the Justice Department’s Criminal and Antitrust divisions will likely cause more companies to make their respective programs risk based.
Haugh further argues that: “Extreme failures are more likely the result of small groups of individuals acting unethically or illegally, who by virtue of their social and organizational networks account for an outsized amount of bad conduct, and therefore harm. These individuals are the power few of corporate compliance…Companies seeking to improve compliance, and therefore corporate governance, should no longer focus indiscriminately on organizational culture writ large. Instead of designing compliance programs aimed generally at promoting ethical culture as suggested by the Organizational Sentencing Guidelines and adopted by regulators and compliance professionals, compliance should be approached from a behavioral ethics risk management paradigm. Compliance efforts should target those individuals within the company whose unethical decision-making pose the greatest risk according to behavioral and organizational factors such as job task, leadership role, propensity to rationalize wrongdoing, and social and organizational networks. This risk-based approach may be consistent with current compliance efforts to improve companies’ ‘tone at the top,’ assuming that is where the behavioral ethics risk lies. But it also recognizes that the focus of these efforts may correctly bypass the C-suite in order to lessen the significant compliance risk caused by the power few, wherever they may be within an organization.”
Being of the behavioral persuasion I generally agree with this too. But I do think there will always be a need for enterprise-wide compliance efforts, both as an operational and symbolic matter.
Finally, Haugh identifies other compliance program recommendations based on the “power few” theory including:
– “Identify employee ethics during the hiring stage.”
– “Identify the power few in the organization…Once identified, these employees are monitored for risk-taking behavior, and how they manage it factors into promotion and compensation decisions.”
– “To ensure unethical employee decision-making is properly targeted, companies ‘need to frame [their] training around . . . specific, risky job tasks’.”
– “Finally, as ethical employees advance in the company and become hubs of influence themselves, they should be leveraged as ‘behavioral compliance ambassadors.’”
These are generally sound ideas and to some extent are already in use (as Haugh notes), particularly the risk-based training one. Still, having what is in effect an employee integrity watch list may be a tough sell in many companies.