In Testing Compliance (published on the Harvard corporate governance web site, with the full paper available at SSRN), Brandon L. Garrett, Professor of Law at Duke Law School, and Gregory Mitchell, Professor of Law at the University of Virginia School of Law, note that “what makes the compliance enterprise deeply uncertain and problematic is that the information generated by compliance efforts is simultaneously useful and dangerous. However, documenting problematic behaviors creates a record that may be used against the corporation in future administrative, criminal or civil proceedings, or may become the subject of a media exposé. Officers and directors, and the in-house compliance team, may sincerely hope compliance programs are effective, but they may quite rationally avoid testing that hope. The end result will often be rational ignorance with respect to the effectiveness of corporate compliance programs. This dynamic—the hope that greater attention to compliance will reap benefits drives more resources toward compliance efforts, yet fears about what examining the effects of those efforts might reveal hinders validation of compliance programs—creates a ‘compliance trap’ that can ensnare corporations and regulators alike.” The authors “explore ways out of this trap.”

Among other things:

– They argue for government policies to promote more information sharing by companies about what works and what doesn’t in terms of C&E. While there is already some such sharing via compliance conferences and through various professional organizations, there is clearly room for improvement here.

– They also note, based on compliance information published by Fortune 100 companies, that if such companies “are measuring the effectiveness of their compliance programs, they are not sharing it. It is also possible that what we see is what we get: active educational efforts focused on employee training and assessments of that training using employee surveys and reactive compliance efforts relying on whistleblower reporting and investigation of those reports. The public record reveals few active efforts to detect and remedy weaknesses within internal compliance systems.” I agree that sharing of this kind could be a powerful force in promoting strong C&E.

– They propose instituting a “legal mandate that organizations regularly test their compliance systems for effectiveness. But to incentivize companies to put in place strong compliance programs and audit those programs rigorously, the mandated reports should not increase their litigation exposure.” I think implementing legislation to help companies avoid the “compliance trap” in this way would be very beneficial, though getting to such a safe place would – in my view – be a lengthy and difficult journey.

– They note: “Companies need to proactively test whether their employees, when given the chance to misbehave, really do. Such testing need not involve comprehensive data collection or expensive analytics, although firms increasingly use such tools, and consultants may market AI approaches to compliance. Rather, experiments, relying on blind performance testing of randomly sampled employees, can quite inexpensively measure whether employees comply in realistic work situations.” I note (as do the authors) that some of this already happens but think there needs to be more of it. However, one must be careful to avoid the perception that employees are being treated as the subject of experiments.

Finally, there is much more to this piece and I encourage you to read it in its entirety.


