The Hidden Harms of Mandated Compliance — and How to Mitigate Them

I. Introduction

“Mandated compliance requirements” refers to laws and regulations that require organizations to implement specific compliance measures, rather than leaving the details of compliance program measures to organizational judgment. Over time, the use of compliance mandates has expanded steadily.

Examples of mandated compliance are widespread. California law requires sexual-harassment training for employees (one hour) and supervisors (two hours) every two years. Banking regulations mandate the monitoring of transactions and the filing of Suspicious Activity Reports (SARs). Comparable prescriptive requirements now exist across a wide range of industries.

Mandated compliance has clear intuitive appeal: if certain corporate conduct causes individual or societal harm, then mandating standardized compliance measures should, in theory, reduce the risk of that harm. Other touted benefits: they establish uniform baselines, create objective expectations, and make auditing and enforcement more straightforward. Companies, for their part, gain clarity about what is expected of them.

What is less noted is that mandated compliance measures carry under-appreciated costs and risks. They can undermine employee ethical engagement, foster a minimalist, ‘check-the-box’ attitude toward compliance, focus attention and resources on items that are not the true drivers of wrongdoing, and disempower ethics and compliance officers. In other words, they can damage the effectiveness of an ethics and compliance program.

The good news: the risks of negative outcomes from mandated compliance can be mitigated. Doing so, however, requires ethics and compliance professionals to understand both the potential harms of mandated compliance and the possible mitigating actions. There is also a need to engage with those in government who may lack the knowledge required to address these issues effectively.

II. Not All Mandates Are Equal

First, it should be noted that not all mandates are equal. Some mandated compliance measures are more likely to harm a company’s ethics endeavors than are other measures.

Where potential harms are concrete, immediate, and visible, such as in the areas of aviation, food safety, and pharmaceuticals, the importance of compliance is relatively easy to grasp: employees can readily link their compliance activities with helping to prevent catastrophic outcomes such as airplane crashes or nuclear meltdowns.

By contrast, when potential harms seem abstract, diffuse, or distant, it is much harder for employees to connect their compliance activities with the harms that those activities are intended to help prevent. For example, for an employee responsible for filing SARs on a daily basis, money laundering or terrorism financing may feel remote and disconnected from the tasks they are performing. Bank employees do not hear the actual voices of child victims of human trafficking.

It is in this latter category, where the link between compliance activity and real-world harm is less intuitive, that the hidden harms of mandated compliance are most likely to surface.

It should also be understood that mandates are not the same as guidance or incentive-based government approaches. When governments commit to considering effective compliance and ethics programs as a mitigating factor and lay out the elements that this entails, those elements are typically not detailed; they are more general management elements. The premier example is the US Federal Sentencing Guidelines. They set out brief, general principles of the necessary elements. For example, the inclusion of “incentives” is very broad, yet it is perfectly clear that a company that wants credit for its program must address incentives. How it does this is a matter of judgment, based on its risk assessment.

Another key element of incentive-based systems is that they are centered on government discretion in assessing a program. The burden of proof is and always must be on the company, since the company alone knows what it has done. In the course of its investigation and interaction with company employees, the government can assess how effective and integrated into the company’s actual life the compliance and ethics program is. Thus, the company has a strong incentive to do what works and actually reaches employees; no checklist can suffice for this.

III. The Harms of Mandated Compliance

Mandated compliance contains a number of potential harms: malicious compliance, frozen ethics and compliance programs, a ‘check-the-box’ mentality, focusing on the wrong target, and disempowerment of ethics and compliance officers.

A. Malicious Compliance

Malicious compliance is a form of resistance in which a person formally follows a rule or directive to the bare minimum, while consciously or unconsciously refusing to internalize or identify with its underlying purpose. It could include actions that technically meet the requirements but may even undermine the purpose behind the rules. It stems from the psychological phenomenon of reactance, which refers to resistance toward rules that are experienced as externally imposed and as an infringement on personal autonomy.

When compliance feels externally imposed on a company and its employees, rather than as reinforcement of its own values, malicious compliance becomes much more likely. This increases employee disengagement and makes it significantly more difficult to achieve employee “buy-in” and internalization of underlying ethical principles. In fact, it can help build an attitude of cynicism or even rejection toward the company’s efforts at building an ethical culture. In this way, mandates, instead of reinforcing the ethical culture, can quietly weaken it.

B. Frozen Ethics & Compliance Programs

Mandated minimums often become organizational ceilings.

If regulators specify two hours of harassment training every two years, organizations quickly begin to treat that requirement as sufficient. That makes it extremely difficult for a CECO — who may reasonably conclude that additional measures are necessary for effectiveness — to persuade the organization to go beyond the bare minimums of the mandate.

As a result, internal conversations at the company about compliance measures often shift from “How do we reinforce ethical culture and increase program effectiveness?” to “What is the minimum we must do to comply with the law?” Innovation, improvement, and even a focus on effectiveness are discouraged, and as a result, ethics and compliance programs risk becoming calcified rather than adaptive over time.

C. Formalism and the Check-the-Box Trap

A frozen program that is focused on “what minimum measures do we have to take?” almost inevitably results in a ‘check-the-box’ mentality. Compliance becomes primarily focused on documentation, completion, and audit readiness rather than program effectiveness, organizational culture, and employee internalization. A check-the-box mentality treats compliance as a mechanical exercise. It takes the ‘soul’ out of the program.

This formalism also creates a false sense of security. Formalism may appear adequate on paper, but is quickly exposed as superficial when government investigators speak directly with employees and assess whether compliance is operating as lived practice rather than documented process.

D. They Focus on the Wrong Target

Serious and systemic misconduct at a company most often originates at senior leadership levels, either by direct involvement or by creating an environment that breeds improper conduct. However, mandated compliance programs overwhelmingly impose requirements to be implemented at the front-line or more junior supervisory levels.

Critical drivers of misconduct that are controlled by senior executives include the messages they send about expectations (“tone from the top”), the incentive structures they create or tolerate, and, most importantly, their actual behavior and example. It is admittedly difficult for regulators to measure or directly regulate such items. The unfortunate result, though, is that mandates have a tendency to ignore many of the most significant drivers of misbehavior and instead focus an organization’s attention and resources on less impactful items.

E. Disempowered Chief Ethics & Compliance Officers

As mandates proliferate, CECOs risk being reduced to technicians and administrators of required check-the-box items rather than thoughtful builders of effective programs.

When compliance is treated as a technical function, CECOs’ judgment and discretion are devalued. Instead of asking CECOs “What works best?” the organization tends to ask the Legal Department “What do we have to do?” As a result, the CECO becomes disempowered, and the CECO’s ability to implement measures to impact organizational behavior is lessened. The CECO will inevitably have less influence, less consistent access to senior leadership and the board, and diminished standing within the organization.

There is more than a little irony in the fact that this disempowerment, which stems from governmental requirements, runs contrary to the guidance in the DOJ’s Evaluation of Corporate Compliance Programs that compliance personnel be “empowered to function effectively.”

IV. Mitigating the Harms of Mandated Compliance

The potential harms of mandated compliance measures are very real. At the same time, however, there are ways in which these harms can be mitigated. They include:

  • Continually reinforcing that mandates are baseline rules of the game; they are not the end goal. The end goal of an effective ethics and compliance program is to reduce the likelihood and impact of misconduct by shaping behavior, decision-making, and organizational culture. Treating mandated compliance as sufficient to achieve the goals of an ethics and compliance program is like believing that in American football, avoiding false-start penalties alone will move the ball into the end zone.
  • Where risks may feel abstract, such as in the areas of AML or sanctions, or some audiences may potentially feel defensive, such as in areas like harassment, training should focus on specific human harms that may result from a failure to comply, rather than on procedural steps alone. Stories, real cases, and concrete consequences help employees understand why the rules exist.
  • CECOs should seek to counteract mandates’ focus on lower-level employees by continually reinforcing with senior leadership the paramount role that they play, particularly in such areas as example and control over incentives. As far as setting examples, leaders should be made well aware that employees have a remarkable ability to sense ‘compliance theater’ where, for example, leadership fails to take training seriously or declines to participate, while at the same time modeling behavior that is inconsistent with stated expectations. After all, talk is cheap. There is a reason that a best practice is to make sure that leaders are the first to take required compliance training.
  • Taking guidance from more rigorous standards provided in incentive-based systems. The US Federal Sentencing Guidelines provide a solid list of core management principles that are essential for an effective program. Other similar guides, such as those from the US DOJ and the OECD Working Group on Bribery, avoid check-the-box minutiae and provide guidance on solid management principles.
  • Organizations should balance formal controls with regular CECO-led analysis of cultural metrics. Such analysis should include measuring how people actually behave, speak up, feel about leadership examples and the spectre of retaliation, and then exercise judgment when rules are silent. CECO data on and analysis of such cultural metrics can help counteract mandates’ tendency to reduce reliance on CECOs’ judgment and make them little more than technical administrators.

Lastly, while companies can and should employ these and other mitigation strategies, the challenge of dealing with the potential harms from mandated compliance should not be left solely to chance. The compliance industry as a whole must continue to engage regulators in a broader conversation: discussions about contemplated mandates from regulators should not focus just on the detailed content of a particular mandate but also on the potential impact of mandates as a whole on the effectiveness of a company’s ethical culture and program.

V. Conclusion: Mandates as Tools, Not Replacements for Ethical Leadership

Mandated compliance measures can be appropriate and, in some areas, necessary. But they are not sufficient, and they are not risk-free or cost-free. Mandates can reduce the effectiveness of an ethics and compliance program by fostering malicious compliance, freezing ethics and compliance programs, creating a formalistic ‘check the box’ mentality, focusing on the wrong target, and disempowering CECOs.

CECOs can mitigate these potential harms by recognizing them and taking conscious, active steps to mitigate them. By doing so, they can help keep the organization’s focus on the true target: an effective program.
