An Efficient Investment-Risk Model of Compliance

Corporate compliance — the internal processes that firms use to ensure that their employees do not violate applicable laws and regulations — has become big business. Regulation of business continues to grow, punctuated by landmark laws that have re-shaped the financial services (the Dodd-Frank Act) and health care (the Affordable Care Act) industries in the United States. Further, federal regulators have substantially ramped up their enforcement of numerous existing laws such as the Foreign Corrupt Practices Act and those governing insider trading. Corporations are dedicating greater resources towards internal compliance, both within legal departments and increasingly in separate and independent compliance functions.[1] Even in an ever-changing political environment, this long-term trend is likely to continue.

Firms, both large and small, are grappling with the rapidly rising costs of compliance, which range as high as $10,000 per employee. While investment in internal compliance structures often benefits the firm — most importantly, by reducing potential liability — its costs also merit scrutiny. These costs go beyond expenditures on compliance personnel, monitoring and reporting systems, and employee training. If firms perceive compliance-based obligations as unrealistic and insurmountable, they may very well turn away from good faith efforts to comply and work to evade regulation.[2]

Compliance from a Risk Management Perspective

Making compliance work requires viewing compliance decisions through the lens of risk. Risk management is a proactive decision-making process that firms pursue in anticipation of key decisions or problems. Application of risk management to compliance requires an understanding that compliance is a non-binary, dynamic, and bounded choice.[3] Compliance is non-binary because firms are not simply faced with one of two possible choices. Rather, firms exist in various gradations of compliant and non-compliant states. Firms can be in minor non-compliance or severe non-compliance depending on the enterprise’s deviation from a given regulatory rule or standard. Firms can also be fully compliant without any deviation. Firms thus face a sliding scale of choices when choosing to conform to a rule.

Further, compliance is a dynamic system. Compliance requirements — even for sweeping regulatory mandates — are not consistent across different firms. Each company faces its own regulatory mix from which arise the collective compliance obligations of the enterprise. Small companies may be exempt from obligations that large multinational corporations must follow. Firms in different industries may require specialized compliance capacity to respond to industry-specific regulatory mandates. How firms comply also changes as the compliance function matures in the organization. Firms will generally seek compliance with the regulations that are least costly to follow or have the greatest return on their investment. Gains in compliance become increasingly costly as firms need more complicated and extensive investments to achieve more complete states of compliance.

Finally, compliance is bounded by human limitations that arise even before a given rule becomes enforceable. A legislature or a regulator may craft a rule that is particularly ambiguous or complex. Such suboptimal drafting may be the result of an inaccurate assessment of the consequences of such regulation, a lack of sufficient time and resources, or deliberate vagueness created in order to ensure amenability to political interests. From the moment the rule is enacted, it is already embedded with imperfections that make full compliance unknowable. A firm seeking to minimize compliance-related risks must deal with all of these challenges.

An Efficient Investment-Risk (EIR) Model

Based on these observations and drawing on concepts of law and economics, we develop an efficient investment-risk (EIR) model of corporate compliance that illuminates the opportunities for firms to optimize their position vis-à-vis compliance-based regulation, as graphically shown here:


The EIR model consists of two lines that represent a hypothetical firm’s compliance decision for a single given regulatory requirement in terms of technical efficiency (TE) and allocative efficiency (AE). Technical efficiency is the ability of a firm to produce a level of output with a minimum quantity of input. Such inputs include capital, labor, and equipment used in a fashion that does not waste resources. Investments in human resources, information technology, auditing, legal, and other compliance-related activities reduce exposure to risk from non-compliance. Allocative efficiency, by contrast, represents a firm’s ability to use its inputs in their most effective proportions in order to maximize the firm’s welfare. An allocatively efficient state of compliance is one that applies resources at the state-of-the-art level but also does so in a fashion that optimally balances cost and risk. While a technically efficient firm extracts maximum output from a given use of resources, an allocatively efficient firm represents the best possible use of a range of possible uses of resources. While technical efficiency achieves “doing right compliance”, allocative efficiency describes a firm that is “doing compliance right.” Doing compliance right is not easy.

The curvilinear TE curve shows the range of risk-cost combinations resulting from the firm’s investments in compliance. As the firm invests more in compliance, it moves up the TE curve from TEb toward TEi, with each unit of investment in compliance generating a proportionally greater return in the form of reduced compliance risk. Over time, as the metaphorical low-hanging fruit of compliance is plucked, returns on compliance investments decline. Once the firm passes TEi, the cost of compliance increases at a marginal rate greater than the return it provides in reduced risk of non-compliance. Compliance investments beyond this point are not worth their return on investment to the firm.

The straight AE line represents the firm’s pursuit of allocative efficiency. Moving from the most inefficient state at AEa, a firm pursues allocative efficiency along the diagonal line until it reaches AEi. The point (AEi, TEi) represents the point at which a firm achieves both technical efficiency and allocative efficiency, thereby constituting the optimal point for the firm’s compliance function. At this point, the firm has minimized avoidable costs resulting from inefficient deployment of firm resources.

By highlighting the consequences for a firm of complying in any given instance, our model shows how a firm decides to what extent to invest resources so as to balance the benefits of compliance to the firm against the cost of investing in it. Firms will more clearly see the strategic benefits of complying with law through a more risk-aware view of their compliance functions.

Implications of the EIR Model

The EIR model provides an analytical framework for addressing the effectiveness of different approaches to business regulation. It equips regulators with a dynamic understanding of how compliance functions respond to different kinds of regulatory mandates. We categorize regulatory rules as three basic archetypes of regulation. Direct Regulation consists of traditional command-and-control rules promulgated and enforced by government agencies through sanctions and penalties. Collaborative Regulation consists of hybrid public-private approaches to regulation that use non-coercive measures and often incorporate private standards. Market Contingent Regulation seeks to influence firm behavior by providing incentives or signals to regulated firms, such as market-leveraging taxes, fees, and permits and mandatory disclosure requirements.

Through our model, we show how regulators can strategically use different combinations of Direct Regulation, Collaborative Regulation, and Market Contingent Regulation to compel more firm-efficient compliance and calibrate regulatory enforcement measures to public policy goals.


[1] See Robert C. Bird & Stephen Kim Park, The Domains of Corporate Counsel in an Era of Compliance, 53 Am. Bus. L.J. 203 (2016).

[2] See Lauren B. Edelman & Shauhin A. Talesh, To Comply or Not to Comply: That Isn’t the Question: How Organizations Construct the Meaning of Compliance, in Explaining Compliance: Business Responses to Regulation 112–13 (Christine Parker & Vibeke Lehmann Nielsen eds., 2011).

[3] Donald C. Langevoort, Monitoring: The Behavioral Economics of Corporate Compliance with Law, 2002 Colum. Bus. L. Rev. 71, 107.

This post comes to us from Robert Bird, Professor of Business Law and Co-Director of the Corporate and Regulatory Compliance Graduate Certificate Program at the University of Connecticut, and Stephen Park, Assistant Professor of Business Law and Co-Director of the Corporate and Regulatory Compliance Graduate Certificate Program at the University of Connecticut. It is based on their article, “Turning Corporate Compliance Into Competitive Advantage,” which is forthcoming in the University of Pennsylvania Journal of Business Law and available here.