How Can We Tell Whether Compliance Programs Work?

In the United States, major financial scandals in the 1970s, 1980s, and 1990s resulted in federal pressure on corporations to inculcate ethical behavior in their employees. The Foreign Corrupt Practices Act, Federal Sentencing Guidelines, Sarbanes-Oxley Act, the U.S. Organization Sentencing Guidelines, and similar laws either mandated or encouraged the expansion of corporate compliance programs[1] and, ultimately, led to creation of a “compliance industry.” In this new industry – just as in any emerging industry – arose specialized programs (and needs), trade associations and conferences, and a large job market to meet increased demands. One recent analysis estimated that the global market for corporate government, risk, and compliance reached $31.27 billion in 2019[2].

However, with this industry came doubts about whether compliance efforts by corporations were actually doing what they were supposed to do – detect and prevent illegal behavior. Concerns arose that these programs were at best superficial and at worst symbolic[3]. As a result, some government regulatory and law enforcement agencies have provided recommendations on “best practices” for corporate compliance programs. The U.S. Department of Health and Human Services, for example, issued a policy document for regulated entities in 2017 titled “Measuring Compliance Program Effectiveness: A Resource Guide,”[4] while the Department of Justice’s Criminal Division issued a guidance document for prosecutors titled “Evaluation of Corporate Compliance Programs”[5]. We believe that such efforts by government monitors are harbingers of a new era in corporate compliance – one in which data collection is a necessary component and companies can no longer simply point to the implementation of ethics codes, training programs, complaint hotlines, etc. as sufficient. Instead, corporations must now demonstrate that the implementation of such strategies precedes an actual change in behavior.

There have, however, been unintended consequences. With the rise of the compliance industry has come substantial growth in the amount of data – corporations are reporting more often to regulatory agencies and generating data internally. Scholars and compliance practitioners differ in how they collect and organize that data and the conclusions they draw from the data. As a result, there is little consensus over which research methods are most effective. In the chapters of a new book, we describe the utility of various research methods and ultimately seek to encourage compliance practitioners and academics to think about the actual research question being asked and what the best method is to answer that question.

The most important question is whether data collected by companies and regulatory agencies tell us as much about compliance behavior as about the process of compliance, perceptions of compliance, and the like. Regulatory inspectors, for example, might walk into a business that has been “spruced up” for the inspection and, therefore, the data collected reflect an anomalous day – researchers call this the “observer effect” (described in more detail in the ethnography chapter of our book[6]). Businesses self-report violations to regulatory agencies (as described in a chapter on regulatory inspections[7]), but are unlikely to report particularly serious offenses for fear of liability,[8] and thus regulatory data suffer from the “dark figure” of crime[9]. Relatedly, as described in our chapter on self-report surveys[10], victims of corporate crime often do not know they are victims (e.g., when antitrust practices raise the cost of goods), may not feel as though it’s worth their time to report the crime, or may fear retaliation for reporting co-workers’ violations – for these reasons, too, the data available may not reflect the reality of corporate noncompliance.

Although some corporations try to collect data on noncompliance (as described in two chapters of the book[11]), others are more likely to accurately record and report the number of compliance training offered to their employees, the amount of money spent on safety equipment, or their tracking of employees’ expenditures with an eye for red flags. However, even these efforts don’t tell us much about actual noncompliance – it tells us about the investment in compliance processes. What is necessary, then, is to look beyond the secondary data and lift the veil over compliance behavior. Compliance researchers, therefore, would benefit from observational studies, ethnographic methods, and intensive interviews; these research strategies allow for trust-building, promote direct observations of the natural environment, and encourage openness and transparency. Ultimately, to truly understand whether compliance is effective, researchers must first observe and record behavior that might not make it into official reports. Even better are “mixed methods” that combine observational data collection with numerical data more commonly generated by corporations, regulators, and researchers (see Chapter 13 in our book[12]).

It is difficult for academics to access the people within companies who can provide information about actual misconduct, say whether training is effective, and explain how they approach compliance each day at work. This is a shame, because academic training in rigorous research methods can help corporations achieve compliance. We encourage corporate personnel to collaborate with academic scholars (and vice versa) to better understand how compliance occurs. Despite a company’s understandable concerns about conflicts of interest, accuracy, confidentiality, and liability, compliance officers and compliance scholars have the same goal – they want to learn more about how to improve compliance and protect people from harm. Regulatory and law enforcement authorities might also play a part in encouraging such collaborations by giving corporations space and reassurances that properly measuring outcomes will not hurt, and can only help, them. These efforts will take time and patience, but are ultimately necessary to ensure that corporations move beyond counting programs and policies and determine whether they are effectively protecting consumers, employees, and the public.


[1] Weber, James, and David M. Wasieleski. 2013. “Corporate ethics and compliance programs: A report, analysis and critique.” Journal of Business Ethics 112(4): 609-626.


[3] See, e.g., the following references: Chen, Hui, and Eugene Soltes. 2018. “Why compliance programs fail and how to fix them.”  Harvard Business Review 96 (2):115-125.; Krawiec, Kimberly D. 2003. “Cosmetic compliance and the failure of negotiated governance.”  Wash. ULQ 81:487; McKendall, Marie, Beverly DeMarr, and Catherine Jones-Rikkers. 2002. “Ethical compliance programs and corporate illegality: Testing the assumptions of the corporate sentencing guidelines.”  Journal of Business Ethics 37 (4):367-383.; Parker, Christine, and Vibeke Lehmann Nielsen. 2009. “Corporate Compliance Systems Could They Make Any Difference?”  Administration & Society 41 (1):3-37.; Weaver, Gary R, Linda Klebe Treviño, and Philip L Cochran. 1999. “Corporate ethics practices in the mid-1990’s: An empirical study of the Fortune 1000.”  Journal of Business Ethics 18 (3):283-294.



[6] See, e.g., van Rooij, B., Wu, Y., and Li, N. in press. “Compliance ethnography: What gets lost in compliance management.” In Rorie, M. and van Rooij, B. Measuring Compliance: Assessing Corporate Crime and Misconduct Prevention. Cambridge University Press. ISBN: 9781108488594.

[7] See Stafford, S., in press. “Using Regulatory Inspection Data to Measure Environmental Compliance”. In Rorie, M. and van Rooij, B. Measuring Compliance: Assessing Corporate Crime and Misconduct Prevention. Cambridge University Press. ISBN: 9781108488594.

[8] See, e.g., Pfaff, A. and Sanchirico, C.W. (2004). “Big field, small potatoes: An empirical assessment of EPA’s self-audit policy.” Journal of Policy Analysis and Management 23(3): 415-432.

[9] See Biderman, Albert D, and Albert J Reiss Jr. 1967. “On exploring the” dark figure” of crime.” The Annals of the American Academy of Political and Social Science 374 (1):1-15.; Bulwer, William Henry Lytton Earle, and Baron Dalling. 1836. The Monarchy of the Middle Classes: France, Social, Literary, Political: 2nd Series: Richard Bentley.; Coleman, C., & Moynihan, J. (1996). Understanding crime data: Haunted by the dark figure (Vol. 120). Buckingham: Open University Press.

[10] See Rorie, M., in press. “Self-Report Surveys and Factorial Survey Experiments.” In Rorie, M. and van Rooij, B. Measuring Compliance: Assessing Corporate Crime and Misconduct Prevention. Cambridge University Press. ISBN: 9781108488594. See also: Friedrichs, David. O. 2010. Trusted Criminals: White Collar Crime in Contemporary Society. Wadsworth-Cengage Publishing.; Wall-Parker, April. 2019. “Measuring white-collar crime”. In Rorie, M. The Handbook of White-Collar Crime. Wiley Blackwell Publishing.

[11] See Soltes, E., in press. “Measuring compliance risk and the emergence of analytics.” In Rorie, M. and van Rooij, B. Measuring Compliance: Assessing Corporate Crime and Misconduct Prevention. Cambridge University Press. ISBN: 9781108488594.; Pellafone, R. in press. “A practical way to measure corporate compliance efforts.” In Rorie, M. and van Rooij, B. Measuring Compliance: Assessing Corporate Crime and Misconduct Prevention. Cambridge University Press. ISBN: 9781108488594.

[12] Jordanoska, A., and Lord, N. in press. “Mixing and combining research strategies and methods to understand compliance.” In Rorie, M. and van Rooij, B. Measuring Compliance: Assessing Corporate Crime and Misconduct Prevention. Cambridge University Press. ISBN: 9781108488594.

This post comes to us from professors Benjamin van Rooij at the University of California, Irvine School of Law and the University of Amsterdam Faculty of Law, and from Melissa Rorie at the University of Nevada, Las Vegas. It is based on their recent article, “Measuring Compliance: The Challenges in Assessing and Understanding the Interaction between Law and Organizational Misconduct,” available here, as well as on their book, Measuring Compliance: Assessing Corporate Crime and Misconduct Prevention, to be published early in 2022.

1 Comment

  1. Kiers

    Ever increasing compliance legislation countered by greater in magnitude regulator capture. It’s a nice game…..if you have money and a certain class pedigree.

Comments are closed.