Last November marked the thirtieth anniversary of the Federal Sentencing Guidelines for Organizations. Whether or not this officially constitutes middle age, it underscores that the government’s policy of promoting compliance & ethics (C&E ) programs is no longer “developmental,” which is how the Chair of the Sentencing Commission described it in those early days.
Indeed, the first meeting of the Ethics Officer Association (now the Ethics & Compliance Initiative), which was held in 1992, had only 19 attendees. Throughout the 1990s, the movement grew – but did so slowly. And then – for a variety of reasons– it picked up speed.
Today, C&E programs are firmly part of the mainstream in the United States and much of the rest of the world. The success of this experiment greatly exceeded the expectations of many of those who remembered the pre-Guidelines days, when the government did very little to encourage companies to implement and maintain effective C&E programs.
But virtually nothing lasts forever, and it is fair to ask: could we be headed for a “Mission Accomplished” moment here?
My concern is that the more C&E programs are implemented, the less risk may be perceived. Not everyone would think this way. Indeed, for many in the business world (including me), more C&E should lead to greater risk perception.
But suppose a company has implemented standard procedures and the more prominent attributes of an ethical culture (e.g., a decent tone at the top). In that case, some employees may question the need for a strong, innovative ongoing C&E effort.
The concern here is not the views of C&E professionals. Rather, it is business leaders who may be supporters of compliance generally but resist undertaking robust efforts for reasons of time, cost, or “over-deterrence” — forgoing legitimate business opportunities due to an unwarranted concern about risk.
What can be done about this?
Of course, companies should avoid unnecessary duplication. For instance, allowing employees to “test out” of certain C&E training may be a sound time saver for some companies (although it would not be appropriate in all circumstances).
But redundancy is not the real issue here. Rather, it is how risk-related information is received and interpreted – or ignored. To my mind, what is called for is a healthy dose of behavioral ethics.
Behavioral ethics is a well-known field of social science that shows how — due to various cognitive biases — “we are not as ethical as we think we are.” Numerous studies have documented this effect, many of which are collected here.
If we cannot rely largely on our ethical instincts, as behavioral ethics suggests, we are less likely to be complacent about the need for C&E. For some, behavioral ethics can help make C&E urgent again.
Training and communications are the main vehicles for importing behavioral ethics into C&E programs. For instance, one company made a tape of its chief ethics and compliance officer explaining to employees how and why behavioral ethics is important to preventing wrongdoing. It can also inform the drafting of the managers’ duties of a code of conduct.
To some extent, behavioral ethics can also be used in risk assessment – for instance, to identify situations where good intentions can justify bad acts. In the era of ESG, this seems worth bearing in mind.
Another risk area concerns being rushed. The best-known case goes back to the early 1970s when being rushed was found to have tremendous power for causing wrongdoing. Therefore, behavioral risk assessments should take into account the presence or absence of such circumstances.
Finally, behavioral ethics also promotes humility, which is important for mitigating the risks of “middle-aged” programs. Among other things, humility is well suited for addressing ethical challenges that are not based on the purposeful failure to be honest but on the less well-appreciated dangers of being careless.
Recognizing the limits of one’s abilities – which is part of being humble – should help underscore the need for maintaining strong C&E programs.