Purpose-Driven Compliance
Abstract
Whether it is a small brokerage firm in Ann Arbor, Michigan, a private university in Cambridge, Massachusetts, or a multinational conglomerate headquartered in New York City, organizations understand that they are required to fulfill a range of compliance obligations. Compliance programs today tend to have two important characteristics in common. First, the notion that perfect compliance is an impossible goal is a key component of the understandings and expectations of many firms’ compliance programs. Second, organizations have almost uniformly adopted compliance programs in areas where enforcement activity has been significant—such as antibribery and anticorruption, anti-money laundering, antitrust, privacy, and cybersecurity. In short, today’s compliance programs, particularly at many large, complex organizations, are enforcement-driven programs that expressly tolerate certain levels of misconduct. The reality, however, is that the priorities of enforcement authorities often do not align with the key risks a firm will face. Additionally, behavioral ethics research suggests that tolerating small amounts of misconduct within an organization can lead to more significant future violations. Consequently, the primary drivers of today’s compliance programs may be inherently flawed.
Yet, the time may be ripe to rethink, reframe, and refocus the motivations for compliance programs at organizations today. The past twenty-five years of investment in compliance activities by the public and private sectors have resulted in the widespread adoption of increasingly complex and sophisticated compliance programs by large, complex organizations. This Article argues that organizations should build upon these foundations and move toward purpose-driven compliance programs, which are compliance programs that are directed by the firm’s (i) purpose, (ii) inherent risks based on the activities necessary to achieve that purpose, and (iii) ethical standards and goals. The priorities of enforcement authorities, which necessarily accept imperfect compliance, do not require firms to adopt a lower standard of conduct for themselves. Rather, organizations should adopt initiatives that are more proactive and focused on meeting a firm’s own purpose, goals, and expectations.