Complex Compliance Investigations

Veronica Root Martinez is Associate Professor of Law at the University of Notre Dame Law School. This post is based on her recent article, forthcoming in the Columbia Law Review.

There are a variety of accepted understandings—both within industry and academic scholarship—about what is necessary for the creation of an effective compliance program. However, when one considers the many significant compliance failures—think Wells Fargo’s fraudulently opened accounts or General Motors’s faulty ignition switch—that continue to occur despite the adoption of increasingly sophisticated internal compliance programs, it suggests that it may be time to affirmatively question certain understandings and assumptions that serve as the foundation of modern-day compliance programs. This Article contributes to that effort.

Compliance programs within firms focus, for good reason, on preventing and detecting misconduct within their ranks. Those striving to create effective ethics and compliance programs spend a great deal of time on developing appropriate structures to house, manage, and support compliance efforts, so that they will effectively prevent and detect wrongdoing within firms. But as demonstrated in prior work, prevention and detection are just the first two of four stages—the latter stages being investigation and remediation—within compliance efforts. This Article focuses on the detection and investigative stages and the continuum between them. It demonstrates that many recent compliance failures within organizations might have been avoided if more robust processes—meaning the actions, practices, and routines that firms can employ to communicate and analyze information—had been in place to ensure investigations were conducted in a manner that allowed the firm to properly evaluate information from diverse areas within the firm.

Part I of the paper describes why the effort to curb corporate criminal misconduct came to rely heavily on self-policing within the organization, which contributed to the rise of the compliance function. The Part goes on to demonstrate, through the use of literature from the fields of organizational behavior and corporate governance, the importance of implementing certain structures within the creation of compliance programs. For purposes of this paper, structure refers to a firm’s decisions on how to organize itself. The Part then recounts current understandings of compliance within legal scholarship, which include an emphasis on the key structural components necessary for an effective compliance program and a focus on the prevention and detection of corporate misconduct.

Part II focuses on the evolution of the compliance function. It demonstrates that traditional compliance programs were narrow in scope, with a focus on particular subject matter areas. Yet the rise of more complex organizations—organizations with many diffuse departments or complicated organizational structures with a variety of parents and subsidiaries—brought new challenges for compliance efforts. A complex organization for purposes of this Article might be one organizational entity with a number of departments—like a university—but it may also be a complicated corporate family with many subsidiaries—like Walmart. These large, more complex organizations often suffer from information silos, which can occur when departments or divisions within a large organization are isolated from other parts of the organization. These information silos sometimes result in difficulty communicating properly throughout the organization and, in particular, can impede a firm’s attempts to fully and properly investigate claims of potential misconduct.

Part III sets forth the thesis of this Article and argues that firms must focus on adopting process-based reforms that will bolster the firm’s investigations into complex compliance failures, thereby acting as a safety net when compliance programs fail to detect or appropriately respond to misconduct within firms. The Part begins by presenting two case studies, which demonstrate that recent compliance failures at complex organizations suggest that many of these compliance programs—regardless of the program’s organizational structure—suffer from information silos that result in improper or inadequate responses to significant organizational misconduct. The Part then highlights how process-based reforms might assist large, complex firms in detecting compliance failures before they become widespread, significant, or both. It applies specific process-based reforms to the compliance failures at Wells Fargo and General Motors in an effort to demonstrate how these types of additional interventions might add value to firm compliance programs. In particular, the Part suggests the creation of three interventions meant to bolster firms’ detection and investigative efforts: (i) standardized internal investigation questions, (ii) materiality surveys, and (iii) reliance upon an aggregation principle when evaluating information. The Part, drawing on two additional case studies, then highlights two limitations to process-related reforms: organizations without robust structural compliance programs, as evidenced by investigations into the Catholic Church, and organizations with corrupt cultures, as evidenced by the internal Uber sexual harassment scandal.

This Article focuses on failures within the detection and investigative stages of compliance efforts within complex organizations because shortcomings in this space are associated with potentially devastating consequences for firms. As such, those charged with managing compliance efforts within firms should think critically about whether they are engaged in efforts that will allow them to fully and properly investigate allegations of wrongdoing, so that potential problems are caught before significant damage to the firm has occurred.

The article is available here, and is the third in a series of articles aimed at improving compliance efforts within firms. The first article discusses ways to improve enforcement incentives for firms to engage in effective and systematic compliance efforts. The second article puts forth a framework for assessing the root cause of compliance failures within firms.
