Today’s post is from Dr. Roger Miles. Dr. Miles (PhD, Risk) is Behavioral Risk Lead at Thomson Reuters and he develops human factor analyses for Conduct Risk governance and compliance solutions. His academic research focus is the “what actually happens” gap between designed systems and enacted human behavior.
Are We Carelessly Inviting Corrupt Behavior?
By Dr Roger Miles
As regulators wrestle to assert new controls over corruption (and of course various other abuses), we’re reminded that the wider history of regulation resembles a trail littered with the carcasses of well-intended initiatives that failed. Regulatory controls tend to fail because the people who design them often ignore how real people respond in practice, often contrarily, to having a control imposed on them.
A function of effective risk leadership in senior management – including compliance officers – should therefore be to pause to consider human aspects of control failures. Where are the human-factor hazards brewing? Do we know enough about these to keep ahead of them and head off problems early?
One way to overtake this hazard is to familiarize oneself with “dark side” research among people who game the rules (my special research interest as it happens). This insight will rapidly rid us of the faulty assumption that rulebooks (whether in the context of the Foreign Corrupt Practices Act or otherwise) describe, or prescribe, what actually happens in organizations. The reality of what actually happens is always something different, usually something that the rulebook doesn’t foresee. Once we make a habit of questioning the gap between what the rulebook says should be happening, and our observations of how people behave in reality, we become better both at spotting the early signs of “creative compliance” and at preventing all kinds of troublesome behavior. A few examples make the point:
What Groups Do…
Formal demands (including the top-down introduction of rules and sanctions) often provoke ‘informal groups’ of work colleagues to respond in unorthodox local ways that create conditions for the control to fail later on. The alert manager will watch for signs that ‘game-playing’ is becoming accepted as normal behavior, such as meaningless box-ticking (in response to quality control questionnaires); and filtering of inconvenient incident reports. Also be alert for the many ways of massaging statistical reports, such as cherry-picking only the most favorable test results, re-basing of a reporting index, or redefining the thing that we’re reporting on. Informal groups also like to ridicule anyone who dissents from their view of “how we do things here” – even (perhaps especially) when this contradicts what the rules require. For the FCPA compliance leader, therefore, the first question should always be “who’s really in charge in this organization?”
What Individuals Do…
At a personal level, gaming responses include ‘presenteeism’ (physically turning up for work but leaving your motivation at the front door) and seeking to shift onto others any blame for failures. Watch for early warning signs such as a person disengaging from routine involvement in work activities, disowning their own presence in management processes, or ignoring the legitimate authority of others. Consistent with informal groups’ “how we do things”, individual rule-gamers will be active at making alternative sense of how rules apply (or don’t apply) locally to them. They will be adept at coping, workarounds, and writing creative reports. Alternatively they may retreat into fatalism, rationalizing that “it’s OK not to care because either nothing will change if I do, or I’ll only be labelled a trouble maker”.
In the Organization’s Structure
Sometimes we inadvertently design an organization to encourage rule-gaming responses. To prevent this effect we need to become more skilled at spotting these preconditions for bad behavior, and design them out. The preconditions include:
- Lack of any coherent challenge from outsiders (advocacy groups, regulators, government)
- A regulator who depends on regulatees for information (“enforced self-regulation”)
- No apparent penalties for delay in responding to a question
- Risk-taking uncoupled from consequence, with short-term rewards
- Little required interaction with shareholders or other funding sources
- The full Board meets only rarely; executive committees hand-picked by the Chairman
- Power concentrated narrowly with CEO, Chairman, or Head of Sales
- Penalties for non-compliance reported as a “normal friction cost of business”
- An exception reporting (whistleblowing) procedure exists but gets no explicit support from managers – it may even be the target of jokes
There is a large and expanding research field examining the gaps between control systems as designed and “what actually happens” when real people are told to use the controls. A new approach to regulatory design intended to deal with this in the FCPA context and otherwise, behavioral regulation, is still in its infancy. We should watch for developments.