The Behavioural Science of Compliance 

Ask the average employee what they associate with the word ‘Compliance’, and you’re very likely to hear one of two types of response. The first is words that describe the area of technical expertise in which the function specialises — things like ‘rules’ or’ regulations’. The second is descriptions of the way it operates. Best-case that’ll be words like ‘necessary evil’ and worst-case ‘bureaucrats’, ‘business prevention unit’ or ‘fun police’. Now, none of those answers sounds particularly positive. Except, perhaps ‘fun police’, which can either be read negatively as ‘the people who are there to stop the fun’ or positively as ‘the police who are fun’. The fact people are unlikely to say nice things about Compliance shouldn’t really surprise us. After all, the ‘C-word’ isn’t exactly uplifting or positive! If we were creating a brand and wanted to make it sound negative or awful, we’d pick a word like ‘Compliance’. And then we’d add the suffix ‘Officer’. 

Whoever it was that first adopted the word in the context of corporate adherence to regulations — and I’ve heard lots of different suggestions for who that might have been — clearly wasn’t too concerned about what employees would think of it. On the face of it, it shouldn’t matter. After all, employers have the legal right to set rules for their employees. We all implicitly accept that in return for being paid, we will need to show up to work — either physically or virtually — and there will be some rules that are imposed on us. But if we think about what being ‘compliant’ means — in other words, the nature of the rules we need employees to follow in the 21st century — there’s a potential risk in thinking in those terms.  

That’s because not all rules operate in the same way. At one end of the spectrum, there are simple binary rules that lend themselves to being easily monitored and enforced. They’re the compliance equivalent of speed limits; they are simple to explain because the risk they mitigate is easily codifiable. Just as we either are or are not driving within the speed limit, these are rules with which an employee either is or is not compliant. For example, a worker in a restaurant kitchen either has or has not washed their hands properly before handling food. But there are other risks that are far less codifiable and where compliance with the rules has a qualitative element. In other words, where we need the individual concerned to engage with the requirement positively because ‘unthinking compliance’ won’t deliver the desired outcomes. 

A good example comes from Financial Services, where, emboldened by the 2008 crisis, regulators have been increasingly focusing on something known as ‘conduct risk’. In simple terms, this means regulating not just what people within the industry are doing but also how they are doing it. It’s not the only sector where this is happening. Other regulators are now following this trend and looking through new ‘ethical lenses’ at what companies in their industry are doing. To run a sustainable business — and meet the demands of emerging areas like ESG — means it’s no longer acceptable to justify a decision because it was ‘within the rules’. Or indeed, that the rules or laws didn’t explicitly prohibit it. As the saying goes, ‘just because you can, doesn’t mean you should’. 

So, what does that have to do with the branding of the Compliance function? On the one hand, absolutely nothing. But, if we want people to comply with rules that require them to engage thoughtfully, it’s worth thinking about what message we’re sending. The more we need their help in being ‘thinkingly compliant’, the less wise it arguably is to be seen to be treating them like small children. 

I’m not seriously suggesting that what we call the function is, on its own, going to drive employee perceptions of the way we view the rules. But it is a reminder that when we impose compliance requirements on humans, they will have a view on it. Not just about what we’re asking them to do or not do. They’ll also be thinking about our authority in that domain — what moral right do we have to impose a particular requirement on them? And they’ll have views on whether what we’ve mandated seems reasonable, given the underlying risks. Their response won’t simply be driven by whether we’re legally allowed to tell them to do something. It’ll be based on how the employees perceive it. So, even if what we’re imposing is entirely reasonable from our perspective, they might disagree. We’ve all come across rules we think are silly, authorities that we believe have ‘overstretched’ themselves and petty bureaucrats that have made our lives unnecessarily unpleasant. 

The lesson the terrible branding teaches us is relatively simple; there is a difference between situations where the risks are predictably constant and those where they are not. What might work in a nuclear power station — where health & safety is essentially a matter of respecting the laws of physics — might not work in a sales office. And vice versa. Of course, most work environments will demand compliance programs that combine ‘hard-and-fast’ rules for some risks and more flexible outcome-based principles for others. But in both cases, we’ll need to consider how employees are likely to respond. Not how we’d like them to respond, but how they are likely to respond.