Skip to main content Accessibility help
Hostname: page-component-99c86f546-4k54s Total loading time: 1.855 Render date: 2021-12-08T08:21:16.338Z Has data issue: true Feature Flags: { "shouldUseShareProductTool": true, "shouldUseHypothesis": true, "isUnsiloEnabled": true, "metricsAbstractViews": false, "figures": true, "newCiteModal": false, "newCitedByModal": true, "newEcommerce": true, "newUsageEvents": true }

39 - Compliance Management Systems: Do They Make a Difference?

from Part VII - Management and Organizational Processes

Published online by Cambridge University Press:  07 May 2021

Benjamin van Rooij
School of Law, University of Amsterdam
D. Daniel Sokol
University of Florida
Get access


Abstract: Regulatory compliance is vital for promoting the public values served by regulation. Yet many businesses remain out of compliance with at least some of the regulations that apply to them – not only presenting possible dangers to the public but also exposing themselves to potentially significant liability risk. Compliance management systems (CMSs) may help reduce the likelihood of noncompliance. In recent years, managers have begun using CMSs in an effort to address compliance issues in a variety of domains: environment, workplace health and safety, finance, health care, and aviation, among others. CMSs establish systematic, checklist-like processes by which managers seek to improve their organizations’ compliance with government regulation. They can help managers identify compliance obligations, assign responsibility for meeting them, track progress, and take corrective action as needed. In effect, CMSs constitute and structure firms’ own internal inspection and enforcement responsibilities. At least in theory, CMSs reduce noncompliance by increasing information available to employees and managers, facilitating internal incentives to correct instances of noncompliance once identified, and helping to foster a culture of compliance. Recognizing these potential benefits, some government policymakers and regulators have even started to require certain firms to adopt CMSs.

But do CMSs actually achieve their theoretical benefits? We review the available empirical research related to CMSs in an effort to discern how they work, paying particular attention to whether CMSs help firms fulfill both the letter as well as the spirit of the law. We also consider lessons that can be drawn from research on the effectiveness of still broader systems for risk management and corporate codes of ethics, as these systems either include regulatory compliance as one component or present comparable challenges in terms of internal monitoring and the shaping of organizational behavior. Overall, we find evidence that firms with certain types of CMSs in place experience fewer compliance violations and show improvements in risk management. But these effects also appear to be rather modest. Compliance in large organizations generally requires more than just a CMS; it also demands appropriate managerial attitudes, organizational cultures, and information technologies that extend beyond the systematic, checklist processes that are characteristic of CMSs. We address implications of what we find for policy and future research, especially about the conditions under which CMSs appear to work best, the types or features of CMSs that appear to work better than others, and the possible value of regulatory mandates that firms implement CMSs.

Publisher: Cambridge University Press
Print publication year: 2021

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)


American Chemistry Council (ACC). 2019. Responsible Care Management System Technical Specification. Document No. RC101.06. Scholar
Armour, John, Awrey, Dan, Davies, Paul, Enriques, Luca, Gordon, Jeffrey N., Mayer, Colin, and Payne, Jennifer. 2016. Principles of Financial Regulation. Oxford: Oxford University Press.CrossRefGoogle Scholar
Armour, John, Gordon, Jeffrey, and Min, Geeyoung. 2020. “Taking Compliance Seriously.” Yale Journal on Regulation 37: 166.Google Scholar
Bardach, Eugene, and Kagan, Robert A.. 2002. Going by the Book: The Problem of Regulatory Unreasonableness. New Brunswick, NJ: Transaction.Google Scholar
Bhaskar, Lori Shefchik, Schroeder, Joseph H., and Shepardson, Marcy L.. 2019. “Integration of Internal Controls and Financial Statement Audits: Are Two Audits Better than One?Accounting Review 94: 5381.CrossRefGoogle Scholar
Biegelman, Martin T. 2008. Building a World-Class Compliance Program: Best Practices and Strategies for Success. Hoboken, NJ: John Wiley & Sons.CrossRefGoogle Scholar
Biegelman, Martin T., and Bartow, Joel T.. 2006. Executive Roadmap to Fraud Prevention and Internal Control. Hoboken, NJ: John Wiley & Sons.Google Scholar
Black, Julia. 2012. “Paradoxes and Failures: ‘New Governance’ Techniques and the Financial Crisis.” Modern Law Review 75: 1037–63.CrossRefGoogle Scholar
Bussmann, Kai D., Niemeczek, Anja, and Vockrodt, Marcel. 2018. “Company Culture and Prevention of Corruption in Germany, China and Russia.” European Journal of Criminology 15: 255–77.CrossRefGoogle Scholar
Chen, Hui, and Soltes, Eugene. 2018. “Why Compliance Programs Fail – and How to Fix Them.” Harvard Business Review 96: 116–25.Google Scholar
Coglianese, Cary. 2019. “Review of Meta-regulation in Practice.” Public Administration Review 79: 794–8.Google Scholar
Coglianese, Cary. 2008a. “The Managerial Turn in Environmental Protection.” New York University Environmental Law Journal 17: 5474.Google Scholar
Coglianese, Cary. 2008b. Management-Based Regulation: Implications for Public Policy. OECD Paper No. GOV/PGC/REG. OECD. Scholar
Coglianese, Cary, and Lazer, David. 2003. “Management-Based Regulation: Prescribing Private Management to Achieve Public Goals,” Law & Society Review 37: 691730.CrossRefGoogle Scholar
Coglianese, Cary, and Mendelson, Evan. 2010. “Meta-regulation and Self-Regulation.” In Oxford Handbook of Regulation, edited by Cave, Martin, Baldwin, Robert, and Lodge, Martin, 146–68. Oxford: Oxford University Press.Google Scholar
Coglianese, Cary, and Nash, Jennifer. 2017. “The Law of the Test: Performance-Based Regulation and Diesel Emissions Control.” Yale Journal on Regulation 34: 3390.Google Scholar
Coglianese, Cary, and Nash, Jennifer. 2014. “Performance Track’s Postmortem: Lessons from the Rise and Fall of EPA’s ‘Flagship’ Voluntary Program.” Harvard Environmental Law Review 38: 186.Google Scholar
Coglianese, Cary, and Nash, Jennifer. 2001. “Environmental Management Systems and the New Policy Agenda.” In Regulating from the Inside: Can Environmental Management Systems Achieve Policy Goals?, edited by Coglianese, Cary and Nash, Jennifer, 125. Washington, DC: Resources for the Future Press.Google Scholar
Consumer Financial Protection Bureau (CFPB). 2012. “CFPB Supervision and Examination Manual.” Scholar
Corkery, Michael. 2016. “Wells Fargo $185 Million for Fraudulently Opening Accounts.” New York Times, September 8. Scholar
Edelman, Lauren B. 2016. Working Law: Courts, Corporations, and Symbolic Civil Rights. Chicago, IL: University of Chicago Press.Google Scholar
Edelman, Lauren B., and Suchman, Mark C.. 1997. “The Legal Environments of Organizations.” Annual Review of Sociology 23: 479515.CrossRefGoogle Scholar
Ely, Robin J., and Meyerson, Debra E.. 2010. “An Organizational Approach to Undoing Gender: The Unlikely Case of Offshore Oil Platforms.” Research in Organizational Behavior 30: 334.CrossRefGoogle Scholar
Fairman, Robyn, and Yapp, Charlotte. 2005. “Enforced Self-Regulation, Prescription, and Conceptions of Compliance with Small Businesses: The Impact of Enforcement.” Law & Policy 27: 491519.CrossRefGoogle Scholar
Fan, Yangyang, Li, Chan, and Raghunandan, Kannan. 2017. “Is SOX 404(a) Management Internal Control Reporting an Effective Alternative to SOX 404(b) Internal Control Audits?Auditing: A Journal of Practice and Theory 36: 7189.CrossRefGoogle Scholar
Federal Trade Commission. 2019. “FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook.” Scholar
Ford, Cristie L. 2008. “New Governance, Compliance, and Principles-Based Securities Regulation.” American Business Law Journal 45:160.CrossRefGoogle Scholar
Gawande, Atul. 2009. The Checklist Manifesto: How to Get Things Right. New York: Metropolitan.Google Scholar
Ge, Weili, Koester, Allison, and Sarah, McVay. 2017. “Benefits and Costs of Sarbanes-Oxley Section 404(b) Exception: Evidence from Small Firms’ Internal Control Disclosures.” Journal of Accounting and Economics 63: 358–84.CrossRefGoogle Scholar
Gneezy, Uri, Meier, Stephan, and Rey-Biel, Pedro. 2011. “When and Why Incentives (Don’t) Work to Modify Behavior.” Journal of Economic Perspectives 25: 191210.CrossRefGoogle Scholar
Gneezy, Uri, and Rustichini, Aldo. 2000. “A Fine Is a Price.” Journal of Legal Studies 29: 118.CrossRefGoogle Scholar
Goebel, Sebastian, and Weissenberger, Barbara E.. 2017. “The Relationship between Informal Controls, Ethical Work Climates, and Organizational Performance.” Journal of Business Ethics 141: 505–28.CrossRefGoogle Scholar
Gorsira, Madelijne, Steg, Linda, Denkers, Adriaan, and Huisman, Wim. 2018. “Corruption in Organizations: Ethical Climate and Individual Motives.” Administrative Sciences 8: 119.CrossRefGoogle Scholar
Gray, Garry C. 2006. “The Regulation of Corporate Violations: Punishment, Compliance, and the Blurring of Responsibility.” British Journal of Criminology, 46: 875–92.CrossRefGoogle Scholar
Gray, Garry C. and Silbey, Susan S.. 2014. “Governing Inside the Organization: Interpreting Regulation and Compliance.” American Journal of Sociology 120: 96-145.CrossRefGoogle ScholarPubMed
Grüninger, Stephan and Lisa, Schöttl. 2017. “Rethinking Compliance: Essential Cornerstones for More Effectiveness in Compliance Management.” Compliance Elliance Journal 3: 317.Google Scholar
Gunningham, Neil, Kagan, Robert A., and Thornton, Dorothy. 2003. Shades of Green: Business, Regulation, and Environment. Palo Alto, CA: Stanford University Press.Google Scholar
Gunningham, Neil, and Sinclair, Darren. 2014. “The Impact of Safety Culture on Systemic Risk Management.” European Journal of Risk Regulation 5: 505–16.CrossRefGoogle Scholar
Heimer, Carol A. 2013. “Resilience in the Middle: Contributions of Regulated Organizations to Regulatory Success.” Annals of the American Academy of Political and Social Science 639(September): 139–56.Google Scholar
Hofeditz, Marcel, Nienaber, Ann-Marie, Dysvik, Anders, and Schewe, Gerhard. 2017. “‘Want To’ versus ‘Have To’: Intrinsic and Extrinsic Motivators as Predictors of Compliance Behavior Intention.” Human Resource Management 56(January–February): 2549.CrossRefGoogle Scholar
Howard-Grenville, Jennifer, Bertels, Stephanie, and Boren, Brooke. 2015. What Regulators Need to Know about Organizational Culture. Penn Program on Regulation Research Paper. Scholar
Howard-Grenville, Jennifer, Nash, Jennifer, and Coglianese, Cary. 2008. “Constructing the License to Operate: Internal Factors and Their Influence on Corporate Environmental Decisions.” Law & Policy 30: 73107.CrossRefGoogle Scholar
Huising, Ruthanne, and Silbey, Susan S.. 2018. “From Nudge to Culture and Back Again: Coalface Governance in the Regulated Organization.” Annual Review of Law and Social Science 14: 91114.CrossRefGoogle Scholar
Huising, Ruthanne, and Silbey, Susan S.. 2011. “Governing the Gap: Forging Safe Science through Relational Regulation.” Regulation & Governance 5: 1442.CrossRefGoogle Scholar
Hunter, Robert D. 2009. Standards, Conformity Assessment, and Accreditation for Engineers. Boca Raton, FL: CRC Press.CrossRefGoogle Scholar
Iliev, Peter. 2010. “The Effect of SOX Section 404: Costs, Earnings Quality, and Stock Prices.” Journal of Finance 65: 1163–96.CrossRefGoogle Scholar
Institut der Wirtschaftsprüfer (IDW). 2011. IDW AsS 980: Principles for the Proper Performance of Reasonable Assurance Engagements Relating to Compliance Management Systems. Düsseldorf: IDW.Google Scholar
International Chamber of Commerce (ICC). 2013. “The ICC Antitrust Compliance Toolkit.” Scholar
International Chamber of Commerce (ICC). 2011. “ICC Rules on Combating Corruption.” Scholar
International Organization for Standardization (ISO). 2019a. “Projects Ongoing: ISO 37000 Guidance for the Governance of Organizations.” Scholar
International Organization for Standardization (ISO). 2019b. “Projects Ongoing: ISO 37301 Compliance Management Systems – Requirements with Guidance for Use.” Scholar
International Organization for Standardization (ISO). 2018. “The ISO Survey of Management System Certifications 2018.” Scholar
International Organization for Standardization (ISO). 2015. ISO 14001: 2015 Environmental Management System – Requirement with Guidance for Use. Geneva: ISO.Google Scholar
International Organization for Standardization (ISO). 2014. ISO 19600: 2014 Compliance Management Systems – Guidelines. Geneva: ISO.Google Scholar
Kaptein, Muel. 2015. “The Effectiveness of Ethics Programs: The Role of Scope, Composition, and Sequence.” Journal of Business Ethics 132: 415–31.CrossRefGoogle Scholar
Kearl, Holly. 2018. The Facts Behind the #MeToo Movement: A National Study on Sexual Harassment and Assault. Reston, VA: Stop Street Harassment. Scholar
Labonte, Marc. 2017. “Who Regulates Whom? An Overview of the U.S. Financial Regulatory Framework.” Congressional Research Service 7–5700. Scholar
Lund, Dorothy S., and Sarin, Natasha. 2020. “The Cost of Doing Business: Corporate Crime and Punishment Post-Crisis.” University of Pennsylvania Institute for Law and Economics Research Paper No. 20–13. Scholar
Malesky, Edmund, and Taussig, Markus. 2019. “Participation, Government Legitimacy, and Regulatory Compliance in Emerging Economies: A Firm-Level Field Experiment in Vietnam.” American Political Science Review 113: 530–51.CrossRefGoogle Scholar
Martin, Susan Lorde. 2015. “Compliance Officers: More Jobs, More Responsibility, More Liability.” Notre Dame Journal of Law, Ethics & Public Policy 29: 169–98.Google Scholar
Martinez, Veronica Root. 2020. “Complex Compliance Investigations.” Columbia Law Review 120(2): 249308.Google Scholar
McCallen, Jennifer, Schmardebeck, Roy, Shipman, Jonathan, and Whited, Robert. 2019. “Have the Costs and Benefits of SOX Section 404(b) Compliance Changed Over Time?” Working Paper. Scholar
McCarthy, James E., and Copeland, Claudia. 2016. “EPA Regulations: Too Much, Too Little, or On Track?” Congressional Research Service 7–5700. Scholar
Michael, Michael L. 2006. “Business Ethics: The Law of Rules.” Business Ethics Quarterly 16: 475504.CrossRefGoogle Scholar
Miller, Geoffrey P. 2018. “An Economic Analysis of Effective Compliance Programs.” In Research Handbook on Corporate Crime and Financial Misdealing, edited by Arlen, Jennifer, 247–62. Cheltenham, UK: Edward Elgar.Google Scholar
Miller, Geoffrey P. 2017. “Compliance: Past, Present and Future.” University of Toledo Law Review 48: 437–51.Google Scholar
Moeller, Robert R. 2004. Sarbanes-Oxley and the New Internal Auditing Rules. Hoboken, NJ: John Wiley & Sons.Google Scholar
Moen, Ronald D. and Norman, Clifford L.. 2010. “Circling Back: Clearing Up Myths about the Deming Cycle and Seeing How It Keeps Evolving.” Quality Progress 43: 22–8.Google Scholar
National Academies of Sciences, Engineering, and Medicine. 2018. Designing Safety Regulations for High-Hazard Industries. Washington, DC: The National Academies Press.Google Scholar
New York Stock Exchange (NYSE). 2019b. “Rule 3130: Annual Certification of Compliance and Supervisory Processes.”!WKUS-TAL-DOCS-PHC-%7B4A07B716-0F73-46CC-BAC2-43EB20902159%7D–WKUS_TAL_5665%23teid–598.Google Scholar
Organisation for Economic Co-operation and Development (OECD). 2010. “Good Practice Guidance on Internal Controls, Ethics, and Compliance.” Scholar
Paine, Lynn. 1994. “Managing for Corporate Integrity.” Harvard Business Review 72(2): 106–17.Google Scholar
Parker, Christine. 2002. The Open Corporation: Effective Self-Regulation and Democracy. Cambridge: Cambridge University Press.CrossRefGoogle Scholar
Parker, Christine, and Gilad, Sharon. 2011. “Internal Corporate Compliance Management Systems: Structure, Culture, and Agency.” In Explaining Compliance: Business Responses to Regulation, edited by Parker, Christine and Nielsen, Vibeke Lehmann, 170–95. Cheltenham, UK: Edward Elgar.CrossRefGoogle Scholar
Parker, Christine, and Nielsen, Vibeke Lehmann. 2009. “Corporate Compliance Systems: Could They Make Any Difference?Administration & Society 41: 337.CrossRefGoogle Scholar
Parker, Christine, and Nielsen, Vibeke Lehmann. 2006. “Do Businesses Take Compliance Systems Seriously? An Empirical Study of the Implementation of Trade Practices Compliance Systems in Australia.” Melbourne University Law Review 30: 441–94.Google Scholar
Pfaff, Alexander, and Sanchirico, Christopher William. 2004. “Big Field, Small Potatoes: An Empirical Assessment of EPA’s Self-Audit Policy.” Journal of Policy Analysis and Management 23: 415–32.CrossRefGoogle Scholar
Potoski, Matthew, and Prakash, Aseem. 2006. The Voluntary Environmentalists: Green Clubs, ISO 14001, and Voluntary Environmental Regulations. Cambridge: Cambridge University Press.Google Scholar
Ruiz, Pablo, Martinez, Ricardo, Rodrigo, Job, and Diaz, Cristina. 2015. “Level of Coherence among Ethics Program Components and Its Impact on Ethical Intent.” Journal of Business Ethics 128: 725–42.CrossRefGoogle Scholar
Schein, Edgar H. 2010. Organizational Culture and Leadership, 4th ed. San Francisco, CA: Jossey-Bass.Google Scholar
Selznick, Philip. 1992. The Moral Commonwealth: Social Theory and the Promise of Community. Berkeley: University of California Press.Google Scholar
Shimshack, Jay P. 2014. “The Economics of Environmental Monitoring and Enforcement: A Review.” Annual Review of Resource Economics (ARRE) 6: 339–60.Google Scholar
Short, Jodi L., and Toffel, Michael W.. 2010.“Making Self-Regulation More than Merely Symbolic: The Critical Role of the Legal Environment.” Administrative Science Quarterly 55: 361–96.CrossRefGoogle Scholar
Silbey, Susan S., and Agrawal, Tanu. 2011. “The Illusion of Accountability: Information Management and Organizational Culture.” Droit et société 77: 6986.CrossRefGoogle Scholar
Sokol, Daniel D. 2016. “Teaching Compliance.” University of Cincinnati Law Review 84: 121.Google Scholar
Soltes, Eugene. 2019. “Where Is Your Company Most Prone to Lapses in Integrity? A Simple Survey to Identify the Danger Zones.” Harvard Business Review July-August: 51–4.Google Scholar
Stamatis, D. H. 1995. Understanding ISO 9000 and Implementing the Basics to Quality. New York: Marcel Dekker.Google Scholar
Standards Australia. 2006. “Australian Standard: Compliance Programs.”–2006-Compliance-Standard.pdf.Google Scholar
Steinberg, Richard M. 2011. Governance, Risk Management, and Compliance. Hoboken, NJ: John Wiley & Sons.CrossRefGoogle Scholar
Stucke, Maurice E. 2014. “In Search of Effective Ethics and Compliance.” Journal of Corporate Law 39: 770832.Google Scholar
Toffel, Michael W., and Short, Jodi L.. 2011. “Coming Clean and Cleaning Up: Does Voluntary Self-Reporting Indicate Effective Self-Policy?Journal of Law and Economics 54: 609–49.CrossRefGoogle Scholar
Treviño, Linda Klebe, Weaver, Gary R., Gibson, David G., and Toffler, Barbara Ley. 1999. “Managing Ethics and Legal Compliance: What Works and What Hurt.” California Management Review 4: 131–51.Google Scholar
Tyler, Tom R. 1990. Why People Obey the Law. Princeton, NJ: Princeton University Press.Google Scholar
U.S. Department of Health and Human Services (HHS). 2019. “Office of Inspector General – Compliance.” Scholar
U.S. Department of Justice. 2018. “Justice Manual.” Scholar
U.S. Department of Justice Criminal Division. 2019. “Evaluation of Corporate Compliance Programs, Guidance Document.” Scholar
U.S. Environmental Protection Agency (EPA). 2018. “EPA Enforcement and Compliance Annual Results.”–02/documents/fy18-enforcement-annual-results-data-graphs.pdf.Google Scholar
U.S. Environmental Protection Agency (EPA). 2007. “Performance Track Could Improve Program Design and Management to Ensure Value” Rep. No. 2007-P-00013.–11/documents/20070329–2007-p-00013.pdf.Google Scholar
U.S. Government Accountability Office. 2016. “Fines, Penalties, and Forfeitures for Violations of Financial Crimes and Sanctions Requirements.” Scholar
U.S. Sentencing Commission. 2018. “Guidelines Manual 2018.” Scholar
Walberg, Susan Lee. 2018. Insider’s Guide to Compliance: Real World Advice for Building a Successful Compliance Program. Compliance Ala Carte.Google Scholar
Weaver, Gary R. 2014. “Encouraging Ethics in Organizations: Review of Some Key Research Findings.” American Criminal Law Review 51: 293316.Google Scholar
Cited by

Send book to Kindle

To send this book to your Kindle, first ensure is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about sending to your Kindle.

Note you can select to send to either the or variations. ‘’ emails are free but can only be sent to your device when it is connected to wi-fi. ‘’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

Find out more about the Kindle Personal Document Service.

Available formats

Send book to Dropbox

To send content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about sending content to Dropbox.

Available formats

Send book to Google Drive

To send content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about sending content to Google Drive.

Available formats