Abstract: Regulatory compliance is vital for promoting the public values served by regulation. Yet many businesses remain out of compliance with at least some of the regulations that apply to them – not only presenting possible dangers to the public but also exposing themselves to potentially significant liability risk. Compliance management systems (CMSs) may help reduce the likelihood of noncompliance. In recent years, managers have begun using CMSs in an effort to address compliance issues in a variety of domains: environment, workplace health and safety, finance, health care, and aviation, among others. CMSs establish systematic, checklist-like processes by which managers seek to improve their organizations’ compliance with government regulation. They can help managers identify compliance obligations, assign responsibility for meeting them, track progress, and take corrective action as needed. In effect, CMSs constitute and structure firms’ own internal inspection and enforcement responsibilities. At least in theory, CMSs reduce noncompliance by increasing information available to employees and managers, facilitating internal incentives to correct instances of noncompliance once identified, and helping to foster a culture of compliance. Recognizing these potential benefits, some government policymakers and regulators have even started to require certain firms to adopt CMSs.
But do CMSs actually achieve their theoretical benefits? We review the available empirical research related to CMSs in an effort to discern how they work, paying particular attention to whether CMSs help firms fulfill both the letter as well as the spirit of the law. We also consider lessons that can be drawn from research on the effectiveness of still broader systems for risk management and corporate codes of ethics, as these systems either include regulatory compliance as one component or present comparable challenges in terms of internal monitoring and the shaping of organizational behavior. Overall, we find evidence that firms with certain types of CMSs in place experience fewer compliance violations and show improvements in risk management. But these effects also appear to be rather modest. Compliance in large organizations generally requires more than just a CMS; it also demands appropriate managerial attitudes, organizational cultures, and information technologies that extend beyond the systematic, checklist processes that are characteristic of CMSs. We address implications of what we find for policy and future research, especially about the conditions under which CMSs appear to work best, the types or features of CMSs that appear to work better than others, and the possible value of regulatory mandates that firms implement CMSs.