TABLE OF CONTENTS

Introduction

Creating systems to create, promote, and encourage ethical behavior within firms is a maddeningly difficult endeavor. Whether one focuses on the purposeful decision to attempt to cheat emissions standards by Volkswagen, the failure of attorneys to alert upper management regarding potential problems with an ignition switch at General Motors, the creation of standards that incentivized workers to fraudulently open accounts at Wells Fargo, or the deficiencies with Facebook’s privacy standards and practices, it appears that today’s firms have quite a ways to go in establishing strong ethical cultures within their organizations. The interplay between legal and regulatory requirements, the creation of compliance policies and procedures, and the instillation of ethical behavior within firms is not a new challenge, but it may be at a tipping point. Despite increased legal and regulatory mandates and the ever-increasing professionalization of compliance efforts within firms, corporate misconduct persists.

Take Facebook as an example. In 2012, the Federal Trade Commission (FTC) entered into a final settlement with Facebook “resolving charges that Facebook deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” In particular, the 2012 settlement required Facebook to implement policies and procedures that would ensure Facebook obtained the express consent of its consumers “before sharing their information beyond their privacy settings” and “by maintaining a comprehensive privacy program to protect consumers’ information.” And yet despite entering into this settlement, in 2018 Facebook found itself embroiled in scandal when it was discovered that “Facebook [allegedly] violated the 2012 order by deceiving its users when the company shared the data of users’ Facebook friends with third-party app developers, even when those friends had set more restrictive privacy settings.” Additionally, “Facebook [allegedly] did not screen the [app] developers or their apps before granting them access to vast amounts of user data.” Moreover, Facebook allegedly “misrepresented users’ ability to control the use of facial recognition technology with their accounts.” Finally, Facebook allegedly engaged in “deceptive practices when it told users it would collect their phone numbers to enable a security feature, but did not disclose that it also used those numbers for advertising purposes.”

In other words, Facebook knew, at a minimum, in 2012 that it had problems with its privacy practices and policies. It acknowledged these problems and entered into a settlement with the FTC. Yet, it appears that Facebook failed to change its culture. It failed to take the steps necessary to stop future privacy violations and, as a result, the privacy concerns at Facebook grew and became more significant in size, nature, and scope. Facebook, unfortunately, does not appear to be unique.

Wells Fargo knew fraudulent accounts were being opened at some of its branches. General Motors knew there was something weird going on with its ignition switch. Volkswagen purposefully attempted to dodge emissions scandals. And each of these firms was aware when these scandals were brewing internally that they were expected to develop and implement effective ethics and compliance programs. The reality, however, is that when there are compliance failures, the response from regulators and industry insiders is often to find ways to incentivize and shore up compliance efforts, but each of these scandals also invokes fundamental concerns about the strength of each firms’ ethical culture.

This Essay contends that while we have grown to know much more about what is and is not necessary for the creation of an effective compliance program, it is time to think through the role of ethics within compliance efforts in a much more deliberate and meaningful manner. Part I begins by looking at the role of ethics within firms today. It evaluates the way legal scholars have focused on the role of ethics and looks to examples of decisionmaking within firms that failed to adequately consider related ethical ramifications. Part II outlines four strategies one might choose to instill (or not to instill) ethical infrastructures within firms and notes the limitations of each. Part III argues that it is time for firms to engage in more meaningful ethics efforts and implement specific and explicit ethical infrastructures within their compliance programs. In particular, it suggests that firms should commit to adopting policies and practices that (i) protect the dignity, (ii) promote the flourishing, and (iii) advance the interests of the various stakeholders within firms as a baseline to be used for establishing the ethics components of their ethics and compliance programs. In addition, Part III discusses benefits and caveats to the Essay’s suggested approach.

I. Ethics at Today’s Firms

Government officials, industry leaders, and academics all appear to understand the importance of creating cultures that focus on both ethics and compliance. Compliance here is meant to include adherence to legal and regulatory requirements, industry standards or practices, and the organization’s own internal policies and norms. Instead of focusing on compliance, however, this Part focuses on the role of ethics within ethics and compliance programs.

A. “An Effective Compliance and Ethics Program”

The Organizational Sentencing Guidelines, which apply to diverse types of organizations, apply when an organization is found guilty of engaging in criminal behavior. They outline four factors that will result in an increase in punishment: “(i) the involvement in or tolerance of criminal activity; (ii) the prior history of the organization; (iii) the violation of an order; (iv) the obstruction of justice.” The Organizational Guidelines also outline two factors that serve to mitigate the ultimate punishment a firm will face: “(i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility.” The Organizational Sentencing Guidelines directly influence firm behavior because they outline clear parameters on how and why a firm may or may not receive a greater or lesser sanction for misconduct.

The admonishment to have an effective compliance and ethics program, however, is different than the other five factors in that its assessment does not lend itself well to clear-cut legal conclusions. There is a measure of judgment in whether a firm has an effective compliance and ethics program. Within this particular category, the question of what makes an effective ethics program is likely a more subjective question than what makes an effective compliance program. At this juncture, there are industry standards and norms regarding the components of an effective compliance program. Ethics, however, remains a less precise concept.

B. Global Ethics and Compliance Programs

The trend today within industry appears to be to structure a firm’s ethics and compliance responsibilities into one program. These decisions are purposeful. For example, Walmart overhauled its compliance program from 2014 to 2016, making a variety of changes to the structure of its global compliance program and its personnel. In 2016, it merged its global ethics and compliance programs, stating that it believed the “functions are closely related, as both are involved in identifying and preventing risks, responding to issues, and educating associates.” Walmart is not alone. From healthcare companies like GSK, to electronics companies like Sony, and automotive companies like Oshkosh, multinational firms continue to pivot toward the use of global ethics and compliance program. The role, however, that ethics is meant to play is sometimes difficult to discern.

For example, GSK’s description of its Global Ethics and Compliance program uses the word ethics, but it seems to generally describe functions associated with compliance efforts. GSK’s first statement on its website describing its program explains: “Global Ethics and Compliance function is responsible for supporting the development and implementation of practices that facilitate compliance with laws and Group policy.” This describes a compliance program, but it is not clear what ethics are involved. The website description then states: “The Global Ethics and Compliance function (GEC) delivers clear and integrated compliance solutions that embed GSK’s values (Patient focus, Respect, Integrity, Transparency) and expectations (Courage, Accountability, Development, Teamwork) in order to build trust.” This sentence does include concepts that likely fall within the ethics category—respect, integrity, courage—but the ethics and compliance program at GSK does not appear to overtly encourage the creation of independent ethical infrastructures. All references to possible ethical concerns are framed within and through the lens of compliance.

In short, the primary focus of the program appears to be compliance, as evidenced by the following statement on GSK’s website: “As well as promoting ethical behavior, GEC prevents and detects misconduct or non-compliance with laws, regulations and our code of conduct, through effective compliance systems.” Again, there is a nod to the importance of promoting ethics, but there is no explanation or prompting of what that ethical behavior might entail. Additionally, there is no reference to systems in place to promote this ethical behavior. That does not mean there are not specific ethical systems in place; it just means that, if there are, they are not transparent from an outsider’s view.

C. Interplay of Ethics and Compliance within Legal Scholarship

Legal academic scholarship discussing the interplay of ethics and compliance often leans more heavily on compliance than ethics. Professor Geoffrey Miller has explained that “the law of compliance shares an uneasy boundary with a broader set of issues that might loosely be termed ‘ethics beyond compliance.’” Professor Donald Langevoort has outlined six important components of a compliance program, but only one, “a commitment from senior leadership to the task, setting a right ‘tone at the top,’” invokes what might fall into the category of ethics. The other five fall properly within standard compliance activities. That is not to suggest that legal scholars do not acknowledge the importance of ethics. For example, Professor Miriam Baer has explained that “the common justification for corporate compliance programs is that they deter wrongdoing and generate ethical norms within the firm.” The reality, however, is that legal scholarship thus far has focused much more on the role of compliance than the role of ethics within firms’ ethics and compliance programs.

Scholarship within other academic disciplines discusses ethics in a more robust fashion, even when considering compliance concerns. For example, Professor Yuval Feldman and others have applied research from the behavioral ethics field to compliance efforts within firms. And yet, for the most part, there appears to be a bit of a disconnect between current industry practice—which is to create joint ethics and compliance programs—and legal scholarship, which focuses more heavily upon compliance, as opposed to ethics, activities. To be fair, legal scholars are typically not ethicists and one may question whether concerns about ethics belong within legal scholarship or should instead be housed elsewhere. It may be entirely appropriate for legal scholarship to focus heavily on compliance while management literature focuses more heavily on ethics. The problem, however, is that legal compliance has increased in sophistication and has grown dramatically over the last fifteen years as a result of the incentives created by governmental enforcement actions and changing industry practices and standards, but corporate misconduct continues unabated. It appears that focusing primarily on compliance activities is not enough to curb the tide of wrongdoing found within and throughout firms. As such, it may be time for more purposeful interdisciplinary conversations between those working on compliance and those working on ethics within firms.

D. Inadequate Ethical Decisionmaking

Importantly, the significant corporate misconduct discovered over the past five years appears to have at its core some sort of unethical conduct: the creation and implementation of a hidden device to deceive regulators and the public (Volkswagen), ignoring a product defect that was causing death and substantial bodily injury to consumers (General Motors), purposefully defrauding customers for the purpose of padding one’s own sales records (Wells Fargo), and failing to adhere to one’s own stated policies regarding the use of consumer’s information in an effort to monetize aspects of their lives and experiences (Facebook). In each instance there was a compliance failure—the firms failed to comply with legal and regulatory requirements. But the underlying problem at these firms appears to be much more fundamental and problematic than legal noncompliance.

Compliance Week, a trade publication, details the top ethics and compliance failures of the year each December. In 2018, it highlighted data privacy practices at Facebook, improper Twitter statements regarding Tesla, financial misconduct at Nissan, fraudulent behavior at Wells Fargo, and anti-money laundering deficiencies at Danske Bank. It explained: “[a]s with Compliance Week’s list of the top ethics and compliance failures of past years, the most significant cases repeatedly share one common element: senior leaders who do not value or embody ethical behavior, which ultimately trickles down through the entire workforce.” This statement is a nod to the commonly accepted understanding that the “tone at the top” will have a dramatic impact on compliance efforts at firms. This understanding has a basis within behavioral ethics scholarship, which has found that the example set by a firm’s “leaders will have a trickle-down effect throughout the firm.” And it remains important, because tone at the top is likely the most common component of current ethics and compliance programs that finds its roots in ethics, as opposed to compliance, infrastructures.

But tone at the top is not enough to ensure that ethical decisionmaking is embraced throughout a firm. Take Wells Fargo. It is true that senior leadership was responsible for setting daily cross-selling targets that resulted in employees opening fraudulent accounts. It is also true that research suggests that setting sales quotas in this manner leads to unethical conduct. At the same time, however, individual employees chose to fraudulently open accounts on behalf of customers—an action most would consider to be unethical. That is not to detract from the fault of the senior leadership at Wells Fargo; they created a culture where illegal and unethical behavior thrived and was encouraged (purposefully or not). But fixes to Wells Fargo’s compliance program, while improving the ability to monitor employees, will not necessarily be equipped to stop future unethical conduct when part of what motivates that unethical conduct is a belief that it will benefit the individual, low-level employee.

Wells Fargo, like many complex organizations with many different divisions, units, and subsidiaries, has a huge task to achieve when it undertakes the creation and implementation of its compliance program. Indeed, Wells Fargo’s problems did not end with the cross-selling scandal. Complex organizations can attempt to create monitoring systems that will appropriately take into account all risk, but the task is an enormous one. And compliance efforts alone can only do so much. But what if, at their core, the problems at Wells Fargo are not compliance problems. What if, instead, the problems are rooted in a failure to foster ethical behavior by its employees?

II. Ethical Frameworks within Compliance

Some legal scholars believe that ethics and compliance are separate and distinct concepts that may, at times, share “an uneasy boundary.” This Part investigates that boundary—a difficult task because the concept of what is or is not ethical is innately ambiguous. What one person finds to be unethical may be considered entirely appropriate by another individual. Similarly, what might seem like improper behavior in the United States may be considered normal business practice in another part of the world. Thus, leaders within firms have a variety of choices to consider when deciding how to employ ethics within their compliance frameworks. This Part goes through four possible conceptions of the role of ethics within firms today, and ultimately contends that compliance without meaningful attention to ethics may be an innately limited strategy.

A. No Ethics

Firms may determine that ethical goals are not proper to include within their compliance efforts. Their focus may remain squarely on technical compliance with legal requirements without attempts to strive for something more. Facebook’s recent difficulties regarding privacy may be an example of a decision by a firm to focus solely on compliance without concern for ethical norms.

As noted above, in 2012 Facebook agreed to settle claims regarding alleged privacy violations of its consumers’ data, including steps like “maintaining a comprehensive privacy program” and “obtaining biennial privacy audits from an independent third party.”  And yet, Facebook, while still within the twenty-year biennial audit period, suffered yet another devastating privacy scandal in 2018. In 2019, Facebook settled charges from the FTC that it violated the 2012 settlement by “deceiving users about their ability to control the privacy of their personal information.” The 2019 settlement, requires Facebook to pay a $5 billion penalty and “submit to new restrictions and a modified structure that will hold the company accountable for the decisions it makes about users’ privacy.” Indeed, the “order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.”  Interestingly, however, nowhere in the FTC’s description of its “sweeping” and “historic” settlement with Facebook is even one word mentioned regarding strengthening ethics at the firm.

Facebook’s response to the settlement includes statements surrounding the ways its agreement with the FTC will bring “rigorous new standards for protecting [consumers] privacy.” Facebook’s own description of the agreement focuses on compliance, but it does not appear that it views privacy violations as an ethical issue. Facebook notes that the “agreement will require a fundamental shift in the way” it approaches its work and “will place additional responsibility on people building our products at every level of the company.” A true statement, as the agreement’s mandated reforms are quite stringent. Additionally, Facebook touts that the “accountability required by [the] agreement surpasses current US law” and that it hopes it “will be a model for the industry.” Facebook, of course, is not entering into actions on their own, they are doing so because they are mandated to under the settlement agreement, which concluded various governmental investigations from the FTC and the Department of Justice.

Only time will tell whether Facebook’s focus on complying with the agreement without a similarly public focus on ethics will be enough to ensure long-term change at the firm, and recent revelations only serve to deepen concerns of this nature. At a minimum, it does appear that the 2012 settlement agreement was not sufficient to trigger a sea change at the firm. Additionally, Facebook’s failure to mention ethics within its announcement of privacy change is notable, because Facebook is aware that there are significant ethical issues facing technology companies at this time, as evidenced by its investment in research related to ethics in artificial intelligence in early 2019. Thus, it is not that Facebook necessarily rejects notions of ethics within its decisionmaking wholesale, it just is not acknowledging, at least publicly, those ethical issues with regards to its responsibilities related to consumers’ privacy.

B. Paper Ethics

It may be possible for a firm to have implemented a robust and seemingly effective compliance program, but a paper ethics program. This would be a situation where the firm has internal controls, policies, and procedures that meet or exceed industry standards, that would be readily approved as effective by any prosecutor at the Department of Justice, and that might actually deter compliance failures, but have an ethics program that looks to be nothing more than lip service.

When one looks at the descriptions of global ethics and compliance programs, one can readily identify the compliance efforts, but as in the case of GSK the ethics can often be difficult to define. Indeed, take, once again, Wells Fargo. In the aftermath of the allegations against it, in December 2018 Wells Fargo released a Business Standards Report. Among other things, the report details the root causes of improper conduct within their ranks. In particular, it notes (i) the elimination of product sales goals; (ii) the centralization of control functions within corporate risk, human resources, finance, technology, and data groups; (iii) the strengthening of its risk management program, particularly for compliance and operational risk; and (iv) changes to the governance structure and composition of its Board of Directors. There is no mention at all of ethical considerations within the root cause of the improper conduct found throughout the firm.

The report does, however, mention ethics as one of Wells Fargo’s five core values. It even outlines high-level expectations for team members and for mangers, and incorporates by reference the Wells Fargo Code of Ethics and Business Conduct. But when one reviews the code, one finds a great deal of compliance guidance, and not much on actual ethics. Indeed, even the half-page “ethics” section starts with this question: “Does it comply with the spirit or intent of any applicable law, rule, regulation, or regulatory expectation?” Begging the question, what ethical norms is the firm, if any, attempting to convey to its workforce?

C. Professional Ethics

For many firms much of their activity is cabined in by the professional ethics and standards with which their internal and external agents, like lawyers and accountants, are required to comply. Outside auditors for public companies, for example, must comply with Generally Accepted Accounting Principles (GAAP) when submitting financial statements to the Securities and Exchange Commission. Similarly, a lawyer engaged in an attorney-client relationship with an organization, whether as inside or external counsel, must comply with the rules of professional conduct of the state where the lawyer is admitted to practice law. Compliance officers, while not technically members of a self-regulating profession, often refer to themselves as compliance professionals, and are often members of compliance organizations that put out non-binding guidance and standards. These codes of conduct may incentivize pockets of employees to engage in certain types of ethical behavior, but in general the standards are less about instilling and promoting strong ethical norms and more about ensuring base levels of professionally acceptable conduct for particular segments of a firm’s workforce. As such, reliance on professional ethics or standards is not sufficient for creating widespread ethical norms within and throughout firms.

D. Moral Philosophy for Business Ethics

The broadest conception of ethics likely comes from philosophers whose field of study focuses on how moral and ethical people should behave. When those concerned with business ethics borrow from moral philosophy, they focus “on the evaluation of practices of employees, managers, and their organizations from a moral standpoint.” In particular, they study the various cognitive approaches to moral development as well as “various distinctions and debates that ha[ve] existed in philosophy for centuries.” Philosophers debate the importance of this type of learning to achieving more ethical behavior. In particular, “[p]hilosophers have argued that philosophical thinking is central to moral education, will make us better citizens, and will also provide the courage to stand up for justice.” Yet others argue “that there is no empirical evidence in support of these claims.”

For those charged with creating ethics and compliance programs within firms, attempting to apply very broad aspects of moral philosophy might seem a particularly daunting task. Ironically, however, the amorphous references to ethics found within many firms’ compliance programs today can seem just as lacking in firm boundaries and limiting principles as one might expect to find when attempting to apply the field of moral philosophy to compliance decisions. As a result, it would seem that the “ethics” within an ethics and compliance program would need some sort of defining attributes for the concept to do tangible work within a firm.

The problem with firms that do not rely on ethics, implement paper ethics programs, or who focus solely on adhering to professional ethics and standards is that they are relying heavily on compliance efforts, which are inherently limited. For example, attempting to manage all potential wrongdoing through a compliance program at a firm as large, diverse, and vast as Wells Fargo is a seemingly impossible task. Everything cannot be monitored all of the time. Every risk cannot be identified in advance. Thus, for a firm to achieve the goal of stopping improper conduct within its ranks, it must rely, to a certain extent, on the decisionmaking of its people. Indeed, it is this reliance that creates many zones of risk for firms—if their employees fail to comply with legal and regulatory requirements, the firm is held accountable for their actions. Thus, firms should consider whether compliance alone, without practices that also promote ethical decisionmaking, are likely to prevent improper conduct from occurring. It may be that firms need to think through ethics in a more systematic way to ensure meaningful ethical mechanisms are placed within the infrastructure of the firm to guide the conduct of firms’ employees and agents. Part III contributes to that effort.

III. More Meaningful Ethics

Firms have focused primarily on compliance reforms when wrongdoing is discovered for good reason. The compliance function involves activities like monitoring, which can bolster a company’s claim that it engaged in appropriate prevention and detection efforts. The compliance function also might involve automating certain functions like tracking payments or ensuring adherence to certain disclosure obligations, which, again, can be used as evidence of the work actively being done by and in the firm to ensure misconduct does not occur. Ethical interventions, however, are often thought of as more difficult to measure and track and, therefore, are not a priority in a world where many compliance policies are adopted defensively. In particular, many components of compliance programs are adopted, in part, to ensure mitigation credit, or possibly even a declination, if wrongdoing is discovered.

And yet, a failure to robustly consider ethical considerations might have damaging effects to the firm. To be clear, to suggest firms should focus on ethics is not to suggest that firms abandon compliance in the hope that people’s “natural goodness [is] waiting to be unlocked.” To the contrary, scholarship from the area of behavioral ethics suggests that all people have the potential to engage in misconduct—even people whose moral and ethical sense of self is quite high. Thus, those charged with creating compliance and ethics programs, must think through more than how to create the perfect compliance apparatus. They must also consider how ethical infrastructures might influence—and perhaps decrease—the rates of improper behavior within and throughout the organization. The unabated nature of compliance failures with significant ethical issues within organizations over the past five years may suggest that focusing on compliance structures alone is not enough.

This Part puts forth the thesis of this Essay and argues that firms should implement specific and explicit ethical infrastructures within their compliance programs. This Part begins by suggesting some guiding principles to apply when creating ethical infrastructures within firms’ compliance programs. The Part then suggests that firms should commit to adopting policies and procedures that (i) protect the dignity of, (ii) promote the flourishing of, and (iii) advance the interests of the various stakeholders of firms as a baseline to be used for establishing the ethics components of their ethics and compliance programs. The Part concludes by outlining benefits of the proposed framework as well as caveats to the approach.

A. Guiding Principles

If one assumes that having no commitment to ethics or a paper commitment to ethics is undesirable, then those charged with creating and implementing ethics and compliance programs for firms must make a determination regarding “how much” ethics they want their ethical infrastructures to incentivize. As is explained above, professional ethics and standards tend to act as a baseline or floor for certain types of employee conduct while moral philosophy might be described as creating a hazy sort of ill-defined ceiling. Thus, the real question for firms is how to create ethical infrastructures that lie somewhere between the floor of professional ethics and the ceiling of moral philosophy. Some guiding principles might aid in making these determinations, and the fields of behavioral ethics, social psychology, and organizational behavior can be helpful in this effort.

For example, behavioral ethics research suggests that the frame in which a decision is presented impacts an individual’s moral awareness. For example, if an employee perceives a decision as an ethical decision, they are morally aware when entering into a decision-making process. If, instead, the person is focused on the problem from the perspective of a business or legal frame, they are less likely to engage with whether the decision has moral or ethical implications. Thus, those establishing ethics and compliance programs should find ways to prime employees so they assess decisions in a manner that invokes moral awareness as opposed to from a strictly business or legal frame, which is arguably the frame from which most compliance programs—like Facebook’s new privacy program—originate.

Additionally, social psychology has long established that when firms engage in robust monitoring of employees to ensure compliance with firm expectations, it can actually contribute to the erosion of individual autonomy necessary for employees to act independently. As noted by one legal scholar, this may ultimately lead to “lower rates of compliance than would exist in the absence of close monitoring and visible penalties.” Thus, it may be important to promote an ethics and compliance program that ensures that employees maintain certain levels of decisionmaking and autonomy. In doing so, employees will retain certain levels of responsibility and ownership over decisions they are responsible for making and those decisions’ consequences.

Research from the field of organizational behavior teaches that employees often feel uncomfortable expressing their views within workplaces. Indeed, there is a robust literature on the use of employee voice, which is defined as “informal and discretionary communication by an employee of ideas, suggestions, concerns, information about problems, or opinions about work-related issues to persons who might be able to take appropriate action, with the intent to bring about improvement or change.” Employee voice is particularly important, because those in leadership roles within firms “often fail to see the issues and problems that frontline employees see.” Additionally, “[t]hey may also believe that employees feel free to communicate upward, failing to recognize the reluctance and fear that many employees experience” when faced with the decision to voice concerns to upper management. This is problematic, as “there is evidence suggesting that voice is in fact stifled in many organizations and that employees are often very hesitant to engage in voice, particularly when the information could be viewed by the recipient as negative or threatening.” If employees feel uncomfortable utilizing voice, it stifles progress within the firm and, more importantly, can contribute to a failure to detect misconduct. When that misconduct goes undetected, it provides an opportunity for it to grow and become of greater significance and increases potential related liabilities. Thus, it may be important for firms to create ethics and compliance programs that encourage employees to utilize voice and to do so even when alerting management to potentially harmful behavior within the firm, as this information might assist in protecting the firm and its stakeholders over the long-term.

The research cited from the above fields is not new, and it is known by many who work in compliance. And yet, when one reviews many compliance program documents, it is often not clear what, if anything, from these fields has been taken into account by those charged with creating and implementing compliance programs. Adopting a specific and concrete ethical imperative within the overarching structure of a firm’s compliance program will incentivize those charged with creating and implementing compliance program policies and procedures to find ways to incorporate more meaningful ethics throughout the ethics and compliance program.

B. Ethical Infrastructures within Compliance

The question for those charged with creating and implementing ethics and compliance programs is how to incorporate the insights from research such as what is reviewed briefly in Part III.A. Part II explains a variety of ways firms might engage (or not) with ethics as part of their compliance programs. This Part calls for firms to implement specific and explicit ethical infrastructures within their compliance programs. The reality is that this could be done in a number of ways, but this Essay draws on research from the fields of behavioral ethics, social psychology, and organizational behavior to guide its specific suggestion. In particular, firms should commit to adopting policies and procedures that (i) protect the dignity of, (ii) promote the flourishing of, and (iii) advance the interests of various stakeholders of firms as a framework for establishing the ethics components of their ethics and compliance programs. The importance of each component is discussed in turn below.

1. Dignity.

The importance of dignity is, again, not a new concept, but remains of integral importance. Dignity is defined as “the quality or state of being worthy, honored, or esteemed.” If an employee is excessively monitored in his or her workplace, resulting in an erosion of his individual autonomy, it impacts his sense of dignity. If an employer does not trust an employee to do his job completely and competently, it challenges the employee’s sense of worth, honor, and esteem. Relatedly, if an employee is afraid of speaking out about problems, inefficiencies, or potential misconduct within a firm, that employee’s sense of dignity is threatened.

Ensuring the dignity of a firm’s consumer base can be similarly important for a firm. For example, Facebook’s statements surrounding its new, mandated privacy policy focuses on adherence to the law and the settlement agreement, but it does not discuss the ways in which it harmed consumers. At most, Facebook acknowledged that it is “important that the people who use our platform can trust that their information is protected.” Facebook went on to explain that the agreement with the FTC was an “unambiguous commitment to do that,” yet less than two months later Facebook was forced to suspend “tens of thousands” of apps, potentially revealing widespread privacy issues. One problem with framing the privacy issues at Facebook as merely issues of legal and regulatory compliance is that it fails to prime decisionmakers at the firm about the ways in which its actions may impact the dignity of the firm’s consumers.

2. Flourishing.

The importance of human flourishing is acknowledged throughout history. Indeed, in 2016 Harvard founded an entire program for the purpose of studying “various academic fields on topics fundamental to human flourishing, and to develop and implement systematic approaches to the synthesis of knowledge across disciplines.” Flourishing is defined as: “marked by vigorous and healthy growth” or “very active and successful.” Others define human flourishing as “an effort to achieve self-actualization and fulfillment within the context of a larger community of individuals, each with the right to pursue his or her own such efforts.”

By including a focus on flourishing as part of a firm’s ethical infrastructure as related to compliance, it will help to ensure that individuals throughout the firm are seen as partners in the compliance effort. Again, at firms where compliance programs rely heavily on excessive monitoring and automation at the expense of creating environments where individual autonomy and employee voice are valued, it diminishes an effort by employees to achieve fulfillment and self-actualization within their workforces. If employees are told that certain decisions are outside of their purview or instructed to just check a specific set of boxes, it stifles the potential of employees to assist the firm in identifying and responding to potential issues and problems.

Ensuring an ability to flourish is also important for consumers. Facebook, for example, markets itself, in part, as a platform that can bring people together for good. Just a day before disclosing that it had suspended tens of thousands of apps, Facebook announced that people had raised over $2 billion for causes through the site. Facebook wants its consumers to see its platform as something that can be used for good and to allow individuals to achieve fulfillment of certain goals and aspirations. And yet, Facebook’s ability to promote connections is tainted when it fails to create those connections in a manner that respects each individual’s right to pursue those efforts as he or she dictates when selecting his or her own privacy preferences.

3. Stakeholders.

The concept of stakeholders within much of legal scholarship is fraught, because it invokes corporate law debates about who should control the actions of firms—shareholders alone or stakeholders more generally. This particular debate is particularly ripe for discussion given the recent statement from Business Roundtable supporting a vision of corporate purpose that encompasses stakeholders as opposed to one focused on shareholder primacy. This Essay takes no side in that larger debate.

Instead, the focus on advancing the interests of stakeholders is meant as a way to ensure that those charged with creating and implementing ethics and compliance programs think through the ways the program might impact individuals both within and outside of the firm. The reality is that misconduct within a firm often has the potential to harm employees, consumers, shareholders, or third parties more generally. For example, the mishandling of the ignition switch failure at General Motors resulted in employee’s concerns being discounted or ignored, the firing of employees, harm to consumers who drove cars where the ignition switch failure caused the airbags not to deploy, harm to third parties who were involved in collisions as a result of the failure, and the revelation of the failure led to a variety of questions regarding the firm’s value for shareholders. An effective ethics and compliance program must think through those various constituencies and consider how to analyze potential risks and issues for each set of stakeholders independently.

C. Potential Benefits

This Essay argues that firms implement specific and explicit ethical infrastructures within their compliance programs, and then suggests one way to promote such an outcome. There are a variety of potential benefits to the approach suggested in Part III.B., but this section will highlight three.

1. Engaging the Ethical Frame.

As outlined in Part III.A., whether an individual makes a decision from an ethical or business or legal frame changes whether they perceive the decision as having moral considerations. By implementing explicit and specific ethical infrastructures within compliance programs, firms can begin to prime their employees to make decisions from an ethical as opposed to a business or legal frame. The suggestion in this particular Essay, to develop policies and procedures that will (i) protect the dignity of, (ii) promote the flourishing of, and (iii) advance the interests of various stakeholders of firms provides some markers for what decisionmakers and employees should consider. It prompts them to think beyond value of shareholders, which is important, because harm to other constituencies can lead to significant problems within firms.

2. Priming the Lawyers Drafting Compliance Documents.

The individuals who often draft compliance documents are attorneys—both internal and external to firms—and they often draft those documents based on their expertise within particular legal and regulatory areas. If firms adopt particular ethical infrastructures as part of their compliance programs, it would provide an underlying framework for ensuring that those given the task of drafting compliance documents consider certain ethical considerations. If a lawyer is told that ethics is important, then the lawyer will include a general admonishment to behave ethically within the compliance documents. If a lawyer is instead told that certain specific and explicit ethical infrastructures must be present throughout the firm’s compliance program, the lawyer will be forced to consider those additional factors throughout the drafting process. In some instances, this may require the attorney to consult leaders within the firm to identify the best ways in which to incorporate ethical considerations throughout compliance policies. Importantly, these specific and explicit ethical infrastructures likely must go beyond general terms like “ethics,” “courage,” or “respect,” and instead focus on interventions that require specific and explicit ethical considerations when drafting compliance documents that include ethical infrastructures.

3. Flexibility in Implementation.

Compliance programs are necessarily as diverse as the companies that implement them. Each organization has its own unique structure, industries, risks, and concerns, and compliance programs regularly reflect that fact. Firms hoping to include more meaningful ethics norms within their ethics and compliance programs will need similar flexibility to implement ethical infrastructures that will work well for their particular firms. This Essay encourages firms to implement specific and explicit ethical infrastructures within their compliance programs, and then suggests one way to promote such an outcome. But firms could easily adopt other types of ethical infrastructures. What is important is that firms consider how they might incorporate more meaningful ethics within their compliance programs and actually do so.

D. Caveats

This Essay leaves a variety of questions unanswered. Can a firm mandate ethics?  Probably not. Do individuals within firms care about ethics? Hopefully so. Should lawyers oversee the creation of ethical standards? Perhaps, but probably not in a vacuum.

The truth is that when people are confronted with a task as seemingly unwieldy as establishing a program of ethics, it is often perceived as a daunting or impossible task. It is daunting, but hopefully this Essay has shown it is not impossible. In the field of ethics and compliance the challenge is not necessarily to fix everything at once, the challenge is to be brave enough to think through the weaknesses in one’s program and experiment with ways in which improvements might be made. Much has been done on the compliance front over the past fifteen years. It is time for ethics to have its turn.

Conclusion

Policymakers, industry leaders, government officials, and even a few legal academics have acknowledged the importance of ethics within compliance programs. In practice, however, ethics and compliance programs often focus a great deal on specific compliance controls without similarly specified ethics infrastructures. This Essay argues that it is time for firms to adopt explicit and specific ethical infrastructures within compliance programs. That is not to suggest that creating ethical infrastructure will be easy, but the persistent scandals plaguing sophisticated organizations all across the globe suggest that it is time to at least experiment with creating more meaningful ethics within ethics and compliance programs at firms.