Compliance Management Systems: Do They Make a Difference?

Document Type

Book Chapter

Publication Date



Regulatory compliance is vital for promoting the public values served by regulation. Yet many businesses remain out of compliance with some of the regulations that apply to them—presenting not only possible dangers to the public but also exposing themselves to potentially significant liability risk. Compliance management systems (CMSs) may help reduce the likelihood of noncompliance. In recent years, managers have begun using CMSs in an effort to address compliance issues in a variety of domains: environment, workplace health and safety, finance, health care, and aviation, among others. CMSs establish systematic, checklist-like processes by which managers seek to improve their organizations’ compliance with government regulation. They can help managers identify compliance obligations, assign responsibility for meeting them, track progress, and take corrective action as needed. In effect, CMSs constitute firms’ own internal inspection and enforcement responsibilities. At least in theory, CMSs reduce noncompliance by increasing information available to employees and managers, facilitating internal incentives to correct instances of noncompliance once identified, and helping to foster a culture of compliance. Recognizing these potential benefits, some government policymakers and regulators have even started to require certain firms to adopt CMSs.

But do CMSs actually achieve their theoretical benefits? We review the available empirical research related to CMSs in an effort to discern how they work, paying particular attention to whether CMSs help firms fulfill both the letter as well as the spirit of the law. We also consider lessons that can be drawn from research on the effectiveness of still broader systems for risk management and corporate codes of ethics, as these systems either include regulatory compliance as one component or they present comparable challenges in terms of internal monitoring and shaping of organizational behavior. Overall, we find evidence that firms with certain types of CMSs in place experience fewer compliance violations and show improvements in risk management. But these effects also appear to be rather modest. Compliance in large organizations generally requires more than just a CMS; it also demands appropriate managerial attitudes, organizational cultures, and information technologies that extend beyond the systematic, checklist processes characteristic of CMSs. We address implications of what we find for policy and future research, especially about the conditions under which CMSs appear to work best, the types or features of CMSs that appear to work better than others, and the possible value of regulatory mandates that firms implement CMSs.


Regulatory compliance, administrative regulations, compliance programs, enterprise risk management, risk control, organizational behavior, corporate behavioral change, corporate codes of ethics, rule of law, systems engineering, organizational cultures

Publication Title

Cambridge Handbook of Compliance

Publication Citation

In Cambridge Handbook of Compliance (Benjamin van Rooij & D. Daniel Sokol eds., Cambridge 2021)