Corporate compliance is a “wicked problem”: one with many moving parts, where there is no single effective solution, the law of unintended consequences applies, and the solution itself is a never-ending process. Nowhere is this wickedness more apparent than in the delicate relationship between the board of directors and senior executive management, where the board must simultaneously pursue two dissonant, yet equally critical, tasks: it must enlist, support and utterly depend on the C-suite to develop a culture of integrity throughout the organization; but it must also monitor and enforce compliance within the C-suite itself.

In an essay published by Corporate Counsel last June, “Only the Right CEO Can Create a Culture of Integrity,” Ben Heineman Jr. addressed the first of these tasks. He stressed the CEO’s indispensable role in building a high-integrity organizational culture, based on shared principles and practices that influence how people feel, think and behave: “[S]uccess in this core task depends mightily on having the right CEO with the right values, energy, and commitment truly to lead the company.” Selecting that CEO, Heineman said, is “the most important” job of the board.

If only that were the board’s sole compliance job. Directors’ compliance responsibilities would be refreshingly straightforward if, having selected the CEO and established appropriate direction, accountabilities and incentives, they could always rely on the CEO to both evangelize and implement compliance. But CEO selection is tricky and, more to the point, if confronted with compelling pressures or temptations and fortified by plausible rationalizations, good people can do very bad things. The just-released report on a recent RAND Symposium, “Culture, Compliance and the C-Suite,” examines the board’s other critical compliance task—supporting, monitoring and enforcing C-suite compliance.

This is not a duty that can be fully delegated to the corporate compliance and internal control staffs. We have entered a time when regulatory agencies like the Securities and Exchange Commission are engaging directly with board members as part of routine compliance examinations, when deferred prosecution agreements commonly prescribe specific compliance roles for directors, and when federal sentencing guidelines deny leniency in cases of executive misconduct unless the board has consulted regularly, and directly, with the chief compliance officer.

Directors, in their role as guardians of corporate integrity, have never been more closely watched. In this context, the RAND report discusses how boards can best address compliance in the C-suite, while still engaging productively with the CEO and other senior executives in building a strong and pervasive culture of compliance. The conversation was not about Caremark standards, personal liability or other legal requirements for boards, but about effectiveness; it was not about what a board must do to protect itself, but about what a board can do to protect the company, its shareholders, its employees and the public from the very rare, always unexpected, and usually devastating advent of serious executive misconduct.

A CEO committed to organizational integrity can do things no board can do: armed with high visibility, line of sight, and the tools of command and control, the CEO can set a powerful example and require adherence to it. So let’s unpack why it is that, nevertheless, the board must do more than hire a CEO of apparent high integrity and get out of the way.

No one intentionally hires the “wrong” CEO. I believe most boards feel that they have the right CEO—the best they could get, or, at a minimum, one who could not with confidence be traded in for an improved model. And we can assume that the board trusts the CEO; certainly, when any responsible board concludes that trust in the CEO is no longer justified, the search for a replacement begins. So it seems fair to propose that at any given time, most boards feel that they have fulfilled their CEO-selection responsibility as best they can, and that their CEO, if not necessarily ideal, is at least not palpably “wrong” and is worthy of their trust.

And yet, despite all this careful hiring of trusted executives, C-suite misconduct persists, with all its destructive impact upon profit, morale and reputation. Executive misconduct is uncommon, but not as rare as psychopathy or clinical narcissism and so cannot be explained solely by the extreme pathologies of a few very bad apples. Something else is going on.

Like most human traits, integrity manifests along a bell curve. At the thin outer edges of the curve, perhaps two standard deviations from the mean, we have the true psychopaths at one end and at the other end the saints—persons of vigilant, resolute integrity, for whom morality is their North Star and constant focus. It is hard to draw your executives solely from the latter pool—you need people of extraordinary distinction on several other scarce traits as well—and if that brand of ethical invulnerability is indispensable for the CEO role, then most hiring efforts are doomed from the start. Most realistic candidates fall somewhere in the middle 96 percent of the integrity curve, and within that fallible group, we know that circumstance and context strongly affect ethical decision-making. The influence of social and situational forces on our decisions is so pervasive that psychologists use the term “fundamental attribution error” to refer to our naïve belief that immutable character traits drive most behavior.

Time and again experience has shown that people who consider themselves (and are considered by others) highly moral can be led into misconduct by any of the five P’s: pressure, pleasure, power, pride or priorities—not to mention payment. Forces like these are rampant in the C-suite, where ambitious executives confront enormous economic stakes, strong pressures and incentives, and high expectations for performance, under circumstances where they have great discretion to act and the power to avoid external controls.

Worse yet, recent behavioral science research shows that these corrosive external forces are amplified by a variety of human failings that we’re all prey to—pernicious cognitive biases that can blind us to the ethical or legal dimensions of a situation, lead us to rationalize misconduct that promotes our own interests, and goad us into escalating our commitment to the wrong path once we’re on it. Factors such as conflicts of interest, overconfidence, in-group loyalty, conformity pressures, motivated blindness and attentional blindness—plus the disinhibiting effect of power—cloud our judgment, make the first small step of misconduct easy to take and easier still to rationalize, and lubricate the slippery slope.

More than anything else, this latter point about small beginnings—how easy it can be to round earnings up by just a penny, to recognize revenue that “should have” come in before quarter-end, or to extend a small and untraceable financial “courtesy” to a foreign official who is holding up your project—shows why hiring trusted executives and putting them on the honor system doesn’t always work out. The key to understanding misconduct is not in its explosive endings but in its quiet beginnings. Once context bends character on a small scale, escalation may turn out to be easy if not inevitable.

A point made repeatedly in the RAND report is that, in light of these findings, the board must take charge not only of selecting executives for character, but of shaping the ethical context in which the entire C-suite operates. A board that aspires to ethical leadership beyond Caremark’s minimum requirements can do much to discourage the small, seductive lapses that open the door to larger violations. Directors can model a strong ethical example through their own behavior and can show institutional commitment to compliance by establishing a board-level compliance committee. They can impose explicit high expectations about executive conduct, adopt a low tolerance for even minor infractions, and never give a pass to a top performer. The board can reinforce this ethical context by holding senior executives accountable for propagating an unbending culture of integrity throughout the organization, and by incorporating compliance expectations and metrics into executive compensation and evaluation processes.

The board can also buffer some of the situational forces that tend to incubate C-suite misconduct, particularly by ensuring that legal, ethical and stakeholder considerations are systematically taken into account in major decisions. The board should set responsible, achievable goals and timelines for the organization and its leaders, and avoid hazardous performance incentives, such as large all-or-nothing stakes.

Finally, the board has a non-delegable monitoring responsibility. We cannot know what pressures the trusted colleagues who lead a company may be enduring, what temptations look like through their eyes, or what rationalizations may seem satisfactory to them in a moment of crisis. And the fact that someone is a charismatic evangelist of upright morality is plainly no guarantee of their own compliance efforts. Moreover, despite the best efforts to the contrary, people at the wrong end of the integrity bell curve do occasionally land in the C-suite—and a few of them have compelling personalities, advanced manipulative skills, and no conscience whatsoever. The board must keep an eye on the store.

There’s an adage that half of all advertising dollars are wasted: we just don’t know which half. Monitoring the C-suite—like monitoring anybody else—is a similar proposition. A board can’t know in advance whether monitoring is actually necessary in any particular case. After all, from a distance, covered-up misconduct looks a lot like compliance—until all hell breaks loose. Our best hope is that the monitoring effort is largely a waste of time, and often, with high-integrity officers in place, it will be. But we cannot afford to equate low likelihood with low risk. The persistence of exceptional, and always unexpected, eruptions of misconduct, and the enormous damage executive wrongdoing can inflict, means that monitoring is never optional.

The efficacy of a board’s monitoring is directly proportional to the quality of information it receives, and healthy information flow depends on the empowerment of those in control functions such as the chief compliance officer, the heads of internal audit and HR, and the general counsel. By supporting the independence of these officers, ensuring that they get the resources to build a culture of “speaking up” backed by a strong and multichannel Caremark “corporate information and reporting system,” and tapping into the resulting information flow through regular briefings, the board can help ensure that it receives unbiased, unfiltered information of high quality from all corners of the organization.

All of these steps can be implemented without getting in the way of the CEO—to the contrary, the “right” CEO will probably welcome them. And if the CEO is “wrong,” getting in his way is a very good idea.