In our perpetual quest for simplicity, sometimes we fail to understand the complexity of an issue.   In the corporate world, if you ask board members and CEOs how they would define a compliance program ”failure,” I am sure most  would answer that a compliance program fails when the government brings an enforcement action. In other words, when the government investigates a company and when a company breaks the law, compliance has failed in its primary responsibility  —  to prevent a violation of the law.

This is a good definition in extreme enforcement cases. Take for example, Siemens, Alstom, Volkswagen and other significant enforcement actions that involved systematic breakdowns in a company’s culture and compliance controls. When a significant number of actors circumvent controls and embrace behaviors inconsistent with the company’s culture and code of conduct, it is reasonable to conclude that the company’s compliance program has failed.

So far, there is nothing controversial about that argument.  However, the issue is more nuanced than that because a “failure” should not depend on whether the government catches a company but should depend on the overall performance of a compliance program.

The definition here appears to depend on certain degrees of misconduct. In other less significant enforcement actions, is it fair to conclude that a compliance program failed when a smaller number of employees, possibly in one office, carry out an illegal scheme?

In the Johnson Controls FCPA action last year, sixteen employees at an office in China banded together to circumvent financial controls to collect money and use it to pay bribes. That was not a systemic breakdown across the company, but was a local breakdown.  Is it fair to conclude that the company’s compliance program failed?

On the other side of extremes of misconduct, we  often hear about the myth of the so-called rouge employee who engages in misconduct causing corporate liability under the respondeat superior doctrine. Without getting into whether such a circumstance actually occurs, as the number of actors dwindles, it is harder to characterize a company’s compliance program as a “failure.”

A company’s compliance program cannot be judged on a standard of perfection. Nor can a CCO be held accountable for each and every significant occurrence of misconduct. Bad people work at good companies and it is unfair to suggest that a compliance program has to ensure that everyone at a company comports with a code of conduct and the law. Such a standard is unfair and irrelevant.

Let’s try some other measures. What if we adopt a standard based on rates of employee misconduct? Even that standard, however, is subject to other variables such as detection resources, availability of hotlines, and internal investigation programs. It is hard to measure accurately a single factor – rate of misconduct – when such a factor is subject to multiple variables.

The issue is really much more nuanced. Government prosecutors who hold corporations to a strict standard of corporate compliance are not necessarily being fair. Companies that have effective programs may fail to prevent misconduct and law-breaking. Just like many issues in life, the answer is one of degrees.

With 20-20 hindsight, it is easy to conclude that General Motors, Takada, BNP Paribas, or HSBC suffered from compliance program failures. These cases easily fall into the systemic sets of violations where compliance appears to be just an after thought or compliance officers are ignored or overrun by bad actors.

Corporate leaders, however, contribute to the definition problem as well. By simplistically asserting that a compliance program “fails” when there is a government enforcement action, the board and CEO have adopted the simplistic – and inaccurate – measurement of an effective compliance program. More attention needs to be given to how the compliance profession defines success and how it defines failure. There are grey areas surrounding these questions and they require closer examination and thoughtful solutions.