Kenneth A. Bamberger & Deirdre K. Mulligan, PIA Requirements and Privacy Decision-Making in US Government Agencies, in Privacy Impact Assessment (D. Wright & P. De Hert eds. 2012), available at SSRN.
Many large law firms are experiencing increased demand for their compliance and risk management services. They are writing compliance manuals and organizing and teaching training programs. They compete with consulting and accounting firms for this work.
Some of this work requires skills not traditionally found in law firms. To be sure, the translation of regulations into simpler language for manuals and the oral communication skills necessary for trainings are commonplace. But the best internal controls require knowledge of the pressures on the corporate actor. And they require understanding the actor’s perspective, in order to motivate their commitment to compliance. Lawyers known for their “judgment” often had such knowledge and understanding. But many lawyers relied on their independence to avoid engagement with what they belittled as “corporate politics and in-fighting.” Others would rely on their independence to emphasize that they simply gave options to their clients and were not responsible for what their clients did.
Both the forces acting on and the forces emanating from corporate actors must be understood to implement the compliance programs that are evolving as essential features of corporate governance. Heretofore, corporate governance did not get below the board level. And the idea that directors do not direct was repressed, even as it was repeatedly discovered. If we are going to contribute to compliance and risk management, and if we are to train graduates who can compete with those from business schools, then we have to get inside the corporation, which heretofore has been a black box. We need to understand organizational behavior.
Because of the lack of transparency in corporations, research on their organizational behavior, especially regarding legal compliance, has been limited. Fortunately, public agencies are large organizations, beset by agency cost problems, and operating more in the sunshine than corporations. Not all research on public agencies makes comparisons to corporations possible, but Bamberger and Mulligan analyze a problem which parallels that of corporate compliance and risk management.
Inside the corporation, compliance activities are “secondary mandates”: the goal of compliance is “at best orthogonal to, and at worst in tension with” (P. 225) the corporation’s primary economic objective. They interact with “structures, cultures and decision-making routines geared to maximizing” (P. 226) the corporation’s primary economic mission.
Bamberger and Mulligan examine privacy, a secondary mandate, at two public agencies, US Departments of State and Homeland Security, reviewing their consideration of RFID (radio frequency identification) technologies for passports and visitor and immigrant identification. They examine how the risks to privacy of this technology, and its consideration in the two agencies’ PIA (privacy impact assessment) interacted with the structures, cultures and processes at the agencies which were geared to efficiency and security, values in tension with preserving privacy.
Bamberger & Mulligan’s goal for the secondary mandate is that the organization “integrate meaningful consideration of” it “into agency structures, cultures and decision-making” (P. 226). The question is not whether the organization will be found to be guilty of non-compliance or even whether the organization is committed to compliance. Because what constitutes compliance is always contestable (within limits) and because compliance may be in tension with the organization’s primary mandate, a compliant organization is not the appropriate goal. At best, as the organization’s mission is elaborated, the claims of compliance are meaningfully and seriously part of the organization’s structures, cultures and decision processes.
So understood, risk assessment is not the search for hot spots. Rather, it is the process-based reorientation of decision-making to include compliance values. For example, Bamberger & Mulligan, similar to those who studied NEPA, discovered that “front-loading” compliance (privacy or environmental) experts into planning processes led to full consideration of these values as part of decision-making. In my own work on inside counsel, I too found that their being involved early in the decision-making process was critical to their being able to influence decision-making.
So understood, compliance cannot stand separate from or over operations. Compliance is best effected, Bamberger & Mulligan emphasize, by an “insider”: to operationalize and impact decision-making “requires both an insider’s seat at the policy-making table and an insider position within the day-to-day bureaucratic processes” (P. 240). Otherwise, compliance is likely to be either merely “ceremonial” or ineffective due to information asymmetries.
At the same time, compliance requires that the insider be committed to compliance values, whether through personal history, expertise or reporting relations. They must be trusted insiders, but they must not be defined by the culture, structures and processes of day-to-day decision-making.
So, the effective implementer of compliance does not have a “compliance mind-set” (P. 247). Rather, she is an “expert” on compliance, but for her a “policy orientation” dominates. Her goal is to “ensure the reasoned consideration of” compliance “throughout the” organization (P. 247). She is not a cop. She is a go-to expert and shaper of organizational decision-making.
Bamberger & Mulligan clearly show how the management of the privacy compliance experts at the two public agencies resulted in vastly different results regarding the same technology. They discuss how the pressures at the agency and on agency personnel interacted with privacy concerns. In so doing, they have much to teach those who consider compliance at corporations. Bamberger & Mulligan repeatedly term the agencies “bureaucracies.” Yet their own evidence suggests that the agencies operate by project-team decision-making, which is characteristic of the modern (de-bureaucratized) corporation. Their lessons reach further than they think.