Over more than three decades of defending claims, litigating False Claims Act cases, and helping clients avoid suspensions and debarments, my law firm colleagues and I have learned a fair amount about risk and what makes corporate compliance programs succeed or fail.
One of the “secret ingredients” we have used over the years to drive clients toward the former and avoid the latter is a healthy mix of traditional legal principles and behavioral economics.
Richard Thaler, the 2017 Nobel laureate in economics, describes behavioral economics as economics with more realistic assumptions about human behavior. Daniel Kahneman, the Nobel laureate author of Thinking, Fast and Slow, describes it as the study of how people make decisions under conditions of uncertainty, relying on heuristics (mental shortcuts) that systematically depart from rational choice.
However defined, the core insight is straightforward: Behavioral economics is about human behavior—how we assess risk, how we make decisions, and how our brains often lead us to misjudge both.
A thoughtfully designed compliance program not only must recognize – and guard against – the tricks our brains play on us, but also must look for opportunities to benefit from those tricks.
Here are a few illustrations of how my Sheppard colleagues and I incorporate behavioral economics in our compliance work – and how you can too.
Overconfidence bias/Optimism bias
Humans are, by nature, overconfident—even those who would describe themselves as shy. We tend to overstate our abilities and our level of certainty, while underestimating the role of luck (good or bad) in outcomes. In the compliance context, overconfidence is particularly dangerous. When organizations convince themselves that their internal controls are strong—or even impenetrable—they stop looking for weaknesses.
The result is missed opportunities to identify and address gaps before they metastasize into real problems.
Mitigating overconfidence is no easy task, but there are practical tools that can help. One approach my colleagues and I use is a “Legal Pre-Mortem,” adapted from the concept of “prospective hindsight.”
A pre-mortem begins by gathering key company players and positing a compliance failure—a termination for default, an Office of Inspector General (OIG) subpoena, a Civil Investigative Demand (CID) from the U.S. Department of Justice (DOJ)—and then asking, in the voice of an unhappy CEO: “We spend significant resources on compliance—how did this happen?!”
From there, we work backward, identifying the decisions, assumptions, and missed signals that “led” to the hypothetical failure. Our experience is that this exercise helps counter overconfidence by forcing a more candid assessment of risk and surfacing vulnerabilities that might otherwise go unnoticed—with no one getting defensive because no one has done anything wrong (yet).
Prospect theory/Loss aversion
We know people dislike losses more than they value equivalent gains. The classic illustration of this cognitive bias, as so many do, involves a gamble.
Consider a coin flip: Would you prefer a 50/50 chance of winning $200 (and nothing if you lose), or a guaranteed $100? While an economist will tell you the expected value is the same in both scenarios, most people choose the sure thing, revealing an aversion to potential losses. This cognitive bias has real implications for those of us who design, implement, and maintain compliance programs. Knowing how strongly people react to potential losses tells us it is not enough to emphasize the benefits of investing in compliance. Effective programs must also highlight the significant losses those programs are designed to prevent—financial, reputational, and operational.
Confirmation bias
We all know someone who believes “the evidence” invariably supports their views. (If you don’t, you may be that person.) That instinct often reflects a confirmation bias—the tendency to seek out and give greater weight to information that reinforces our existing beliefs, while discounting or ignoring information that challenges them. Most people simply do not go looking for evidence that proves themselves wrong; they look for evidence that proves themselves right.
As but one relatively modern example, consider this: studies of online behavior show that users are significantly more likely to engage with information that aligns with their views than with information that contradicts them.
This same dynamic plays out in the workplace—with serious consequences. Confirmation bias can cause organizations to overlook warning signs that elements of their compliance programs are not working. The familiar refrain, “We should have seen that coming,” is often less about hindsight and more about ignored signals that did not fit the prevailing narrative.
Effective compliance programs build in safeguards against this bias. This starts with creating space—and accountability—for objective, dispassionate discussion and evaluation. In complex organizations, failures will occur. The risk lies in explaining those failures away as outliers rather than examining whether they reveal broader weaknesses. Regular audits, independent reviews by those not involved in designing the program, and cross-functional discussions that bring diverse perspectives to the table (finance, HR, legal, compliance, and business teams) all help counteract confirmation bias and strengthen a compliance program over time.
Base rate neglect
Humans have a tendency to underweight general probabilities and over-rely on case-specific details—a phenomenon behavioral economists refer to as base rate neglect (or the base rate fallacy). A viral video of an unruly airline passenger makes us wonder why it “happens all the time.” A single frustrating checkout experience at the grocery store leaves us convinced we always pick the slowest line. These reactions feel natural because we struggle—especially in the moment—to recall all the times the opposite occurred.
Psychological research confirms both the existence and prevalence of this bias in all manner of scenarios.
In a classic experiment originating from two of the grandfathers of behavioral economics, Daniel Kahneman and Amos Tversky, subjects are given a description of a woman who is quiet, organized, and detail-oriented, with a strong interest in books. When asked whether she is more likely to be a librarian or a lawyer, most choose librarian. But that answer ignores the base rate: There are far more lawyers than librarians in the U.S., making it statistically more likely she is a lawyer—even if the description “fits” the stereotype of a librarian. (Think of it this way – even if we count only the lawyers who fit the description above, there still are more of those than there are librarians.)
What does this mean for compliance? Among other things, it reminds us to resist designing compliance programs that overreact to the issue of the moment and remember to give adequate attention to the often more frequent and consequential sources of compliance risk.
Present bias
I’ll concede this may be my favorite cognitive bias (and, yes, that confirms I am a behavioral economics nerd). Perhaps this is because it is so pervasive in everyday life. In simple terms, present bias is the tendency to overweight immediate costs and benefits relative to those in the future. It helps explain the surge in gym memberships each January (and the cancellations each March), the familiar refrain, “Why did I eat (or drink) all that,” and the roughly $1.9 trillion in U.S. credit card debt.
In the compliance context, present bias helps explain why organizations often underinvest in robust compliance programs. A dollar spent today feels far more expensive than the possibility of several dollars in penalties tomorrow. The same dynamic plays out at the individual level: Just as executives view compliance investments as a near-term cost, employees often view training and controls as near-term costs. Understanding present bias helps us design thoughtful and effective compliance programs that work for employees – and their employers.
Fortunately, there are practical ways to mitigate this bias. First, emphasize the near-term benefits of compliance—faster approvals, better deal selection, and smoother audits, to name just three.
Second, reduce resistance by making compliance easier and more intuitive. Third—and most importantly—make future risks concrete. Abstract warnings about “potential liability” rarely move decision-makers. But specific, tailored scenarios do. When leaders can clearly see—and quantify—the potential consequences of noncompliance, it becomes much easier to overcome the pull of the present.
Conformity bias
In 1956, social psychologist Solomon Asch published a paper with a rather unwieldy title—Studies of Independence and Conformity—but a simple and powerful insight: It is difficult to maintain independent judgment when those around us signal, through words or silence, that we are wrong.
Asch’s experiment involved a group of participants (all of whom, except the actual subject of the experiment, were in on the game) asked to compare the length of three lines to a control line. Unbeknownst to the subject, the other participants had been instructed to give an obviously incorrect answer. Faced with a unanimous but clearly wrong majority, roughly one-third of the unwitting subjects gave the wrong answer at least some of the time.
In the compliance context, this cognitive bias matters a great deal. Employees take cues from those around them. When peers remain silent in the face of risky or noncompliant behavior, that silence sends a message.
One way my colleagues and I work to mitigate this problem is to incorporate a meaningful active bystandership component into our compliance programs. By teaching employees about the invisible forces that influence behavior—and equipping them with practical skills to intervene in a colleague’s conduct before something irreversible happens—organizations can empower individuals to act, even when group dynamics push in the opposite direction.
Consequence insensitivity
I’ll end with this one. And I concede that I may have coined this label, but the concept is not novel. Indeed, the concept draws from a range of well-established behavioral insights, most notably, the fact that decision-makers are often poor at assessing risk.
Even highly experienced executives tend to focus on what feels most immediate and manageable, discounting low-probability, but high-impact events in favor of more familiar, lower-stakes risks.
My colleagues and I see this cognitive mistake play out frequently in practice. Over more than three decades of advising companies, we often are asked: “How likely are we to be dinged if we violate clause X or Y?” It is a fair question—but it is only half the analysis.
Risk has two components: likelihood and consequence. Focusing on likelihood alone can lead to costly mistakes. A 10 percent chance of a lawsuit that could do significant harm to the business warrants serious attention, even if the odds seem remote.
From an expected-value perspective, a 10 percent chance of a $100 million problem is far more significant than, say, a 50 percent chance of a $10 million problem.
Yet many decision-makers gravitate toward probability and give insufficient weight to magnitude.
Fortunately, compliance professionals have a useful tool to overcome this bias: the risk matrix.
While not without its limitations—particularly if treated as a substitute for judgment rather than a guide—risk matrices force both likelihood and consequence into view. By mapping risks across two axes, they make it harder to ignore magnitude and encourage more balanced, disciplined conversations about exposure.
Conclusion
Human decision-making is fraught with error—yours, mine, everyone’s. A well-designed compliance program is meant to guard against the cognitive biases that drive those errors.
Too often, however, companies build programs that are well-intentioned—and look good on paper—but collapse when theory meets reality.
As Professor Thaler has observed, if you want people to do something, make it easy. The same principle applies to compliance: Programs that are simple, intuitive, and easy to follow are far more likely to succeed.
By reducing friction, companies can blunt the biases that lead to so many unexpected—and costly—failures. By incorporating behavioral economics into traditional legal thinking, we can all do a much better job reducing that friction.
Jonathan Aronie is a partner at Sheppard Mullin LLP, where he previously led the firm’s Governmental Practice and now leads its Organizational Integrity Group. He advises and defends federal contractors in a wide range of procurement matters, from building effective compliance programs to litigating False Claims Act cases.
