STRIKING THE RIGHT BALANCE BETWEEN TRUST AND CONTROL

R&C: What factors determine when to rely on employee trust versus implementing stricter controls in a compliance framework?

Frank: Organisations decide whether to rely on employee trust or impose stricter controls by assessing the inherent risk against the organisation’s risk appetite. The starting point is to identify the events that could manifest the risk and the potential consequences if they do. If the inherent risk – probability and impact assuming no controls – exceeds the organisation’s tolerance, management should implement preventive and detective controls to bring risk within appetite. Several factors influence this judgment. Magnitude of harm matters most – for example, financial loss, legal exposure or reputational damage. Opportunity and incentives also matter – roles involving money, sensitive data or discretion typically require more controls. Prior misconduct or weak tone at the top argues for tighter oversight. Trust is important, but in compliance, it should be structured trust – that is, trust supported by controls calibrated to inherent risk and the organisation’s risk appetite.

R&C: Could you share any examples of where excessive control undermined trust or where trust led to a compliance lapse? What lessons might we draw from these events?

Greenman: Two well-known episodes show the risk at both extremes. At Wells Fargo, aggressive sales quotas and constant monitoring drove employees to open millions of unauthorised accounts. The organisation had plenty of controls – but it focused on hitting targets rather than questioning whether the aggressive targets themselves created misconduct risk. Employees learned that hitting the metric mattered more in their performance evaluation than serving the customer.

Apr-Jun 2026 Issue

StoneTurn