Legal rules are in force to protect shareholders, employees, and consumers from risk. Many of the most notorious corporate accidents and failures have resulted from noncompliance with these rules. Consider the examples of the BP Deepwater Horizon oil spillWells Fargo’s account scandal, and even Chipotle’s foodborne illness outbreaks. Each of these cases originated with some sort of rule violation.

When it comes to research about rule violations, the vast majority of studies by business scholars has focused on a singular question: Which organizations are most likely to break the rules? Prior studies have shown that rule violations are more likely in organizations with poor financial performance, deviant cultures, and flawed organizational processes. These accounts explain rule violations by looking at the characteristics of errant organizations.

We asked an altogether different question: Which rules are most likely to be broken? To tackle this question, we compiled a detailed dataset of over 80,000 rule observations from 1,011 hygiene inspections of 289 restaurants in Santa Monica, California, from 2007 to 2010. Our findings from a forthcoming paper suggest that the design of rules themselves can create significant challenges for otherwise well-intentioned organizations.

More Complex Rules are More Likely to be Broken

The system of hygiene rules in force in Los Angeles County during our study period was composed of 86 different rules around issues like appropriate food temperatures, employee handwashing, and vermin control. Health inspectors would visit each restaurant about every four months to check for compliance with each of these rules. Restaurant owners were highly incentivized to follow the rules because these inspections determined the scores posted by their front door. Other research has also found that better grades are associated with higher online ratings and increased revenues.

To study whether some rules were more prone to being broken than others, we focused on how complex each rule was. We coded each rule according to two types of complexity. First, we coded the number of components for each rule (i.e., its “size” based on the number of sections of the California State Code that make up the rule). For example, the rule about cooling methods was made up of only one section, whereas the rule about food-contact surfaces was made up of four different sections. Second, we coded the number of connections for each rule (i.e., its functional links to other rules in the system). Some rules were stand-alone, whereas others were linked to as many as five other rules, so that noncompliance with one rule might cause noncompliance with another. For example, the rule about food-contact surfaces was connected to five other rules about rodents, cockroaches, and other potential causes of dirty food-contact surfaces.

Our intuition was that rules that were high in either type of complexity would be harder to follow. Because organizations rely on routines for following rules, complex rules would require complex routines, which would be harder to execute reliably. As expected, both types of rule complexity increased noncompliance. The two also reinforced one another such that having many components and connections made it far more likely that the rule would be broken. Compared to a stand-alone rule with a single component, a rule that had three components and was connected to one other rule in the system was 78% more likely to be violated, all else being equal.

What happens after a restaurant is penalized for breaking rules? We expected that managers would have a harder time learning from their mistake and cleaning up their act if they had broken a complex rule compared to a simple rule. But, surprisingly, we found that the two types of complexity had opposite effects on repeat violations. Although higher numbers of connections were indeed associated with more repeat violations, higher numbers of components were associated with fewer repeat violations. In other words, bigger rules, although more likely to be violated, were also more likely to be fixed by the time the inspector returned for the subsequent inspection. While we couldn’t determine the mechanism at play due to limitations of the data, our hunch is that managers had limited attention and thus focused their efforts on the biggest rules deemed out of compliance (i.e., high components), yet they struggled to dig deeper and identify the underlying causes of violations of those rules linked to other rules (i.e., high connections).

Our findings also revealed that rule-breaking is very persistent over time. A restaurant was more than twice as likely to break a rule if it broke that same rule in the past, all else being equal. This “sticky” nature of noncompliance was true regardless of either type of rule complexity.

All of our analyses accounted statistically for a range of factors, including, among other things, differences in restaurants (e.g., age, size, cuisine, price level, etc.) and rules (e.g., penalties, content, etc.), as well as restaurants’ previous noncompliance records. Our findings don’t contradict prior research but, instead, offer a more complete picture by highlighting the critical role of rules themselves.

A Few Rules about Rules

Organizations are “immersed in a sea of law” made up of rules that are increasingly complex. Regulatory agencies often make rules bigger by tacking on additional stipulations to make them more comprehensive. These same agencies also frequently increase the interconnectedness of rules, especially in response to crises. The findings from our study suggest that both trends may have unintended consequences.

Of course, managers are not only responsible for compliance with legal rules; they also routinely design rules for the workplace. Although our study focused on the former, other studies have shown that organizational rules, too, tend to proliferate and grow increasingly complex over time. Managers would do well to conduct periodic audits of workplace rules with an eye toward making them as simple and straightforward as possible so as to curb noncompliance.

We suggest that managers might be able to better cope with their regulatory environments, and enforce compliance with their own rules, by following a few suggestions:

  • Design Deliberately – Rule-breaking is persistent; once it happens, it is hard to correct. Encourage middle managers to establish reliable routines around following rules early on to prevent bigger hurdles down the line. Better yet, involve frontline employees in the process.
  • Check for Connections – Noncompliance is particularly persistent when it comes to interconnected rules. In the event that a rule is broken, look beyond that one rule in order to find the root cause of the violation. Without addressing the root case, the real problem might be overlooked and other violations are likely to occur.
  • Manage Mindfully – Not all rules are created equal. Focus ongoing efforts on managing compliance with more complex rules, as they are most prone to violation. To do so, managers should treat rule compliance programs as less of a legal exercise and more of a behavioral science by experimenting with multiple types of training programs, codes of conduct, and other systems so as to learn how to most effectively mitigate rule violations.

Rules reflect important societal and organizational values and are in force to protect us from risk. Accounting for how the complexity of these rules either helps or hinders compliance will ensure that these values are upheld and risks mitigated.