What factors determine when to rely on employee trust versus implementing stricter controls in a compliance framework?
Jonny: Organizations decide whether to rely on employee trust or impose stricter controls by assessing the inherent risk against the organization’s risk appetite. The starting point is to identify the events that could manifest the risk and the potential consequences if they do. If the inherent risk (probability and impact assuming no controls) exceeds the organization’s tolerance, management should implement preventive and detective controls to bring risk within appetite.
Several factors influence this judgment. Magnitude of harm matters most, for example, financial loss, legal exposure, or reputational damage. Opportunity and incentives also matter; roles involving money, sensitive data, or discretion typically require more controls. Prior misconduct or weak tone at the top argues for tighter oversight.
Trust is important, but in compliance, it should be structured trust, that is, trust supported by controls calibrated to inherent risk and the organization’s risk appetite.
Could you share any examples of where excessive control undermined trust or where trust led to a compliance lapse? What lessons might we draw from these events?
Laura: Two well-known episodes show the risk at both extremes. At Wells Fargo, aggressive sales quotas and constant monitoring drove employees to open millions of unauthorized accounts. The organization had plenty of controls—but they focused on hitting targets rather than questioning whether the aggressive targets themselves created misconduct risk. Employees learned that hitting the metric mattered more in their performance evaluation than serving the customer.
The collapse of FTX reflects the opposite failure. Reports describe an organization with few meaningful governance safeguards, where leaders relied heavily on personal trust rather than basic financial controls.
The lesson is simple: compliance breaks down at both extremes. Controls that distort incentives invite circumvention. Trust without verification invites abuse. Effective compliance programs require both—clear expectations, sound controls, and a culture where employees understand the purpose behind them.
In your experience, how does the culture of an organisation influence the balance between autonomy and oversight in compliance practices?
Laura: An organization’s culture drives the balance. In healthy cultures, managers grant autonomy because employees understand the organization’s objectives, risk appetite, expectations, and consequences of non-compliance. Unhealthy cultures create the opposite dynamic. Organizations that lack trusted employees layer on rules, approvals, and monitoring, which can perpetuate the unhealthy culture where employees may feel pressured to hide errors or mistakes and not speak up when they observe or suspect misconduct.
Jonny: In our experience, companies often get in trouble because management believes the culture is healthier than it is. Leaders assume employees will act with integrity even though compensation programs and performance pressures unintentionally incentivize bad behavior. The problem often lies not with employees, but with signals management sends through targets, compensation, priorities and, most notably, by management’s examples (i.e., tone from the top).
What role is technology – such as artificial intelligence, automation or surveillance tools – playing in shifting the trust-control dynamic within organisations?
Jonny: Technology is reshaping the trust–control dynamic. Controls used to be more visible (e.g., required approvals, supervisory reviews, formal sign-offs) signaling distrust and slowing business. Today’s technology (e.g., AI, data analytics) allows controls to operate in the background without interrupting workflows. In fact, technology increases the productivity of these workflows, allowing them to churn large amounts of data at a rapid pace with human oversight.
The shift can change how employees experience compliance. People can exercise autonomy while technology verifies compliance with policy and reduces the need for intrusive oversight and manual reviews while still delivering, and many times more efficiently delivering, an effective compliance program.
What steps should be taken to ensure that compliance controls empower rather than alienate employees, especially in high-trust environments?
Laura: Organizations must articulate their objectives and risks. Employees are more likely to embrace controls when they understand the objectives the organization seeks to achieve and the events that would impede achieving them. Without that context, controls feel arbitrary.
Tailoring matters. Target specific risks, not blanket restrictions. Precision reduces friction and signals respect for employee judgment.
Pay particular attention to compensation and performance targets. Employees quickly notice when organizations reward behavior that controls discourage. This misalignment undermines employees’ trust. A strong culture of compliance and tone from the top is key.
Do you believe that regulatory expectations are evolving toward more trust-based models (such as self-reporting and proactive disclosures)? How are organisations adapting?
Jonny: Regulators increasingly reward organizations that surface and self-disclose problems. The DOJ, SEC and other enforcement agencies offer quantifiable credit for voluntary self-disclosure, cooperation, and timely remediation. At the same time, governments have expanded whistleblower programs that reward individuals who report misconduct directly to regulators. Together, these developments create a powerful incentive: if the company does not detect and disclose the problem, someone else might.
Laura: Organizations are strengthening internal reporting mechanisms. Many have expanded hotlines, web-based portals, and other confidential channels that allow employees and third parties to raise concerns early. They also communicate more clearly that good-faith reporting will not trigger retaliation – but enforcement is critical. Organizations must actively enforce it by monitoring for retaliation and disciplining offenders.
The objective is straightforward. If employees trust internal reporting systems, issues surface internally first, giving the organization an opportunity to investigate, remediate, and decide whether self-disclosure is appropriate.
How should organisations measure the effectiveness of their trust-control balance? Are there specific key performance indicators or feedback mechanisms they can rely on?
Jonny: Organizations should ask themselves: do employees raise concerns early, or do problems surface only after they cause harm?
Track reporting metrics. Healthy organizations tend to see steady usage of hotlines and reporting to supervisors that prompt escalation, and meaningful follow-up. A complete absence of reports signals fear or indifference.
Laura: It’s also important to review control deviations. Organizations should examine operational indicators such as policy exceptions, control overrides, and repeat findings from monitoring or internal audit. These data points reveal whether employees exercise judgment within the organization’s risk appetite or seek to bypass policies, processes, and controls.
Ask employees directly. Surveys, exit interviews, and training feedback often reveal whether controls feel like tools that support good decisions—or obstacles people try to work around. Surveys can be a key tool in measuring the employees’ trust in the organization, leadership, and the controls in place.
Jonny Frank brings over 45 years of public and private sector experience in forensic investigations, compliance, and risk management, including more than two decades of law and business school teaching. He helps organizations and counsel remediate misconduct and address regulatory findings. Jonny is well known for his work in risk assessment, remediation, controls testing, and compliance monitoring. He joined StoneTurn from PwC, where he was a Partner and founded and globally led the Fraud Risk & Controls practice. He also served as Executive Assistant United States Attorney for the Eastern District of New York, a Senior Faculty Fellow at the Yale School of Management, and an Adjunct Associate Professor at Fordham University Law School and Brooklyn Law School.
Laura Greenman brings nearly 15 years of public and forensic accounting expertise, as well as in-house and consulting financial services experience. She specializes in implementing and testing internal control frameworks and compliance programs of large financial institutions and corporations and advising companies on how to remediate and enhance compliance programs to prevent and detect fraud and ethical misconduct. Laura has deep monitorship experience, having led teams on many of StoneTurn’s largest and most complex monitorship engagements. She joined StoneTurn in 2016 from Goldman Sachs, where she was a Legal Entity Controller focused on financial and regulatory reporting, and previously worked in EY’s Financial Services Assurance practice.
Download a copy of the Q&A from Risk & Compliance Magazine or read more on their website.