The Badness Police
A Theory of Regulation
Imagine that Congress, in a deregulatory mood, decided to scrap every regulatory law and statute and dismantle every regulatory agency. Instead, they pass just one law, “Don’t be bad”, and empower an agency, the “Badness Police”, to enforce it. To make sure the Badness Police don’t overregulate, they limit the Badness Police’s rulemaking to one page. That’s it. Just one law – “don’t be bad” – enforced by the Badness Police with one page of rules.
What happens next? Well, without detailed laws and regulations, many cases of bad behavior go to court. In court, judges have to decide whether a company’s conduct was bad. Each time the judges issue an opinion, they add new factors to consider when evaluating badness: “foreseeability,” “harm to vulnerable groups,” “duty to mitigate”. These now become de facto rules; over time, badness is evaluated through 12-factor badness checklists, balancing steps, and standards of “reasonableness” which congeal into binders of case law. To avoid going to trial, some firms sign consent decrees with the federal government that include detailed “badness remediation plans” that have the force and effect of law.
But that’s just the start. Companies become frustrated with the lack of guidance on what counts as bad. They look closely at the Badness Police’s enforcement records to see what violations merited prosecution, but they need more. The Badness Police respond, and start to issue interpretive guidance, FAQs, webinars, advisory letters, and more to “clarify” the real meaning of their one page of regulations. To help industry comply with badness regulations, the badness police provide a sample risk matrix and heat map for firms to assess their badness – each element of the risk matrix is an area in which firms have the opportunity to institute controls, develop logs, and carry out attestations to assure compliance. And, fortunately, an ISO-approved standards development organization, the Institute for Badness Mitigation and Goodness Promotion (IBMGP), issues a 500-page badness standard which the badness police incorporate by reference into their badness regulations.
Companies have a clearer idea of the rules, but they still fear being sued for badness, and start to protect themselves. Every company appoints a Chief Badness Officer (CBO) who operates the Office of Badness Compliance; they are responsible for managing badness training, establishing corporate anti-badness policies, running a hotline for employees to report instances of badness, and issuing anti-badness process controls. Every time a new court decision is passed or the IBMGP issues new standards or the badness police issue a new FAQ, the companies implement new internal process controls to make sure they remain in compliance. Extensive records are kept of all badness mitigation activities so that companies can prove in court that they took all necessary steps. The motto: “If it isn’t documented, it didn’t happen.”
The anti-badness regime is shaping up, but it’s just getting started. Industry still fears that they may be held liable for badness despite their internal controls, so they turn to insurers who underwrite badness liability policies. The new badness liability insurance policies require firms to introduce more procedures and controls, including even more anti-badness training, logging, and audits. And speaking of audits, we now have badness auditors and certifiers who can confirm that firms are “bad-safe”. Part of being bad-safe is making sure your business partners are bad-safe too. Platforms and vendors, fearful of being held liable for their customers’ bad behavior, add “no-bad” clauses and rules that customers must follow. And companies put badness policies into their procurement contracts so that their internal badness policies flow down to their contractors and subcontractors.
To help manage all of this, companies hire badness consultants to help them improve their anti-badness policies and procedures. Consultants conduct “anti-badness maturity assessments” and develop “badness mitigation playbooks.” Companies whose badness compliance is not up to industry standards hire fractional CBOs to help them get their badness organization into shape.
Now the IBMGP realizes they have a mess on their hands: there are too many anti-badness policies within companies, some of which conflict with one another. They agree on the need for harmonization, and the solution is simple: They compare badness rules across companies and industries and agree on a combined industry-wide set of badness standards that adopts the strictest rule from every company.
Sadly, despite all of the badness mitigation, badness somehow still keeps happening. This is when the regulatory ratchet really gets going. Of course, there are no new laws or rules (since regulation is bad). Instead, the badness police start a crackdown on bad behavior, making examples of bad companies by suspending them from all federally regulated business activities (which turns out to be everything they do) until they improve their internal badness prevention procedures. Risk aversion ramps up even further. New rules, policies, and controls are implemented, insurers impose new rules, auditors step up their scrutiny, and things finally begin to calm down. Until, of course, the next badness incident takes place.
The Badness Police are not oblivious to the fact that the badness bureaucracy has grown. They become concerned that companies are over-interpreting their simple anti-badness rules. They look into loosening the badness restrictions. After several years of public meetings and engagements with key anti-badness stakeholders, they rewrite the one-page badness regulations. Clearly, the old badness restrictions were too prescriptive and detailed, so the new badness regulations make it clear that companies can mitigate badness in whatever way they choose; as long, of course, as they document their compliance and apply proper procedures and controls. They suggest that companies consider “risk-based” compliance so that those activities that might be baddest can come under the greatest scrutiny. They suggest that for activities with little or no possibility of badness, companies can issue very brief “badness assessments” that justify why no interventions are needed.
The Badness Police request public comment on the proposed changes to the badness regulations. The companies, of course, let their Chief Badness Officers respond on their behalf, since they’re the experts. The CBOs let the Badness Police know they are thrilled with the new changes. In their submissions to the federal docket, they “applaud the Badness Police’s commitment to regulatory flexibility and reform.” All of the Badness Police’s key stakeholders respond to the docket as well: the badness auditors, badness consultants, badness insurers, and the IBMGP all weigh in. Amazingly, they all agree that the new anti-badness regulations are an excellent and important step forward in badness regulation. The Badness Police is thrilled – everyone agrees that national badness policy is on the right track. The new badness regulations are quickly approved and revolutionize the badness industry by creating brand new badness assessments for every company to complete. Fortunately, the badness consultants are there to help.
How Did We Get Here?
I set up this thought experiment to answer a question that I have wondered about for some time: Why is it that seemingly simple rules and regulations so often seem to spill over into a flood of procedures? Why does there seem to be a ratchet effect in which rules, policies, and procedures grow increasingly cumbersome and strict without any movement in the other direction? I’m far from the first to examine this problem, but I also wanted to explore why the rules and proceduralism seem to extend so far from government; why they seem pervasive even in regulated industries themselves.
I want to answer this question not because I am opposed to regulation, but because I believe in it. Like most of my readers, I am firmly opposed to badness. In fact, I have spent much of my career as a badness consultant. I actually think we need badness consultants, badness standards, badness compliance, badness liability insurance - all of it. The badness police is the reason that our drugs work and our planes don’t crash. It might be motivated reasoning on my part, but I genuinely believe that badness is really bad, and that people who work on addressing badness actually reduce the amount of badness in the world.
What we really want to avoid is the baggage that these kinds of laws and institutions can carry with them: The tendency to layer in process for process’ sake, to entrench needless risk aversion, to build up procedural clutter, and to create a culture in which “zero tolerance” for badness distorts rational decision-making. Our goal should be to prevent the buildup of this sort of clutter and find ways to clear it; not to give up on regulations and controls entirely.
To address this problem, first we need to name it. Others have examined this problem and used terms like regulatory “ratchet”. I prefer a different term: regulatory cascade. An initial rule or set of rules initiates a series of downstream responses that inundate those at the bottom – the rank-and-file employees in regulated industries – with rules, regulations, and documentation. It usually starts innocuously enough when lawmakers issue a vague statute, often designed to address a real problem, and empower an agency to address it. Then agencies start making rules. Some of these are bright-line rules: “do Y, don’t do X”. But some rules are more abstract, like “take reasonable steps to prevent Z”. Courts may provide further clarification. But regardless of what the courts and agencies do, if there is ambiguity over what the law requires and a legitimate fear of punishment for violating the rules, those who are subject to the rules will impose rigorous policies and procedures on themselves. After all, it is better to err on the side of caution than to get sued or suffer a severe penalty. Taking matters into their own hands, the implementing organizations – along with insurers, auditors, consultants, and a whole team of others – become rule makers as well. The rules companies develop can be even more restrictive, harmful, and wasteful than those imposed by government.1
What makes this cascade so dangerous is its tendency to perpetuate itself. Whether it starts with statutes, rulemaking, or court cases, once the cascade begins it is difficult to stop; there is a natural tendency for rules, regulations, and documentation requirements to cascade down from regulators to regulated entities, contractors, and others, accumulating additional rules along the way.
Worse yet, once the rules have cascaded down, there is no easy way to undo them. The regulatory and legal changes are now deeply entrenched in corporate policy and culture. Stopping the initial regulations that triggered the cascade won’t necessarily help anymore. And undoing the cascade from the bottom is almost impossible – by the time the cascade has run its course, the result is a swamp of rules that is nearly impossible to drain. Even if you were determined to eliminate red tape in your organization, you would have a hard time finding someone who has the responsibility and authority for doing so. And nobody wants to be the executive who removed a policy that might have protected their organization from a major lawsuit. Eventually, the tangle of rules and regulations becomes the status quo: The anti-badness bureaucracy is protected by vested interests who seek to preserve it because their jobs depend on it and the culture reinforces it.
What to do about the regulatory cascade
So what are we supposed to do? On the one hand, we can’t just do without regulation. On the other hand, regulation seems to breed an inevitable and self-reinforcing process that has brought us excessive proceduralism and bureaucratization.
First, we should stop making the problem worse by blindly cutting regulation. Policies like “sunset provisions”, and blunt rules like “1 in, 10 out” for regulations seem likely to backfire, unless they’re very carefully targeted. That’s because the regulatory cascade is driven by broad, vague policies. Regulations don’t just exist to restrict people’s behavior or impose requirements; they also exist to define concepts and resolve ambiguities. When forced to cut regulations, it’s those ambiguity-resolving policies that are likely to be eliminated first. Deregulation just pushes the burden of figuring out what the law is to courts and to risk-averse Chief Badness Officers. One odd but instructive example came when Norway “deregulated” its maritime safety regulations. Instead of requiring companies to follow a specific set of rules, they let companies develop their own systems for assuring safety. The result was “overregulation at the organizational level”; companies published thick safety manuals and imposed record-keeping requirements for even trivial tasks.
That said, the deregulators are onto something important: by and large, we have replaced clear, prescriptive rules from Congress with vague “principle-based” regulation whose details are worked out by the executive branch. This has clearly caused problems. But I would argue that the real problem is not so much that Congress has abrogated its responsibility for setting clear, unambiguous rules. It’s that the agencies overseen by Congress have abrogated those responsibilities as well. The regulatory cascade often begins when regulators make vague demands of regulated entities and then impose severe penalties when those demands are not met. Regulators should be working to replace or supplement broad, difficult-to-interpret regulations with specific directives that can be easily followed and whose compliance can be easily measured. Goodhart’s law still holds, but it need not preclude us from trying to hold regulated entities to reasonable, measurable standards.
A well-established way to make regulation less vague is through the creation of safe harbors. Safe harbors are specific sets of rules that, if followed, guarantee a company is in compliance with the regulation. For example, HIPAA restricts the sharing of “protected health information” unless that data is de-identified. De-identified data is valuable in health research, but de-identifying data can be challenging; it’s difficult to prove that the de-identification method worked. Fortunately HIPAA has a safe harbor: If researchers follow a well-defined set of rules for de-identifying data, they can be assured that it meets HIPAA standards. The safe harbor rules don’t work for every use case, but researchers still have the option to use other methods to de-identify data. The safe harbor method lets researchers comply with the law and lower their legal risk.
We should also make sure that penalties for rule violations are reasonable and proportionate. We’re all familiar with the idea that a regulation whose violation is punished with a “slap on the wrist” can fail to motivate compliance. But the reverse is true too. A regulation whose consequences are too severe can motivate overcompliance: a tendency to pursue regulatory compliance at the cost of other socially valuable goals such as innovation and efficiency. For example, in the 1990s several universities were (dubiously) accused by the government of not following proper procedures for obtaining patients’ informed consent during clinical research. They were punished with the “Institutional Death Penalty” – a complete cutoff of all federal research funding. Since then, universities have tightened their internal research oversight so severely that even simple, low-risk research has been slowed down.
Making well-designed rules and proportionate punishments is hard work, so I will also make a nakedly self-interested plea to stop firing the bureaucrats and technocrats. At X, Elon Musk seems to have gotten away with firing his Chief Badness Officer and laying off the entire badness department. From there, it might have seemed like a good idea to fire the government bureaucrats who make the badness rules in the first place. But it is the bureaucrats who are in the best position to keep the cascade at bay. The statistical agencies, program evaluators, and technocrats in government spend their days trying to make sure the rules government sets are clear, specific, measurable, reasonable, responsive, and not self-defeating. Without them, you don’t necessarily get deregulation; you get worse regulation and vaguer regulation, which simply produces even more proceduralism and stasis.
There are no easy answers to the regulatory cascade. Making precise rules, adjusting them so they can’t be gamed or exploited, and establishing clear, meaningful punishments for violating the rules is hard work - even if we enlist AI to help us. It’s easy to understand why agencies don’t want to do it, especially considering the procedural barriers they face. But when government fails to make clear, simple, effective rules, the responsibility for writing those rules simply falls on others who are less capable of doing it well: courts, companies, insurers, auditors, and private citizens. If we want to ease the regulatory burden and prevent the regulatory cascade, we need more government rules, not less.
Here’s some more theory for what I believe is happening, grounded in what I know of the law/economics literature: There is very good literature on the relative merits and drawbacks of rules-based vs. standards-based regulation. But the existing literature may understate the drawbacks of standards-based regulation and management-based regulation because it does not fully account for the distortionary behavior that these forms of regulation induce within regulated firms. In terms of legal and economic theory, the regulatory cascade happens when:
1) To avoid excessive rulemaking and provide flexibility, regulators apply principles-based and management-based regulation instead of bright-line rules. This shifts compliance work onto firms.
2) Firms respond by building internal rule bureaucracies that set their own bright-line rules and procedural controls. These internal rules and controls are more sensitive to internal company conditions than government-imposed rules, but they also share many of the problems of those government-based rules including rule imprecision, unchecked bureaucratic growth, and principal-agent problems (particularly, a tendency towards risk aversion driven by blame avoidance). They also have additional drawbacks – the cost of building the rules-based bureaucracy is imposed separately on every single firm rather than just once for a single agency, and firms lack certainty on what the rules are and how they may be enforced, leading to greater imprecision in the rules.
3) A lack of market discipline further entrenches the inefficient outcome; the regulations themselves make it harder for new entrants with less onerous compliance systems to displace older, less efficient firms.
Note to lawyers, economists, and policy wonks: I’d love to know about other literature that either refutes, supports or just adds more detail to this theory, so please share if you know of any. I’d also be open to collaborating on an empirical investigation to see if this is really what is happening.



Maybe I've been surrounded by too much gentle parenting talk lately but it sounds like all the badness policing and regulation has been fear driven rather than thoughtfully created and developmentally appropriate rules. Which is understandable in that intentional or unintentional badness can have serious, sometimes lethal, consequences. I like the idea that reasonable humans can agree on criteria for making every effort to prevent badness, like a safe harbor. But I'm not naive and I understand it will be difficult to ensure corporations and people act in good faith.