Corporate compliance and stock volatility in top 35 Spanish companies

Post by Prof. Hernan Huwyler, MBA, CPA, CAIO
AI GRC Director | AI Risk Manager | Quantitative Risk Lead
Speaker, Corporate Trainer and Executive Advisor
Top 10 Responsible AI and Risk Management by Thinkers360


Compliance Maturity And Stock Volatility: An Empirical Study Of Spain's IBEX 35

The Strategic Relevance Of Compliance In The Spanish Market

Compliance is a major ethical and strategic consideration that directly affects financial performance and determines whether the risk of organizational failure is contained within tolerable levels. In Spain, compliance risk has moved from a peripheral concern to a mainstream governance issue, driven by the introduction of corporate criminal liability through the reform of the Spanish Criminal Code by Organic Law 1/2015 and by the increasing exposure of Spanish companies to cross-border regulatory frameworks.

In response to this shifting landscape, Spanish companies across all sectors undertook significant revisions of their codes of conduct, ethics policies, and whistleblowing mechanisms. Many organizations established formal compliance functions for the first time. However, the relationship between the maturity of these compliance programs and the organization's observable risk profile as measured by financial market indicators has received limited empirical attention, particularly in the Spanish context.

This study examines that relationship by analyzing whether a measurable correlation exists between the compliance maturity of publicly listed Spanish companies and their stock price volatility, used here as a market-based proxy for perceived risk.

Study Design And Methodology

To investigate the correlation between compliance maturity and market risk, this study analyzed the 35 public companies that compose Spain's benchmark IBEX 35 index. The methodology comprised three components: a compliance maturity assessment based on publicly available governance documents, a market risk measure derived from historical stock price data, and a weighting mechanism based on relative market capitalization.

Compliance Maturity Assessment

The compliance maturity of each company was evaluated by analyzing its code of ethics and other publicly available ethics and corporate governance documents. Ten compliance domains were assessed, each representing a material area of legal and regulatory exposure for companies operating in Spain and internationally.

The domains evaluated were:
  • Corruption, business conduct, and gifts
  • Antitrust and market abuse
  • Worker protection, discrimination, and harassment
  • Environmental protection and urban planning compliance
  • Copyright and intellectual property protection
  • Data protection and privacy, including obligations under the General Data Protection Regulation and Spain's Organic Law 3/2018
  • Tax compliance
  • Anti-money laundering
  • Occupational fraud
  • Whistleblowing policy, including the availability and accessibility of reporting channels and the disclosed management framework for handling reports

The whistleblowing domain was weighted at thirty percent of the total score to reflect the central role that reporting mechanisms play in the effectiveness of a compliance program under both Spanish and international standards.

For each domain, a complete score was assigned when the code of ethics and related governance policies established standard controls to mitigate the principal compliance risks associated with that domain. Where coverage was partial or where compensating controls were documented, the score was adjusted proportionately based on the nature and adequacy of the disclosed mitigating measures.

It is important to acknowledge that this scoring methodology relies on the quality and completeness of publicly disclosed documents. It therefore measures the stated maturity of the compliance program as presented to the market and regulators, not the operating effectiveness of that program in practice. Companies with sophisticated compliance programs that disclose limited public information may be underscored, while companies with well-drafted but weakly implemented programs may be overscored.

Market Risk Measure

The risk level for each company was defined as the historical 250-day volatility, calculated as the annualized standard deviation of daily stock returns over a 250-trading-day period. This measure captures the total variability of a stock's returns and is widely used as a proxy for the overall risk perceived by the market.

It is important to distinguish this measure from beta, which captures only the systematic component of risk, meaning the sensitivity of a stock's returns to movements in the broader market. Historical volatility, by contrast, reflects total risk, encompassing both systematic risk arising from general market movements and idiosyncratic risk arising from company-specific factors such as governance quality, regulatory exposure, operational disruptions, and reputational events. For the purposes of this study, total risk is the more appropriate measure because compliance program quality is more likely to influence idiosyncratic risk factors than systematic market-wide movements.

Weighting By Market Capitalization

To reflect the relative economic significance of each company within the index, the dataset of 35 companies and their associated compliance and risk observations was expanded into 700 weighted data points. Each company's observations were replicated in proportion to its relative market capitalization within the IBEX 35, based on the most recent statistics published by Bolsas y Mercados Españoles. This weighting approach ensures that larger companies, which have greater market impact and typically face more complex regulatory environments, exert proportionate influence on the aggregate findings.

The sector classification used in the analysis follows the criteria established by Bolsas y Mercados Españoles for the IBEX 35 index.

Findings






On balance, companies with strong and transparent ethics and compliance policies have better risk management in creating stakeholder value.

There are two types of outliers in the analysis:
  • Santander Bank, Repsol, OHL and Acciona have a mature compliance model according to the information in this study, but their stock value was highly volatile in the last 250 trading days, and
  • AENA, Endesa, Gas Natural, Dia and Iberdrola have low market value volatility, but have opportunities to strengthen their compliance programs.



You can find the supporting data from these links:

MS Access Datasets 
Summary of dataset
Supporting Code of Ethics and Documents

The data analysis revealed a weak negative linear correlation with a Pearson coefficient of negative 0.18 between compliance maturity and historical stock volatility. This result suggests a modest inverse relationship: companies with higher compliance maturity scores tended to exhibit slightly lower stock price volatility.

However, the magnitude of this correlation is small, and several important qualifications apply.

First, correlation does not imply causation. The observed relationship may reflect the influence of confounding variables. Larger and more established companies tend to have both more developed compliance programs and lower stock volatility for reasons unrelated to compliance, including greater analyst coverage, higher institutional ownership, more diversified revenue streams, and more stable earnings profiles. Without controlling for these variables through multivariate regression or other techniques, it is not possible to attribute the observed relationship to compliance maturity itself.

Second, statistical significance should be evaluated in the context of the effective sample size. While the weighting procedure produced 700 data points, the underlying number of independent observations remains 35, which limits the statistical power of the analysis. With a correlation coefficient of negative 0.18 and an effective sample size of 35, the result is unlikely to achieve conventional levels of statistical significance at the 95 percent confidence threshold.
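An added example, not part of the original study or its code, illustrating the weighting and effective-sample-size points above. On constructed data for 35 hypothetical companies, replicating rows by market capitalization yields the same coefficient as a weighted Pearson correlation on the 35 companies, while treating the 700 rows as independent makes r = -0.18 look significant. The Fisher z approximation and all function names are choices made for this illustration.

```python
import math
import random

def pearson(x, y, w=None):
    """Pearson r; optional observation weights w (None means equal weights)."""
    w = w or [1] * len(x)
    sw = sum(w)
    mx = sum(a * b for a, b in zip(w, x)) / sw
    my = sum(a * b for a, b in zip(w, y)) / sw
    cov = sum(a * (b - mx) * (c - my) for a, b, c in zip(w, x, y))
    vx = sum(a * (b - mx) ** 2 for a, b in zip(w, x))
    vy = sum(a * (c - my) ** 2 for a, c in zip(w, y))
    return cov / math.sqrt(vx * vy)

def replica_counts(caps, total=700):
    """Split `total` rows across companies in proportion to market cap
    (largest-remainder rounding so the counts sum exactly to `total`)."""
    exact = [c / sum(caps) * total for c in caps]
    counts = [math.floor(e) for e in exact]
    order = sorted(range(len(caps)), key=lambda i: exact[i] - counts[i], reverse=True)
    for i in order[: total - sum(counts)]:
        counts[i] += 1
    return counts

def fisher_p(r, n):
    """Two-sided p-value for H0: rho = 0 (Fisher z, normal approximation)."""
    z = abs(math.atanh(r)) * math.sqrt(n - 3)
    return math.erfc(z / math.sqrt(2))

def demo(seed=35):
    rng = random.Random(seed)
    # Constructed data: 35 hypothetical companies, not the study's dataset.
    score = [rng.uniform(40, 100) for _ in range(35)]   # compliance maturity score
    vol = [rng.uniform(0.15, 0.45) for _ in range(35)]  # annualized 250-day volatility
    cap = [rng.uniform(2, 90) for _ in range(35)]       # market capitalization
    counts = replica_counts(cap)
    # Expand to 700 rows by repeating each company `count` times.
    big_x = [s for s, k in zip(score, counts) for _ in range(k)]
    big_y = [v for v, k in zip(vol, counts) for _ in range(k)]
    return pearson(big_x, big_y), pearson(score, vol, counts), counts

if __name__ == "__main__":
    r_rows, r_weighted, counts = demo()
    print(f"r on 700 rows = {r_rows:.4f}, weighted r on 35 = {r_weighted:.4f}")
    for n in (35, 700):
        print(f"r = -0.18, n = {n}: p = {fisher_p(-0.18, n):.4g}")
```

Replication changes how much each company counts toward the coefficient, but it adds no independent information, so the significance test should use n = 35.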

Third, the analysis identified sector-level variation in the strength of the correlation. The compliance and volatility relationship was stronger in the retailing and telecommunications sectors than in the index as a whole. This finding may reflect the fact that companies in consumer-facing and heavily regulated sectors face more direct reputational and regulatory consequences from compliance failures, making their market risk more sensitive to the quality of disclosed compliance programs.

Implications For Compliance Leaders

Despite the modest magnitude of the observed correlation, the findings offer several insights relevant to compliance and governance professionals.

The existence of any negative correlation between compliance maturity and market volatility, even a weak one, is directionally consistent with the broader body of research suggesting that strong governance and compliance practices contribute to reduced risk premiums and lower cost of capital. Studies published in journals including the Journal of Financial Economics and the Journal of Business Ethics have documented similar relationships between governance quality and market-based risk measures in larger international datasets.

For chief compliance officers and boards, the practical implication is that compliance program maturity may contribute to risk reduction as perceived by the market, but it is unlikely to be the dominant factor. The primary drivers of stock volatility remain macroeconomic conditions, sector dynamics, earnings quality, and company-specific operational performance. Compliance maturity is best understood as one component of a broader governance quality signal that the market incorporates into its risk assessment.

The sector-level variation in the findings suggests that compliance investments may generate more visible risk reduction benefits in industries with higher regulatory exposure and greater reputational sensitivity. Compliance leaders in these sectors have a stronger empirical basis for making the case that compliance program investment contributes to measurable risk outcomes.

Finally, this study highlights the limitations of relying solely on publicly disclosed compliance documents as a measure of program maturity. Organizations that invest in building effective compliance programs but do not communicate their efforts transparently through public disclosures may fail to capture the market-signaling benefits that a well-disclosed program can provide. This finding reinforces the importance of compliance communication and transparency, not only for regulatory purposes but as a component of investor relations and enterprise risk management.

Directions For Further Research

This study represents an initial exploration of the compliance-risk relationship in the Spanish market. Future research could strengthen the analysis in several ways. Expanding the sample beyond the IBEX 35 to include mid-cap and small-cap companies listed on the Spanish continuous market would increase statistical power and allow for more granular sector-level analysis. Incorporating multivariate regression to control for firm size, leverage, sector, profitability, and institutional ownership would help isolate the independent contribution of compliance maturity to volatility reduction. Extending the time horizon to examine whether compliance program improvements precede subsequent reductions in volatility would provide stronger evidence regarding the direction of the relationship. And supplementing the public document analysis with proprietary compliance program data, where available, would address the measurement limitation inherent in relying exclusively on disclosed information.

A More Defensible Interpretation

The most defensible takeaway is not that better compliance lowers market risk in a direct or measurable way across all companies. The stronger conclusion is that visible compliance maturity may be associated with aspects of governance quality that investors and stakeholders value, and that this relationship may be more visible in sectors where trust, conduct, and regulatory exposure are especially relevant.

This is a more modest conclusion, but it is also a more credible one. In governance analysis, precision matters. Overclaiming causation where only weak correlation exists can quickly undermine a good idea.

Final Perspective

Compliance maturity should not be viewed only as a defensive cost center or as a legal safeguard against misconduct. It is part of the broader institutional quality of a company. It can influence how risks are surfaced, how issues are escalated, how decisions are challenged, and how the organization protects value over time.

The analysis of the IBEX 35 does not prove that stronger compliance maturity reduces market risk. But it does suggest that the relationship between governance quality, visible compliance discipline, and market perception deserves more attention, especially in jurisdictions and sectors where corporate conduct has become a defining element of enterprise trust.

For boards and compliance leaders, that should be the practical message. If compliance maturity is visible only on paper, its value will remain limited. If it is embedded into governance, conduct, and decision making, it becomes part of the company’s resilience story.

References

Spanish legal and governance developments related to corporate criminal liability and whistleblowing frameworks

US Department of Justice. Evaluation Of Corporate Compliance Programs

Organisation for Economic Co-operation and Development. Corporate governance and business integrity guidance

Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management Integrating With Strategy And Performance

Academic literature on governance quality, disclosure quality, and market risk relationships

 

