Conflict of Interest Blog

Do compliance officers have an inherent conflict of interest?

In Agency, Authority, and Compliance, Sean J. Griffith of the  Fordham University School of Law argues:

Compliance can and often does serve as a conduit through which regulators and enforcement authorities enlarge their authority beyond statutory bounds. The potential to do so is a function of the symbiotic relationship between compliance officers and regulatory authorities. Compliance officers owe their professional existence and their organizational authority to the interventions of regulators and enforcement agents. This creates a unique incentive structure and renders compliance officers especially receptive to regulators’ extra-legal pronouncements. As a result, the separation of compliance from legal and the elevation of the compliance function as the co-equal of the legal department, a structure often insisted upon by regulators and enforcement authorities, effectively enlarges the compliance conduit through which the government may abuse the rule of law. Rather than separating compliance from legal, compliance should be subordinated to legal so that an officer accountable exclusively to the best interests of the firm is charged with interpreting the law and advising the firm on what the law requires. Only after this determination has been made should compliance officers be charged with the task of executing on these decisions. A necessary condition to realigning organizational responsibilities in this way, however, is for the government to stop insisting on the alternative. More broadly, the government should not involve itself in the organizational details of compliance, but rather should limit itself to making and enforcing the law.

This is an interesting and unusual  perspective and one that I am not unsympathetic to.  Indeed, in a piece last year in Compliance Week I argued that in many companies having the chief compliance officer report administratively to the general counsel would in fact be appropriate  (assuming – among other things –  that the CCO reported informationally to the board of directors).

But I’m not persuaded that a conflict-like condition exists because CCOs “owe their professional existence and their organizational authority to the interventions of regulators and enforcement agents,” at least, not as a general matter.  One might find exceptions where a company is under a monitorship or is in a very highly regulated business. But for most organizations, I believe, this is no more the stuff of conflict than is the fact that a company’s sales people effectively owe their respective jobs to its customers (which presumably would not diminish the sales people’s fidelity to their employer’s best interest).

I also don’t agree with the notion that whether to take a contemplated compliance measure should be decided by the GC and how to do so that of the CCO. While conceptually neat, as a practical matter the two areas tend to overlap considerably, making the proposed separation of powers difficult to implement.

Finally, regarding the suggestion that, “the government should not involve itself in the organizational details of compliance, but rather should limit itself to making and enforcing the law,…”  I generally believe that without the government’s involvement in the details of compliance over the past nearly 30 years, the overall state of compliance would be weaker than it is today.

Behavioral ethics and compliance to the rescue?

A colleague once voiced the view that the C&E field was “out of energy and out of ideas.”  I have often been of the same mind but am cheered by the advent in recent years  of “behavioral ethics and compliance”

The need for new C&E ideas was recently articulated in Preventing Corporate Crime from Within: Compliance Management, Whistleblowing and Internal Monitoring   by Benjamin van Rooij of the University of California, Irvine, School of Law, University of Amsterdam –  Faculty of Law, and Adam Fine, Arizona State University,  School of Criminology & Criminal Justice:

To reduce and prevent corporate crime and wrongdoing requires more than punishment of corporations and corporate executives. True change requires transformations within such corporations. This paper discusses three options to induce such corporate transformations: corporate compliance management mechanisms, whistleblower protection rules, and independent internal monitoring. The paper concludes that the existing empirical evidence shows doubt whether these systems actually can be effective in reducing corporate crime and wrongdoing. It concludes that the available studies show that these systems are more likely to be effective exactly where it is least needed, namely when there is leadership commitment to compliance, when there is successful external oversight and when there is a compliance culture. The paper concludes with critical thoughts about what this means for existing legislation stimulating these systems, for regulators and compliance officers, as well as for research in this area. Here it argues that internal compliance management must become much more based on behavioral insights from the social and behavioral sciences, and that the scientific community must do a greater effort to provide such support to public and private practitioners.

I certainly agree with this  last conclusion, and for those looking for practical  ideas on how compliance officers, regulators and social scientists can assist one another along these lines  please see my Behavioral Ethics and Compliance Index, which has nearly 100 posts on this area.

Is a weak compliance program worse than no program?

Many years ago I was asked by a prospective client if I could design a “C minus” (i.e., just barely passing) compliance program for them. I responded that, for various reasons, by aiming for a C minus they were likely to end up with an “F.” I did not get the gig. But would there have been any harm in aiming low?

Yes, there would – at least according to David Hess of the University of Michigan’s Ross School of Business, who argues, in a piece in the Brooklyn Journal of Corporate Finance and Commercial Litigation:

“Employee perceptions of an organization’s compliance program are critical. A program that has lost legitimacy with its employees is not just ineffective, but it creates more harm than good by leading to more unethical behavior. This Article identifies ways in which compliance programs can start to lose legitimacy, explains how that lost legitimacy leads to increased wrongdoing, and then concludes by setting out some basic reforms focused on helping stop this downward spiral and protecting the legitimacy of the compliance function.”

Hess’s first point – that, for a variety of reasons, compliance programs can lose their legitimacy – is well trod ground.  Less so is the notion that that an “ineffective program creates more harm than good.” Here, he argues – persuasively, in my view: “If there was no ethical infrastructure, then the individual would rely on his or her own moral reasoning. With a weak infrastructure the organization is sending the message to the individual that ethical concerns do not matter for doing his or her job.” Hess also notes, in this regard, that while research has shown “that a properly enforced code of conduct decreases unethical behavior …  the simple existence of a code of conduct, after controlling for perceived code enforcement and corporate culture, increased unethical behavior.”

Finally, he notes: “Corporations should be required to regularly evaluate their ethical culture.  This recommendation focuses on helping to ensure appropriate and ongoing monitoring of the ethical infrastructure to prevent the compliance program from chipping away to a point where it has lost legitimacy … Measurement of the ethical culture helps  corporate actors recognize when intervention is necessary.”

To which we should all say Amen.





How to assess the efficacy of codes of conduct

Here is a post from the Compliance Program Assessment Blog on assessing codes of conduct.

Rebecca Walker and I hope you find it useful.

Lessons learned from lessons learned

Rebecca Walker and I recently authored this post for our program assurance column in Corporate Compliance Insights.

We hope you find it useful.

“To lose one parent may be regarded as a misfortune; to lose both looks like carelessness.”

So said Oscar Wilde. And while he clearly didn’t have compliance programs in mind, his immortal words provide a humorous introduction in these distinctly unfunny times to the topic of how the Department of Justice’s recently revised Evaluation of Corporate Compliance Programs (“the Evaluation”)  has impacted how the Department evaluates companies’ risk assessment measures in investigations and prosecutions.

By way of background, over the years many compliance failures have been risk assessment failures. But risk assessment was not in the original Sentencing Guidelines, which were issued in 1991, although it was added when the Guidelines were amended in 2004.  In 2017 the Department published the first iteration of the Evaluation, which was followed by revised versions in 2019 and this year. In this post I look at aspects of the whole of the discussion of risk assessment in the Evaluation – not just the 2020 additions.

One key aspect of the Evaluation is documentation. Many risk assessments are somewhat informal and not sufficiently documented.  Documenting the risk assessment is useful not only in the event of a government investigation or prosecution but also for self-checking by management and for the board of directors’ periodic review of the program. Therefore, for those companies that haven’t already done so, drafting a risk assessment governance document should be considered.

Having a defined methodology – which not all companies do – is also important under the Evaluation. There  are lots of methodological considerations for conducting risk assessments. Included are:

– Different processes – document reviews, interviews, focus groups, surveys.

– Different substantive approaches – e.g., how important is risk impact (as opposed to risk likelihood)? What are boundaries?  What are likely risk scenarios?

– Finding a way to measure success. What have you learned – not just about newly discovered risks, but getting a better understanding about known ones?

One size doesn’t fit all, but all need to select and deploy a methodology.

A third important area under the Evaluation is resources, with the issue being whether the process enables the company to allocate resources to different program elements in an effective and efficient way.  Note that many companies use the results of risk assessments for auditing and board oversight,  but there are many other program elements that could benefit from such use.

Finally, the Evaluation calls upon companies to adopt a “lessons learned” approach to compliance. This brings us back to the title of the piece, and specifically to the need to avoid the appearance of being careless by failing to prevent a recurrence of a specific type of wrongdoing. While funny in a great comic play, there would be little to laugh about in such a situation in a criminal case.



Insider trading and “inner controls”

Here is my latest column in Compliance & Ethics Professional – which looks at insider trading from a behavioral compliance perspective.

I hope you find it interesting.

Conflicts of interest in a post-Trump era

In a classic Watergate-era Doonesbury, Mark asks rhetorically whether it is fair to judge the ethicality of the White House based solely on the various cases and allegations that had surfaced during that scandal. No it isn’t, he replied: those are only the ones we know about.

The latest Trump COI to surface was an allegation this week that (as described in the NY Times) ”the American ambassador to Britain, Robert Wood Johnson IV, told multiple colleagues in February 2018 that President Trump had asked him to see if the British government could help steer the world-famous and lucrative British Open golf tournament to the Trump Turnberry resort in Scotland,…”

As Trump COIs go I suppose this isn’t the worst. But, by any reasonable analysis it is unethical.

Last winter a government watchdog group, Citizens for Responsibility and Ethics in Washington (“CREW”), issued a report finding: “President Trump’s unprecedented decision to retain his business interests while serving in the White House set the stage for a deluge of conflicts of interests between the government and the Trump Organization. From the beginning of President Trump’s administration, CREW has endeavored to track these conflicts, which pit President Trump’s personal and financial interests against those of the nation as a whole, and this week, President Trump reached a new, disgraceful milestone: He has racked up 3,000 conflicts of interest during his time in office.”       

And these are just the ones we know about.

As of this writing, Joe Biden seems likely to win the presidential election in November (but obviously things could change between now and then). Still, it is not too soon for him to consider how his administration will deal with COIs.

Of course, for many reasons, there should be no fear that he will personally engage in COIs of a nature and scale that Trump has.  But he can and should ensure that by word and deed all facets of a Biden administration treat this area as a top priority.  This means – among other things – understanding and addressing through risk assessment, education, enforcement and other compliance measures the many types of harms COIs can cause to individuals, organizations and societies.

Some of these are listed in a recent posting in the FCPA Blog   The most significant of these is in  the broader (i.e., societal) realm. On a wide range of issues – the most pressing of which is climate change– there is an increasing need for devising solutions that will be predicated on substantial trust because they will require substantial sacrifice. Conflicts of interest in the public sphere make this already considerable challenge even more daunting.

Answers to tough questions on conflicts of interest

Recently our friends at NAVEX Global invited Rebecca Walker and me to teach a master class on conflicts of interest.

Part of the session involved our receiving and responding to key questions about COIs.

We thought you might like to see this Q & A.



Approvals of conflicts of interest: what is the appropriate standard?


While some organizations bar conflicts of interest in all cases, many opt for allowing COIs  to exist where appropriate. But how should appropriate be defined for these purposes?

One formulation that I have recommended is:

A COI may be approved only where doing so would clearly be in the best interest of the company.

Two comments about this.

First, the word “clearly” is intended to require a showing greater than a mere preponderance of the relevant facts. Of course, it is not as high as “beyond a reasonable doubt,” which, in my view, would be widely seen as overkill in this setting.  But, it is still a high standard  and presumably would require rejection of any proposed COI where there was a lack of genuine clarity on this issue.  Indeed, given that COI problems often involve lack of clarity, the use of the word in a COI policy should itself be helpful.

Second, the “best interest of the company” should be read broadly. It requires more than an absence of corruption or other  outright misconduct. Rather, it also mandates consideration of how  the COI at issue could impact the ethical culture of the organization and related matters.

For more on COIs and harm see this recent piece from the FCPA Blog.