Conflict of Interest Blog

Behavioral ethics and “middle-aged” compliance programs

In my latest column in the FCPA Blog  I consider  how behavioral ethics can re-energize “middle-aged” compliance programs.

I hope you find it useful.

Climate Change Compliance and Ethical Habits of Mind

In a soon-to-be published article in the Iowa Law Review, Susan S. Kuo and Benjamin Means, both of the South Carolina School of Law, argue that:

Unless corporations prioritize climate change mitigation, efforts to control global warming will fail. Yet, the strategies that have been proposed for enlisting corporations are insufficient to the task. In our era of political polarization, a comprehensive “Green New Deal” to transition the U.S. economy away from fossil fuels is a nonstarter. Nor can we expect corporate risk management or social responsibility to fill the gap; there are practical limits to how far corporate managers can depart from strategies designed to maximize profits for investors. This Article contends that climate change is a compliance issue. Scholars have overlooked compliance as a solution because they believe it achieves nothing more than fidelity to existing laws and regulations. This is a mistake. Once neglected as a backwater of corporate governance, the field of compliance has evolved and now involves forward-looking strategic analysis of legal and business risks as well as ethical considerations. A compliance-based approach best captures the rationale for holding corporations responsible for climate change and provides a robust framework for achieving results

The authors cover a great deal of ground – too much for me to attempt to summarize here. So, I hope you will read the original.

But I do want to add from an earlier post on “habits of mind” the following:

The full promise of compliance and ethics programs goes beyond the business realm to nurturing habits of mind that can be helpful to addressing a wider range of challenges than traditional corporate law abidance and ethicality. Among other things, such habits could include thinking systemically about risk, having a deep appreciation for the interests of other individuals, insisting on transparency where it is reasonable to do so, embracing meaningful approaches to accountability for doing what is right and for stopping what is wrong and protecting truth telling at all costs. None of these ways of thinking were invented by C&E practitioners. But for many millions of Americans and others there is now a steady reminder through C&E programs of the importance of thinking in these and related ways – and this could provide a foundation for promoting greater ethicality in the broader societal realm, including addressing climate change.

In other words, C&E can not only make our corporations more responsible when it comes to dealing with climate change, it can do so for individuals.





Compliance program assessments: the basics

Justice Holmes famously said The life of the law has not been logic: it has been experience. But when it comes to compliance and ethics (“C&E”) programs both law and experience matter.

To an extent never previously seen companies are assessing their C&E programs. The main reason is that the government – meaning, in the first instance, the United States government, but increasingly the governments of other countries as well – has issued various policy statements strongly encouraging business organizations to take this step.   But additionally,  experience has taught companies that assessments can be an invaluable way of doing what’s right and avoiding what’s wrong.

This posting will provide a short overview of how to assess your program.

What is a C&E program assessment?

An assessment is a review of policies, procedures and organizational culture regarding C&E.  Note that there are also other forms of C&E checking that can overlap with assessments. For example, program and risk assessment can overlap with auditing.

Program assessments are generally comprised of interviews and document reviews. Sometimes focus groups and/or surveys are part of the assessment process, too.

Ideally, interviews are conducted of both senior company officials and staff (e.g., law, compliance, human resources, finance, audit, controls, logistics, security and others), as well as the chair of the audit committee. Additionally, interviews of rank-and-file employees should be conducted where practical, although this is not always the case. Interviews can also be conducted of third parties, such as a company’s law firm that handles compliance-related matters.

The number of interviewees in an assessment is driven by a variety of factors. However, as a general matter 40 to 50 interviews should be adequate for most assessments.

Interviews should be confidential, meaning interviewees should be instructed that they are not to discuss the assessment with anyone else. A company should also give serious consideration to conducting the assessment under the attorney-client privilege. On the one hand it adds a layer of confidentiality to the process, which should help promote candor on the part of the interviewees. On the other hand, a privileged assessment may be more difficult to share if one also seeks to preserve the attorney-client privilege.

Yet another layer of confidentiality is to instruct interviewees that the company will not disclose the source of comments except where it is facing a true exigency. In my experience this safeguard can be very helpful in promoting candor in interviews.

What to assess.

Among the areas of focus of an assessment is the culture of the organization. To my mind the following should be included

First there are the ethics culture mainstays, which need no introduction.

– Tone at the top.

– Tone in the middle.

– Speak up culture.

– Undue pressure.

– “Organizational justice.”

Second, there is the view of C&E by employees.  Note that the inclusion of this factor stems in part from a finding in the high-profile WorldCom case many years ago after that the denigration of compliance and law department personnel contributed to the massive fraud at issue in that case.

Third is the extent to which employees identify with their company and its mission. Unlike the other cultural attributes this one is a “two-edged sword.”  On the one hand such identification should make employees workforce less risk taking because presumably they would not want to cause harm to an entity that they admire. On the other hand, strong feelings about a company can have the opposite effect of leading employees to commit acts of blind loyalty to bad individuals, entities or causes.

Policies and procedures

In addition to reviewing culture a program assessment should cover all the key policies and procedures in the program. These include program oversight by the board of directors and executives; management of the compliance department; the role of other staff departments in the program; any functions outside the compliance department that play an important role in the program (e.g., ethics liaisons); risk assessment; training and communication; concerns reporting; investigations; discipline; remedial measures; auditing and monitoring; assessment and incentives.

In my experience, the areas most likely to provide “low hanging fruit” are monitoring and incentives. But each assessment will be different,

The criteria used for each aspect of the interviews will vary. However, criteria for efficacy generally include C&E program resources, clout, independence and reach.
The Report

In conducting interviews on these topics one should, of course, strive to identify not just positive findings but areas for opportunities for improvement. However, one should generally address recommendations in a non-dramatic tone, because those will be easier for a company to implement.

One should also, where possible, present the assessment to the board or management committee along with a plan for implementing the recommendations.

Moreover, it is also important to distinguish between recommendations to be implemented as soon as reasonably possible versus those which can be implemented “in the long term.” There is no generally accepted period of time for this. But one year would seem to be sufficient for most companies.


2022 behavioral ethics and compliance index

While in the more than ten years of its existence the COI Blog  has been devoted primarily to examining conflicts of interest it has also run quite a few posts on what behavioral ethics might mean for corporate compliance and ethics programs. Below is an updated version of a topical  index to these latter posts.  Note that a) to keep this list to a reasonable length I’ve put each post under only one topic, but many in fact relate to multiple topics (particularly the risk assessment and communication ones); and b) there is some overlap between various of the posts.


– Business ethics research for your whole company (with Jon Haidt)

– Overview of the need for behavioral ethics and compliance

– Behavioral ethics and compliance: strong and specific medicine

– Behavioral C&E and its limits

– Another piece on limits

– Behavioral compliance: the will and the way

– Behavioral ethics: back to school edition

– A valuable behavioral ethics and compliance resource

– Strengthening your C&E program through behavioral ethics

–  Ethics made easy

  Have you checked your behavioral externalities?

A behavioral ethics and compliance primer

Happy anniversary, Corporate Sentencing Guidelines.


Risk assessment

–  Being rushed as a risk

–  Too big for ethical failure?

– “Inner controls”

– Is the Road to Risk Paved with Good Intentions?

– Slippery slopes

– Senior managers

– Long-term relationships

– How does your compliance and ethics program deal with “conformity bias”? 

– Money and morals: Can behavioral ethics help “Mister Green” behave himself? 

– Risk assessment and “morality science”

 Advanced tone at the top

 Sweating the small stuff

The risk of good intentions

Communications and training

– “Point of risk” compliance

–  Publishing annual C&E reports

– Behavioral ethics and just-in-time communications

– Values, culture and effective compliance communications

– Behavioral ethics teaching and training

– Moral intuitionism and ethics training

– Reverse behavioral ethics

– The shockingly low price of virtue

– Imagine the real

– Behavioral ethics training for managers


– Behavioral ethics program assessments

Positioning the C&E office

– What can be done about “framing” risks

– Compliance & ethics officers in the realm of bias

 Behavioral ethics, the board and C&E officers

 Lawyers as compliance officers: a behavioral ethics perspective


– Behavioral Ethics and Management Accountability for Compliance and Ethics Failures

– Redrawing corporate fault lines using behavioral ethics

– The “inner voice” telling us that someone may be watching

–  The Wells Fargo case and behavioral ethics


– Include me out: whistle-blowing and a “larger loyalty”

Incentives/personnel measures

– Hiring, promotions and other personnel measures for ethical organizations

Board oversight of compliance

– Behavioral ethics and C-Suite behavior

– Behavioral ethics and compliance: what the board of directors should ask

Corporate culture

– Is Wall Street a bad ethical neighborhood?

– Too close to the line: a convergence of culture, law and behavioral ethics

–  Ethical culture and ethical instincts

Values-based approach to C&E

 A core value for our behavioral age

– Values, structural compliance, behavioral ethics …and Dilbert

The spirit of liberty – and ethics

Appropriate responses to violations

– Exemplary ethical recoveries


Conflicts of interest/corruption

– Does disclosure really mitigate conflicts of interest?

– Disclosure and COIs (Part Two)

– Other people’s COI standards

– Gifts, entertainment and “soft-core” corruption

– The science of disclosure gets more interesting – and useful for C&E programs

– Gamblers, strippers, loss aversion and conflicts of interest

– COIs and “magical thinking”

– Inherent conflicts of interest

– Inherent anti-conflicts of interest

– Conflict of interest? Who decides?

– Specialty bias

– Disclosure’s two-edged sword

– Nonmonetary conflicts of interest

– Charitable contributions and behavioral ethics

– More on conflicts of interest disclosure

Insider trading

– Insider trading, behavioral ethics and effective “inner controls” 

– Insider trading, private corruption and behavioral ethics

Legal ethics

– Using behavioral ethics to reduce legal ethics risks


– New proof that good ethics is good business

– How ethically confident should we be?

– An ethical duty of open-mindedness?

– How many ways can behavioral ethics improve compliance?

– Meet “Homo Duplex” – a new ethics super-hero?

– Behavioral ethics and reality-based law

– Was the Grand Inquisitor right (about compliance)?

– Is ethics being short-changed by compliance?


More compliance monitoring, please

Relationships between relevant C&E “checking” categories can be confusing.  For example, auditing can overlap with program assessment and with risk assessment. The line between auditing and investigations is not always well marked.  Monitoring can overlap with program governance and management. Metrics are generally part of monitoring but are sometimes discussed separately. Encouraging reports of suspected violations can be seen as a form of monitoring – but is generally treated as a different animal. Other types of internal controls (e.g., pre-approvals) can also be viewed as a form of monitoring – but typically serve a different function. Monitoring differs from auditing in that it is less independent and more real time. Speaking generally, it is an under-utilized C&E function.

Monitoring by business people is often called “the first line of defense.” It can be the most immediate and least independent form of C&E checking.

Examples include:

  • Reviewing pricing and other activities for any indicia of antitrust violations.
  • Monitoring COIs that have been conditionally okayed.
  • Reviewing invoices of third parties for any indicia of corruption or violation of other rules.
  • Making sure that those expected to take in-person training in fact do so.

Two final points about monitoring.

First, it can serve to educate business people on C&E matters (learn by doing).

Second, it can provide a basis for incenting C&E in performance evaluations (or similar processes). For instance, managers who don’t do a good job in monitoring should have that shortfall impact their evaluations.

Directors, fiduciary duties and climate change

In Directors’ Fiduciary Duties and Climate Change: Emerging Risks –  writing in the Harvard corporate governance blog – Cynthia A. Williams (York University), Sarah Barker (MinterEllison), and Alex Cooper (CCLI) state:

“The last few years have seen a significant change in the understanding of climate change as a material risk to businesses, with government and capital markets responding. There has also been a notable increase in the number of so-called ‘Caremark’ claims against directors and officers for failing to exercise proper oversight surviving motions to dismiss. These two developments, construed together, indicate that directors and officers of Delaware corporations are navigating their corporations through an increasingly risky environment, and there is the potential that they may face litigation and ultimately personal liability for failing to manage these risks. Delaware directors and their attorneys must understand this new legal risk.”

Further, they note: oversight liability may arise where directors and officers: “fail to consider or oversee the implementation of climate-related legal risk controls; fail to monitor mission-critical regulatory compliance, either specific climate change-related regulations or existing regulations which require consideration or disclosure of climate change risks. This latter category is likely to include a broad range of regulations, but may include: securities laws, which require listed companies to disclose material risks; environmental laws, as the physical effects of climate change catalyze infrastructure failure; and health and safety laws for companies with employees are exposed to increasingly hostile conditions; or fail to monitor climate-related mission-critical operational and business risks…”

Also, “[w]hile directors and officers are likely to be particularly focused on the risk that they may be found personally liable for a breach of their duties, proper compliance with fiduciary obligations requires acting to a higher standard. Given the defenses available to fiduciaries, and the difficulty in bringing claims for breach of fiduciary duty, a director or officer found to be liable for such a breach will generally have acted egregiously. The standard to which directors and officers must act to avoid liability is therefore a bare minimum. To minimize the risk of such claims being brought, directors and officers will need to act to a higher standard to avoid the attentions of litigious shareholders; and to further reduce their potential exposure, and to ensure proper compliance with their legal obligations, directors and officers should seek to follow best practices.”

Finally, I believe that  directors should consider commissioning  an independent assessment of the controls and other  parts of the climate change compliance program. Recognizing the need for help – particularly on something as complex and consequential as this – is  itself an important best practice.

Who is the client?

My latest column in Compliance & Ethics Professional.

The Marx Brothers and Risk Assessment

From Duck Soup

Rufus T. Firefly

now, members of the cabinet…

[pounds gavel]

Rufus T. Firefly we’ll take up old business.

Cabinet Member : I wish to discuss the tariff.

Rufus T. Firefly : Sit down, that’s new business. No old business? Very well…

[pounds gavel]

Rufus T. Firefly : we’ll take up new business.

Cabinet Member : Now, about that tariff…                                                  

Rufus T. Firefly : Too late, that’s old business already. Sit down.

When a company acquires or develops a new business, risk assessment should be front and center in its plans. But that isn’t always how it works, particularly after an acquisition goes through and the acquisition becomes “old business.”

New businesses can be particularly risky for several reasons:

-The new business may operate in ways that are unfamiliar to the acquiring business.

-The key players – employees, suppliers , customers, third parties and others – may also be unfamiliar.

– The acquisition may create undue pressures to perform.

There are many ways to address challenges of this sort.  But a good starting place for many is to deal with the area in risk assessment governance documentation.

Moral hazard – the latest

As described in several earlier posts, “moral hazard” exists where there is a misalignment of incentives between those with a capacity to create risks and those likely to bear the costs of such risk taking.  While most Americans presumably are not aware of this somewhat obscure term, the phenomenon itself  is pretty obvious (as well as terrifying with respect to COVAD -19 vaccination and climate change).

Moral hazard can also pose a significant challenge to promoting compliance and ethics. That is, the law provides for large fines for organizations convicted of federal offenses, but those who bear the brunt of such punishments (mostly the shareholders) are often different than the individuals who benefit from the wrongdoing (usually the executives or other high-ranking personnel).

The history of corporate business crime enforcement is, in part, an effort to close this moral hazard gap.

The latest page  in this history was written  two weeks ago by Deputy Attorney General Lisa O. Monaco  at the Keynote Address at the ABA’s 36th National Institute on White Collar Crime:

“To hold individuals accountable, prosecutors first need to know the cast of characters involved in any misconduct. To that end, today I am directing the department to restore prior guidance making clear that to be eligible for any cooperation credit, companies must provide the department with all non-privileged information about individuals involved in or responsible for the misconduct at issue. To be clear, a company must identify all individuals involved in the misconduct, regardless of their position, status or seniority.”

Note that this is not a new policy but, is, as Monaco says, a restoration of a prior one. Still, given the career-related incentives prosecutors have in case selection, it seems likely to me that her announcement will be seen as an encouragement to bring more cases against senior personnel than is currently done.

This is a small step toward closing the moral hazard gap, but is worth mentioning in C&E training and other communications as a way of getting the attention of senor personnel.

Redefining compliance recidivism

Last week Deputy Attorney General Lisa O. Monaco  announced in the Keynote Address at the ABA’s 36th National Institute on White Collar Crime:

“that all prior misconduct needs to be evaluated when it comes to decisions about the proper resolution with a company, whether or not that misconduct is similar to the conduct at issue in a particular investigation. That record of misconduct speaks directly to a company’s overall commitment to compliance programs and the appropriate culture to disincentivize criminal activity.

To that end, today I am issuing new guidance to prosecutors regarding what historical misconduct needs to be evaluated when considering corporate resolutions. This will include an amendment to the Department’s “Principles of Federal Prosecution of Business Organizations.” Going forward, prosecutors will be directed to consider the full criminal, civil and regulatory record of any company when deciding what resolution is appropriate for a company that is the subject or target of a criminal investigation.

Going forward, prosecutors can and should consider the full range of prior misconduct, not just a narrower subset of similar misconduct — for instance, only the past FCPA investigations in an FCPA case, or only the tax offenses in a Tax Division matter. A prosecutor in the FCPA unit needs to take a department-wide view of misconduct: Has this company run afoul of the Tax Division, the Environment and Natural Resources Division, the money laundering sections, the U.S. Attorney’s Offices, and so on? He or she also needs to weigh what has happened outside the department — whether this company was prosecuted by another country or state, or whether this company has a history of running afoul of regulators. Some prior instances of misconduct may ultimately prove to have less significance, but prosecutors need to start by assuming all prior misconduct is potentially relevant.

Taking the broader view of companies’ historical misconduct will harmonize the way we treat corporate and individual criminal histories, as well as ensure that we do not unnecessarily look past important history in evaluating the proper form of resolution.”

What does this mean for compliance officers?

Perhaps most importantly, companies need to review the breadth of their respective risk assessments. (Indeed, the new policy can be seen as creating a risk impact multiplier, meaning that a prior offense is, as a general matter,  more likely now than before to adversely impact a company in an investigation/prosecution.)     The same is true regarding culture and program assessments.  All of these should  be constructed/revised with the new standard of recidivism in mind, which for many companies will be more encompassing than what they currently deploy.

As well, the company’s C&E processes regarding remedial measures following discovery of wrongdoing should be robust and well documented. Even before Monaco’s announcement this was an area of weaknesses for many companies and all should take this opportunity to consider whether they need to make improvements.

Finally, and particularly for large, widely dispersed organizations, this new approach to recidivism underscores the need to have effective C&E management  and governance throughout the enterprise.  Among other things, directors should be informed of this important development.