Conflict of Interest Blog

“To lose one parent may be regarded as a misfortune; to lose both looks like carelessness.”

So said Oscar Wilde. And while he clearly didn’t have compliance programs in mind, his immortal words provide a humorous introduction in these distinctly unfunny times to the topic of how the Department of Justice’s recently revised Evaluation of Corporate Compliance Programs (“the Evaluation”)  has impacted how the Department evaluates companies’ risk assessment measures in investigations and prosecutions.

By way of background, over the years many compliance failures have been risk assessment failures. But risk assessment was not in the original Sentencing Guidelines, which were issued in 1991, although it was added when the Guidelines were amended in 2004.  In 2017 the Department published the first iteration of the Evaluation, which was followed by revised versions in 2019 and this year. In this post I look at aspects of the whole of the discussion of risk assessment in the Evaluation – not just the 2020 additions.

One key aspect of the Evaluation is documentation. Many risk assessments are somewhat informal and not sufficiently documented.  Documenting the risk assessment is useful not only in the event of a government investigation or prosecution but also for self-checking by management and for the board of directors’ periodic review of the program. Therefore, for those companies that haven’t already done so, drafting a risk assessment governance document should be considered.

Having a defined methodology – which not all companies do – is also important under the Evaluation. There  are lots of methodological considerations for conducting risk assessments. Included are:

– Different processes – document reviews, interviews, focus groups, surveys.

– Different substantive approaches – e.g., how important is risk impact (as opposed to risk likelihood)? What are boundaries?  What are likely risk scenarios?

– Finding a way to measure success. What have you learned – not just about newly discovered risks, but getting a better understanding about known ones?

One size doesn’t fit all, but all need to select and deploy a methodology.

A third important area under the Evaluation is resources, with the issue being whether the process enables the company to allocate resources to different program elements in an effective and efficient way.  Note that many companies use the results of risk assessments for auditing and board oversight,  but there are many other program elements that could benefit from such use.

Finally, the Evaluation calls upon companies to adopt a “lessons learned” approach to compliance. This brings us back to the title of the piece, and specifically to the need to avoid the appearance of being careless by failing to prevent a recurrence of a specific type of wrongdoing. While funny in a great comic play, there would be little to laugh about in such a situation in a criminal case.

 

 

Insider trading and “inner controls”

Here is my latest column in Compliance & Ethics Professional – which looks at insider trading from a behavioral compliance perspective.

I hope you find it interesting.

Conflicts of interest in a post-Trump era

In a classic Watergate-era Doonesbury, Mark asks rhetorically whether it is fair to judge the ethicality of the White House based solely on the various cases and allegations that had surfaced during that scandal. No it isn’t, he replied: those are only the ones we know about.

The latest Trump COI to surface was an allegation this week that (as described in the NY Times) ”the American ambassador to Britain, Robert Wood Johnson IV, told multiple colleagues in February 2018 that President Trump had asked him to see if the British government could help steer the world-famous and lucrative British Open golf tournament to the Trump Turnberry resort in Scotland,…”

As Trump COIs go I suppose this isn’t the worst. But, by any reasonable analysis it is unethical.

Last winter a government watchdog group, Citizens for Responsibility and Ethics in Washington (“CREW”), issued a report finding: “President Trump’s unprecedented decision to retain his business interests while serving in the White House set the stage for a deluge of conflicts of interests between the government and the Trump Organization. From the beginning of President Trump’s administration, CREW has endeavored to track these conflicts, which pit President Trump’s personal and financial interests against those of the nation as a whole, and this week, President Trump reached a new, disgraceful milestone: He has racked up 3,000 conflicts of interest during his time in office.”       

And these are just the ones we know about.

As of this writing, Joe Biden seems likely to win the presidential election in November (but obviously things could change between now and then). Still, it is not too soon for him to consider how his administration will deal with COIs.

Of course, for many reasons, there should be no fear that he will personally engage in COIs of a nature and scale that Trump has.  But he can and should ensure that by word and deed all facets of a Biden administration treat this area as a top priority.  This means – among other things – understanding and addressing through risk assessment, education, enforcement and other compliance measures the many types of harms COIs can cause to individuals, organizations and societies.

Some of these are listed in a recent posting in the FCPA Blog   The most significant of these is in  the broader (i.e., societal) realm. On a wide range of issues – the most pressing of which is climate change– there is an increasing need for devising solutions that will be predicated on substantial trust because they will require substantial sacrifice. Conflicts of interest in the public sphere make this already considerable challenge even more daunting.

Answers to tough questions on conflicts of interest

Recently our friends at NAVEX Global invited Rebecca Walker and me to teach a master class on conflicts of interest.

Part of the session involved our receiving and responding to key questions about COIs.

We thought you might like to see this Q & A.

 

 

Approvals of conflicts of interest: what is the appropriate standard?

 

While some organizations bar conflicts of interest in all cases, many opt for allowing COIs  to exist where appropriate. But how should appropriate be defined for these purposes?

One formulation that I have recommended is:

A COI may be approved only where doing so would clearly be in the best interest of the company.

Two comments about this.

First, the word “clearly” is intended to require a showing greater than a mere preponderance of the relevant facts. Of course, it is not as high as “beyond a reasonable doubt,” which, in my view, would be widely seen as overkill in this setting.  But, it is still a high standard  and presumably would require rejection of any proposed COI where there was a lack of genuine clarity on this issue.  Indeed, given that COI problems often involve lack of clarity, the use of the word in a COI policy should itself be helpful.

Second, the “best interest of the company” should be read broadly. It requires more than an absence of corruption or other  outright misconduct. Rather, it also mandates consideration of how  the COI at issue could impact the ethical culture of the organization and related matters.

For more on COIs and harm see this recent piece from the FCPA Blog.

PLI briefing on revised DOJ compliance program standards

Rebecca Walker and I hope to see you then and there. 

Are you a member of the “compliance elite”?

In “Compliance Elites ”Professor Miriam Baer of Brooklyn  Law School writes:

“As corporate compliance has expanded its influence, so too has the status of those who implement and oversee the firm’s compliance function. Chief compliance officers (CCOs), who are often (but not exclusively) lawyers by training, increasingly boast the types of resumes one associates with elite lawyers. In many ways, this is good news for compliance. There may, however, be several downsides to a strategy of relying so heavily on a cadre of compliance elites. The aim of this Article is to discuss one of these downsides.”

At the outset, I question how significant the phenomenon of compliance elites is.  (As used by Baer, “the term ’elite’ refers to an attorney’s academic and postgraduate achievements: her education, her awards while in law school, her clerkship, and the various positions she held after law school.” )  In my nearly thirty years in the field I have encountered many CCO’s who, while not elite, have been very successful in developing and implementing sound compliance programs. We still have a ways to go before elite is the norm,  And that to me is a good thing.

Still, as noted above, there are many “pluses” to having elite compliance personnel. Baer lists here recruiting top-flight human capital and otherwise securing necessary resources for the compliance program.  To me this is key, both as a matter of common managerial sense and because the U.S. Department of Justice places great emphasis on these factors in its criteria in evaluating programs.

Additionally, by hiring members of the compliance elite, “the organization emits potent internal and external signals. Within the firm, the CCO’s arrival affirms to its rank-and-file employees that corporate management is committed to improving its compliance effort. That, in turn, improves morale among those inclined to follow the law and potentially induces broader and earlier internal whistle-blowing.”

Finally, on the downside,  Baer argues: “imagine a new CCO confronts a series of performance targets upon entering the firm. Which ones merit the closest attention, and which ones deserve to be shelved immediately? If the firm is emerging from a scandal, the worst systems may be obvious to everyone. Beyond this, however, reasonable people will differ. It will be the CCO’s responsibility to tread carefully but thoroughly in determining which additional performance goals merit a closer look, and it may not be the goal itself that is the problem. It may be how the firm measures the goal, how it compensates (or punishes) performance aimed at achieving said goal, or how quickly it expects its employees to meet its goal that induce different degrees of misconduct. It is within this ambiguous gray zone that performance blind spots are most likely to emerge and do their damage. Absent blunt evidence to the contrary, someone who has repeatedly scored in the top percentiles nationally on standardized tests; who has then followed up that performance by scoring at the top of a law school’s grading curve; and who has bested many of her competitors in series of workplace mini tournaments might not find a series of severe or unforgiving performance targets problematic.”

This is interesting but, in my view, a stretch. While lots of life experiences can contribute to cognitive biases, I just don’t think doing well on  a standardized test rises to that level.

Nearly 1500 C&E professionals have downloaded the free risk assessment e-book

Have you?

It is available from Corporate Compliance Insights.

I hope you find it useful.

Making the most of risk assessment

Today the FCPA Blog published a post I authored on risk assessment.

I hope you find it useful.

Moral hazard and the revised DOJ compliance standards

One of the great afflictions of our age is moral hazard. As noted in an earlier post: “The concept of moral hazard was used originally to refer to the phenomenon that providing insurance tended to promote risky behavior by insured parties.  Subsequently, the idea has been applied more generally to mean the provision of incentives that encourage unduly risky conduct by shifting the impact of a bad decision to a party other than the decision maker.”

Another way of thinking about this area is that moral hazard can arise from of lack of appropriate accountability. A notable example of this can be found in an SEC report several years ago on ratings agencies quoting an e-mail between two analysts concerning their plans to give positive ratings to certain financial instruments that were, in fact, unworthy of such ratings: “Let’s hope we are all wealthy and retired by the time this house of cards falters.” A more consequential example is climate change: those who are most likely to be affected by this unparalleled calamity are generally not the same as those who have the power to slow it down (and ultimately reverse it).  And, the Pandemic presents millions of  moral hazard influenced decisions concerning wearing safety masks and other issues.

Moral hazard is not the same thing as conflicts of interest. But they are close enough to each other to be considered “cousins.”   However, the former does not get nearly the attention that the latter does. (See prior posts on moral hazard collected here.)

Moral hazard poses a significant challenge to law enforcement in many types of business crime cases. That is, the Sentencing Guidelines provide for large fines for organizations convicted of federal offenses, but those who bear the brunt of such punishments (mostly the shareholders) are often different than the individuals (usually executives) who benefit from the wrongdoing. The problem, of course, is that their organizations do not hold them to account through the investigation and disciplinary processes.

The history of corporate business crime enforcement is, in part, an effort to close this moral  hazard gap. The latest chapter of this history was released June 1 when the Criminal Division of the Justice Department published its  third iteration of Evaluation of Corporate Compliance Programs.

The prior iterations of the guidance already had included considerably strong approaches to promoting accountability by individual wrongdoers.  In the new version what  most struck me as relevant to the moral hazard issue was the following question: “Does the compliance function monitor its investigations and resulting discipline to ensure consistency?”

I am not suggesting that this is some sort of panacea for moral hazard in companies.  Moreover, adding this to a  compliance program works only if the compliance function is indeed independent and has a sufficient degree of “clout.”  As well, a company needs to publicize that it is doing such monitoring and also that it imposes discipline for violations in a sufficiently rigorous way.

But if taken to heart a corporation’s having the compliance function monitor its investigations and resulting discipline to ensure consistency could be a helpful (albeit only partial) antidote to moral hazard.

For more information about the revisions to the Evaluation of Corporate Compliance Program see this post on the Compliance Program Assessment Blog.