Conflict of Interest Blog

Effective C&E Programs: The Justice Department Speaks

Last week, together with David Wilkins of SNC-Lavalin, I chaired the Practising Law Institute’s Advanced Compliance & Ethics Workshop.  Marshall Miller, the number 2 in the Justice Department’s Criminal Division, gave the keynote address, which was subsequently posted on the Department’s web site.  Among the important points he made were the following.

First, Miller said that a principal hallmark of an effective C&E program “is high-level commitment.  When employees truly understand that a company’s leadership is committed to compliance – even when it runs up against profits – only then does a company truly have a successful compliance program.”

A side note on this: I’ve found over the years that one of the most meaningful gauges of the seriousness of a C&E program is whether a company can provide specific examples of where it has in fact sacrificed  potential profits to maintain its C&E-related standards. A company’s having done this often makes a profound impression on employees (and potentially third parties) – and can be seen as more significant than mere words in a code of conduct.

Second, Miller said: “The quickest way to check on that commitment is to take a look at corporate structure.  If you see compliance executives sitting in true positions of authority at a corporation, reporting directly to independent monitoring bodies, like internal audit committees or boards of directors, you likely are looking at a strong compliance program.   Compliance programs also need to be resourced; they need to have teeth and respect.”

A side note on this: It was clear from Miller’s talk that Justice was not saying that all companies needed to have the C&E officer report administratively – as opposed to informationally – to the board. Very few companies take the former approach; indeed, based on a show of hands, none of the conference attendees do this.

Third, Miller said: “Another key hallmark is whether the program grows with the company.  Any good compliance program needs to be periodically evaluated, using risk assessment models aimed at the individual circumstances of the company.  As companies change over time, so must compliance policies.”  Key here is the phrase “risk assessment models aimed at the individual circumstances of the company,” because too many companies assess risk using a one-size-fits-all approach.

Fourth, he noted: “A strong compliance program must also involve enforcement and discipline.  It is human nature to pay more attention to what people do than to what they say.  Compliance must be incentivized; violations disciplined.  And the response must be even-handed.  Too often we see low-level employees who implemented bad conduct fired, but bosses, who did nothing to stop the conduct – and may even have directed it – left in place without sanction.”  To my mind, this has always been a weakness of many C&E programs, as discussed in this earlier post.

Fifth,  Miller said that “expanding corporations must extend their compliance programs to all of their subsidiaries – even, or perhaps especially, those that were recently acquired – and must ensure that compliance policies are understood and implemented by all employees, no matter what country they work in.”  This seems an especially important point, given the history of C&E failures involving subsidiaries, joint ventures and other members of corporations’ “families” – as discussed in this eight-part series from the FCPA Blog.

Finally, there was lots more to the conference than Miller’s fine speech – but I don’t have permission to post all of  it, as it is for PLI members and other conference attendees.  I can, however, post this legal update I gave with Joe Murphy with lots of information about how law promotes – and sometimes impedes – companies developing strong C&E programs.

Risk assessment: frequently asked questions

In addition to the COI Blog, I write a column on risk assessment for Corporate Compliance Insights. My most recent posting there is on various risk assessment FAQ’s that – both in conducting assessments and advising clients on how they can do so themselves – I’ve dealt with over the years.

The column can be accessed here. I hope you find it interesting.

C&E officer reporting relationships: a tale of two recent surveys

More than a decade ago, Iowa senator Charles Grassley famously said of a company’s general counsel also serving as its compliance officer: “It doesn’t take a pig farmer from Iowa to smell the stench of conflict in that arrangement,…” And since then, there has been a lively (albeit not always as colorfully expressed) debate involving C&E practitioners, lawyers and others concerning the issue of to whom the C&E officer should report.

Earlier this month a survey conducted by NYSE Governance Services and the SCCE  captured considerable attention in the C&E field with its finding that 38% of  persons “with overall responsibility for the compliance program” in their companies reported to the CEO, 19% reported to the board of directors and only 18% did so to the general counsel. This led the Wall Street Journal to proclaim: “Legal [is] losing its grip over risk and compliance.”

However, two caveats should be borne in mind here. First, the specific question at issue – “To whom does the person with overall responsibility for the compliance program report?” – could be read to include merely informational reporting (i.e., the C&E officer meets periodically with the CEO) as opposed to the more significant administrative kind (i.e., the CEO is the supervisor of the C&E officer). Having heard many C&E officers speak over the years about their reporting relationships in a way that uses the two types interchangeably, I would be surprised if this ambiguity didn’t account for a slice (and perhaps a large one) of the CEO and BOD numbers. Second, nearly a third of the survey respondents were from the “health care and social assistance fields” – which is much higher than the percentage of such organizations in the economy generally; this is significant because, for regulatory reasons, reporting to the BOD and CEO is more common in these types of entities than in most others.

A less noticed but no less notable contribution to this debate was the report of a survey published only a few weeks earlier by Mitratech (a provider of  enterprise legal management solutions for legal departments).  While not posing the same question that the NYSE Governance Services one did, this report noted (among other things) that “[t]he legal department owns the enterprise compliance function in 40% of respondents’ organizations and owns a portion of compliance functions in another 24% of organizations” and also that “[t]he role of the legal department in enterprise compliance is increasing as the responsibilities of the Chief Compliance Officer (CCO) and General Counsel become more tightly intertwined.”  These results feel closer to the actual practices I’ve seen in business organizations than do those in the other survey.

Granted, I have never been a pig farmer from Iowa, but I have been around this issue for a long time (my first experience with it dating back to the mid-1990’s when I was asked by a client whether the C&E officer should report to the GC or its Chief Operating Officer). Based on my experience since then, I can say with some confidence that there is no one-size-fits-all approach to the question of to whom the C&E officer should report.

Certainly, in a company where the GC herself is likely to be a source of risk, the case for independent reporting is clear enough. (This is not about the GC being honest as an individual but, rather, giving advice regarding or otherwise playing a role in company activities that are relatively likely to be scrutinized in an enforcement context.) Also, in industries where the government has expressed a preference for not including the GC in the C&E officer’s line of administrative reporting, then that is entitled to a fair bit of weight. And, where employees are likely to see the GC as an aggressive defender of the company’s interests – which is sometimes the case where the company is the subject of high-profile litigation – then having the C&E officer subordinate to the GC could inhibit employees reporting suspected wrongdoing.

But there are many other situations where not reporting to the GC would effectively make the C&E officer an organizational “orphan,” because the CEO or BOD – who have a  vast array of responsibilities – would in fact do less for her (and the program) than would a GC whose duties and skill set naturally lend themselves to promoting C&E.   Indeed, I recall one case where the C&E officer did in fact report administratively to the audit committee;  it was a well-intended approach, but the committee gave him little day-to-day guidance, which sadly seemed to contribute to his losing his job. More generally, as C&E program requirements increasingly become part of the sinews of US business law (a trend that seems inevitable), then the case for administrative reporting to the GC may actually be enhanced.

Finally, even if a company does opt for this latter approach, care must be taken to protect the C&E officer’s independence – both actual and apparent – through other means. One of these is having her report periodically to the relevant BOD committee in executive session. Another is to provide that the C&E officer’s duties and compensation cannot be adversely affected without prior approval of such committee. Finally, a GC to whom a C&E officer reports should take steps to ensure program independence by other members of the law department – such as through training them on their “reporting up” obligations under S-Ox section 307.

(For additional reading on BOD oversight of C&E programs please see this post by my partner Rebecca Walker and me on the Harvard Law School corporate governance blog.)

Come to the Advanced C&E Workshop

On October 7-8, together with David Wilkins of SNC-Lavalin, I’ll be chairing the annual PLI Advanced Compliance & Ethics workshop in NY, which will also be available by web cast.  My partner Rebecca Walker will be chairing the workshop in SF on November 17-18.

We have assembled an all-star team of C&E officers and law firm practitioners for the conference. We hope to see you there.

How friendly should the E&C officer be?

While not an outright conflict of interest, getting too close to management has pitfalls for the E&C officer – as Steve Priest and I discuss in our latest Ethics Exchange (on the ECOA web site).  At the same time,  being  close may be essential to being seen as a trusted adviser to key personnel at an organization – and to be in a position to identify and address risks at an early stage.

We hope you find our effort to strike the right balance useful.

Compliance programs and the culture of care

Samuel Johnson once said: “It is more from carelessness about truth than from intentionally lying that there is so much falsehood in the world.” And carelessness is obviously at the root of many other types of wrongdoing too.

In a keynote speech at the just-concluded SCCE  10th annual Compliance and Ethics Institute, FBI director James Comey spoke of the need for companies to have a “culture of care” when it comes to cyber-security.  (Unfortunately the speech is not yet published on the FBI web site, so I can’t link to the text.)  While focusing on cyber-security, Comey did indicate that the concept of a culture of care might have broader application to the world of compliance and ethics.

I think the concept is indeed potentially quite useful for C&E professionals.  But what might be included in such a culture?

One example is suggested by a presentation – Beyond Agency Theory: The Hidden and Heretofore Inaccessible Power of Integrity, by Michael Jensen and Werner Erhard – discussed in this earlier post. The authors argue that honesty requires more than sincerity: “When giving their word, most people do not consider fully what it will take to keep that word.  That is, people do not do a cost/benefit analysis on giving their word.  In effect, when giving their word, most people are merely sincere (well-meaning) or placating someone, and don’t even think about what it will take to keep their word. This failure to do a cost/benefit analysis on giving one’s word is irresponsible.”    This argument makes sense to me – and I think it would to Samuel Johnson  and James Comey as well.

And, as noted above, the need for carefulness goes beyond being honest.  More broadly, a culture of care would help shape an organization’s values, policies, procedures, risk assessment, approach to incentives and  C&E training and communications.  As well, carelessness would be addressed sufficiently through the investigations and disciplinary policy/process – something that too few companies do, as discussed here.  

Finally, I asked Steve Priest, a true master at diagnosing and shaping corporate cultures, what he thinks about the “culture of care” concept.  He said “Emphasizing a ‘culture of care’ makes great sense. However for many who do not understand the full sense in which James Comey used the phrase, it will seem soft. It isn’t soft, but to balance it I encourage organizations to aim for these three in your culture: care, competence and courage. Organizations and leaders that demonstrate care, competence and courage may not win every sprint, but they will win most marathons.”

I agree with Steve that care alone cannot a culture make. And, as with virtually any part of a C&E program, one has to guard against overdoing it. In this connection, nearly 20 years ago, I was concerned that my then eight-year-old daughter occasionally ran out into the street without checking for traffic – and so to help make her more careful I tried to get her to keep a “safety journal.” I’m proud (in retrospect) to say that she refused – as my idea was a bit over the top, and this story from the archives of Kaplan family compliance history helps to remind me that one must be careful not to promote over-cautiousness.

Conflicts of interest, compliance programs and “magical thinking”

An article earlier this week in the New York Times takes on the issue of “Doctors’ Magical Thinking about Conflicts of Interest.” The piece was prompted by a just-published study which examined “the voting behavior and financial interests of almost 1,400 F.D.A. advisory committee members who took part in decisions for the Center for Drug and Evaluation Research from 1997 to 2011” and found a powerful correlation between a committee member having a financial interest (e.g., a consulting relationship or ownership interest) in a drug company whose product was up for review and the member’s voting in favor of the company – at least in circumstances where the member did not also have interests in the company’s competitors.

Of course, this is hardly a surprise, and the Times piece also recounts the findings of earlier studies showing strong correlations between financial connections (e.g., receiving gifts, entertainment or  travel from a pharma company) and professional decision making (e.g., prescribing that company’s drug). Nonetheless, some physicians “believe that they should be responsible for regulating themselves.”

However, such self-regulation can’t work, the article notes, because “our thinking about conflicts of interest isn’t always rational. A study of radiation oncologists found that only 5 percent thought that they might be affected by gifts. But a third of them thought that other radiation oncologists would be affected. Another study asked medical residents similar questions. More than 60 percent of them said that gifts could not influence their behavior; only 16 percent believed that other residents could remain uninfluenced. This ‘magical thinking’ that somehow we, ourselves, are immune to what we are sure will influence others is why conflict of interest regulations exist in the first place. We simply cannot be accurate judges of what’s affecting us.”

While the findings of these and similar studies are, of course, most relevant to conflicts involving doctors and life science companies, there is a broader learning here which, I think, is vitally important to C&E programs generally.  That is, they help to show that “we are not as ethical as we think” – a condition hardly limited to the field of medicine or to conflicts of interest, as has been discussed in various prior postings on this blog.

One of the overarching implications of this body of knowledge is that we humans need structures – for business organizations this means C&E programs, but more broadly these have been called “ethical systems” – to help save us from falling victim to our seemingly innate sense of ethical over-confidence. So, to make that case, C&E professionals should – in training or otherwise communicating with employees (particularly managers) and directors – address the issue of “magical thinking” head-on.

Moreover, using the example of COIs to prove the larger point here may be an effective strategy, because employees are more likely to have experience with ethical challenges in this area  than with other major risks, such as corruption, competition law or fraud – which indeed may be so scary as to be largely unimaginable to many employees.  I.e., these and other “hard-core” C&E risk areas might be subject to an even greater amount of magical thinking than is done regarding COIs.  So, at least in some companies,  discussing COIs might offer the most accessible “gateway” to addressing the larger topic of ethical over-confidence.

The conflict of interest case of the year

With less than four months to go, the corruption case against the governor of Virginia and his wife seems destined for 2014 COI case of the year honors. But while much of the press revolved around the Governor’s unsavory – and unsuccessful – trial strategy of throwing his wife/co-defendant “under the bus,” for COI aficionados what is noteworthy about the prosecution lies elsewhere.

First, on the public policy level, it highlights – as much as any case has in recent memory – the need for strong government ethics laws at the state level.    Perhaps states like Virginia (and NJ, where I live, which is infamous for its culture of corruption) will now look for guidance to those states that have been successful on this front, such as ethics front-runner Oregon.  

Second, on a law enforcement level, the case is precedent setting. As described in this Washington Post article: “[L]egal experts say the case — especially if it survives an appeal — could encourage prosecutors to pursue similar charges against officials who take not-so-obviously significant actions on behalf of their alleged bribers and make it easier for them to win convictions. ‘I think the case clearly pushes the boundary of ‘official act’ out a bit farther, and I think that’s quite potentially important,’ said Patrick O’Donnell, a white-collar criminal defense lawyer at Harris, Wiltshire & Grannis. ‘It’s striking that here, McDonnell was not convicted on any traditional exercise of gubernatorial power. It wasn’t about a budget or a bill or a veto or appointment or a regulation.’ [Rather,] ‘[t]he McDonnells stand convicted of conspiring to lend the prestige of the governor’s office to Richmond businessman Jonnie R. Williams … by arranging meetings for him with state officials, allowing him to throw an event at the Virginia governor’s mansion and gently advocating for state studies of a product that Williams’s company sold.”

Third, and most relevant to C&E professionals, the case appears to be a striking example of the behaviorist learning, “we are not as ethical as we think” – a principle that helps underscore the need for strong C&E programs in organizations of all kinds. That is, based on McDonnell’s testimony, there seemed to me a real possibility that he genuinely believed that he was not corrupted by the gifts and loans from Williams, and there is indeed some indication that the jurors found him sincere, at least generally. But believing yourself to be unaffected by a conflict of interest doesn’t make it true – given the results of various behavioral ethics studies showing that COIs impact us considerably more than we appreciate. (Posts relating to some of these studies are collected here.) Perhaps this makes the McDonnell case – although more about conflicts in government than in business – a teachable moment for C&E practitioners in all settings.

Prosecutors, massive fines and moral hazard

Many years ago, I lived next door to a young police officer and his family who, while presumably paid a modest salary, drove a pretty expensive car.   He was able to do this, I learned, because his department seized autos (and other property) of various suspected offenders and then let its officers drive the vehicles for their personal use.  Although he seemed in every respect like an honorable young man, the impact that this practice could have – and also appear to have – on law enforcement decisions left me feeling uneasy.

The latest issue of The Economist has a sweeping indictment of the US system of business law enforcement.  There are many components to this assault, including that: large fines are, in effect, extorted from companies, but the guilty individuals often go free (which, in my view, is quite true); settlements of these cases often obscure facts that should be made known to the public (with which I also agree); US laws are so numerous and complicated that companies face a grave risk of prosecution for conduct that they never could have suspected was wrongful (with which I agree only slightly); and part of the cost of this system is that “[e]normous amounts of time and money are now being put into compliance programmes that may placate judges, prosecutors, regulators and monitors but undermine innovation and customer services” (which I also think is an overstatement,  but also is true enough for companies to be careful not to go overboard in their compliance programs).   But the critique that interested me the most concerned the view that the prospect of recovering large fines influences law enforcement decisions, i.e., a corporate variation on the story in the first paragraph of this post.

This part of The Economist article relied in part on a paper in the January 2014 Harvard Law Review – “For-Profit Public Enforcement,” by Margaret H. Lemos (Professor, Duke University School of Law) and Max Minzner (Professor, University of New Mexico School of Law), in which the authors seek to show “that public enforcers often seek large monetary awards for self-interested reasons divorced from the public interest in deterrence. The incentives are strongest when enforcement agencies are permitted to retain all or some of the proceeds of enforcement – an institutional arrangement that is common at the state level and beginning to crop up in federal law. Yet even when public enforcers must turn over their winnings to the general treasury, they may have reputational incentives to focus their efforts on measurable units like dollars earned. Financially motivated public enforcers are likely to…undertake more enforcement actions [and] focus on maximizing financial recoveries rather than securing injunctive relief,… Those effects will often be undesirable, particularly in circumstances where the risk of over-enforcement is high.”

I don’t know if it is quite right to call this a conflict of interest, but it does seem close to a moral hazard, in that those with power to reduce risks (prosecutors) may have interests that are not well aligned with those who bear the consequences of their actions (the public). Moreover, and independent of this concern, prosecutors sacrificing tomorrow’s interests (as the benefits of deterrence take place entirely in the future) for a quick buck today – the very trade-off for which guilty companies are often castigated – itself can be harmful because, as Justice Brandeis famously said: “Our government is the potent, the omnipresent teacher. For good or for ill, it teaches the whole people by its example.”

(For more on moral hazard see the posts collected here. And here is a post on implications for risk assessment of the government’s seeking large financial recoveries from corporate defendants.)

“The inner voice that warns us somebody may be looking”

Within the treasure trove of H.L. Mencken’s sayings, this definition of “conscience” may be my favorite.  And, various studies have indeed shown that the sense that somebody may be watching can help promote ethical behavior.  Among these are  experiments exposing individuals to “eyespots” –  drawings which create a vague sense of being watched, even among those who know as a factual matter that they aren’t being seen. (See, e.g., this study, showing that exposure to eyespots can promote generosity.)

While actually deploying eyespots around the workplace is hardly a viable option for most companies, various technological advances offer not only the appearance of being watched but the actuality of it.  Such monitoring technologies can be particularly promising for promoting compliance by parts of a workforce for whom supervision is relatively remote – which is often the case for sales people.

For two other risk-related reasons, sales people can be a logical choice for C&E monitoring:

- Their incentives may not align well with those of their respective companies – a “moral hazard” condition.  (Indeed, in a risk assessment interview I conducted last week, the interviewee responded to a question about conflicts of interest by saying – only somewhat in jest – that the whole company sales force had such conflicts.)

- Sales people tend to be in a position to cause legal/ethical violations – e.g., corruption, collusion and fraud – much more than the average employee at a company.

But, while the case for monitoring sales people is strong as a general matter, obviously not all monitoring strategies are equally effective. According to a paper published in the September 2014 issue of the Journal of Business Research, “Does transparency influence the ethical behavior of salespeople?” by John E. Cicala, Alan J. Bush, Daniel L. Sherrell and George D. Deitz (rentable on Deep Dyve): “it is not the perception of visibility that drives sales persons behavior, but rather the perception of the likelihood of negative consequences resulting from management use of knowledge and information gained from technologically increased visibility.”

Of course, these results – based on an on-line survey which is described in the paper – presumably won’t surprise any C&E professionals. (Nor, likely, would they have impressed Mencken, who also said: “A professor must have a theory as a dog must have fleas” – although I should add that that’s just another chance to quote the great man – not a reflection of my view of this paper.) But, as with much of the social science research discussed in this blog, having data to back up what is intuitively known may be useful, particularly when seeking to make C&E reforms in a company that are being resisted.

Most relevant here is the often-contentious issue of how open a company is with its discipline for violations (meaning not just of sales persons but any employee).  While C&E professionals typically understand that true “public hangings” – i.e., full identification of individual transgressions and transgressors – can be undesirable for all sorts of reasons, there is still a lot that their respective companies can do in a general way to show that   negative consequences do exist for breaches of C&E  standards. Hopefully, this new research can help C&E professionals make such a case.