Conflict of Interest Blog

Ethics or compliance? We need both

Ethics and compliance have long been seen by some as representing essentially inconsistent approaches to promoting desirable conduct in companies.  I have never been persuaded by this oddly Manichean world view. Rather, and as previously argued in Compliance & Ethics Professional (page 2 of PDF), I believe that compliance can give ethics “body” and ethics can give compliance “soul.” Or, as the 2004 amendments to the U.S. Sentencing Guidelines for Organizations indicate, companies should have “compliance and ethics” programs.

Moreover, many “middle-aged” programs (discussed more generally in this piece on the CCI web site ) need all the help they can get.  To those struggling to maintain a sense of urgency in their programs, the answer to the question “Ethics or compliance?” is a resounding “Yes.”

Of course, there are some C&E challenges that companies face that are largely “C” and little or no “E.” (A recent posting here suggests that these include dealing with requirements of anti-corruption, export control and competition law.)  The converse is true as well.

But some risk areas – such as conflicts of interest – clearly need healthy elements of both. So does the overall platform for ensuring that companies do the right thing, such as paying due attention to C&E in incentive structures.

The importance of incentives to C&E was addressed in a piece last weekend in the NY Times by Gretchen Morgenson  about a recent proposal by Professors Claire A. Hill and Richard W. Painter of the University of Minnesota Law School “for making financial executives personally liable for a portion of any fines and fraud-based judgments a bank enters into, including legal settlements” regardless of fault.  The proposal, she notes, quoting one of the professors, “would help instill a culture… ‘that discourages bad behavior and its underlying ethos, the competitive pursuit of narrow material gain.’”

Clearly the goal here is to go beyond traditional notions of compliance to promote a more truly ethics-driven approach to banking.  But by using the mechanics of “carrots and sticks” to achieve that goal, it is also very much in the heartland of compliance.

While the case for this sort of an approach may be strongest in the financial services industry, its logic is applicable more broadly.  For instance, a large company in any industry might adopt a policy that if any of its divisions are prosecuted the leaders of that division will bear some of the costs incurred by the company.  However, and in the spirit of the Sentencing Guidelines themselves, I think that an executive who could show that she made a strong effort to promote C&E in her division – going beyond promoting mere rule abidance, to embrace a truly cultural view of ethics – should be spared some of this punishment.

Of course, few if any other industries have had the perverse incentives C&E-wise that financial services have, which is why I would temper the no-fault aspect of the Hill and Painter proposal as applied to other areas of business.  But any company where the managers are not the owners faces the potential for “moral hazard” when it comes to mitigating C&E-related risk, as discussed in the prior posts collected here.  And that is why  companies of all kinds need to consider how (and indeed if) they provide incentives for ethics and compliance.


Is political ideology a compliance and ethics risk?

In a post  last week on the Harvard Law School Forum on Corporate Governance and Financial Regulation, Danling Jiang, Associate Professor of Finance at Florida State University, summarizes a recent article she authored with Irena Hutton, Associate Professor of Finance at Florida State University; and Alok Kumar, Professor of Finance at the University of Miami: “Political Values, Culture, and Corporate Litigation,” which was published in the latest issue of Management Science and which “examine[s] whether the political culture of a firm defines its ethical and legal boundaries as observed by the propensity for corporate misconduct.”

As described in her post: “Using one of the largest samples of litigation data to date, [they] show that firms with Republican culture are more likely to be the subject of civil rights, labor, and environmental litigation than Democratic firms, consistent with the Democratic ideology that emphasizes equal rights, labor rights, and environmental protection. However, firms with Democratic culture are more likely to be the subject of litigation related to securities fraud and intellectual property rights violations than Republican firms whose Party ideology stresses self-reliance, property rights, market discipline, and limited government regulation.” (The full paper can be downloaded for free from the Harvard web site.)

This is interesting – if not necessarily surprising – stuff, and particularly so in an election year. But does it bear on the work of C&E professionals? And does it have anything to do with conflicts of interest?

In a COI Blog post during the last presidential election,  I noted that managers’ political ideology could create moral hazard vis a vis their respective companies: “Consider the example of corporate support for political causes or candidates for public office…  In some instances, a senior manager with the power to make decisions  for a company regarding such support may use that power to embrace a candidate or cause even if doing so is against her company’s interests  (e.g., the cause or candidate’s positions may offend a large percentage of the company’s customers).   For the purposes of our example, assume further that the manager does not expect to be tangibly rewarded for providing the company’s support to the candidate, and thus may not have a true “interest” for COI purposes (at least not in the traditional sense).  Nonetheless, because of the manager’s political beliefs, she may cause the company to take risks in supporting the candidate that are unjustifiable from the organization’s perspective.  In other words, this is a case of an intangible moral hazard risk.”

Of course, this example does not involve quite the same C&E-related dynamic that Professor Jiang and her colleagues study in their paper. But, I think it should be part of the discussion because to the extent that ideology does create C&E risk there is something COI- or moral-hazard – like at issue, since a given company’s shareholders as a class presumably have no particular ideology that they are willing to fund through increased company litigation costs and related expenses.  Thus, in ideological companies both C&E officers and corporate directors should be mindful of risks of this nature. I.e., even if it does not suggest any particular type of mitigation (and I don’t think it does), political ideology based risk should be factored into the larger risk calculus of the enterprise.

Perhaps more basically, the research raises the question of whether part of the way to become an ethical and compliant  company is by eschewing ideology, or at least moving in that direction.  That hopefully will be the subject of its own post at a later time, but for further reading on how harmful generally ideological thinking can be to ethical thought and deed see Jonathan Haidt’s The Righteous Mind.

Behavioral anti-corruption compliance and its limits

Previous posts here have suggested ways in which behavioral ethics research findings can enhance the practice of corporate compliance and so I was interested in a recent piece in the FCPA Blog about the potential for a behavioral ethics approach to anti-corruption compliance. “How fewer controls leads to more compliance” is authored by Prof. Dr. Johann Graf Larmbsdorff, who designed the Corruption Perceptions Index on behalf of Transparency International, oversaw its realization until 2008 and has published extensively in the field.

The post – which summarizes a recent paper of his – makes six points about undesirable consequences of a traditional controls-based approach to corruption prevention.  Some I agree with, like the need for having compliance certifications executed in a more time-sensitive way. (Indeed, as noted in this recent post, such an approach can be helpful with risk areas beyond corruption).  Others – e.g., “elimination of official discretion has counterproductive effects in development aid” – are outside my realm of knowledge/experience, but make intuitive sense.

Lambsdorff’s overall conclusion about controls is that they make “officials and employees … [be] seen as potentially corrupt actors, who must be rigorously controlled. Behavioral science points to the hidden costs of such methods. It provides us with impressive evidence that in most circumstances people are trustworthy and willing to take individual responsibility. Rather than adding more and more controls, we should allow people to use their discretionary power for preventing corruption.” I certainly agree with some of this, but not all.

To begin, the basic point that that more is not always better when it comes to compliance is, from my experience, clearly right.  (See this post on the need for “Goldilocks compliance.”)  Indeed, part  of the advice I generally give clients is that they should continuously be reviewing their compliance program measures – anti-corruption and other – to make sure they aren’t engaging in overkill, which can be both inefficient and ultimately unsustainable.

But I am less certain about the behavioral science premise underlying Lambsdorff’s overall conclusion.   According to his paper, laboratory experiments have shown that assuming a distrustful attitude toward individuals (which controls inherently do) causes those individuals to act in a less compliant/ethical manner. I have not read the research that he cites, but question whether anything done in a laboratory can sufficiently replicate the effect of the real-world conditions – particularly the pressures and risks, both of which can be extreme – that business people face when it comes to dealing with corruption.

Indeed, in my – concededly anecdotal – experience, many business people welcome controls, as controls can help minimize the prospect of going to prison for making a wrong decision or having one’s employer economically ruined based on a colleague’s malfeasance. (This is particularly true with risk areas involving complex, often non-obvious rules – such as corruption, and also competition law and export controls.) Viewed in this light, having anti-corruption controls is no more disrespectful than is going to a doctor for an annual checkup.

Moreover, one can argue that behavioral science supports the need for strong compliance controls, as it teaches us we are not as ethical as we think. (I.e., it shows that our “inner controls” may not be all that we believe them to be. )    A compliance program grounded in behavioral science should help employees appreciate this.

Finally, there is this important view, from long-time compliance practitioner and scholar (and, by way of disclosure, my co-author on a compliance treatise) Joe Murphy  in the comments section to Lambsdorff’s post: “One of the points missed in some of the behavioral work is that these principles apply to averages. So certain techniques have ‘tendencies’ to reach certain results. ‘Most’ people will act a certain way. XX% will not steal if there are pictures of eyes looking at them. Trust and feeling good are really nice things to have. But relying on this alone misses the point that companies are responsible for all the acts of all their people all the time. Any companies with large numbers of employees need also to recognize that there will be sociopaths and psychopaths among those large numbers – bad actors, no matter what the culture may be. … As one of my friends has observed, ‘trust is not a control.’ …. The behaviorists’ insights are useful, but I still side with Lord Acton, who observed that power tends to corrupt and absolute power corrupts absolutely. I believe this is no less true in business than it has been in politics. Those with power in corporations need to be subject to checks and balances, in addition to any behavioral steps we may try.”

Or, as the old Russian proverb goes, Trust, but verify.

(For further reading on limits of behavioral ethics and compliance see this post and this one.)

Pitfalls in rewarding compliance performance

An interesting piece of early compliance program history concerned a monitorship where, according to the monitor’s reports, the defendant company sometimes responded harshly to even minor cases of wrongdoing.  The unintended consequence of this, the monitor found, was that some employees were hesitant to report wrongdoing for fear of causing their colleagues to be unfairly treated.

“Carrots,” as well as “sticks,” can also have an unintended consequence of discouraging reports of suspected violations. In a draft guidance document  issued in November for comment, Protecting Whistleblowers: Recommended Practices for Employers for Preventing and Addressing Retaliation, the Occupational Safety and Health Administration  advises companies to “[e]liminat[e] all formal and informal workplace incentives that encourage or allow retaliation or discourage reporting. Examples of problematic incentives include rewarding employee work units with prizes for low injury rates or linking supervisory bonuses to lower reported injury rates.”

Given the great interest these days in both incentives and metrics, it is inevitable that many companies will seek to find ways to quantify C&E performance of various kinds and give rewards based on the numeric results. By and large, this is a positive development, as it is harnesses in support of C&E the force of two powerful truths: what’s measured is what counts and incentives work.   But OSHA’s experience also suggests a need to keep an eye out for unintended, undesirable consequences as companies explore different approaches of this kind.

The Yates Memo – and what you can do about it

A policy statement issued last September by Deputy Attorney General  Sally Quillian Yates is seen by some as heralding a new era of  individual accountability in corporate investigations, although there are plenty of skeptics too about the prospect for genuine change in this regard.  (My own position can be described as cynical but forever optimistic.)

But even the most hardened cynic  would agree that there is some chance that things will now be different when it comes to individual accountability for corporate wrongdoing, and so it is fair to ask: Does your company have a policy on this policy?

In my latest column in Compliance & Ethics Professional I offer two suggestions on how C&E officers can respond to this potentially significant development.


What’s new in managing conflicts of interest

Most organizational or other types of ethical standards (e.g., professional ones) do not have a zero tolerance approach to COIs.  That is as it should be: many COIs can be managed without too much difficulty – and the benefits of a zero tolerance regime in these instances would likely be outweighed by the costs.  But sometimes managing a conflict of interest does pose considerable challenges, as illustrated by two recent stories from very different contexts.

First, as reported in the Wall Street Journal this past week: “At Hillary Clinton’s confirmation hearing for secretary of state, she promised she would take ‘extraordinary steps…to avoid even the appearance of a conflict of interest.’ Later, more than two dozen companies and groups and one foreign government paid former President Bill Clinton a total of more than $8 million to give speeches around the time they also had matters before Mrs. Clinton’s State Department, … Fifteen of them also donated a total of between $5 million and $15 million to the Bill, Hillary and Chelsea Clinton Foundation, the family’s charity, according to foundation disclosures. In several instances, State Department actions benefited those that paid Mr. Clinton…”

The Journal does caution that it is aware of no evidence of a quid pro quo involving the speech fees or donations. But still, and as described more fully in the piece, the appearance of COIs seems strong.

The story further describes how “[t]he Clintons struck an agreement with the Obama administration to allow State Department ethics officers to check for conflicts between speech sponsors and Mrs. Clinton’s government work….” Such reviews were conducted by career civil servants at State – not political appointees, and did result in a few speech requests being rejected, including potential appearances sponsored by North Korea, China and the Republic of Congo.

But while better than nothing, this hardly seems enough, as it is unrealistic to ask an employee of any organization to make a decision that could cost the head of the organization vast sums of money (through her marriage). While they may rise to the occasion when presented with truly egregious cases (e.g., taking money from the North Korean government),  preventing actual or apparent COIs requires a more effective compliance regime than this.  At least in the private sector, a COI-related decision about a CEO and her spouse would almost certainly involve the board of directors – as they are not subordinate to the CEO the way that an ethics officer is. Perhaps there is a lesson that the public sector can learn from the private one.

On the other hand, while clout is necessary for monitoring COIs effectively, it is generally not sufficient – and boards of directors don’t always do a good job in this area either.  A recent case from Delaware Supreme Court –  In re Rural/Metro Corp. Stockholders Litigation, as summarized in this post by an attorney from Orrick, Herrington & Sutcliffe on the Harvard Law School Forum on Corporate Governance and Financial Regulation  – underscores this.

The case involved conflicts of interest on the part of a financial advisor to a company (and not a CEO), the  specifics of which are less important (at least to me) than is the following italicized (by me) portion of that summary:  “While a board will not be liable any time it fails to discover conflicts of interest on the part of its financial advisors, the Court’s decision reaffirms that a board has an affirmative duty to take sufficient steps to uncover any conflicts of its advisors, including by requesting ongoing disclosure of material information that might impact the board’s decision-making process.” This is a technical compliance point, but an important one.

Indeed, requiring ongoing disclosure of COI-related information should be seen as a necessary component of any monitoring regime (not just those involving financial advisors).  But I would bet that many organizations – public and private – fall short in this regard. The holding should prompt C&E personnel to review monitoring related provisions of COI policies/procedures to see if the ongoing disclosure piece is adequate.

These are two very different stories – and two different lessons, one having to do with the “will” of COI mitigation and the other the “way.”  But together they help remind those involved in any aspect of monitoring COIs of the need to develop approaches that are truly up to the often difficult task at hand.

(For further reading on COI  disclosure and management see the posts collected here.)

A code of conduct for Caesar’s wife

“Follow the money” is as good a rule as any for an assessment of compliance risk, and this is surely true for conflicts of interest.   In many companies that trail leads to procurement – and often to the understanding that those involved in buying goods and services for a company on a day-to-day basis must be above any suspicion.

Increasingly (at least from what I can see) procurement activity is being centralized in enterprise-wide procurement functions.  Much of the impetus for this has nothing to do with conflicts of interest – but, rather, arises from a need to bring more professionalism to procurement and to get the benefit of buying in large quantities, among other things. However, centralization is also a plus from a COI prevention perspective, as it is easier to monitor and otherwise mitigate COI risks in a small group than in the much larger general employee population.

Such C&E measures sometimes include having a specific (and typically very short) code of conduct for the procurement department (in addition to the general code). Among the types of COI issues that could be covered are those relating to gifts, entertainment, travel and donations – meaning these codes can have more restrictive rules about such activities  for procurement staff than for the rest of the employee population. Other types of COIs are typically addressed in these codes as well (e.g., having an ownership interest in or receiving other income from a supplier).

Of course, procurement codes should cover issues beyond  those in the COI area. Confidential information (meaning that of suppliers) is one such topic.  Another is antitrust, with a focus on the oft-neglected buy side.

Reviewing such a code should be part of the on-boarding process for new procurement employees.  As well, periodic training on its key provisions should be provided.  And, one should consider certifications by procurement employees too.

I should emphasize that not every company needs a code like this. However, in my view there are many companies that don’t but should consider developing one.

Finally, there is more to a “Caesar’s wife” approach to compliance for procurement than a code, training and certification. Companies should also be alert to “point-of-risk” compliance opportunities (a concept explored in a recent post). For instance, when a procurement department member  leaves a company to go work for a supplier and has knowledge of pricing and other sensitive information of other suppliers (meaning her new employer’s competitors) the exiting process should include  a reminder of the continuing obligation to keep information of this sort confidential.  And, somewhat more drastically, for higher risk business lines or geographies, rotating procurement assignments may be what it takes to be truly above suspicion.


Conflict of interest TV?

Not exactly.

But here is an audio recording with a video of PPTs of my presentation on Conflicts of Interest: Business, Law, Compliance and Social Science at the October SCCE Compliance and Ethics Institute.

I hope you find it interesting.

“Point-of-risk” compliance

Marketers have long known that “point-of-sale” display of products can be a powerful advertising tool.  But can its logic be put to work for promoting compliance and ethics?

I was recently asked by a client to fill out a vendor information form and noticed that in addition to seeking information from vendors the form required the employee proposing the hiring to certify that any conflict of interest involving the vendor had been disclosed and okayed by management and the C&E officer.  While I know that many companies have some form of COI certifications (see prior posts collected here), I can’t recall having seen one on a vendor information form of this sort before – even though the common sense of such a “point-of-risk” compliance approach seems pretty obvious.  Indeed, it is hard to think of any reason why a company wouldn’t do this.

Moreover, such an approach  is supported by behavioral science, as described in this earlier post.  And, as also noted in that post, beyond the COI risk area there is no shortage of  other “point-of-risk” compliance opportunities for many companies: “anti-corruption – before interactions with government officials and third-party intermediaries;  competition law – before meetings with competitors  (e.g., at trade association events);  insider trading/Reg FD – during key transactions, before preparing earnings reports;  protection of confidential information – when receiving such information from third parties pursuant to an NDA;  …  accuracy of sales/marketing – in connection with developing advertising, making pitches; and employment law – while conducting performance reviews…” (Note: in the earlier post I refer to this approach as “just-in-time” compliance, but on reflection think that “point of risk” is closer to the mark.)  Doubtless there are many others too.

I should stress that this suggestion does not imply an increase in the total amount of C&E education, which for some companies would be a non-starter.  Rather, a robust “point-of-risk” strategy might allow a company to decrease its use of less impactful communications, meaning principally those that  lack immediacy and context.

Thinking more broadly, a “point of risk” C&E communication strategies might work for teaching ethics in business schools and colleges. Writing last week in the Huffington Post,  William Steiger of the University of Central Florida’s College of Business Administration  argued that: “Business schools should use examples of ethical practices and decision-making throughout the curriculum, not just in the ethics class.” I agree (and indeed when I was teaching business ethics years ago made a similar proposal; I hope Steiger has more success with this than  I did).

Whether it is in the workplace or classroom, there is a growing need to  find ways to better communicate and otherwise support ethical expectations.  For many businesses and schools, a point-of-risk approach may be a good place to start.

Ethical “have-nots”

The central notion of behavioral ethics is that We are not as ethical as we think and the central notion of compliance/ethics programs is that they can help fill the gap – at least for business organizations – left by our imperfect human nature.  But do C&E programs actually work? The Institute for Business Ethics’ recently published 2015 Ethics at Work survey of employees in the UK and Western Europe – available for free download here (and another aspect of which was discussed last week on this blog) – has some important data on this always compelling issue.

Among other things, the study asked whether the respondents’ respective employers had various elements of a C&E program – or at least what might be considered the more ethics, rather than compliance, aspects of such – and then correlated those responses with answers to questions about the employers’ ethical behavior. The findings were striking.

For instance, of those respondents (from Continental Europe) whose companies had all the elements of a program, 74% said that their line manager supports them in following the company’s ethical standards but for those with none of these elements the number was a mere 27%. The results were nearly identical for a question about whether those who violate their companies’ ethical standards are disciplined.

While not as grim as Thomas Hobbes’s famous description of unchecked human nature causing life to be “nasty, brutish and short,” this picture of the ethical “have nots” is nonetheless quite dreary.  For someone considering investing in, seeking employment at or doing business with such an ethical laggard it could repellent  enough to influence a decision unfavorable to a company. And in light these stakes, is there any defense for corporate directors and senior managers who choose not to have C&E programs for their companies?