Conflict of Interest Blog

Assessing compliance training

The latest post in the Compliance Program Assessment Blog.

Rebecca Walker and I hope you find it useful.

Frequently asked questions about conflicts of interest

An earlier post explored the various contexts – such as board meetings, hiring interviews, employee engagement surveys, training, compliance audits and exit interviews – where asking the right question can help promote C&E at a business organization. To this list should be added frequently asked questions documents (“FAQs”).

FAQs are used with some frequency to supplement codes of conduct and policy statements. They can provide a greater level of information than is feasible in a traditional policy statement – because they are generally easier to read than the latter.

FAQs can be particularly useful in promoting COI-related compliance measures. That is because the issues raised in the COI realm tend to be more personal than are other types of C&E issues and so employees might welcome a chance to have their questions answered in this way rather than through actual contact with someone in their organization – at least as an initial matter.

Those seeking a model for drafting a COI FAQ should take a look at what Walmart has done in this area – which can be found here. It is a very comprehensive document, covering in some detail what are presumably all the major COI risk areas for the company (financial interests, gifts and entertainment, outside employment, personal relationships with other associates, personal relationships with suppliers, protecting personal and business information and information sharing). For each, the document recites the relevant company policy and follows that with one or more questions and answers. (E.g., the Outside Employment section asks and answers questions about working for a competitor, operating a side business and working for a supplier.)

The Walmart FAQ document also does a good job in explaining the reasons for the company’s position on the issues raised in the questions. For instance:

I supervise an associate who does odd jobs on the side. I would like to hire the associate to do some work at my home. Is this okay?

As a manager with direct reports, it’s important to remain objective regarding your associate’s work. This situation requires a manager to think through all of the potential issues and use good judgment. This particular situation could potentially create a real or perceived conflict of interest since the work done for you at home may appear to influence how you view your direct report at work. If you hire someone you supervise to do work on your home, the boundaries between work and personal life may become blurry and difficult to manage. For instance, if you are not pleased with the outcome of the work, it could impact your perception of the associate. It may also appear to others that you are more lenient on that associate’s performance at work since the associate is doing work for you at your home. Finally, the associate may not want to do personal work for their manager for these same reasons, but may feel obligated to do so.

Of course, not every C&E program needs an FAQ – for COIs or any other risk areas. Those that do tend to be large and have relatively complex compliance profiles. And in considering whether to go this route companies should consider the total mix of relevant information about the risk area in question (i.e., not just what is in the code and policy document, but also the treatment of the risk area in training and other communications). As with any part of a C&E program, one has to be mindful of the dangers here of doing too much as well as too little.

The spirit of liberty and the spirit of ethics

In the latest issue of National Defense magazine.

Have a happy Fourth!

A new blog for compliance professionals

My law partner Rebecca Walker and I recently launched the Compliance Program Assessment Blog – a first-of-its-kind resource devoted entirely to the why and how of conducting C&E program assessments.

We hope you find it useful.

Thanks.

Building an ethical culture: where to begin

Increasingly, official and other important expectations regarding compliance & ethics (“C&E”) programs have a culture-related component. But where should C&E professionals start in addressing this important but challenging area?

One very useful resource is Regulating For Ethical Culture, recently published in Behavioral Science & Policy, by Linda K. Treviño of the Smeal College of Business, the Pennsylvania State University; Jonathan Haidt of NYU’s Stern School of Business; and Azish E. Filabi of Ethical Systems. (Note that Treviño and Haidt are also members of Ethical Systems, as am I.)

In this article the authors:

Describe the origins in the Federal Sentencing Guidelines for Organizations of the government’s ethical culture expectations, and also recent regulatory interest in culture, particularly in the banking industry.

Provide an overview of what is meant by culture in the setting of a business organization – which includes both formal systems (codes, training) and informal ones (“role models [managers at all levels], norms of daily behavior, rituals that help members understand the organization’s identity and what it values, myths and stories people tell about the organization, and the language people use in daily behavior”). The authors further note: “Senior leaders are critical to establishing an ethical culture—they provide resources for effective programs, send values-based messages, and serve as role models for ethical behavior and the use of ethical language. They have the potential to influence every other system within the organization. Critically, leaders also need to attend to the alignment of the organization’s cultural systems. When all of the constituent systems support ethical behavior, the company will have an ethical culture, although it needs constant attention to keep it that way. When the culture is in a state of misalignment—when cultural systems send mixed messages—the company is less likely to have an ethical culture.”

Offer guidance for assessing ethical culture in business organizations. Among other things they state that “anonymous surveys and focus groups (often in combination) have been the assessment methods of choice.” (Note: based on my experience with compliance assessments, I’m less sanguine about getting candid comments by employees in focus groups than by using anonymous surveys.) They also – based on research done by Treviño and colleagues – identify outcomes that C&E programs should seek to achieve – with one or more sample survey items for each. (The program outcomes are: “Reduced observations of unethical and illegal behaviors”; “Increased employee awareness of ethical and legal issues that arise at work”; “Creation of conditions that increase employee willingness to seek ethical and legal advice within the company”; “Increased employee willingness to report bad news to management”; “Increased employee willingness to report ethical violations to management, such as via ethics hotlines (often anonymous) and other reporting channels”; “Increased employee perception that the program is contributing to better (and more ethical) decision making in the organization”; and “Increased employee commitment to the organization.”) (Note that this last outcome could “cut both ways” and one might add others to this list, but overall both the outcomes and related survey questions are, in my view, fit for purpose.)

Discuss five aspects of ethical culture that can have a profound effect on employee behavior: the orientation of the C&E program (e.g., values based, compliance based), ethical leadership, ethical climate, fairness and trust.

Finally, the authors encourage companies to assess culture regularly; to “[i]dentify, through data and investigations, how the organizational culture contributes to misconduct”; and to “[d]esign interventions to improve conduct and culture.”

There’s much more in this article that will be helpful not only to those just getting started in seeking to develop ethical cultures in their respective organizations but also to those seeking to maintain such cultures over the long haul.

Nonmonetary conflicts of interest

In “Using behavioral ethics to curb corruption” – recently published in Behavioral Science & Policy – Yuval Feldman of Bar-Ilan University notes that “Classic studies on the corrupting power of money focus on politicians influenced by campaign donations and on physicians whose health care decisions are affected by the receipt of drug industry money and perks. In contrast, more recent studies have analyzed situations where a government regulator has no financial ties to a private entity being regulated but does have social ties to the organization or its members, such as sharing a group identity, a professional background, a social class, or an ideological perspective. In that situation, regulators were likely to treat those being regulated more leniently. Thus, even relatively benign seeming tendencies that regulations tend to ignore—such as giving preference to people having a shared social identity—could be as corrupting as the financial ties that are so heavily regulated in most legal regimes.”

Feldman cites two studies that support this view: “In 2014… investigators in the Netherlands showed that regulators in the financial sector who had previously worked in that sector were less inclined to enforce regulations against employees who shared their background. Similarly, in a 2013 look at the regulation of the U.S. financial industry before the 2008 crisis, James Kwak noted that the weak regulation at the time was not strictly a case of regulatory capture, in which regulatory agencies serve the industry they were meant to police without concern for the public good. Some regulators, he argued, intended to protect the public, but cultural similarities with those being regulated, such as having graduated from the same schools, prevented regulators from doing their job effectively. In such instances, people often convince themselves that their responses to nonmonetary influences are legitimate, mistakenly thinking that because such influences usually go unregulated, they are unlikely to be ethically problematic.”

I agree that the danger posed by nonmonetary COIs tends to be underappreciated and have tried to make this point in prior posts. Included are: glory as a conflict of interest, and friendship and COIs (discussed in the second case in this post).

But perhaps the most interesting case of a nonmonetary COI to appear in this blog concerned an issue of “director independence in an internal investigation [that] arose several years ago in a case brought by the shareholders of Oracle [against the company’s board]. There, the Delaware Court of Chancery ruled that a board special litigation committee consisting of two Stanford professors could not be considered independent in an internal investigation concerning alleged insider trading by fellow board members, because the target directors had close ties to that university: ‘It is no easy task to decide whether to accuse a fellow director of insider trading,’ the court wrote, and for the company to have compounded ‘that difficulty by requiring [special litigation committee] members to consider accusing a fellow professor and two large benefactors of their university’ of a criminal act was ‘inconsistent with the concept of independence recognized by our law.’”

Feldman closes his discussion of this issue with a call for “[a]dditional controlled research … on the ways that nonmonetary influences cause corruption and on how they can lead people to engage unwittingly in wrongdoing.” I agree, but also think that, using the research that is already available, compliance and ethics officers can build internal education about nonmonetary COIs into policies, training and other C&E communications and investigation/discipline protocols.

A valuable behavioral ethics and compliance resource

The Institute of Business Ethics recently published Using Behavioural Ethics to improve your Ethics Programme, a Business Ethics Briefing. For those interested in “behavioral ethics and compliance” – a frequently addressed topic in this blog – the briefing is a must read.

Among the suggestions made in this piece is: “Ethics needs to become part of [an organization’s] reward, recognition and promotion system.” While, to some extent, one could reach this conclusion using a classical economics framework, the IBE briefing approaches it from an “availability bias” perspective. Specifically, they write: “the availability bias refers to the human tendency to judge an event by the ease with which examples of the event can be retrieved from your memory. The availability bias leads people to overestimate the likelihood of something happening because a similar event has either happened recently or because they feel emotional about a previous similar event. This has a significant impact on the ability of organisations to promote ethics. If employees can recall a case where a person has been promoted or rewarded for the commercial results they achieved even when it is widely known that how they achieved them was ethically questionable, they will think that this is the norm in the organisation – even if it was just a one off event. On the other hand, publicly recognising and rewarding people that distinguish themselves for living up to the organisation’s ethical values or communicating positive stories internally can be a quick and effective way to send employees the message that ethics is important in the organisation.”

Another suggestion from IBE – and, in my view, a best practice – arises out of the famous “Good Samaritan” behavioral experiment, which demonstrated that time pressure could be a powerful cause of unethical behavior. The Briefing describes how GlaxoSmithKline “used this research as a basis for developing their own scenario [in their ethics training] that addresses the topic of work-home balance and time pressure. This has enabled employees to discuss the issue openly and increased awareness of the role that time pressure can have on our decision making abilities.”

A third suggestion concerns the “framing effect,” which shows that “[c]hoices can be worded in a way that highlights the positive or negative aspects of the same decision, leading to changes in their relative attractiveness.” Specifically, the briefing describes how “[t]he global management, engineering and development consultancy Mott MacDonald recognised this when they changed the name of their reporting line from ‘whistleblowing facility’ to adopt a more positive name – Speak Up Line. As a result, they noticed a significant increase in the number of concerns raised.”

Finally, with respect to the core behavioral area of “nudging,” IBE “suggests that an approach that focuses on ethics – communicating the ethical values, explaining how and why an organisation does its business, encouraging individual judgement based on ethical values – is at least as important as having clear rules of conduct that employees must follow and the related sanctions.” Note that I want to believe this is so and to some extent do, but I also have some doubts – or at least questions – about it, as discussed in this earlier post.

The briefing has various other helpful suggestions, but as a nudge to get you to read the original I’ll stop here.

The latest on compliance programs from the Department of Justice

For at least three decades the U.S. Department of Justice has been encouraging – including, in some cases, incenting – companies to develop and implement effective compliance programs, most recently in Deputy Attorney General Rod Rosenstein’s speech Monday at the annual Compliance Week conference in Washington DC. Every C&E professional should read his remarks – which can be found here. Note that the Deputy AG broke no new ground with the speech. But – as the latest word on the subject from DOJ – it can be useful to draw from in preparing compliance training, particularly for the Board and senior management, in explaining the benefits of having a strong program generally and of assessing risks and program efficacy in particular, and in other matters.

Some of the highlights are:

– When companies come under investigation, we ask two principal questions about the company’s compliance function: First, what was the state of the compliance program at the time of the improper conduct? Second, what is the current state of the compliance function, after remediation to address any lessons learned? The first question focuses on whether there was an adequate compliance function. The 2008 revisions to the Principles of Federal Prosecution of Business Organizations are known as the “Filip Factors” – after a former Deputy Attorney General. The Department directed prosecutors to determine “whether a corporation’s compliance program is merely a ‘paper program’ or whether it was designed, implemented, reviewed, and revised, as appropriate, in an effective manner.”

(My note: while not new, it is good to see the inclusion here of the efficacy of a program at the time of the misconduct in question, because sometimes only post-wrongdoing-based compliance is listed by the DOJ as worth their consideration.)

– At the same time, we recognize that even the best compliance program may not stop individual bad actors. Corporate compliance programs are sometimes compared to preventative medicine. It’s a good analogy. Getting an annual physical doesn’t mean you won’t get sick. But those screenings – just like a robust compliance program – help to ensure that issues will be detected and addressed at an early stage.

(The preventive medicine comparison – while also not new – is potentially helpful because it underscores that compliance is, and is seen by DOJ as, a true no-brainer.)

– Compliance is not a one-size-fits-all proposition… Even blue-chip, multinational corporations with strong preexisting programs must continuously evaluate their risk profiles and adapt to new circumstances.

(This should, of course, be helpful to E&C officers in persuading their companies to undertake risk and program assessments.)

– Our Department does not use a rigid formula to assess the effectiveness of corporate compliance. Each company’s risk profile and solutions to reduce its risks warrant consideration. We make an individualized determination in each case.

(This should also be helpful in moving ahead on risk and program assessments.)

So, all told, good stuff – but only if members of the E&C community put it to use.

 

Does your conflict of interest risk assessment do this?

My latest column in Compliance & Ethics Professional, available on page 2 of attached PDF.

I hope you find it useful.

Directors and compliance programs: a look at the law

Many years ago, I was previewing for a general counsel a presentation on compliance programs that I was planning to make to his company’s board of directors, and I mentioned the real prospect of individual liability under the Delaware Chancery Court’s 1996 opinion in the Caremark case. (Caremark – for readers who aren’t US lawyers or compliance professionals – is probably the nation’s most often cited compliance program case in modern times.) The GC stopped me to note that the potential for such liability was actually remote under Caremark. He was right and I have tried to avoid making the same mistake again.

In an article to be published in the Temple Law Review – and summarized on the Harvard Law School Corporate Governance Forum – Professor Donald C. Langevoort of the Georgetown University Law Center takes a look at the role that Caremark has played over the last 20 years in encouraging directors to promote compliance at their respective companies. It is a thoughtful and informative piece that is strongly recommended for those who advise boards on C&E matters. Among other things, it can help such advisors avoid making the mistake that I nearly did, and instead focus on the legal expectations that matter most to boards.

He starts with a page of history: There is a lively academic debate over whether Caremark’s causal impact on the unmistakable growth curve of compliance has been overstated. After all, the holding in the decision (approving a de minimis settlement) was that the standard for holding directors of Delaware corporations liable for monetary damages under a test requiring “sustained and systematic indifference” to compliance oversight would be exceedingly hard to prove. Plus federal law had already been trending strongly in the direction of a robust corporate compliance obligation in many disparate fields of regulation (e.g., antitrust, financial services, healthcare, defense contracting) and—as Caremark duly noted—the Organizational Sentencing Guidelines had made the presence and quality of compliance (including board oversight) a substantial factor in the size and severity of any federal penalty for criminal wrongdoing. Within a few years would come even bigger waves of pressure from Washington, via the emergence of deferred prosecution agreements, corporate charging decisions, and—for public companies—the mandates of the Sarbanes-Oxley Act, which required new board structures, internal control processes and whistleblower protections to address the risk of financial misreporting, which arises in the face of any material corporate wrongdoing. …But we need not obsess on history. Caremark is at the very least a label attached to what all now agree is a necessary and proper subject of attention for every board of directors: corporate compliance as a function within the broader task of enterprise risk management.

Langevoort next looks at the case law under Caremark regarding directors who were allegedly confronted with “red flags” of wrongdoing within their respective companies. He notes that that law creates an arguably perverse incentive for management to not escalate such information to the board, at least where (as is often the case) there is some ambiguity as to its meaning. Nonetheless, he writes: Today, however, I doubt that well-advised boards take this position (though some probably wish they could). The reason, once again, stems mainly from pressures from regulators and enforcers at the federal level, who have come to believe in the value of a stronger board-level presence in compliance. The Organizational Sentencing Guidelines, COSO principles and numerous regulatory pronouncements seek not only board approval of written policies and procedures and key compliance personnel decisions, but a much more interactive involvement that includes reporting lines running from the chief compliance officer (and perhaps chief legal officer) directly to the board, unfiltered by senior executives.

Finally, he asks whether Caremark was incomplete with respect to its understanding of the causes of and means to prevent wrongdoing by companies: We are increasingly coming to see how and why ethical and legal lapses occur. Corporate cultures are belief systems—transmitting to loyal, committed managers and employees a sense of what is valued, and what is denigrated. They help coordinate the activities of numerous stakeholders, an essential task in making the complex corporate system function. When corporations are under immense (often shareholder-driven) competitive pressure to succeed, belief systems can become facilitators for what it takes to survive and thrive, the grease in the corporate machinery. When circumstances create temptations to behave illegally, those beliefs can provide rationalizations that explain why what is profitable is also morally acceptable, via what psychologists call motivated inference. Once these kinds of rationalizations take hold, wrongdoing starts to happen, in small steps, then bigger ones…Caremark gives no hint of any of this, though that is not a criticism. At the time, culture and norms were not central to thinking about governance or compliance.

The past twenty years have seen a significant transformation regarding these matters which – Caremark aside – creates new and heightened expectations when it comes to the sort of regulatory pronouncements Langevoort features in his article.

Of course, corporate directors often need help when it comes to understanding and addressing their respective organizations’ culture and norms. Here are some initial thoughts of mine on the topic of culture assessments, but there is obviously a lot more that can be and has been said about it (including by Professor Langevoort). And I look forward to the next twenty years – when we will see if the law regarding directors and compliance lives up to the potential suggested by our emerging knowledge about corporate culture and wrongdoing.

Finally, yesterday I spoke with a reader of the blog who asked how much the point of the piece – that directors’ most significant C&E expectations come not from Caremark but from regulatory pronouncements – really mattered. I think it does matter, because if directors believe that the C&E officers who report to the board are wrong about the law they may be less inclined to trust them on other matters, which could be bad for all involved.