Conflict of Interest Blog

The latest on compliance programs from the Department of Justice

For at least three decades the U.S. Department of Justice has been encouraging – including, in some cases, incenting – companies to develop and implement effective compliance programs, most recently in Deputy Attorney General Rod Rosenstein’s speech Monday at the annual Compliance Week conference in Washington DC. Every C&E professional should read his remarks – which can be found here. Note that the Deputy AG broke no new ground with the speech. But – as the latest word on the subject from DOJ – it can be useful to draw from in preparing compliance training, particularly for the Board and senior management, in explaining the benefits of having a strong program generally and of assessing risks and program efficacy in particular, and in other matters.

Some of the highlights are:

– When companies come under investigation, we ask two principal questions about the company’s compliance function: First, what was the state of the compliance program at the time of the improper conduct? Second, what is the current state of the compliance function, after remediation to address any lessons learned? The first question focuses on whether there was an adequate compliance function. The 2008 revisions to the Principles of Federal Prosecution of Business Organizations are known as the “Filip Factors” – after a former Deputy Attorney General. The Department directed prosecutors to determine “whether a corporation’s compliance program is merely a ‘paper program’ or whether it was designed, implemented, reviewed, and revised, as appropriate, in an effective manner.”

(My note: while not new, it is good to see the inclusion here of the efficacy of a program at the time of the misconduct in question, because sometimes only post-wrongdoing-based compliance is listed by the DOJ as worth their consideration.)

– At the same time, we recognize that even the best compliance program may not stop individual bad actors. Corporate compliance programs are sometimes compared to preventative medicine. It’s a good analogy. Getting an annual physical doesn’t mean you won’t get sick. But those screenings – just like a robust compliance program – help to ensure that issues will be detected and addressed at an early stage.

(The preventive medicine comparison – while also not new – is potentially helpful because it underscores that compliance is, and is seen by DOJ as, a true no-brainer.)

– Compliance is not a one-size-fits-all proposition… Even blue-chip, multinational corporations with strong preexisting programs must continuously evaluate their risk profiles and adapt to new circumstances.

(This should, of course, be helpful to E&C officers in persuading their companies to undertake risk and program assessments.)

– Our Department does not use a rigid formula to assess the effectiveness of corporate compliance. Each company’s risk profile and solutions to reduce its risks warrant consideration. We make an individualized determination in each case.

(This should also be helpful in moving ahead on risk and program assessments.)

So, all told, good stuff – but only if members of the E&C community put it to use.

 

Does your conflict of interest risk assessment do this?

My latest column in Compliance & Ethics Professional, available on page 2 of attached PDF.

I hope you find it useful.

Directors and compliance programs: a look at the law

Many years ago, I was previewing for a general counsel a presentation on compliance programs that I was planning to make to his company’s board of directors, and I mentioned the real prospect of individual liability under the Delaware Chancery Court’s 1996 opinion in the Caremark case. (Caremark – for readers who aren’t US lawyers or compliance professionals – is probably the nation’s most often cited compliance program case in modern times.) The GC stopped me to note that the potential for such liability was actually remote under Caremark. He was right and I have tried to avoid making the same mistake again.

In an article to be published in the Temple Law Review – and summarized on the Harvard Law School Corporate Governance Forum – Professor Donald C. Langevoort of the Georgetown University Law Center takes a look at the role that Caremark has played over the last 20 years in encouraging directors to promote compliance at their respective companies. It is a thoughtful and informative piece that is strongly recommended for those who advise boards on C&E matters. Among other things, it can help such advisors avoid making the mistake that I nearly did, and instead focus on the legal expectations that matter most to boards.

He starts with a page of history: There is a lively academic debate over whether Caremark’s causal impact on the unmistakable growth curve of compliance has been overstated. After all, the holding in the decision (approving a de minimis settlement) was that the standard for holding directors of Delaware corporations liable for monetary damages under a test requiring “sustained and systematic indifference” to compliance oversight would be exceedingly hard to prove. Plus federal law had already been trending strongly in the direction of a robust corporate compliance obligation in many disparate fields of regulation (e.g., antitrust, financial services, healthcare, defense contracting) and—as Caremark duly noted—the Organizational Sentencing Guidelines had made the presence and quality of compliance (including board oversight) a substantial factor in the size and severity of any federal penalty for criminal wrongdoing. Within a few years would come even bigger waves of pressure from Washington, via the emergence of deferred prosecution agreements, corporate charging decisions, and—for public companies—the mandates of the Sarbanes-Oxley Act, which required new board structures, internal control processes and whistleblower protections to address the risk of financial misreporting, which arises in the face of any material corporate wrongdoing. …But we need not obsess on history. Caremark is at the very least a label attached to what all now agree is a necessary and proper subject of attention for every board of directors: corporate compliance as a function within the broader task of enterprise risk management.

Langevoort next looks at the case law under Caremark regarding directors who were allegedly confronted with “red flags” of wrongdoing within their respective companies. He notes that that law creates an arguably perverse incentive for management to not escalate such information to the board, at least where (as is often the case) there is some ambiguity as to its meaning. Nonetheless, he writes: Today, however, I doubt that well-advised boards take this position (though some probably wish they could). The reason, once again, stems mainly from pressures from regulators and enforcers at the federal level, who have come to believe in the value of a stronger board-level presence in compliance. The Organizational Sentencing Guidelines, COSO principles and numerous regulatory pronouncements seek not only board approval of written policies and procedures and key compliance personnel decisions, but a much more interactive involvement that includes reporting lines running from the chief compliance officer (and perhaps chief legal officer) directly to the board, unfiltered by senior executives.

Finally, he asks whether Caremark was incomplete with respect to its understanding of the causes of and means to prevent wrongdoing by companies: We are increasingly coming to see how and why ethical and legal lapses occur. Corporate cultures are belief systems—transmitting to loyal, committed managers and employees a sense of what is valued, and what is denigrated. They help coordinate the activities of numerous stakeholders, an essential task in making the complex corporate system function. When corporations are under immense (often shareholder-driven) competitive pressure to succeed, belief systems can become facilitators for what it takes to survive and thrive, the grease in the corporate machinery. When circumstances create temptations to behave illegally, those beliefs can provide rationalizations that explain why what is profitable is also morally acceptable, via what psychologists call motivated inference. Once these kinds of rationalizations take hold, wrongdoing starts to happen, in small steps, then bigger ones…Caremark gives no hint of any of this, though that is not a criticism. At the time, culture and norms were not central to thinking about governance or compliance.

The past twenty years have seen a significant transformation regarding these matters which – Caremark aside – creates new and heightened expectations when it comes to the sort of regulatory pronouncements Langevoort features in his article.

Of course, corporate directors often need help when it comes to understanding and addressing their respective organizations’ culture and norms. Here are some initial thoughts of mine on the topic of culture assessments, but there is obviously a lot more that can be and has been said about it (including by Professor Langevoort). And, I look forward to the next twenty years – when we will see if the law regarding directors and compliance lives up to the potential suggested by our emerging knowledge about corporate culture and wrongdoing.

Finally, yesterday I spoke with a reader of the blog who asked how much the point of the piece – that directors’ most significant C&E expectations come not from Caremark but from regulatory pronouncements – really mattered. I think it does matter, because if directors believe that the C&E officers who report to the board are wrong about the law they may be less inclined to trust them on other matters, which could be bad for all involved.

Should compliance officers be optimists?

First, a short but intriguing piece from the back pages (in 2007) of the ABA Journal:

Lawyers are often the exception to the rule. It’s no different, researchers are finding, in studies of optimists. A study by Duke University researchers found that, on the whole, optimistic people do better in life, the Wall Street Journal reports (sub. req.). They work more hours, save more money, pay credit card bills more promptly, are less likely to smoke, and are more likely to remarry after divorce. (Those who were overly optimistic, however, didn’t make such good judgments.) Martin Seligman of the University of Pennsylvania, who studies positive psychology, says most optimists do better in life than merited by their talents alone. But with lawyers, the opposite is true. Seligman’s survey of law students at the University of Virginia found that pessimists got better grades, were more likely to make law review and got better job offers. “In law,” he told the newspaper, “pessimism is considered prudence.”

Of course, being a lawyer and being a compliance officer are not the same thing. But given the substantial overlap between the two – at least as a general matter – this research should be of some interest to those in the latter line of work.

Next, a somewhat related piece from the back pages (in 2015) of the COI Blog on finding the right degree of ethical confidence in a given organization:

“[M]uch of the field of “behavioral ethics” is addressed to proving that “we are not as ethical as we think.” …The view of human nature underlying this key insight predates the behavioral ethics field. Perhaps most famously, Judge Learned Hand said in 1944: “The spirit of liberty is the spirit which is not too sure that it is right.” I believe that this is a good way to view the spirit of compliance and ethics too. At least as applied to C&E, this is not to say that we should be relativistic about what is right. Rather, we should be skeptical about our ability to do what is right when pressures or temptations pull us in the wrong direction. Those likely to be confronted by risks of misconduct (e.g., corruption or competition law violations) should strive to be ethically alert – which is not always consistent with being highly confident. Indeed, while the focus on corporate culture is generally a very positive development in the C&E field, it carries the danger that having a strong culture could be seen as obviating the need for the regular “blocking and tackling” that C&E programs are based on. This is particularly true of glorification of – and over-reliance in some companies on – the “tone at the top.” On the other hand, one should also be skeptical about the value of pessimism. Given how relatively new the C&E field is – and the tendency for many to view it as a fad which has overstayed its welcome – a truly pessimistic view can effectively scuttle a compliance program. That is, some degree of optimism is absolutely necessary for the effective operation of a C&E program – whether it is a salesperson choosing to forgo a questionable business opportunity or a mid-level manager deciding whether to call the hotline.
Optimism is also necessary for boards of directors and senior managers in determining whether to invest the substantial time and other company resources needed to develop and maintain an effective C&E program, particularly given that the empirical case for such programs is still a work in progress. For every company, the right C&E confidence quotient will be different. But all should to some degree be both skeptical and optimistic.”

What should be added to this topic in 2018?

I think the case for optimism has grown – particularly in the past year. By this I mean not that things are looking better than in the recent past but that the need for an optimistic cast of mind may be at an all-time high.

This is due (in my view) to events in the political, rather than business, realm – and particularly the assault by the Trump administration on notions of honor, truthfulness, responsibility, prudence, generosity, humility and other foundational elements of any ethical system. My hope – and belief – is that being optimistic about these characteristics in one’s job can help protect them in the public sphere. This is clearly an optimistic case for optimism – but I do believe it has merit, at least as an intuitive matter.

Yesterday, hundreds of thousands of individuals gathered around the world in support of common sense gun control. Just as – as an old saying goes – there are no atheists in a foxhole, so it seems likely to me that there were very few pessimists in these crowds, at least not based on what I heard and saw at the rally I attended.

Of course, there will always be a substantial place for pessimism when it comes to law, C&E and politics. But now may be a time to accentuate the positive.

Accurately categorizing conflicts of interest

My most recent column in Compliance & Ethics Professional (p2 of attached PDF) briefly looks at three areas where it is important to accurately categorize COIs.

You might find it useful in drafting COI policies or designing risk assessments.

 

Five topics for compliance and ethics culture assessments

Compliance program assessments – which seem to be increasingly popular with both government enforcement personnel and companies seeking to enhance their programs as a matter of good corporate citizenship – can and generally should cover a lot of ground. And that ground ought to include the organization’s ethical culture.

Of course, the notion of ethical culture itself is pretty broad, and there is no one right way for assessments of this sort to be conducted. But there are certain topics which – in my view – are worth considering in virtually any given assessment.

Perhaps the most obvious of these is “tone at the top,” which in an assessment itself tends to have various components, including:

– what senior managers say to underscore their expectation that employees will act lawfully and ethically;

– the related but distinct question about what senior managers do to underscore the expectation that employees will follow all dictates of the organization’s C&E program, such as those concerning taking training or conducting vendor due diligence;

– inquiries designed to ascertain whether senior managers’ own conduct undermines their C&E messaging; and

– similar questions regarding various levels of management besides those at the very top (such as functional or business unit leadership or those further down the organizational ladder). One best practice to consider: having those at or near the top engaged in a visible way in reminding delinquents of the need to take mandatory C&E training.

Another obvious avenue for assessment concerns an organization’s speak-up culture. Perhaps the most important facet of this sort of inquiry is assessing not only the environment regarding true C&E matters but all kinds of workplace concerns and questions, as reticence to speak up in one area may affect (or reflect) reticence in others. Of course, relevant to a company’s speak-up culture is its degree of “organizational justice,” and the extent to which wrongdoing is responded to in a fair and sufficiently rigorous way.

A third and somewhat less obvious aspect of culture assessment concerns rule following, and the extent to which it is genuinely expected in an organization. Here too it may be helpful to think beyond core compliance program rules to those concerning other aspects of a company’s business, such as rules covered by a delegation of authority policy.

Note, however, that for the ethics component of an assessment a strong rule-following culture may be less than ideal. But from a pure compliance perspective it is hard to beat a deep embrace of rules, as further discussed here.

A fourth and also less obvious area for assessment concerns industry culture. While not true of all or even most companies, in some industries such types of culture may be more of a source of risk than the organizational type. This is particularly true of industries with a significant degree of inter-company mobility.

Fifth – as is obvious from many cases of non-compliance, most recently the high-profile Wells Fargo scandal – a key aspect of culture is the extent to which pressure/incentives make it difficult for employees to do their jobs in an ethical and law-abiding way. Indeed, this may be the most important cultural attribute of all – and should be explored fully in any assessment, with aspects of this inquiry including both economic “carrots” and “sticks,” as well as non-economic incentives.

Finally, I should emphasize that this piece is not intended to be a comprehensive overview of all areas to cover in a culture assessment, which is a complex and hugely important topic. But hopefully it will be helpful to those designing assessments for the first time, among others.

Compliance risk – and mitigation – at the top

 

Many years ago, the CEO of a client company told me that he wanted to fire another corporate officer there. I asked him what basis he had for this contemplated action and he said it was that the officer had failed to take mandatory compliance training. I responded by asking if he – the CEO – had taken the training, to which he replied (without a trace of irony) that he had not.

In recent months, the unprecedented sexual misconduct allegations against (among others) high-ranking officials in prominent businesses have brought unprecedented attention to the need to prevent and detect such wrongdoing using high-level solutions. For instance, writing recently in the Harvard Law School corporate governance blog, Subodh Mishra, Executive Director at Institutional Shareholder Services, Inc., identifies the following five components of an effective sexual misconduct risk management policy:

– Sexual misconduct risk is specifically enumerated and oversight assigned to a board committee.

– The board has expertise in workplace and employee issues.

– Material penalties are in place for perpetrators and abettors.

– Executive compensation structures—at a minimum—contain incentives for creating a safe and equitable workplace.

– The company models the behavior it seeks to promote.

These seem like generally sound observations, but the point of my post is not to add to the conversation on this particular area of risk but rather to suggest that ideas of this sort can and should be applied to compliance risks more broadly.

Certainly, assigning a board-level committee compliance responsibility, with an emphasis on risks (such as corruption or antitrust ones) at the top, would be a sound measure generally for companies to take. And the board having expertise regarding compliance issues is compelling for the same reason that having such expertise in workplace/employment issues is – though for both areas expertise can (in my view) sometimes be provided by access to an outside adviser rather than appointment to a seat on the board.

Moreover, I certainly think that the emphasis on penalties for those engaged in misconduct is important to preventing wrongdoing of various kinds at the top, particularly the suggestion that “These policies may also be extended to any individuals that willfully concealed violations or engaged in retaliation against whistleblowers.” And, on the other side of the coin, reflecting compliance success generally in executive compensation structure makes sense just as it does for promoting diversity (part of Mishra’s recommendations), although doing so with the former may be more methodologically challenging than it is with the latter. Still, it can be done.

Finally, the point about modeling behavior is every bit as important to promoting compliance generally as it is to preventing harassment and discrimination in particular. For a board committee overseeing compliance at the top, this aspect of effective risk management has implications for a wide range of conduct – both substantive (e.g., how conflicts of interest are dealt with by senior managers) and procedural (such as ensuring that managers take the required training, to go back to the example at the top of this post).

Expiration dates for conflicts of interest?

“The past is never dead. It is not even past…” wrote William Faulkner. Should something similar be said of conflicts of interest?

While this blog has addressed future COIs it has never previously done so with past ones. The latter was suggested to me by a recent posting in MedPage Today by Milton Packer MD, which posed the question: “Does a financial conflict of interest ever expire?” Doctor Packer – writing about COIs in the medical research realm – noted: “All organizations that worry about conflicts of interest have a ‘sunset’ provision. It is the identification of [a] date before which the influence of a prior relationship is deemed to be irrelevant. You can argue about whether it should be 1, 3, 5 or 20 years. But at some point in time, the influence of that relationship becomes negligible.”

However, formal sunset provisions of this sort do not necessarily exist in all COI management regimes. For instance, it would be rare to find one in a corporate code of conduct, although presumably organizations without such provisions would take the time factor into account in applying more general COI standards in their respective codes. The same might be the case regarding various professional services and other ethical standards.

So, what criteria should those handling conflicts of interest – either in drafting or applying COI policies – consider in determining whether a given COI is really “past”?

First, one should assess whether the COI at issue is based purely on the economics of the relationship or if “substance” comes into play. As a general matter, the logic of having an expiration date for a COI of the former sort seems sound, since the impact of receiving such a benefit would indeed tend to diminish over time. By contrast, where the COI is more qualitative – meaning based more on the substance of such work – then its influence is less likely to be negligible, particularly if the prior work is related to the contemplated opportunity.

Second, size matters. The larger the financial benefit in question, the further back one may need to go to reach a point where its influence is negligible.

Third, appearance matters. As a general matter, some types of COIs will seem more worrisome than others – particularly when they are difficult to evaluate by key constituencies.

Fourth, one should consider in these deliberations – as Doctor Packer’s post does – the implications of a given sunset provision vis a vis recruiting the most able individuals for the task at hand. I.e., the maximum ethical approach does not always yield the best results. While this consideration is perhaps of most obvious relevance in designing or applying medical research COI regimes, it can come up in other contexts too.

Fifth, I’ve lumped a lot of things together in this short post, but want to emphasize that whether a COI should be deemed to be in the past may be a narrower test than what needs to be disclosed in the first instance. This distinction may be necessary to ensure that the party with the putatively past COI is in fact applying the applicable expiration date appropriately.

 

Managers’ C&E program duties: some drafting tips

One of the essential ingredients of a compliance & ethics program is having well-articulated and effectively promoted program-related duties for managers.

In my latest column in Compliance and Ethics Professional (page 4 of PDF) I offer some suggestions for meeting this challenge.

I hope you find it useful.

Learning from Wells Fargo

Although I was a pretty decent student in college my best grade there wasn’t an A. It wasn’t even a B. It was a “C Minus Over an F.” The reason I considered it my best grade – even though it certainly wasn’t my highest one – is that I’d earned it by ignoring the professor’s instructions about the assignment. Learning to follow instructions – even in this costly way – was more valuable to me (particularly over time) than was doing well in any of my other classes.

While learning from one’s own missteps may be the most effective form of instruction, the missteps of others can be helpful too, and in the world of business education a time-honored vehicle for facilitating such learning is the case study. In that regard, I was pleased to see that Ethical Systems has just published an excellent case study for the ethics realm, Under Pressure: Wells Fargo, Misconduct, Leadership and Culture, which was created by Bharathy Premachandra, Ethical Systems’ 2017 Bryan Turner Intern in Business Ethics, and Azish Filabi, the organization’s Executive Director. The study is written principally for use in the classroom, but I believe that it can be a helpful tool in the corporate compliance & ethics program world as well.

By way of background: “About a year ago, Wells Fargo announced a settlement of $185 million with federal regulators after admitting to having opened millions of unauthorized customer accounts, falsifying bank records, forging customer signatures and contact information, and even manipulating/transferring funds between accounts to charge overdraft fees, all without customer knowledge or consent.” Moreover, since then a second scandal has emerged at the bank, concerning fraudulent auto insurance sales practices.

Applying well-respected ethical cultural and leadership models to the case, the study’s authors identify and describe various infirmities with the bank’s culture contributing to these unhappy developments. Included are those concerning incentives (e.g., “It was reported that some branch and district managers considered only sales performance for overall performance rating. Hence, for many, this meant that selling more than your colleagues was a prerogative and failing to do so meant penalization, transfer and even termination.”); leadership (“the complicity of leadership went hand-in-hand with the high pressure, numbers-focused sales culture”); employee selection systems (“Even before new hires joined the Bank, they were socialized to think that winning over competitors, at any cost, is a priority”); and informal systems (“Decentralization encouraged independence and self-reliance, which on the one hand had benefits for financial performance, but on the other hand likely fueled unethical behaviors through lack of oversight and accountability for how business goals were accomplished.”) The authors also note that formal compliance systems – such as the hotline and associated non-retaliation policies and procedures – were evidently not “built into the bedrock” of the bank’s culture.

There is, in sum, a goldmine here of ethical learning for business organizations of various kinds, and I hope that C&E professionals will use it to inform key aspects of their respective programs – such as risk assessment, training and board oversight.

I should emphasize that I’m not suggesting that the full report be made required reading throughout a company. (It is 23 pages.)

But I do think that a company-specific version can be created for any given organization and used to facilitate a discussion regarding the key points in the study. For instance, seeing the shortfall at the bank regarding ethics in the employee selection process would probably give many other organizations suggestions for their own improvement in that area.

Of course (and to borrow from Tolstoy – sort of) every company is somewhat different when it comes to C&E needs and optimum solutions. But there is a lot of commonality in these areas too.

And in any event, the main alternative to learning from the missteps of others is learning from one’s own. That was a painful exercise for me in college, but is presumably many times worse for those who do so in the “real world.”