Monitoring

C&E monitoring is generally considered “real-time” checking, and can play an important role in mitigating certain types of COIs, as will be explored in this section of the blog.

More compliance monitoring, please

Relationships between relevant C&E “checking” categories can be confusing.  For example, auditing can overlap with program assessment and with risk assessment. The line between auditing and investigations is not always well marked.  Monitoring can overlap with program governance and management. Metrics are generally part of monitoring but are sometimes discussed separately. Encouraging reports of suspected violations can be seen as a form of monitoring – but is generally treated as a different animal. Other types of internal controls (e.g., pre-approvals) can also be viewed as a form of monitoring – but typically serve a different function. Monitoring differs from auditing in that it is less independent and more real time. Speaking generally, it is an under-utilized C&E function.

Monitoring by business people is often called “the first line of defense.” It can be the most immediate and least independent form of C&E checking.

Examples include:

  • Reviewing pricing and other activities for any indicia of antitrust violations.
  • Monitoring COIs that have been conditionally okayed.
  • Reviewing invoices of third parties for any indicia of corruption or violation of other rules.
  • Making sure that those expected to take in-person training in fact do so.

Two final points about monitoring.

First, it can serve to educate business people on C&E matters (learn by doing).

Second, it can provide a basis for incenting C&E in performance evaluations (or similar processes). For instance, managers who don’t do a good job in monitoring should have that shortfall impact their evaluations.

Robots and conflicts of interest

From “Do You Have a Conflict of Interest? This Robotic Assistant May Find It First”  recently published in the NY Times:

What should science do about conflicts of interest? When they are identified, they become an obstacle to objectivity... Sometimes a conflict of interest is clear cut.But other cases are more subtle, and such conflicts can slip through the cracks, especially because the papers in many journals are edited by small teams and peer-reviewed by volunteer scientists who perform the task as a service to their discipline.

The Times  piece further notes: With such problems in mind, one publisher of open-access journals is providing an assistant to help its editors spot such problems before papers are released. But it’s not a human. Software named the Artificial Intelligence Review Assistant, or AIRA, checks for potential conflicts of interest by flagging whether the authors of a manuscript, the editors dealing with it or the peer reviewers refereeing it have been co-authors on papers in the past…(Note: prior coauthoring of an article by itself would not constitute a COI, but could be an indication of one.)  The tool cannot detect all forms of conflict of interest, such as undisclosed funding sources or affiliations. But it aims to add a guard rail against situations where authors, editors and peer reviewers fail to self-police their prior interactions.

Note that the use of data mining for COIs is not new. Indeed, for many years, auditors have looked for matches between the addresses of employees and vendors. And  anti-corruption compliance programs increasingly involve data mining, as is true of competition law compliance too

Moreover, the specifics of efforts like these will vary by industry. (E.g., the co-author relationships of the type referenced above would presumably  be relevant only to businesses where publishing plays an important role.)

But for any company it is worth considering – based upon the company’s risk profile – whether there  are any opportunities of this sort.

 

 

 

“The inner voice that warns us somebody may be looking”

Within the treasure trove of H.L. Mencken’s sayings, this definition of “conscience” may be my favorite.  And, various studies have indeed shown that the sense that somebody may be watching can help promote ethical behavior.  Among these are  experiments exposing individuals to “eyespots” –  drawings which create a vague sense of being watched, even among those who know as a factual matter that they aren’t being seen. (See, e.g., this study, showing that exposure to eyespots can promote generosity.)

While actually deploying eyespots around the workplace is hardly a viable option for most companies, various technological advances offer not only the appearance of being watched but the actuality of it.  Such monitoring technologies can be particularly promising for promoting compliance by parts of a workforce for whom supervision is relatively remote – which is often the case for sales people.

For two other risk-related reasons, sales people can be a logical choice for C&E monitoring:

– Their incentives may not align well with those of their respective companies – a “moral hazard” condition.  (Indeed, in a risk assessment interview I conducted last week, the interviewee responded to a question about conflicts of interest by saying – only somewhat in jest – that the whole company sales force had such conflicts.)

– Sales people tend to be in a position to cause legal/ethical violations – e.g., corruption, collusion and fraud – much more than the average employee at a company.

But, while the case for monitoring sales people is strong as a general matter, obviously not all monitoring strategies are equally effective.  According to a paper published in the September 2014 issue of the Journal of Business Research, “Does transparency influence the ethical behavior of salespeople?” John E. Cicala, Alan J. Bush, Daniel L. Sherrell and George D. Deitz (rentable on Deep Dyve): “it is not the perception of visibility that drives sales persons behavior, but rather the perception of the likelihood of negative consequences resulting from management use of knowledge and information gained from technologically increased visibility.”

Of course, these results – based on an on-line survey which is described in the paper – presumably won’t surprise any C&E professionals. (Nor, likely, would they have impressed Mencken, who also said: “A professor must have a theory as a dog must have fleas” – although I should add that that’s just another chance to quote the great man – not a reflection of my view of this paper.) But, as with much of the social science research discussed in this blog, having data to back up what is intuitively known may be useful, particularly when seeking to make C&E reforms in a company that are being resisted.

Most relevant here is the often-contentious issue of how open a company is with its discipline for violations (meaning not just of sales persons but any employee).  While C&E professionals typically understand that true “public hangings” – i.e., full identification of individual transgressions and transgressors – can be undesirable for all sorts of reasons, there is still a lot that their respective companies can do in a general way to show that   negative consequences do exist for breaches of C&E  standards. Hopefully, this new research can help C&E professionals make such a case.

Mitigating holiday cheer: what’s new in gifts and entertainment compliance

It is that time of year again, and so we look once more at what’s new under the C&E officer’s tree to help with the timeless challenge of gifts and entertainment (G&E)  compliance.

First, in what seems like just yesterday (because  it was just yesterday), “[a]n employee of Deutsche Bank‘s Japanese brokerage unit was arrested on … suspicion of showering a local pension fund manager with expensive meals, golf outings and trips overseas in return for some 1 billion yen in investments,”  as reported by the NY Times,   The piece continues: “The wining and dining of corporate pension fund executives had, in fact, become commonplace at Deutsche Securities, which set up shop in Tokyo in 2005, [t]he Nikkei business daily said. In some cases, the feasting got so out of hand that employees filed the mounting expenses over many days in a bid not to attract attention, the paper said. The [Securities and Exchange Surveillance Commission] advised that the government reprimand Tokyo-based Deutsche Securities over its conduct.”

This story is still developing, but it seems like a huge black eye for the bank.  However, presumably the lessons of how one of the world’s largest financial institutions could allow this type of very damaging conduct to occur will be a gift to others seeking to stay out of trouble.  (Among other things, this case could show why high-risk organizations need to do more  G&E monitoring, but that’s just a guess.)

Indeed, one of the most useful things that C&E officers can do regarding G&E is to keep track of others’ missteps in this treacherous area – and use that information in training and periodic communications to employees.   A helpful stocking stuffer in that regard is   this chart recently prepared by K&L Gates partners Amy Sommers and Matt Morley showing FCPA enforcement actions involving gift-giving in China, which I found via one of Tom Fox’s many excellent writings on anti-corruption compliance.

Another G&E  goody  to consider getting for that hard-to-please C&E officer on your shopping list is this recently published article “Honing a compliant gifts policy: the trends we are seeing today,” by Laura Flippin of DLA Piper. Among these trends:  “setting global limits on the amount that may be spent on any single meal, with three tiers covering low, medium and high cost markets. …Limiting gift giving, globally, to no more than $50 worth of low-value items which may be given at any one time to a single individual, with a cap of no more than four gifts annually…Requiring all gifts to be sourced centrally by procurement and prohibiting the use of vouchers or gift cards that can be easily converted to cash….Mandating prior written approval from a regional or above-country compliance officer if an employee wants to provide more than two gifts yearly to any single recipient (whether or not a government official) …Using a specific, documented process to address hospitality provided for high-profile, unique events in countries where the company has a large presence or business interests – for instance, the London Olympics.”

Of course, global companies increasingly need to keep track of the increasing number of “local” G&E laws and regulations, e.g., those of Nigeria – presented here by ethixBase  (the publisher of the COI Blog).  EthixBase has compiled  domestic gift giving rules from more than 80 countries – something that should bring joy to even the most Scrooge-like C&E officer of a global company.

Finally, some recent possibly relevant articles from our own back pages:

–          Gifts, entertainment and “soft core” corruption.

–          Complying with customers’ COI requirements.

–          COIs and industry culture.

Ho, ho, ho…

 

Facing up to COI Sunshine

By Bill Sacks

On February 1st, 2013, the Centers for Medicare and Medicaid Services (CMS) released the final rules implementing the “Physician Payment Sunshine” provisions of the Affordable Care Act. These provisions, originally introduced as a separate bill by Senators Charles Grassley (R – IA) and Herbert Kohl (D-WI), will require Pharmaceutical and Medical Device companies to track and report all payments or “transfers of value” to physicians and teaching hospitals that exceed $10.00 (or essentially…everything).

The “Sunshine” provisions were designed to increase transparency in industry’s formal and informal relationships with medical providers. Ever since astute observers noticed that physicians could be influenced by financial considerations there has been concern that industry largesse could unduly influence research results, continuing medical education, prescribing, and other practice patterns. The thinking is, to paraphrase Justice Brandeis, “Sunshine is the best disinfectant.”

A public database of industry payments to physicians and teaching hospitals will go online by late 2014. This forthcoming transparency, on top of new COI regulations published by the NIH and Public Health Service that took effect last August, has resulted in significant movement on the part of hospitals and academic medical centers to put in place automated systems to collect and review conflict of interest disclosures and – just as important – to manage the conflicts uncovered through the disclosure process.

Technology to Improve COI Management

Compliance Officers and General Counsels in other industries should take note. Government contractors have obligations to identify and manage conflicts of interest under the Federal Acquisition Regulations (FAR). Many such contractors have tried to manage their COI obligations with paper surveys or simple generic online survey tools. These manual processes often collapse under their own weight, filling file cabinets or Excel spreadsheets with unusable, inaccessible data.

Newer, relational database tools are becoming more popular with organizations that need the ability to provide targeted survey questions to people with different reporting obligations, to direct COI survey responses to designated project managers and reviewers, to conduct detailed analysis on survey responses across projects, to produce customized reporting, and to maintain a database of archived responses.

Organizations seeking or managing federal contracts should periodically evaluate their COI management processes and systems to assess their effectiveness and to determine whether more up-to-date technological solutions could enhance operational efficiency.

(Bill Sacks is Vice President and co-founder of HCCS Inc., which provides online compliance training and workflow tools to organizations subject to federal regulations.  He can be reached at bsacks@hccs.com.)

Conflicts of interest monitoring

Most recently, we looked at auditing for COIs.  In this post, we examine what might be called auditing’s first cousin – monitoring, and particularly monitoring for COIs.

Monitoring is a broadly used concept in the C&E world.  It can refer both to monitoring by business personnel (front-line monitoring – or what is sometimes seen as part of the “first line of defense”) and also monitoring by a compliance or risk function (the “second line of defense”).

Auditing  (the “third line of defense”) differs from monitoring in that the former  a) occurs less in “real time” and b) is more  independent than the latter.

An example of COI monitoring by businesses/first line of defense is managers reviewing employee inputs into a gifts and entertainment data base.   Another – which overlaps with the more traditional notion of an internal control – is supervisors reviewing employee T&E reimbursement requests. (In this example the review can be considered the monitoring – at least to the extent that the supervisor is looking for COI-related information.  The necessity that the supervisor approve the request before the employee can be reimbursed is the more traditional control, at least under some definitions.)

An example of the second line of defense applied to COIs (in this case, third-party ones) is the practice in the pharma industry of C&E personnel attending some of their company’s events involving health care providers, to ensure compliance with fraud and abuse standards (which are COI based).  Another instance is where the C&E function gathers and reviews information through data bases, such as for gifts and entertainment (as mentioned above), and/or through certifications.

In the above examples monitoring essentially means preventing or detecting COIs.  But monitoring – both first and second line of defense types – can also refer to managing COIs that have been disclosed and approved.  This can be essential in various highly regulated fields, such as health care, where it may be impossible/undesirable to ban all COIs but where those that are permitted to exist must be carefully watched.

While not every organization needs to have robust COI monitoring, I believe that many organizations should do more to mitigate with this sort of approach than currently do, particularly given the abundant evidence that as individuals we don’t do a good job managing our own conflicts (as this is not an area where “inner controls” – i.e., our moral sentiments – provide much of a “defense”).

Moral Hazard – Part Three: Intangible Interests, Monitoring By Boards

In prior postings, we introduced the concept of “moral hazard” (which, again, is principally based on economics, not ethics) to the Blog and considered how moral hazard risks can be addressed through appropriate attention to incentives, both positive and negative.  In this posting we discuss the less common form of intangible moral hazard based interests.

Consider the example of corporate support for political causes or candidates for public office (hopefully a good example to use in an election year).  In some instances, a senior manager with the power to make decisions  for a company regarding such support may use that power to embrace a candidate or cause even if doing so is against her company’s interests  (e.g., the cause or candidate’s positions may offend a large percentage of the company’s customers).   For the purposes of our example, assume further that the manager does not expect to be tangibly rewarded for providing the company’s support to the candidate, and thus may not have a true “interest” for COI purposes (at least not in the traditional sense).  Nonetheless, because of the manager’s political beliefs, she may cause the company to take risks in supporting the candidate that are unjustifiable from the organization’s perspective.  In other words, this is a case of an intangible moral hazard risk.

Of course, compared to other C&E risks (e.g., corruption, competition law) political support is not an area of great danger to most companies.  Nonetheless, presumably because of this potential for divergence of interests, it is in fact area of relatively significant amount of board oversight and other high-level compliance measures, as described in The Conference Board’s  Handbook on Corporate Political Activity Emerging Corporate Governance Issues.

I should emphasize that most moral hazard risks really are of the tangible variety – and come particularly from the area of compensation.  But as with COIs, organizations need to think broadly about moral hazard to have an effective C&E approach regarding all the ways in which employees might be moved to act inconsisently with  the interests of the organization.

Next up on the Blog: “behavioral ethics and compliance.”

Other People’s Conflicts

Samuel Johnson once famously said of some unfortunate soul, “He is not only dull himself, he is the cause of dullness in others,” and in this posting we’ll examine how companies can avoid the misfortune that sometimes comes from causing conflicts of interests in others.

To start, a brief bit of COI history.

Several years ago an advertising agency lost a highly lucrative account with Wal-Mart and – according to some press accounts at the time – part of the reason for the loss was the agency’s entertaining of a Wal-Mart executive in ways that allegedly caused her to violate that company’s code of conduct. Although the agency presumably violated no law, its loss of future revenue could be seen as costly as some of the largest criminal fines in history.

The case led many companies to add to their codes of conduct a requirement that in providing gifts, entertainment or travel to employees of third parties one must not cause those employees to violate their respective employers’ codes. But is such a provision by itself enough to mitigate risks of this kind?

For any given business organization, addressing this issue should, of course, be driven by an assessment of relevant risk. However, for all organizations it may be useful to consider the range of available C&E measures that can be taken here, and “work backwards” to determine if their respective risks warrant implementing the measure in question.

First, there is the language of the code itself. While at first blush a mandate that employees must not cause a violation seems strong, a preferable approach may be to specify that employees must ensure that they do not cause a violation. The latter sort of requirement (particularly if reinforced the right ways) suggests a higher and more meaningful burden on the employees who deal with third parties.

Second, companies can establish a practice of periodically collecting customers’ and other relevant third parties’ codes and disseminating gifts and entertainment language to at-risk employees and their respective managers. Even if it is not possible to do this for all third parties, the effort can be useful if codes for major customers are obtained.

Third, COI training can emphasize the importance of identifying and following relevant third-party standards. Fourth, companies can deploy “just-in-time” communications to at-risk employees around these issues.

Fifth, for organizations with relatively high risks in this area, managers can be required to monitor for compliance with third-party codes. Sixth, auditors might be tasked with including third-party standards in their audits.

Finally, note that this post deals with the topic of other people’s conflicts only at a very high level. There are many other aspects to this area. Indeed, the whole field of corruption by definition involves “causing conflicts in others,” and many of the largest criminal fines in history (specifically in the FCPA and health care fraud-and-abuse areas) have been precisely about that. The point of this post is to suggest that even without significant corruption risks, all organizations should consider whether they do enough to avoid creating third-party COIs.