“Checking” – auditing, monitoring, certifications, self-assessments and questions in exit interviews (among other things) – can play an essential role in nearly any COI compliance regime. See the several subcategories below for more information about some of the principal checking tools.

C&E risk action plans for mitigating COIs

Risk assessment is, of course, the foundation for effective compliance measures generally – and various prior posts describe what should be included in conflict of interest risk assessment. One of the keys to mitigating identified conflicts risks is the appointment of a subject matter expert, as discussed here.

A risk action plan is a tool for having SMEs identify and help to address C&E risks. In a post earlier this week on the Corporate Compliance Insights web site, I discuss four practice pointers for success in designing and implementing such plans. While not focused on any one type of risk, I think the approach in the CCI piece could be particularly useful in mitigating COI (as well as other) risks in some organizations, given how diffuse COI risks often are in businesses.

Facing up to COI Sunshine

By Bill Sacks

On February 1st, 2013, the Centers for Medicare and Medicaid Services (CMS) released the final rules implementing the “Physician Payment Sunshine” provisions of the Affordable Care Act. These provisions, originally introduced as a separate bill by Senators Charles Grassley (R-IA) and Herbert Kohl (D-WI), will require Pharmaceutical and Medical Device companies to track and report all payments or “transfers of value” to physicians and teaching hospitals that exceed $10.00 (or essentially…everything).

The “Sunshine” provisions were designed to increase transparency in industry’s formal and informal relationships with medical providers. Ever since astute observers noticed that physicians could be influenced by financial considerations there has been concern that industry largesse could unduly influence research results, continuing medical education, prescribing, and other practice patterns. The thinking is, to paraphrase Justice Brandeis, “Sunshine is the best disinfectant.”

A public database of industry payments to physicians and teaching hospitals will go online by late 2014. This forthcoming transparency, on top of new COI regulations published by the NIH and Public Health Service that took effect last August, has resulted in significant movement on the part of hospitals and academic medical centers to put in place automated systems to collect and review conflict of interest disclosures and – just as important – to manage the conflicts uncovered through the disclosure process.

Technology to Improve COI Management

Compliance Officers and General Counsels in other industries should take note. Government contractors have obligations to identify and manage conflicts of interest under the Federal Acquisition Regulations (FAR). Many such contractors have tried to manage their COI obligations with paper surveys or simple generic online survey tools. These manual processes often collapse under their own weight, filling file cabinets or Excel spreadsheets with unusable, inaccessible data.

Newer, relational database tools are becoming more popular with organizations that need the ability to provide targeted survey questions to people with different reporting obligations, to direct COI survey responses to designated project managers and reviewers, to conduct detailed analysis on survey responses across projects, to produce customized reporting, and to maintain a database of archived responses.

Organizations seeking or managing federal contracts should periodically evaluate their COI management processes and systems to assess their effectiveness and to determine whether more up-to-date technological solutions could enhance operational efficiency.

(Bill Sacks is Vice President and co-founder of HCCS Inc., which provides online compliance training and workflow tools to organizations subject to federal regulations.  He can be reached at

Conflicts of interest monitoring

Most recently, we looked at auditing for COIs.  In this post, we examine what might be called auditing’s first cousin – monitoring, and particularly monitoring for COIs.

Monitoring is a broadly used concept in the C&E world.  It can refer both to monitoring by business personnel (front-line monitoring – or what is sometimes seen as part of the “first line of defense”) and also monitoring by a compliance or risk function (the “second line of defense”).

Auditing (the “third line of defense”) differs from monitoring in that the former a) occurs less in “real time” and b) is more independent than the latter.

An example of COI monitoring by businesses/first line of defense is managers reviewing employee inputs into a gifts and entertainment database. Another – which overlaps with the more traditional notion of an internal control – is supervisors reviewing employee T&E reimbursement requests. (In this example the review can be considered the monitoring – at least to the extent that the supervisor is looking for COI-related information. The necessity that the supervisor approve the request before the employee can be reimbursed is the more traditional control, at least under some definitions.)

An example of the second line of defense applied to COIs (in this case, third-party ones) is the practice in the pharma industry of C&E personnel attending some of their company’s events involving health care providers, to ensure compliance with fraud and abuse standards (which are COI based). Another instance is where the C&E function gathers and reviews information through databases, such as for gifts and entertainment (as mentioned above), and/or through certifications.

In the above examples monitoring essentially means preventing or detecting COIs.  But monitoring – both first and second line of defense types – can also refer to managing COIs that have been disclosed and approved.  This can be essential in various highly regulated fields, such as health care, where it may be impossible/undesirable to ban all COIs but where those that are permitted to exist must be carefully watched.

While not every organization needs to have robust COI monitoring, I believe that many organizations should do more to mitigate with this sort of approach than they currently do, particularly given the abundant evidence that as individuals we don’t do a good job managing our own conflicts (as this is not an area where “inner controls” – i.e., our moral sentiments – provide much of a “defense”).

Auditing for Conflicts of Interest

Does your company’s C&E audit plan sufficiently address COIs?  Most companies presumably have some COI-related auditing, but far fewer deal with this important C&E area in a systematic way.

As with other C&E-related areas, COI-directed audits tend to fall largely into a “substance” bucket and a “process” one.

The former includes (but is by no means limited to) certain measures that are necessary for all companies – such as examining T&E records of corporate officers and other key individuals. It should also include auditing based on industry-related COI laws and regulations (e.g., in health care/life science, government contracting or financial services), as well as cross-industry areas of legal risk (such as FCPA).

Of course, for companies with a risk of organizational conflicts there is a host of audit measures one might take. Perhaps less obvious: where companies face significant risks of causing third-party COIs, that should be audited.

The latter type of audit measures (for process) would look at COI-related:

– Risk assessment processes. Are they well designed? Are they being followed? Is the information from the process being fully used to inform other aspects of the C&E program?

– Policies and communications. Are the standards clear? Is there a training and communications plan around COIs? What is employee understanding of applicable standards?

– Procedures around disclosure, review and management. As with other audit areas, this part of the effort would look at both design and operation — and also focus on the sufficiency of documentation.

– Accountabilities.  This includes both administrative accountability and discipline for violations (including the culpable failure by managers to prevent and detect violations by others).

Finally, political and charitable contributions should, for some companies, be reviewed, not only for COIs but also for the related issues of moral hazard or bias.


Conflict of interest review processes

As prior posts have discussed, reviews of disclosed employee conflicts of interest pose a number of challenges. Disclosures may not truly mitigate conflicts.  Indeed, they may actually cause more wrongful COI-based conduct to occur than would be the case absent a disclosure.

Still, very few business organizations opt for a true “zero tolerance” approach to all COIs.  And for those that don’t, COI review processes are necessary for determining when a COI should be permitted to exist and under what conditions.

At a minimum, COI reviews should be conducted by an independent person or body.   Independence for these purposes means more than COI-free in the traditional sense.  It should also encompass the behavioral ethics concept of “motivated blindness,”  i.e., a reviewer should not be someone who may – due to the relationships involved – be inclined to approve a conflict-laden relationship or transaction.

For this reason, companies may wish to have COI reviews conducted by a C&E committee. One obvious benefit to this approach is that there is “safety in numbers.” Another is that the committee will have or develop expertise (born of experience) in evaluating conflicts, which behavioral ethics research shows can be useful. Offering less C&E protection – but still more than having COI reviews made by a line supervisor – is tasking a staff function, such as legal or HR, with this job.

Of course, some companies do permit supervisors to approve COIs.  If this approach is adopted, companies should still seek to have a reasonable degree of rigor in the process by:

– requiring that any approvals be in writing and sought before engaging in a conflict-based transaction;

– providing and publicizing avenues for supervisors to ask questions of the C&E function when performing COI reviews; and

– including the issue of COI reviews in supervisor training – or, if this is impractical, providing written guidance (e.g., FAQs)  regarding such reviews.

Finally, companies should check on the supervisors’  actions in reviewing or approving COIs, such as through audits.

Moral Hazard – Part Three: Intangible Interests, Monitoring By Boards

In prior postings, we introduced the concept of “moral hazard” (which, again, is principally based on economics, not ethics) to the Blog and considered how moral hazard risks can be addressed through appropriate attention to incentives, both positive and negative. In this posting we discuss the less common form of moral hazard, that based on intangible interests.

Consider the example of corporate support for political causes or candidates for public office (hopefully a good example to use in an election year).  In some instances, a senior manager with the power to make decisions  for a company regarding such support may use that power to embrace a candidate or cause even if doing so is against her company’s interests  (e.g., the cause or candidate’s positions may offend a large percentage of the company’s customers).   For the purposes of our example, assume further that the manager does not expect to be tangibly rewarded for providing the company’s support to the candidate, and thus may not have a true “interest” for COI purposes (at least not in the traditional sense).  Nonetheless, because of the manager’s political beliefs, she may cause the company to take risks in supporting the candidate that are unjustifiable from the organization’s perspective.  In other words, this is a case of an intangible moral hazard risk.

Of course, compared to other C&E risks (e.g., corruption, competition law) political support is not an area of great danger to most companies. Nonetheless, presumably because of this potential for divergence of interests, it is in fact an area with a relatively significant amount of board oversight and other high-level compliance measures, as described in The Conference Board’s Handbook on Corporate Political Activity: Emerging Corporate Governance Issues.

I should emphasize that most moral hazard risks really are of the tangible variety – and come particularly from the area of compensation. But as with COIs, organizations need to think broadly about moral hazard to have an effective C&E approach regarding all the ways in which employees might be moved to act inconsistently with the interests of the organization.

Next up on the Blog: “behavioral ethics and compliance.”

Conflicts of Interest in the News: 011412 Edition


The two big COI news stories of the week were:

–  Economists Adopt New Disclosure Rules for Authors of Published Research.  The reforms follow “heavy scrutiny of economists’ conflicts of interest before the financial crash of 2008.”  This is a good (and certainly overdue) step (and sadly underscores how it often takes a scandal for COI-related reforms to be implemented).  Of course, disclosure by itself does not necessarily mitigate COIs.

– Ties of FDA experts to pharma companies revealed. The “FDA asked outside experts in December to discuss the safety of birth control that contains the compound drospirenone, including Bayer’s Yaz and Yasmin. The panel decided by a four-vote margin that the benefit of pregnancy prevention from these pills outweighed their risk of dangerous blood clots. But according to court and public documents, three of the FDA’s 26 advisers had research or financial ties to Bayer. A fourth adviser had a connection to a manufacturer of generic copies of Yaz, Barr Laboratories, now part of Teva Pharmaceuticals. All four of these advisers voted that the drugs’ benefits outweighed risks, meaning the pills could stay on the market…” Beyond the impact on the decision at issue, one can imagine the harm that COIs of this sort have on public trust of the FDA.

Other news of the week concerns COIs and…

Government contractors. This is an analysis from the Corporate Compliance Insights website of an important decision from the General Accounting Office concerning government contractors hiring former government officials, underscoring, among other things, the need to do meaningful conflicts checks in hiring.

Journalists: “Next week, thousands of tech journalists will descend on Las Vegas to get a sneak peek at coming tech gadgets at the International Consumer Electronics Show.  Many will also probably come away with grab bags of goodies…The question, of course, is whether journalists can properly serve their readers when the industry is handing them bottles of top-shelf booze and pricey toys.”

Supreme Court Justices.  A tricky issue,  indeed: who decides COI issues for the court of last resort?

Regulators: “A former Securities and Exchange Commission official has agreed to pay a $50,000 fine for going through the revolving door and working for alleged Ponzi scheme mastermind Robert Allen Stanford after purportedly taking part in SEC decisions to not investigate Stanford, the Justice Department said Friday.” (Bad facts – but also an unusual case.)

And, thanks to Broc Romanek of the invaluable – particularly for securities and corporate lawyers – for featuring our post on COIs in serving on other companies’ boards.  Apparently this was the occasion for much discussion there – and so we will return to the topic before not too long.

Coming up next week: more on COI risk assessment, moral hazard and a video coming attraction for a series on cognitive bias and “behavioral compliance and ethics.”


Conflict of Interest Certifications – Part Two: Content

In a recent post we discussed the “why” and “who” of COI certifications.  Below, we examine what is typically covered by a COI certification.

First, the basics tend to be questions around the following issues:

– Employment (of oneself or family members) with or consulting for an entity doing or seeking to do business with or competing against the company.

– Holding a financial interest (again, involving oneself or family members) in the above-described types of organizations.

– Employment of relatives at the company.

– Gifts, entertainment and travel involving any person or entity doing or seeking to do business with the company (including loans involving such persons or entities).

Sometimes these questions are asked broadly, other times in terms of the employee’s area of responsibility (e.g., do you have any procurement- or management-related duties concerning any entity in which you or a family member have an ownership interest?)

Second, less frequently one also sees questions concerning:

– Any other outside employment or consulting (i.e., regardless of whether it involves a competitor, supplier, etc.)

– Service on a board (of directors or advisors).

– Anti-corruption requirements –  questions involving employees of governmental entities and, less commonly, union officials.

– Corporate opportunities.

– Purchases, sales or leases of property involving the company.

– Holding government office (presumably on a part-time basis) – which is generally relevant only to organizations that have significant dealings with a large number of local governmental bodies, like energy utilities; and

– Relationships with the company’s external auditors.

Finally, one should ask, in substance:  Do you have any other relationships, etc., that might reasonably be regarded as creating an actual or apparent conflict of interest with your responsibilities to the company?

I hope that readers of the Blog will use the comment feature to share any other issues or relationships that organizations might wish to consider for their COI certifications.

Conflict of Interest Certifications

“There’s one way to find out if a man is honest – ask him. If he says, ‘Yes,’ you know he is a crook.” – Groucho Marx

There is, of course, something to this bit of Marxist logic. But, on balance, the benefits of “asking” in a C&E program can be considerable, and one asking-based tool that has existed for many years is the certification.

Should an organization require employees to execute on a periodic basis certifications regarding actual or apparent COIs?  If so, what should be the content of the certifications? And should an entire employee population receive them?

We will consider the first and third questions in this post and the other in the next post.

While not advisable for every entity, this type of process can, I believe, be useful for reminding employees (in a way that a terse general code of conduct certification typically does not do) of the organization’s specific COI standards and requirements. Certifications indeed often will surface COIs that have not otherwise arisen through other C&E processes. While they might elicit denials regarding truly illicit behavior (Groucho’s thesis), that is less true of many other, less nefarious sorts of COIs. As one reader of the Blog wrote to us yesterday, “employees are often confused about COIs and don’t think they have one when they do or at least when there is an appearance of a possible conflict. [Certifications] seem to be a good way to help employees focus on specific activities that can present a conflict.”

However, certifications are clearly not for everyone. Whether an organization should undertake this sort of effort – which can require a substantial time commitment – depends on a variety of factors. In effect, this is a form of risk assessment, which should typically include the following considerations:

Likelihood: How likely is the process to uncover an otherwise unidentified COI? And, how likely is a certification to prevent an otherwise undeterred COI?

Impact:  How harmful could such a COI be – meaning one that would likely be deterred or detected and addressed by the certification process but not other ways?

Other benefits: Are there other high-risk activities (e.g., “sensitive payments,” contacts with competitors) that should be added to a COI certification, and, if so, what does a likelihood and impact assessment of those topics add to the analysis?

Capacity: Does your organization have the resources to follow up on all “yes” answers or failures to respond? (This is a deal breaker for many companies.)

Finally, this analysis should not necessarily be performed on an all-or-nothing basis. Even if it does not make sense to require all employees to execute certifications – as, in my experience, is frequently the case – there may still be reason to do so for managers and others in sensitive positions (e.g., procurement; “control” functions – such as law, finance, human resources and audit; and, in some organizations, sales).

To be continued…



Other People’s Conflicts

Samuel Johnson once famously said of some unfortunate soul, “He is not only dull himself, he is the cause of dullness in others,” and in this posting we’ll examine how companies can avoid the misfortune that sometimes comes from causing conflicts of interest in others.

To start, a brief bit of COI history.

Several years ago an advertising agency lost a highly lucrative account with Wal-Mart and – according to some press accounts at the time – part of the reason for the loss was the agency’s entertaining of a Wal-Mart executive in ways that allegedly caused her to violate that company’s code of conduct. Although the agency presumably violated no law, its loss of future revenue could be seen as being as costly as some of the largest criminal fines in history.

The case led many companies to add to their codes of conduct a requirement that in providing gifts, entertainment or travel to employees of third parties one must not cause those employees to violate their respective employers’ codes. But is such a provision by itself enough to mitigate risks of this kind?

For any given business organization, addressing this issue should, of course, be driven by an assessment of relevant risk. However, for all organizations it may be useful to consider the range of available C&E measures that can be taken here, and “work backwards” to determine if their respective risks warrant implementing the measure in question.

First, there is the language of the code itself. While at first blush a mandate that employees must not cause a violation seems strong, a preferable approach may be to specify that employees must ensure that they do not cause a violation. The latter sort of requirement (particularly if reinforced in the right ways) suggests a higher and more meaningful burden on the employees who deal with third parties.

Second, companies can establish a practice of periodically collecting customers’ and other relevant third parties’ codes and disseminating gifts and entertainment language to at-risk employees and their respective managers. Even if it is not possible to do this for all third parties, the effort can be useful if codes for major customers are obtained.

Third, COI training can emphasize the importance of identifying and following relevant third-party standards. Fourth, companies can deploy “just-in-time” communications to at-risk employees around these issues.

Fifth, for organizations with relatively high risks in this area, managers can be required to monitor for compliance with third-party codes. Sixth, auditors might be tasked with including third-party standards in their audits.

Finally, note that this post deals with the topic of other people’s conflicts only at a very high level. There are many other aspects to this area. Indeed, the whole field of corruption by definition involves “causing conflicts in others,” and many of the largest criminal fines in history (specifically in the FCPA and health care fraud-and-abuse areas) have been precisely about that. The point of this post is to suggest that even without significant corruption risks, all organizations should consider whether they do enough to avoid creating third-party COIs.