Checking

“Checking” – auditing, monitoring, certifications, self-assessments and questions in exit interviews (among other things) – can play an essential role in nearly any COI compliance regime. See the several subcategories below for more information about some of the principal checking tools.

Mitigating holiday cheer: what’s new in gifts and entertainment compliance

It is that time of year again, and so we look once more at what’s new under the C&E officer’s tree to help with the timeless challenge of gifts and entertainment (G&E) compliance.

First, in what seems like just yesterday (because it was just yesterday), “[a]n employee of Deutsche Bank’s Japanese brokerage unit was arrested on … suspicion of showering a local pension fund manager with expensive meals, golf outings and trips overseas in return for some 1 billion yen in investments,” as reported by the NY Times. The piece continues: “The wining and dining of corporate pension fund executives had, in fact, become commonplace at Deutsche Securities, which set up shop in Tokyo in 2005, [t]he Nikkei business daily said. In some cases, the feasting got so out of hand that employees filed the mounting expenses over many days in a bid not to attract attention, the paper said. The [Securities and Exchange Surveillance Commission] advised that the government reprimand Tokyo-based Deutsche Securities over its conduct.”

This story is still developing, but it seems like a huge black eye for the bank. However, presumably the lessons of how one of the world’s largest financial institutions could allow this type of very damaging conduct to occur will be a gift to others seeking to stay out of trouble. (Among other things, this case could show why high-risk organizations need to do more G&E monitoring, but that’s just a guess.)

Indeed, one of the most useful things that C&E officers can do regarding G&E is to keep track of others’ missteps in this treacherous area – and use that information in training and periodic communications to employees. A helpful stocking stuffer in that regard is this chart recently prepared by K&L Gates partners Amy Sommers and Matt Morley showing FCPA enforcement actions involving gift-giving in China, which I found via one of Tom Fox’s many excellent writings on anti-corruption compliance.

Another G&E goody to consider getting for that hard-to-please C&E officer on your shopping list is this recently published article “Honing a compliant gifts policy: the trends we are seeing today,” by Laura Flippin of DLA Piper. Among these trends: “setting global limits on the amount that may be spent on any single meal, with three tiers covering low, medium and high cost markets. …Limiting gift giving, globally, to no more than $50 worth of low-value items which may be given at any one time to a single individual, with a cap of no more than four gifts annually…Requiring all gifts to be sourced centrally by procurement and prohibiting the use of vouchers or gift cards that can be easily converted to cash….Mandating prior written approval from a regional or above-country compliance officer if an employee wants to provide more than two gifts yearly to any single recipient (whether or not a government official) …Using a specific, documented process to address hospitality provided for high-profile, unique events in countries where the company has a large presence or business interests – for instance, the London Olympics.”

Of course, global companies increasingly need to keep track of the growing number of “local” G&E laws and regulations, e.g., those of Nigeria – presented here by ethixBase (the publisher of the COI Blog). EthixBase has compiled domestic gift giving rules from more than 80 countries – something that should bring joy to even the most Scrooge-like C&E officer of a global company.

Finally, some recent possibly relevant articles from our own back pages:

– Gifts, entertainment and “soft core” corruption.

– Complying with customers’ COI requirements.

– COIs and industry culture.

Ho, ho, ho…

 

Risk assessment, program assessment and conflicts of interest

In my most recent column for Corporate Compliance Insights, I explore points of intersection between C&E risk assessment and C&E program assessment – two important functions that, while conceptually distinct, overlap to a considerable degree with each other. In today’s posting I’d like to continue that discussion insofar as the two types of assessment are addressed to COIs.

First, COI risk assessment is – at least for some organizations – more challenging than assessment of any other law/ethics area, because of the extraordinary array of interests and intersections that can create COIs. For this reason, truly comprehensive COI risk assessments can cover a lot of ground – as reflected in a six-part series the COI Blog has run on this topic. Moreover, perhaps as much as any risk area, COI risks can be granular – further complicating the matter. (See this CCI article on “nano compliance” for more on the challenges of dealing with granular compliance risks.)

However, as with other C&E program matters it is essential that the perfect (which is truly unachievable in this case) not be the enemy of the good here – and so companies should begin somewhere. One approach to this is to develop an initial plan which – based on known risk factors and easily available data (e.g., from COI disclosures) – has attainable COI risk assessment goals for “year one” with other measures scheduled on a risk-tiered basis for later years. If undertaken in good faith and with reasonable dispatch, this route could offer meaningful protection for an organization in the event that its C&E program were scrutinized by the government (although whether it would do so in any given situation would depend in part on a host of other factors). Put otherwise, it could help show that a company’s failure to identify and address a harmful COI was not for want of trying.

Second, COI program assessment does, of course, depend in part upon the results of an organization’s risk assessment, and so – assuming that a company hasn’t conducted the latter – this might seem a reason to postpone consideration of the former. But there are many other aspects of program assessment, too – such as the overall strength of a company’s COI policies; training and communications; disclosure and management measures; auditing, monitoring and other forms of checking; enforcement; and oversight – by boards of directors as appropriate and perhaps even COI SMEs. Note that COI program assessments are presumably less common than assessments regarding anti-bribery and other major risk areas (such as competition law) which operate in a well-defined statutory framework. But that does not mean the need for such efforts is low; indeed, it is precisely because of the sprawling nature of COI risks and related need for useful remediation that a program assessment can be important for this area – to make sure nothing meaningful slips through the cracks.

Additionally, it is possible to combine aspects of a program assessment and a risk assessment. For instance, an employee survey that asks, among other things, about perceptions of the company’s success in addressing COIs could serve a highly useful risk assessment function by identifying where within a company the most significant COIs seem to be (assuming, that is, that the survey data can be sliced by business and/or geographical unit) and also a program assessment one of understanding areas for improvement in the overall approach to COIs. More generally, given the overlap between these two functions such an approach should be appealing for many companies.

A final point: whether it is a COI risk assessment, a program assessment or some combination of the two, it is essential not only to gather the information in question but also to turn that information into action plans.  This may seem obvious but over the years I’ve seen quite a few examples of needs identified by these processes that went unaddressed.

 

C&E risk action plans for mitigating COIs

Risk assessment is, of course, the foundation for effective compliance measures generally – and various prior posts describe what should be included in conflict of interest risk assessment.  One of the keys to mitigating identified conflicts risks is through the appointment of a subject matter expert, as discussed here.

A risk action plan is a tool for having SMEs identify and help to address C&E risks. In a post earlier this week on the Corporate Compliance Insights web site, I discuss four practice pointers for success in designing and implementing such plans. While not focused on any one type of risk, I think the approach in the CCI piece could be particularly useful to mitigating COI (as well as other) risks in some organizations, given how diffuse COI risks often are in businesses.

Facing up to COI Sunshine

By Bill Sacks

On February 1st, 2013, the Centers for Medicare and Medicaid Services (CMS) released the final rules implementing the “Physician Payment Sunshine” provisions of the Affordable Care Act. These provisions, originally introduced as a separate bill by Senators Charles Grassley (R-IA) and Herbert Kohl (D-WI), will require Pharmaceutical and Medical Device companies to track and report all payments or “transfers of value” to physicians and teaching hospitals that exceed $10.00 (or essentially…everything).

The “Sunshine” provisions were designed to increase transparency in industry’s formal and informal relationships with medical providers. Ever since astute observers noticed that physicians could be influenced by financial considerations there has been concern that industry largesse could unduly influence research results, continuing medical education, prescribing, and other practice patterns. The thinking is, to paraphrase Justice Brandeis, “Sunshine is the best disinfectant.”

A public database of industry payments to physicians and teaching hospitals will go online by late 2014. This forthcoming transparency, on top of new COI regulations published by the NIH and Public Health Service that took effect last August, has resulted in significant movement on the part of hospitals and academic medical centers to put in place automated systems to collect and review conflict of interest disclosures and – just as important – to manage the conflicts uncovered through the disclosure process.

Technology to Improve COI Management

Compliance Officers and General Counsels in other industries should take note. Government contractors have obligations to identify and manage conflicts of interest under the Federal Acquisition Regulations (FAR). Many such contractors have tried to manage their COI obligations with paper surveys or simple generic online survey tools. These manual processes often collapse under their own weight, filling file cabinets or Excel spreadsheets with unusable, inaccessible data.

Newer, relational database tools are becoming more popular with organizations that need the ability to provide targeted survey questions to people with different reporting obligations, to direct COI survey responses to designated project managers and reviewers, to conduct detailed analysis on survey responses across projects, to produce customized reporting, and to maintain a database of archived responses.

Organizations seeking or managing federal contracts should periodically evaluate their COI management processes and systems to assess their effectiveness and to determine whether more up-to-date technological solutions could enhance operational efficiency.

(Bill Sacks is Vice President and co-founder of HCCS Inc., which provides online compliance training and workflow tools to organizations subject to federal regulations.  He can be reached at bsacks@hccs.com.)

Conflicts of interest monitoring

Most recently, we looked at auditing for COIs.  In this post, we examine what might be called auditing’s first cousin – monitoring, and particularly monitoring for COIs.

Monitoring is a broadly used concept in the C&E world.  It can refer both to monitoring by business personnel (front-line monitoring – or what is sometimes seen as part of the “first line of defense”) and also monitoring by a compliance or risk function (the “second line of defense”).

Auditing (the “third line of defense”) differs from monitoring in that the former a) occurs less in “real time” and b) is more independent than the latter.

An example of COI monitoring by businesses/first line of defense is managers reviewing employee inputs into a gifts and entertainment data base.   Another – which overlaps with the more traditional notion of an internal control – is supervisors reviewing employee T&E reimbursement requests. (In this example the review can be considered the monitoring – at least to the extent that the supervisor is looking for COI-related information.  The necessity that the supervisor approve the request before the employee can be reimbursed is the more traditional control, at least under some definitions.)

An example of the second line of defense applied to COIs (in this case, third-party ones) is the practice in the pharma industry of C&E personnel attending some of their company’s events involving health care providers, to ensure compliance with fraud and abuse standards (which are COI based).  Another instance is where the C&E function gathers and reviews information through data bases, such as for gifts and entertainment (as mentioned above), and/or through certifications.

In the above examples monitoring essentially means preventing or detecting COIs.  But monitoring – both first and second line of defense types – can also refer to managing COIs that have been disclosed and approved.  This can be essential in various highly regulated fields, such as health care, where it may be impossible/undesirable to ban all COIs but where those that are permitted to exist must be carefully watched.

While not every organization needs to have robust COI monitoring, I believe that many organizations should do more to mitigate COIs with this sort of approach than they currently do, particularly given the abundant evidence that as individuals we don’t do a good job managing our own conflicts (as this is not an area where “inner controls” – i.e., our moral sentiments – provide much of a “defense”).

Auditing for Conflicts of Interest

Does your company’s C&E audit plan sufficiently address COIs?  Most companies presumably have some COI-related auditing, but far fewer deal with this important C&E area in a systematic way.

As with other C&E-related areas, COI-directed audits tend to fall largely into a “substance” bucket and a “process” one.

The former includes (but is by no means limited to) certain measures that are necessary for all companies – such as examining T&E records of corporate officers and other key individuals. It should also include auditing based on industry-related COI laws and regulations (e.g., in health care/life science, government contracting or financial services), as well as cross-industry areas of legal risk (such as FCPA).

Of course, for companies with a risk of organizational conflicts there is a host of audit measures one might take. Perhaps less obviously, where companies face significant risks of causing third-party COIs, that too should be audited.

The latter type of audit measures (for process) would look at COI-related:

– Risk assessment processes. Are they well designed? Are they being followed? Is the information from the process being fully used to inform other aspects of the C&E program?

– Policies and communications. Are the standards clear? Is there a training and communications plan around COIs? What is employee understanding of applicable standards?

– Procedures around disclosure, review and management. As with other audit areas, this part of the effort would look at both design and operation – and also focus on the sufficiency of documentation.

– Accountabilities.  This includes both administrative accountability and discipline for violations (including the culpable failure by managers to prevent and detect violations by others).

Finally, political and charitable contributions should, for some companies, be reviewed, not only for COIs but also the related issues of moral hazard or bias.

 

Conflict of interest review processes

As prior posts have discussed, reviews of disclosed employee conflicts of interest pose a number of challenges. Disclosures may not truly mitigate conflicts.  Indeed, they may actually cause more wrongful COI-based conduct to occur than would be the case absent a disclosure.

Still, very few business organizations opt for a true “zero tolerance” approach to all COIs.  And for those that don’t, COI review processes are necessary for determining when a COI should be permitted to exist and under what conditions.

At a minimum, COI reviews should be conducted by an independent person or body. Independence for these purposes means more than COI-free in the traditional sense. It should also encompass the behavioral ethics concept of “motivated blindness,” i.e., a reviewer should not be someone who may – due to the relationships involved – be inclined to approve a conflict-laden relationship or transaction.

For this reason, companies may wish to have COI reviews conducted by a C&E committee. One obvious benefit to this approach is that there is “safety in numbers.” Another is that the committee will have or develop expertise (born of experience) in evaluating conflicts, which behavioral ethics research shows can be useful. Offering less C&E protection – but still more than having COI reviews made by a line supervisor – is tasking a staff function, such as legal or HR, for this job.

Of course, some companies do permit supervisors to approve COIs.  If this approach is adopted, companies should still seek to have a reasonable degree of rigor in the process by:

– requiring that any approvals be in writing and sought before engaging in a conflict-based transaction;

– providing and publicizing avenues for supervisors to ask questions of the C&E function when performing COI reviews; and

– including the issue of COI reviews in supervisor training – or, if this is impractical, providing written guidance (e.g., FAQs) regarding such reviews.

Finally, companies should check on the supervisors’ actions in reviewing or approving COIs, such as through audits.

Moral Hazard – Part Three: Intangible Interests, Monitoring By Boards

In prior postings, we introduced the concept of “moral hazard” (which, again, is principally based on economics, not ethics) to the Blog and considered how moral hazard risks can be addressed through appropriate attention to incentives, both positive and negative.  In this posting we discuss the less common form of intangible moral hazard based interests.

Consider the example of corporate support for political causes or candidates for public office (hopefully a good example to use in an election year). In some instances, a senior manager with the power to make decisions for a company regarding such support may use that power to embrace a candidate or cause even if doing so is against her company’s interests (e.g., the cause or candidate’s positions may offend a large percentage of the company’s customers). For the purposes of our example, assume further that the manager does not expect to be tangibly rewarded for providing the company’s support to the candidate, and thus may not have a true “interest” for COI purposes (at least not in the traditional sense). Nonetheless, because of the manager’s political beliefs, she may cause the company to take risks in supporting the candidate that are unjustifiable from the organization’s perspective. In other words, this is a case of an intangible moral hazard risk.

Of course, compared to other C&E risks (e.g., corruption, competition law) political support is not an area of great danger to most companies. Nonetheless, presumably because of this potential for divergence of interests, it is in fact an area with a relatively significant amount of board oversight and other high-level compliance measures, as described in The Conference Board’s Handbook on Corporate Political Activity: Emerging Corporate Governance Issues.

I should emphasize that most moral hazard risks really are of the tangible variety – and come particularly from the area of compensation. But as with COIs, organizations need to think broadly about moral hazard to have an effective C&E approach regarding all the ways in which employees might be moved to act inconsistently with the interests of the organization.

Next up on the Blog: “behavioral ethics and compliance.”

Conflicts of Interest in the News: 011412 Edition

 

The two big COI news stories of the week were:

– Economists Adopt New Disclosure Rules for Authors of Published Research. The reforms follow “heavy scrutiny of economists’ conflicts of interest before the financial crash of 2008.” This is a good (and certainly overdue) step (and sadly underscores how it often takes a scandal for COI-related reforms to be implemented). Of course, disclosure by itself does not necessarily mitigate COIs.

– Ties of FDA experts to pharma companies revealed. The “FDA asked outside experts in December to discuss the safety of birth control that contains the compound drospirenone, including Bayer’s Yaz and Yasmin. The panel decided by a four-vote margin that the benefit of pregnancy prevention from these pills outweighed their risk of dangerous blood clots. But according to court and public documents, three of the FDA’s 26 advisers had research or financial ties to Bayer. A fourth adviser had a connection to a manufacturer of generic copies of Yaz, Barr Laboratories, now part of Teva Pharmaceuticals. All four of these advisers voted that the drugs’ benefits outweighed risks, meaning the pills could stay on the market…” Beyond the impact on the decision at issue, one can imagine the harm that COIs of this sort have on public trust of the FDA.

Other news of the week concerns COIs and…

Government contractors. This is an analysis from the Corporate Compliance Insights website of an important decision from the General Accounting Office concerning government contractors hiring former government officials, underscoring, among other things, the need to do meaningful conflicts checks in hiring.

Journalists: “Next week, thousands of tech journalists will descend on Las Vegas to get a sneak peek at coming tech gadgets at the International Consumer Electronics Show.  Many will also probably come away with grab bags of goodies…The question, of course, is whether journalists can properly serve their readers when the industry is handing them bottles of top-shelf booze and pricey toys.”

Supreme Court Justices. A tricky issue, indeed: who decides COI issues for the court of last resort?

Regulators: “A former Securities and Exchange Commission official has agreed to pay a $50,000 fine for going through the revolving door and working for alleged Ponzi scheme mastermind Robert Allen Stanford after purportedly taking part in SEC decisions to not investigate Stanford, the Justice Department said Friday.” (Bad facts – but also an unusual case.)

And, thanks to Broc Romanek of the invaluable – particularly for securities and corporate lawyers – theCorporateCounsel.net for featuring our post on COIs in serving on other companies’ boards.  Apparently this was the occasion for much discussion there – and so we will return to the topic before not too long.

Coming up next week: more on COI risk assessment, moral hazard and a video coming attraction for a series on cognitive bias and “behavioral compliance and ethics.”

 

Conflict of Interest Certifications – Part Two: Content

In a recent post we discussed the “why” and “who” of COI certifications.  Below, we examine what is typically covered by a COI certification.

First, the basics tend to be questions around the following issues:

– Employment (of oneself or family members) with or consulting for an entity doing or seeking to do business with or competing against the company.

– Holding a financial interest (again, involving oneself or family members) in the above-described types of organizations.

– Employment of relatives at the company.

– Gifts, entertainment and travel involving any person or entity doing or seeking to do business with the company (including loans involving such persons or entities).

Sometimes these questions are asked broadly, other times in terms of the employee’s area of responsibility (e.g., do you have any procurement- or management-related duties concerning any entity in which you or a family member have an ownership interest?)

Second, less frequently one also sees questions concerning:

– Any other outside employment or consulting (i.e., regardless of whether it involves a competitor, supplier, etc.)

– Service on a board (of directors or advisors).

– Anti-corruption requirements – questions involving employees of governmental entities and, less commonly, union officials.

– Corporate opportunities.

– Purchases, sales or leases of property involving the company.

– Holding government office (presumably on a part-time basis) – which is generally relevant only to organizations that have significant dealings with a large number of local governmental bodies, like energy utilities; and

– Relationships with the company’s external auditors.

Finally, one should ask, in substance:  Do you have any other relationships, etc., that might reasonably be regarded as creating an actual or apparent conflict of interest with your responsibilities to the company?

I hope that readers of the Blog will use the comment feature to share any other issues or relationships that organizations might wish to consider for their COI certifications.