Checking

“Checking” – auditing, monitoring, certifications, self assessments and questions in exit interviews (among other things) – can play an essential role in nearly any COI compliance regime. See the several sub categories below for more information about some of the principal checking tools.

“Point-of-risk” compliance

Marketers have long known that “point-of-sale” display of products can be a powerful advertising tool.  But can its logic be put to work for promoting compliance and ethics?

I was recently asked by a client to fill out a vendor information form and noticed that in addition to seeking information from vendors the form required the employee proposing the hiring to certify that any conflict of interest involving the vendor had been disclosed and okayed by management and the C&E officer.  While I know that many companies have some form of COI certifications (see prior posts collected here), I can’t recall having seen one on a vendor information form of this sort before – even though the common sense of such a “point-of-risk” compliance approach seems pretty obvious.  Indeed, it is hard to think of any reason why a company wouldn’t do this.

Moreover, such an approach  is supported by behavioral science, as described in this earlier post.  And, as also noted in that post, beyond the COI risk area there is no shortage of  other “point-of-risk” compliance opportunities for many companies: “anti-corruption – before interactions with government officials and third-party intermediaries;  competition law – before meetings with competitors  (e.g., at trade association events);  insider trading/Reg FD – during key transactions, before preparing earnings reports;  protection of confidential information – when receiving such information from third parties pursuant to an NDA;  …  accuracy of sales/marketing – in connection with developing advertising, making pitches; and employment law – while conducting performance reviews…” (Note: in the earlier post I refer to this approach as “just-in-time” compliance, but on reflection think that “point of risk” is closer to the mark.)  Doubtless there are many others too.

I should stress that this suggestion does not imply an increase in the total amount of C&E education, which for some companies would be a non-starter.  Rather, a robust “point-of-risk” strategy might allow a company to decrease its use of less impactful communications, meaning principally those that  lack immediacy and context.

Thinking more broadly, a “point of risk” C&E communication strategy might work for teaching ethics in business schools and colleges. Writing last week in the Huffington Post, William Steiger of the University of Central Florida’s College of Business Administration argued that: “Business schools should use examples of ethical practices and decision-making throughout the curriculum, not just in the ethics class.” I agree (and indeed when I was teaching business ethics years ago made a similar proposal; I hope Steiger has more success with this than I did).

Whether it is in the workplace or classroom, there is a growing need to  find ways to better communicate and otherwise support ethical expectations.  For many businesses and schools, a point-of-risk approach may be a good place to start.

The complicated and consequential world of compliance “checking”

Over time, companies should devote an increasingly greater amount of C&E program effort/resources to “checking” – auditing, monitoring and other forms of self assessment.  More than two decades after C&E checking became the law of the land, one can imagine how little sympathy the government would have for a company that tries to get “credit” for its C&E program but which had taken insufficient steps to determine if that program was in fact fit for purpose.

However, if the need for checking is clear, where to start  (or what step to take next) may not be. Both as a conceptual and practical matter, this can be a daunting area to tackle given the many types and dimensions of checking available.

In a complimentary web cast sponsored by The Network on January 20, 2015 at 1:00 pm Eastern, I’ll try to survey the world of C&E checking, describing relevant legal expectations and best practices that apply to both the risk area and the general program dimensions.  I’ll also discuss practical measures that companies can take to begin or improve a regime of C&E checking – in effect, a needs assessment for one’s C&E auditing, monitoring, program assessment and risk assessment.  Finally, I’ll consider what the impact of “behavioral ethics” should be on C&E checking.

Postscript:  more than 500 C&E folks attended the web  cast live and another 400 are getting the recorded version.   If you’d just like the slides, please click here.

“The inner voice that warns us somebody may be looking”

Within the treasure trove of H.L. Mencken’s sayings, this definition of “conscience” may be my favorite.  And, various studies have indeed shown that the sense that somebody may be watching can help promote ethical behavior.  Among these are  experiments exposing individuals to “eyespots” –  drawings which create a vague sense of being watched, even among those who know as a factual matter that they aren’t being seen. (See, e.g., this study, showing that exposure to eyespots can promote generosity.)

While actually deploying eyespots around the workplace is hardly a viable option for most companies, various technological advances offer not only the appearance of being watched but the actuality of it.  Such monitoring technologies can be particularly promising for promoting compliance by parts of a workforce for whom supervision is relatively remote – which is often the case for sales people.

For two other risk-related reasons, sales people can be a logical choice for C&E monitoring:

– Their incentives may not align well with those of their respective companies – a “moral hazard” condition.  (Indeed, in a risk assessment interview I conducted last week, the interviewee responded to a question about conflicts of interest by saying – only somewhat in jest – that the whole company sales force had such conflicts.)

– Sales people tend to be in a position to cause legal/ethical violations – e.g., corruption, collusion and fraud – much more than the average employee at a company.

But, while the case for monitoring sales people is strong as a general matter, obviously not all monitoring strategies are equally effective. According to a paper published in the September 2014 issue of the Journal of Business Research, “Does transparency influence the ethical behavior of salespeople?” by John E. Cicala, Alan J. Bush, Daniel L. Sherrell and George D. Deitz (rentable on Deep Dyve): “it is not the perception of visibility that drives sales persons behavior, but rather the perception of the likelihood of negative consequences resulting from management use of knowledge and information gained from technologically increased visibility.”

Of course, these results – based on an on-line survey which is described in the paper – presumably won’t surprise any C&E professionals. (Nor, likely, would they have impressed Mencken, who also said: “A professor must have a theory as a dog must have fleas” – although I should add that that’s just another chance to quote the great man – not a reflection of my view of this paper.) But, as with much of the social science research discussed in this blog, having data to back up what is intuitively known may be useful, particularly when seeking to make C&E reforms in a company that are being resisted.

Most relevant here is the often-contentious issue of how open a company is with its discipline for violations (meaning not just of sales persons but any employee).  While C&E professionals typically understand that true “public hangings” – i.e., full identification of individual transgressions and transgressors – can be undesirable for all sorts of reasons, there is still a lot that their respective companies can do in a general way to show that   negative consequences do exist for breaches of C&E  standards. Hopefully, this new research can help C&E professionals make such a case.

An important real-world conflict of interest experiment

In today’s NY Times, Michael Greenstone, an economics professor at MIT, writes about a study on auditor COIs that he –  together with Esther Duflo of M.I.T.;  and Rohini Pande  and Nicholas Ryan, both of Harvard – recently published.   The study was conducted in Gujarat, India, where industrial plants with high pollution risks are required  “to hire and pay auditors to check air and water pollution levels three times annually and then submit a yearly report to” a governmental body. In the study, for a randomly selected set of companies, but not for a control group, “auditors were paid a fixed fee from a central pool of money, a subset of the audits was chosen to have its findings re-examined, and auditors received payments for accurate reports, judged by comparisons with the re-examinations. The control group continued under the status quo system in which auditors were chosen and paid by the plants they were auditing.”

The results of this real-world experiment  powerfully demonstrate the impact on the ethicality of conduct that financial incentives can have – even on the judgment of individuals who, by virtue of their professional norms, are supposed to be resistant to COIs.  That is: “While many of the plants violated the pollution standards, few of the auditors in the control group reported these violations. In the case of particulate matter, an especially harmful air pollutant, auditors reported that only 7 percent of industrial plants violated the pollution standard. In reality, 59 percent of plants exceeded it.” However, “[t]he rules changes [in the experiment] caused the auditors to report more truthfully. In the restructured market, auditors were 80 percent less likely to falsely report a pollution reading as in compliance, and their reported pollution readings were 50 to 70 percent higher than when they were working in the status quo system. This difference was as large even when comparing reports of auditors working simultaneously under the two systems. Finally, and most important, the plants that were required to use the new auditing system significantly reduced their emissions of air and water pollution, relative to the plants operating in the status quo system. Presumably, this was because the plants’ operators understood that the regulators were receiving more accurate information and would follow up on it.”

Three comments on this important study.

First, while most directly relevant to auditors, these results can, I believe, be broadly applicable to COIs generally.  That is, if professionals who are trained to rise above COIs fare this poorly, one can only imagine the impact of COIs on the rest of us.

Second, the more important compliance and ethics program efforts become to society, the greater the need for not just C&E auditing but other forms of checking – such as monitoring, as was discussed in a piece in Corporate Compliance Insights.   But monitoring  (as a general matter) is even less independent than is auditing, so this recent study underscores  the considerable  challenges for making forms of checking beyond auditing effective.

Third, research to determine “what works” is vitally important for the C&E field to mature and realize its full promise, and real-world studies such as this one can be particularly valuable in that regard. Interestingly, another article in today’s NY Times describes how in the UK there is now a government-run effort (headed by a “Behavioral Insights Team”) to use research to determine what works with respect to various public policies, including some compliance-related ones. I hope that the US and other countries will follow the UK’s lead here.

Finally, here is a prior post on auditor COIs.

Mitigating holiday cheer: what’s new in gifts and entertainment compliance

It is that time of year again, and so we look once more at what’s new under the C&E officer’s tree to help with the timeless challenge of gifts and entertainment (G&E)  compliance.

First, in what seems like just yesterday (because it was just yesterday), “[a]n employee of Deutsche Bank’s Japanese brokerage unit was arrested on … suspicion of showering a local pension fund manager with expensive meals, golf outings and trips overseas in return for some 1 billion yen in investments,” as reported by the NY Times. The piece continues: “The wining and dining of corporate pension fund executives had, in fact, become commonplace at Deutsche Securities, which set up shop in Tokyo in 2005, [t]he Nikkei business daily said. In some cases, the feasting got so out of hand that employees filed the mounting expenses over many days in a bid not to attract attention, the paper said. The [Securities and Exchange Surveillance Commission] advised that the government reprimand Tokyo-based Deutsche Securities over its conduct.”

This story is still developing, but it seems like a huge black eye for the bank.  However, presumably the lessons of how one of the world’s largest financial institutions could allow this type of very damaging conduct to occur will be a gift to others seeking to stay out of trouble.  (Among other things, this case could show why high-risk organizations need to do more  G&E monitoring, but that’s just a guess.)

Indeed, one of the most useful things that C&E officers can do regarding G&E is to keep track of others’ missteps in this treacherous area – and use that information in training and periodic communications to employees.   A helpful stocking stuffer in that regard is   this chart recently prepared by K&L Gates partners Amy Sommers and Matt Morley showing FCPA enforcement actions involving gift-giving in China, which I found via one of Tom Fox’s many excellent writings on anti-corruption compliance.

Another G&E  goody  to consider getting for that hard-to-please C&E officer on your shopping list is this recently published article “Honing a compliant gifts policy: the trends we are seeing today,” by Laura Flippin of DLA Piper. Among these trends:  “setting global limits on the amount that may be spent on any single meal, with three tiers covering low, medium and high cost markets. …Limiting gift giving, globally, to no more than $50 worth of low-value items which may be given at any one time to a single individual, with a cap of no more than four gifts annually…Requiring all gifts to be sourced centrally by procurement and prohibiting the use of vouchers or gift cards that can be easily converted to cash….Mandating prior written approval from a regional or above-country compliance officer if an employee wants to provide more than two gifts yearly to any single recipient (whether or not a government official) …Using a specific, documented process to address hospitality provided for high-profile, unique events in countries where the company has a large presence or business interests – for instance, the London Olympics.”

Of course, global companies increasingly need to keep track of the increasing number of “local” G&E laws and regulations, e.g., those of Nigeria – presented here by ethixBase  (the publisher of the COI Blog).  EthixBase has compiled  domestic gift giving rules from more than 80 countries – something that should bring joy to even the most Scrooge-like C&E officer of a global company.

Finally, some recent possibly relevant articles from our own back pages:

– Gifts, entertainment and “soft core” corruption.

– Complying with customers’ COI requirements.

– COIs and industry culture.

Ho, ho, ho…

 

Risk assessment, program assessment and conflicts of interest

In my most recent column for Corporate Compliance Insights, I explore points of intersection between C&E risk assessment and C&E program assessment – two important functions that, while conceptually distinct, overlap to a considerable degree with each other. In today’s posting I’d like to continue that discussion insofar as the two types of assessment are addressed to COIs.

First, COI risk assessment is – at least for some organizations – more challenging than assessment of any other law/ethics area, because of the extraordinary array of interests  and intersections that can create COIs.  For this reason, truly comprehensive COI risk assessments can cover a lot of ground – as reflected in a six-part series the COI Blog has run on this topic.  Moreover, perhaps as much as any risk area, COI risks can be granular – further complicating the matter.  (See this CCI article on “nano compliance”  for more on the challenges of dealing with granular compliance risks.)

However, as with other C&E program matters it is essential that the perfect (which is truly unachievable in this case) not be the enemy of the good here – and so companies should begin somewhere.  One approach to this is to develop an initial plan which – based on known risk factors and easily available data (e.g., from COI disclosures) – has attainable COI risk assessment goals for “year one” with other measures  scheduled on a risk-tiered basis for later years.   If undertaken in good faith and with reasonable dispatch, this route could offer meaningful protection for an organization in the event that its C&E program were scrutinized by the government (although whether it would do so in any given situation would depend  in part on a host of other factors).  Put otherwise, it could help show that a company’s failure to identify and address a harmful COI was not for want of trying.

Second, COI program assessment does, of course, depend in part upon the results of an organization’s risk assessment, and so – assuming that a company hasn’t conducted the latter – this might seem a reason to postpone consideration of the former. But there are many other aspects of program assessment, too – such as the overall strength of a company’s COI policies; training and communications; disclosure and management measures; auditing, monitoring and other forms of checking; enforcement; and oversight – by boards of directors as appropriate and perhaps even COI SMEs. Note that COI program assessments are presumably less common than assessments regarding anti-bribery and other major risk areas (such as competition law) which operate in a well defined statutory framework. But that does not mean the need for such efforts is low; indeed, it is precisely because of the sprawling nature of COI risks and related need for useful remediation that a program assessment can be important for this area – to make sure nothing meaningful slips through the cracks.

Additionally, it is possible to combine aspects of a program assessment and a risk assessment.  For instance, an employee survey that asks, among other things, about perceptions of the company’s success in addressing COIs could serve a  highly useful risk assessment function by identifying where within a company most significant COIs seem to be (assuming, that is, that the survey data can be sliced by business and/or geographical unit) and also a program assessment one of understanding areas for improvement in the overall approach to COIs. More generally, given the overlap between these two functions such an approach should be appealing for many companies.

A final point: whether it is a COI risk assessment, a program assessment or some combination of the two, it is essential not only to gather the information in question but also to turn that information into action plans.  This may seem obvious but over the years I’ve seen quite a few examples of needs identified by these processes that went unaddressed.

 

C&E risk action plans for mitigating COIs

Risk assessment is, of course, the foundation for effective compliance measures generally – and various prior posts describe what should be included in conflict of interest risk assessment.  One of the keys to mitigating identified conflicts risks is through the appointment of a subject matter expert, as discussed here.

A risk action plan is a tool for  having SMEs identify and help to address C&E risks. In a post earlier this week on the Corporate Compliance Insights web site,  I discuss four practice pointers for success in designing and implementing such plans. While not focused on any one type of risk, I think the approach in the CCI piece could be particularly useful to mitigating COI (as well as other) risks in some organizations, given how diffuse COI risks often are in businesses.

Facing up to COI Sunshine

By Bill Sacks

On February 1st, 2013, the Centers for Medicare and Medicaid Services (CMS) released the final rules implementing the “Physician Payment Sunshine” provisions of the Affordable Care Act. These provisions, originally introduced as a separate bill by Senators Charles Grassley (R – IA) and Herbert Kohl (D-WI), will require Pharmaceutical and Medical Device companies to track and report all payments or “transfers of value” to physicians and teaching hospitals that exceed $10.00 (or essentially…everything).

The “Sunshine” provisions were designed to increase transparency in industry’s formal and informal relationships with medical providers. Ever since astute observers noticed that physicians could be influenced by financial considerations there has been concern that industry largesse could unduly influence research results, continuing medical education, prescribing, and other practice patterns. The thinking is, to paraphrase Justice Brandeis, “Sunshine is the best disinfectant.”

A public database of industry payments to physicians and teaching hospitals will go online by late 2014. This forthcoming transparency, on top of new COI regulations published by the NIH and Public Health Service that took effect last August, has resulted in significant movement on the part of hospitals and academic medical centers to put in place automated systems to collect and review conflict of interest disclosures and – just as important – to manage the conflicts uncovered through the disclosure process.

Technology to Improve COI Management

Compliance Officers and General Counsels in other industries should take note. Government contractors have obligations to identify and manage conflicts of interest under the Federal Acquisition Regulations (FAR). Many such contractors have tried to manage their COI obligations with paper surveys or simple generic online survey tools. These manual processes often collapse under their own weight, filling file cabinets or Excel spreadsheets with unusable, inaccessible data.

Newer, relational database tools are becoming more popular with organizations that need the ability to provide targeted survey questions to people with different reporting obligations, to direct COI survey responses to designated project managers and reviewers, to conduct detailed analysis on survey responses across projects, to produce customized reporting, and to maintain a database of archived responses.

Organizations seeking or managing federal contracts should periodically evaluate their COI management processes and systems to assess their effectiveness and to determine whether more up-to-date technological solutions could enhance operational efficiency.

(Bill Sacks is Vice President and co-founder of HCCS Inc., which provides online compliance training and workflow tools to organizations subject to federal regulations.  He can be reached at bsacks@hccs.com.)

Conflicts of interest monitoring

Most recently, we looked at auditing for COIs.  In this post, we examine what might be called auditing’s first cousin – monitoring, and particularly monitoring for COIs.

Monitoring is a broadly used concept in the C&E world.  It can refer both to monitoring by business personnel (front-line monitoring – or what is sometimes seen as part of the “first line of defense”) and also monitoring by a compliance or risk function (the “second line of defense”).

Auditing  (the “third line of defense”) differs from monitoring in that the former  a) occurs less in “real time” and b) is more  independent than the latter.

An example of COI monitoring by businesses/first line of defense is managers reviewing employee inputs into a gifts and entertainment data base.   Another – which overlaps with the more traditional notion of an internal control – is supervisors reviewing employee T&E reimbursement requests. (In this example the review can be considered the monitoring – at least to the extent that the supervisor is looking for COI-related information.  The necessity that the supervisor approve the request before the employee can be reimbursed is the more traditional control, at least under some definitions.)

An example of the second line of defense applied to COIs (in this case, third-party ones) is the practice in the pharma industry of C&E personnel attending some of their company’s events involving health care providers, to ensure compliance with fraud and abuse standards (which are COI based).  Another instance is where the C&E function gathers and reviews information through data bases, such as for gifts and entertainment (as mentioned above), and/or through certifications.

In the above examples monitoring essentially means preventing or detecting COIs.  But monitoring – both first and second line of defense types – can also refer to managing COIs that have been disclosed and approved.  This can be essential in various highly regulated fields, such as health care, where it may be impossible/undesirable to ban all COIs but where those that are permitted to exist must be carefully watched.

While not every organization needs to have robust COI monitoring, I believe that many organizations should do more to mitigate COIs with this sort of approach than they currently do, particularly given the abundant evidence that as individuals we don’t do a good job managing our own conflicts (as this is not an area where “inner controls” – i.e., our moral sentiments – provide much of a “defense”).

Auditing for Conflicts of Interest

Does your company’s C&E audit plan sufficiently address COIs?  Most companies presumably have some COI-related auditing, but far fewer deal with this important C&E area in a systematic way.

As with other C&E-related areas, COI-directed audits tend to fall largely into a “substance” bucket and a “process” one.

The former includes  (but is by no means limited to) certain measures that are necessary for all  companies – such as examining T&E records of corporate officers and other key individuals.  It should also include auditing based on industry-related COI laws and regulations (e.g., in health care/life science, government contracting or financial services), as well as cross-industry areas of legal risk (such as FCPA).

Of course, for companies with a risk of organizational conflicts there is a host of audit measures one might take. Perhaps less obviously, where companies face significant risks of causing third-party COIs, that should be audited.

The latter type of audit measures (for process) would look at COI-related:

– Risk assessment processes. Are they well designed? Are they being followed? Is the information from the process being fully used to inform other aspects of the C&E program?

– Policies and communications. Are the standards clear? Is there a training and communications plan around COIs? What is employee understanding of applicable standards?

– Procedures around disclosure, review and management. As with other audit areas, this part of the effort would look at both design and operation – and also focus on the sufficiency of documentation.

– Accountabilities.  This includes both administrative accountability and discipline for violations (including the culpable failure by managers to prevent and detect violations by others).

Finally,   political and charitable contributions should, for some companies, be reviewed, not only for COIs but also the related issues of moral hazard or bias.