Risk Assessment

This section will examine ways to conduct COI-related risk assessments – both foundational assessments and ongoing ones.

Assessing private sector bribery risks

The near universality of bribery is captured in many stories, but my favorite is the joke made by former NY governor Al Smith, who, upon seeing a student reading a book in law library, supposedly said, “There is a young man studying how to take a bribe and call it a fee.”  The appeal of this story for  me is based largely upon my being a lawyer, but I imagine every business and profession has its own timeless tales about this ancient form of evil. However, what is relatively new under the sun is the expectation that business organizations no longer treat bribery as an inescapable facet of human nature (let alone a joke) but, rather, attempt to mitigate bribery risks using the same management skills  and sense of resolve that they would bring to other business challenges.

With respect to public-sector corruption, this has become reasonably well understood in recent years based on the strict enforcement of the Foreign Corrupt Practices Act.  The UK Anti-Bribery Act has had a somewhat similar effect for private sector bribery.   But, in allocating C&E resources to mitigating corruption risks,  it is important to recognize certain general distinctions between the two.

First, the economic impact of corruption in the former type of cases is likely to be passed on to the public itself, not borne by the victim organization in the transaction.  In other words, more than private sector corruption, the public sector species involves negative externalities, which suggests that economic incentives are less likely to lead organizations in the latter sphere to undertake strong anti-corruption self-protection measures than is true for those in the former.  And that relative degree of defenselessness, in turn, presumably translates into a higher likelihood of corruption (at least with respect to large-scale corrupt acts – the realm of gray-area gifts/entertainment and  other “soft” conflicts of interest is another matter).

Second, and again speaking as a very general matter, public sector corruption is likely to be more impactful than the  private sector kind because it frequently threatens efforts that are necessary for the well-being of society as a whole (e.g., the administration of justice, tax collection, environmental protection, product safety).  Indeed, public sector corruption can help delegitimize the very idea of governmental action, which can have harmful consequences of various kinds. Perhaps in recognition of these relatively unique harms public sector corruption seems to be treated more harshly than is the private sector variety.

On the other hand, the very fact that corruption seems to be more likely and impactful in the public sphere can be lulling with respect to private sector corruption, and mislead companies into concluding that they need to do virtually nothing in regard to the latter.  Therefore, it is important to include private sector corruption in C&E risk assessments, taking into account, among other things, the C&E standards of customers and other private sector organizations with which your company deals,   relevant geographic culture, the organizational culture of the parties in question,  the controls of such organizations and pertinent  industry culture.

Note that these sorts of risk assessments can be challenging because the sources of private sector corruption risk are less well articulated in governmental compliance standards than is true with public sector risks.  Indeed, compared to often surprisingly “well-lit” public sector corruption risks, private sector ones tend to hide in dark corners.  But that makes a strategic approach to risk assessment all the more important. In other words, while for many companies devoting the bulk of one’s anti-corruption efforts to public sector risks makes sense,  it also creates an enhanced obligation of using private sector anti-corruption resources in a thoughtfully targeted way.

Piling on: where antitrust and conflicts of interest meet

The recent imposition of a record tying $500 million criminal fine in an antitrust case is an important reminder to C&E professionals about the need for strong measures in this risk area.  But while there’s a lot that can be said about antitrust/competition law generally, rarely is mention made of possible connection between that area of risk and the subject of this blog,  COIs.  Yet, historically there have been cases where the two meet, and understanding their points of intersection can in fact be useful for certain aspects of C&E program management.

One  well known – if not necessarily typical – example was in a case that was decided by the Supreme Court  thirty years ago (American Society of Mechanical Engineers  v. Hydrolevel) in which a nonprofit membership association that issued codes for various areas of engineering was sued by a company that sold safety devices for use in water boilers.  The basis for the suit was that an employee of a competitor of the plaintiff – who was working as a volunteer of the non-profit – caused the non-profit  to publish a letter saying that the plaintiff’s device was unsafe.   This conduct – clearly a COI on the part of the association – was held to be an antitrust violation.  Or, another way of looking at it was that the COI was the motivation for the antitrust offense.

More recently (and perhaps more typically in terms of how these two areas can intersect) cases brought against insurance brokers regarding certain un- (or under-) disclosed payments from insurance issuers – a COI – had antitrust elements, too, meaning that the  insurers allegedly agreed among themselves to refrain from competing against each other in order to help protect this COI-laden state of affairs.     And in a related vein, in the famous (at the time) specialty steel cost-plus corruption cases  competitor suppliers took bidding instructions from a “quarterback” so that a long standing kickback scheme would not be disrupted.

This sort of connection between antitrust and COIs doesn’t happen frequently.  But it is predictable enough so that C&E professionals should – in connection with risk assessment and investigations – be alert to the possibility of it occurring in or to their respective organizations.



Conflicts of interest and industry culture

In the C&E world, culture most often refers to the culture of an organization.  In this connection, an earlier post discussed how permitting COI violations near the top of an organization can undermine the sense of “organizational justice” among employees generally – and thereby diminish the C&E program as a whole.

C&E-related culture also commonly refers to the culture of a given geography.  For instance, as this prior guest post by Judith Irwin of the Institute of Business Ethics describes, in some places what is considered a COI by Western standards might be seen an ethical mandate in other places.  (“Take the example of nepotism in Africa. In Africa, where family bonds are highly valued, nepotism is a common practice, and an employee may face ostracism for not hiring a relative for a position at the firm.”)

But there is also a third dimension to the intersection of culture and C&E that is too often overlooked: industry culture.

An example of this unrelated to COIs is that in the chemical industry some years ago there seemed to be a culture that encouraged sharing of information among competitors.  This contributed, predictably,  to a high incidence of antitrust violations.

And, industry culture can be relevant to COI risks, too.  For instance, the advertising business (at least in the U.S.)  is one in which gift giving/entertaining is pretty prevalent and so even an organization that has strong COI policies may wish to devote extra C&E-related attention to its employees (typically in marketing or procurement) who interact with members of that industry. (The Wal-Mart ad agency case from a few years back – discussed briefly here  – offers a pretty good lesson in how important that can be.)

Beyond the COI risks that industry culture can create in a company’s functions (as in the advertising example) culture can be risk causing vis a vis distinct business lines or units within a company, particularly a large decentralized one. So, for example, a large energy company whose principal business is a regulated utility that needs to maintain the trust of key regulators should be mindful of  the reputational danger of a casual approach to COIs in its unregulated subsidiaries. (Note that this sort of situation can also involve “moral hazard” –  a topic of occasional discussion in this blog.  Specifically, the risks of adversely impacting the interests of the organization as a whole might not be fully felt by the risk-taking unregulated business.)

As a general matter industry culture is not as significant a cause of risk as organizational or geographical culture.  But it can be potent, particularly in industries with a high degree of inter-company mobility, such as financial services.  And,  industry culture should be considered in all organizations’ COI risk assessments.


A world of risk

As is true with conflicts of interest, C&E risk assessment is the source of near endless interest to me. (No wonder I don’t get invited to parties!)

The importance of risk assessment is obvious from the many cases where the failures to understand or sufficiently address risk have led to C&E catastrophes. But the benefits of risk assessment are not limited to preventing failures. It can also be a “delivery device” for introducing new ideas and information – such as those found in behavioral ethics – into C&E programs, and thereby help keep such programs vibrant.

My interest in risk assessment goes back aways. I believe that a book chapter I wrote in 1993 for Compliance Programs and the Corporate Sentencing Guidelines was the first instance in which conducting a stand-alone C&E risk assessment – then called a “liability inventory” – was proposed (although obviously the COSO framework, which had a compliance component, predates that).  And this interest stretches into the future,  as I recently authored the risk assessment section for a commemorative guide being published this fall by the Ethics and Compliance Officer Association in connection with that organization’s 20th anniversary. (Hope to see you at the conference!)

For those who share an interest in risk assessment, here’s a link to a page on the Corporate Compliance Insights web site collecting several years’ worth of risk assessment pieces that I have written, with a “greatest hits” post that ran today.


Informal fiduciary duties and criminal liability

No, I don’t mean a fiduciary duty wearing loafers and khakis. (That, of course, is a casual fiduciary duty.)  An “informal” fiduciary duty is a duty of trust that arises even absent traditional fiduciary relationships, such as agent-principal or employee-employer.

In an important recent decision, a federal appeals court held that that independent contractors who have no formal fiduciary relationship with the government nonetheless can be prosecuted for “honest services” fraud for taking bribes based on a breach of “a comparable duty of loyalty, trust, and confidence.”  See US v Milovanovic.     There are several things about this holding that are worth noting, as described in this analysis by the Jenner &  Block law firm (registration required).    First, the court’s “formulation of an informal fiduciary relationship, the breach of which could trigger criminal liability for honest services fraud where the alleged fiduciary takes bribes or kickbacks, is extremely broad…. Second, the …opinion arguably makes even subcontractors susceptible to prosecution for honest services fraud…Finally, the Milovanovic case does not appear to be limited to government contractors.”

The decision – which has been the subject of some criticism for its breadth  – indeed appears to be a significant addition to the landscape of COI-related legal risk, at least from a criminal law perspective.  (Here is an article on informal fiduciary duties and civil liability.)

However, from an ethics-based  risk assessment logic standpoint, informal fiduciary relationships have always been worth paying attention to because even in the absence of a legal duty betraying the trust of others could have an adverse reputational impact and, under any mainstream ethical standard (e.g., utilitarianism, deontology or virtue ethics) , is clearly wrong.  And perhaps the Milovanovic opinion will serve as a reminder of the need to consider these types of relationships in identifying and addressing COI risks.

 For more on what makes a COI a crime, see this post  by criminal defense attorney Patrick J. Egan

“Type 2” Conflicts of Interest, Risk Assessment and “Inner Controls”

In his comprehensive taxonomy of conflicts of interest in the financial services industry ,  Professor Ingo Walter of New York University distinguishes between the kind of conflicts  that a firm has with its clients (“Type 1” conflicts) and conflicts between a firm’s clients (“Type 2” COIs).   Because the coverage of the COI Blog is not focused on this (or indeed any) industry we have  devoted little attention to the latter.  However, last week the UK’s Financial Services Authority imposed, in a Type 2 case, what is evidently its largest COI-related fine ever against a firm (Martin Currie), and this seems a good occasion to discuss these sorts of conflicts.

As briefly described in this article  the firm “caused one client to enter into an ill-advised transaction which rescued another client from serious liquidity concerns…  Both of the two … clients focused on making investments in the China market and were managed by Martin Currie from its Shanghai office. In April 2009, Martin Currie caused the rescued client fund to invest around £15m in an unlisted bond issued by an offshore Chinese firm, the FSA said. Martin Currie failed to ensure that the bond’s valuation or the rationale behind the investment were properly scrutinised at the time of the transaction and it proved to be a poor investment for the client, whose fund halved in value over the next two years. While the investment was detrimental to that fund, it had significant advantages for the other client in question, which was facing serious liquidity concerns due in part to its exposure to illiquid investments in a single offshore Chinese entity.”

Note that Type 2 conflicts pose risks not only for financial services firms.  They can also arise in law firms (where such COIs are far more common than are the Type 1 variety), and other contexts, too – e.g., consulting firms that do not fully disclose how commercial relationships with one client can impact the advice given  to others (such as in technology  procurement).

Indeed, it may be non-obvious Type 2 COIs that create the greatest risk for some organizations precisely because they have not been spotted.  And even where these are known they may not be fully appreciated,  because the self interest in Type 2 COIs may be less obvious (though no less real) than in Type 1 conflicts; i.e., those faced with the former may be particularly at risk due to the relative absence of “inner controls.”  For these reasons, all sorts of organizations should at least consider in their risk assessments whether Type 2  COIs could be an issue for them.

Assessing Conflict of Interest Risks: the Sixth and Final Post in this Series

Prior posts in this series  (see link in first paragraph of this post) covered the need (as a matter of law and sound practice) for conducting COI risk assessments; the ways to use risk assessment information in compliance efforts; and a possible analytic framework for assessment, looking at the reasons and capacities for, and impacts of, COIs.  In this post, we make several other points about COI risk assessment methodologies.

First, while COI related risk assessments often (and appropriately) focus on the “buy” side (i.e., procurement), selling related COIs can pose real risks, too.  In that regard, I can recall two cases of harmful COIs that flew under the radar of companies whose COI compliance efforts were largely buy-side focused.

Second, a COI risk assessment should also seek to determine what the risks are of “causing conflicts in others.”  That is, with respect to the parties with whom an organization deals (suppliers, customers, others), one should seek assess whether, how, why  and where the organization could create COIs within such a  party.

Third, a COI risk assessment should include moral hazard and behavioral ethics related risks.

Fourth, one should consider geographic dimensions of COI risk – particularly with respect to cultures in which “fairness” in business transactions is emphasized less than family ties and other personal relationships. (See Lori Tansey Martens’ posts for more information on different cultures’ approaches to COIs.)

Fifth, COI risks should be assessed on both a “gross” and “net” basis – with the former excluding and the latter including the impact of existing controls. This is necessary not only for an accurate assessment of current risks, but also to help prevent against backsliding in the future. 

Finally, a risk analysis should not only seek information about the current risks of COIs but also where future conflicts are reasonably foreseeable given the nature of industry-wide and other “macro” trends relevant to the organization, and possible changes to its business from acquisitions, new product or service lines or strategies or changes to distribution or sales methods and customer types.

Conflict of Interest Risk Assessments – Part Five: Impact

Prior posts in this series – which can be accessed here –  addressed the legal imperatives for conducting COI risk assessments; the ways to use risk assessment information in designing or enhancing various C&E program elements;  and two components of a suggested analytic framework for assessment – one of which concerns COI “reasons'” and the other COI “capacities.”  In this post we briefly examine the third such dimension – “impact.” 

Extensive information gathering efforts concerning the “impact” aspect of risk assessments are, in my view, often unnecessary with respect to many C&E risks.   I say this because the potential impacts of many C&E risks tend to be well known to a company’s law and compliance departments.  For instance, there is typically not much point in having executives vote on what they think the impact of an antitrust, bribery or employment law violation would be.

But with COIs an impact dimension can be important, because COI impacts tend to be less obvious than are those arising from many other types of C&E violations.  That is, such impacts often are more business related in general and trust related in particular, and less a matter of incurring legal penalties (although there are some significant exceptions to this – particularly in the financial services, government contracting, health care and life science areas).

For this reason, identifying all the significant ways in which a COI could be harmful to an organization’s various relationships of trust or other business interests can be useful for a number of purposes.  For instance, this information can play a role in developing or revising: 

– training and other communications – as these tend to be more effective to the extent they are specific about harms an organization faces from COIs;  and

– additional procedures, such as those designed to help avoid causing other people’s conflicts.

In addition, including impact – along with “reasons” and “capacities” – in the quantitative aspect of the COI mix can be useful for allocating C&E resources for such purposes as monitoring and auditing.

Finally, a COI risk assessment process can, to some extent, be combined with COI training for senior managers.  That is, when training senior managers on COIs one can use the process to gather – and test – an organization’s risk-related information, both concering impact and the other assessment dimensions.

Coming up: the concluding post in our COI risk assessment series.

Conflict of Interest Risk Assessments – Part 4: Capacities

Risk assessment is generally seen to be the most important – and often the most challenging – aspect of any compliance program, and for this reason we are exploring COI risk assessment in a six-part series in the Blog. The first two postings in this series addressed legal expectations regarding COI risk assessments and the C&E program uses to which information derived from a COI risk assessment should be put.   The third posting began the discussion of methodology by addressing one of three principal risk assessment dimensions – “reasons.”  In this posting, we examine the “capacities” dimension of COI risk assessment (and after this we’ll explore measuring the impact of COI risks).

“Capacities” – in the compliance risk analysis context – means a party’s ability to engage in harmful behavior.  In some industries, such capacities for harmful conflicts-based conduct are widespread.  An obvious example is the financial services industry.  Indeed, as noted several years ago by the SEC’s then Chief of Enforcement :  “Conflicts of interest are inherent in the financial services business. When you are paid to act as an intermediary, like a broker, or as another’s fiduciary, like an investment adviser, the groundwork for conflict between investment professional and customer is laid.”  More recently, and as described in a recent posting, there is a vast array of capacities for COIs in private equity firms that have been identified as of  possible concern to the Securities and Exchange Commission.  

Turning from client conflicts in the financial services field to internal ones in organizations of all kind, a key consideration for this aspect of risk assessment is the extent to which an individual exercises discretion over matters that could involve COIs.  Most obviously in this category are individuals in management or procurement positions.  But there are also many other, less obvious, functions that could have COI-risk creating capacities.

For instance, in a government contractor, HR could be seen as having the capacity to violate COI rules concerning hiring government personnel.  Or, in some companies, “corporate opportunities” will present real COI risks — e.g., particularly investment-related ones – for some employees (or agents) but not others.  (This type of COI – which will be the topic of future postings – refers to situations where as part of her work a director or employee identifies a business opportunity and takes advantage of it without making sure the employer has first had the opportunity to consider it.)  Similarly, for insider trading – which is partly COI-related – a capacities analysis would embrace the extent to which various individuals had access to material, non-public information from their employer.

Of course, a COI risk tends to be highest for individuals or functions where both “reasons” and “capacities” are significant, and in such instances companies should consider deploying a full range of C&E mitigation measures, e.g., targeted training, auditing and other controls.  The same is true with regard to COI risks for which only one of these dimensions is significant but the potential impact of a COI (to be addressed in the next post) is high.





Ben Franklin – Behavioral Ethicist?

We continue the discussion from our most recent post in this series on behavioral ethics on circumstances in which an individual’s ethical standards – her “inner controls” – may not reduce the risk of wrongful behavior as much as expected.   

Another set of circumstances that is relatively likely to lead to an ethical shortfall is where we do not know who will be impacted by a contemplated act.   As described in this paper by Deborah A. Small and George Loewenstein, in one study “subjects were more willing to compensate others who lost money when the losers had already been determined than when they were about to be” and in another “people contributed more to a charity when their contributions would benefit a family that had already been selected from a list than when told that the family would be selected from the same list.”  

Beyond their direct application to the area of charitable giving, these findings may be relevant to a broader range of ethics issues, and, for instance, could help explain the relative ease with which so many individuals engage in offenses where the victims are not identifiable.  

One example of this is insider trading – a crime which, although widely known to be wrong, seems utterly pervasive (based, among other things, on the extent of trading in securities right before public disclosure of market moving events).  A behavioral ethics perspective suggests that (at least part of) the reason for this “inner controls” failure is that the victims of insider trading are essentially anonymous market participants. 

Another  offense of this sort is government contracting fraud (where the victims tends to be everyone),  and indeed Ben Franklin famously described the risks of an ethics shortfall here as well as anyone could: “There is no kind of dishonesty into which otherwise good people more easily and more frequently fall than that of defrauding the government.”   Understanding why “otherwise good people” do bad things is much of what behavioral ethics is about.

From a C&E risk assessment perspective, the combination of behavioral ethics data and Franklin’s (eerily prescient)  insight suggests that companies should take extra measures (e.g., through training, auditing and other C&E tools)  to prevent and detect wrongdoing  in situations where legal or ethical violations would seem to be victimless – and hence where our “inner controls” could be weak . 

 In our next post in this series: behavioral ethics and the unexpected risk of doing good.