Risk Assessment

This section will examine ways to conduct COI-related risk assessments – both foundational assessments and ongoing ones.

A world of risk

As is true with conflicts of interest, C&E risk assessment is the source of near endless interest to me. (No wonder I don’t get invited to parties!)

The importance of risk assessment is obvious from the many cases where the failures to understand or sufficiently address risk have led to C&E catastrophes. But the benefits of risk assessment are not limited to preventing failures. It can also be a “delivery device” for introducing new ideas and information – such as those found in behavioral ethics – into C&E programs, and thereby help keep such programs vibrant.

My interest in risk assessment goes back aways. I believe that a book chapter I wrote in 1993 for Compliance Programs and the Corporate Sentencing Guidelines was the first instance in which conducting a stand-alone C&E risk assessment – then called a “liability inventory” – was proposed (although obviously the COSO framework, which had a compliance component, predates that).  And this interest stretches into the future,  as I recently authored the risk assessment section for a commemorative guide being published this fall by the Ethics and Compliance Officer Association in connection with that organization’s 20th anniversary. (Hope to see you at the conference!)

For those who share an interest in risk assessment, here’s a link to a page on the Corporate Compliance Insights web site collecting several years’ worth of risk assessment pieces that I have written, with a “greatest hits” post that ran today.

 

Informal fiduciary duties and criminal liability

No, I don’t mean a fiduciary duty wearing loafers and khakis. (That, of course, is a casual fiduciary duty.)  An “informal” fiduciary duty is a duty of trust that arises even absent traditional fiduciary relationships, such as agent-principal or employee-employer.

In an important recent decision, a federal appeals court held that that independent contractors who have no formal fiduciary relationship with the government nonetheless can be prosecuted for “honest services” fraud for taking bribes based on a breach of “a comparable duty of loyalty, trust, and confidence.”  See US v Milovanovic.     There are several things about this holding that are worth noting, as described in this analysis by the Jenner &  Block law firm (registration required).    First, the court’s “formulation of an informal fiduciary relationship, the breach of which could trigger criminal liability for honest services fraud where the alleged fiduciary takes bribes or kickbacks, is extremely broad…. Second, the …opinion arguably makes even subcontractors susceptible to prosecution for honest services fraud…Finally, the Milovanovic case does not appear to be limited to government contractors.”

The decision – which has been the subject of some criticism for its breadth  – indeed appears to be a significant addition to the landscape of COI-related legal risk, at least from a criminal law perspective.  (Here is an article on informal fiduciary duties and civil liability.)

However, from an ethics-based  risk assessment logic standpoint, informal fiduciary relationships have always been worth paying attention to because even in the absence of a legal duty betraying the trust of others could have an adverse reputational impact and, under any mainstream ethical standard (e.g., utilitarianism, deontology or virtue ethics) , is clearly wrong.  And perhaps the Milovanovic opinion will serve as a reminder of the need to consider these types of relationships in identifying and addressing COI risks.

 For more on what makes a COI a crime, see this post  by criminal defense attorney Patrick J. Egan

“Type 2″ Conflicts of Interest, Risk Assessment and “Inner Controls”

In his comprehensive taxonomy of conflicts of interest in the financial services industry ,  Professor Ingo Walter of New York University distinguishes between the kind of conflicts  that a firm has with its clients (“Type 1” conflicts) and conflicts between a firm’s clients (“Type 2″ COIs).   Because the coverage of the COI Blog is not focused on this (or indeed any) industry we have  devoted little attention to the latter.  However, last week the UK’s Financial Services Authority imposed, in a Type 2 case, what is evidently its largest COI-related fine ever against a firm (Martin Currie), and this seems a good occasion to discuss these sorts of conflicts.

As briefly described in this article  the firm “caused one client to enter into an ill-advised transaction which rescued another client from serious liquidity concerns…  Both of the two … clients focused on making investments in the China market and were managed by Martin Currie from its Shanghai office. In April 2009, Martin Currie caused the rescued client fund to invest around £15m in an unlisted bond issued by an offshore Chinese firm, the FSA said. Martin Currie failed to ensure that the bond’s valuation or the rationale behind the investment were properly scrutinised at the time of the transaction and it proved to be a poor investment for the client, whose fund halved in value over the next two years. While the investment was detrimental to that fund, it had significant advantages for the other client in question, which was facing serious liquidity concerns due in part to its exposure to illiquid investments in a single offshore Chinese entity.”

Note that Type 2 conflicts pose risks not only for financial services firms.  They can also arise in law firms (where such COIs are far more common than are the Type 1 variety), and other contexts, too – e.g., consulting firms that do not fully disclose how commercial relationships with one client can impact the advice given  to others (such as in technology  procurement).

Indeed, it may be non-obvious Type 2 COIs that create the greatest risk for some organizations precisely because they have not been spotted.  And even where these are known they may not be fully appreciated,  because the self interest in Type 2 COIs may be less obvious (though no less real) than in Type 1 conflicts; i.e., those faced with the former may be particularly at risk due to the relative absence of “inner controls.”  For these reasons, all sorts of organizations should at least consider in their risk assessments whether Type 2  COIs could be an issue for them.

Assessing Conflict of Interest Risks: the Sixth and Final Post in this Series

Prior posts in this series  (see link in first paragraph of this post) covered the need (as a matter of law and sound practice) for conducting COI risk assessments; the ways to use risk assessment information in compliance efforts; and a possible analytic framework for assessment, looking at the reasons and capacities for, and impacts of, COIs.  In this post, we make several other points about COI risk assessment methodologies.

First, while COI related risk assessments often (and appropriately) focus on the “buy” side (i.e., procurement), selling related COIs can pose real risks, too.  In that regard, I can recall two cases of harmful COIs that flew under the radar of companies whose COI compliance efforts were largely buy-side focused.

Second, a COI risk assessment should also seek to determine what the risks are of “causing conflicts in others.”  That is, with respect to the parties with whom an organization deals (suppliers, customers, others), one should seek assess whether, how, why  and where the organization could create COIs within such a  party.

Third, a COI risk assessment should include moral hazard and behavioral ethics related risks.

Fourth, one should consider geographic dimensions of COI risk – particularly with respect to cultures in which “fairness” in business transactions is emphasized less than family ties and other personal relationships. (See Lori Tansey Martens’ posts for more information on different cultures’ approaches to COIs.)

Fifth, COI risks should be assessed on both a “gross” and “net” basis – with the former excluding and the latter including the impact of existing controls. This is necessary not only for an accurate assessment of current risks, but also to help prevent against backsliding in the future. 

Finally, a risk analysis should not only seek information about the current risks of COIs but also where future conflicts are reasonably foreseeable given the nature of industry-wide and other “macro” trends relevant to the organization, and possible changes to its business from acquisitions, new product or service lines or strategies or changes to distribution or sales methods and customer types.

Conflict of Interest Risk Assessments – Part Five: Impact

Prior posts in this series – which can be accessed here –  addressed the legal imperatives for conducting COI risk assessments; the ways to use risk assessment information in designing or enhancing various C&E program elements;  and two components of a suggested analytic framework for assessment – one of which concerns COI “reasons'” and the other COI “capacities.”  In this post we briefly examine the third such dimension – “impact.” 

Extensive information gathering efforts concerning the “impact” aspect of risk assessments are, in my view, often unnecessary with respect to many C&E risks.   I say this because the potential impacts of many C&E risks tend to be well known to a company’s law and compliance departments.  For instance, there is typically not much point in having executives vote on what they think the impact of an antitrust, bribery or employment law violation would be.

But with COIs an impact dimension can be important, because COI impacts tend to be less obvious than are those arising from many other types of C&E violations.  That is, such impacts often are more business related in general and trust related in particular, and less a matter of incurring legal penalties (although there are some significant exceptions to this – particularly in the financial services, government contracting, health care and life science areas).

For this reason, identifying all the significant ways in which a COI could be harmful to an organization’s various relationships of trust or other business interests can be useful for a number of purposes.  For instance, this information can play a role in developing or revising: 

– training and other communications – as these tend to be more effective to the extent they are specific about harms an organization faces from COIs;  and

– additional procedures, such as those designed to help avoid causing other people’s conflicts.

In addition, including impact – along with “reasons” and “capacities” – in the quantitative aspect of the COI mix can be useful for allocating C&E resources for such purposes as monitoring and auditing.

Finally, a COI risk assessment process can, to some extent, be combined with COI training for senior managers.  That is, when training senior managers on COIs one can use the process to gather – and test – an organization’s risk-related information, both concering impact and the other assessment dimensions.

Coming up: the concluding post in our COI risk assessment series.

Conflict of Interest Risk Assessments – Part 4: Capacities

Risk assessment is generally seen to be the most important – and often the most challenging – aspect of any compliance program, and for this reason we are exploring COI risk assessment in a six-part series in the Blog. The first two postings in this series addressed legal expectations regarding COI risk assessments and the C&E program uses to which information derived from a COI risk assessment should be put.   The third posting began the discussion of methodology by addressing one of three principal risk assessment dimensions – “reasons.”  In this posting, we examine the “capacities” dimension of COI risk assessment (and after this we’ll explore measuring the impact of COI risks).

“Capacities” – in the compliance risk analysis context – means a party’s ability to engage in harmful behavior.  In some industries, such capacities for harmful conflicts-based conduct are widespread.  An obvious example is the financial services industry.  Indeed, as noted several years ago by the SEC’s then Chief of Enforcement :  “Conflicts of interest are inherent in the financial services business. When you are paid to act as an intermediary, like a broker, or as another’s fiduciary, like an investment adviser, the groundwork for conflict between investment professional and customer is laid.”  More recently, and as described in a recent posting, there is a vast array of capacities for COIs in private equity firms that have been identified as of  possible concern to the Securities and Exchange Commission.  

Turning from client conflicts in the financial services field to internal ones in organizations of all kind, a key consideration for this aspect of risk assessment is the extent to which an individual exercises discretion over matters that could involve COIs.  Most obviously in this category are individuals in management or procurement positions.  But there are also many other, less obvious, functions that could have COI-risk creating capacities.

For instance, in a government contractor, HR could be seen as having the capacity to violate COI rules concerning hiring government personnel.  Or, in some companies, “corporate opportunities” will present real COI risks — e.g., particularly investment-related ones – for some employees (or agents) but not others.  (This type of COI – which will be the topic of future postings – refers to situations where as part of her work a director or employee identifies a business opportunity and takes advantage of it without making sure the employer has first had the opportunity to consider it.)  Similarly, for insider trading – which is partly COI-related – a capacities analysis would embrace the extent to which various individuals had access to material, non-public information from their employer.

Of course, a COI risk tends to be highest for individuals or functions where both “reasons” and “capacities” are significant, and in such instances companies should consider deploying a full range of C&E mitigation measures, e.g., targeted training, auditing and other controls.  The same is true with regard to COI risks for which only one of these dimensions is significant but the potential impact of a COI (to be addressed in the next post) is high.

 

.

 

 

Ben Franklin – Behavioral Ethicist?

We continue the discussion from our most recent post in this series on behavioral ethics on circumstances in which an individual’s ethical standards – her “inner controls” – may not reduce the risk of wrongful behavior as much as expected.   

Another set of circumstances that is relatively likely to lead to an ethical shortfall is where we do not know who will be impacted by a contemplated act.   As described in this paper by Deborah A. Small and George Loewenstein, in one study “subjects were more willing to compensate others who lost money when the losers had already been determined than when they were about to be” and in another “people contributed more to a charity when their contributions would benefit a family that had already been selected from a list than when told that the family would be selected from the same list.”  

Beyond their direct application to the area of charitable giving, these findings may be relevant to a broader range of ethics issues, and, for instance, could help explain the relative ease with which so many individuals engage in offenses where the victims are not identifiable.  

One example of this is insider trading – a crime which, although widely known to be wrong, seems utterly pervasive (based, among other things, on the extent of trading in securities right before public disclosure of market moving events).  A behavioral ethics perspective suggests that (at least part of) the reason for this “inner controls” failure is that the victims of insider trading are essentially anonymous market participants. 

Another  offense of this sort is government contracting fraud (where the victims tends to be everyone),  and indeed Ben Franklin famously described the risks of an ethics shortfall here as well as anyone could: “There is no kind of dishonesty into which otherwise good people more easily and more frequently fall than that of defrauding the government.”   Understanding why “otherwise good people” do bad things is much of what behavioral ethics is about.

From a C&E risk assessment perspective, the combination of behavioral ethics data and Franklin’s (eerily prescient)  insight suggests that companies should take extra measures (e.g., through training, auditing and other C&E tools)  to prevent and detect wrongdoing  in situations where legal or ethical violations would seem to be victimless – and hence where our “inner controls” could be weak . 

 In our next post in this series: behavioral ethics and the unexpected risk of doing good.

 

 

Conflict of Interest Risk Assessments – Part Three

In the first posting in this series we discussed legal mandates and other reasons to assess COI risks and in the second we explored the uses to which assessment information and ideas can be put.  We now begin to examine risk assessment methodology.

One framework for assessing COI-related risks is to identify and analyze the “reasons” and “capacities” for conflicts on the part of all relevant individuals and entities – employees, various third parties and the organization itself.  This posting will address the reasons dimenson of risk assessment, which generally include “motivations” and “misunderstandings.”

Motivations are reasons to engage in wrongdoing purposefully, and an employee’s having a personal economic interest – e.g., ownership of or other revenue participation in an entity that does business with your organization – is the most obvious form of COI motivation.  But, less tangible personal interests can create motivations, too – such as, in some cases, reputation enhancement, political affiliations or professional development (all of which can lead to COI-related involvement with suppliers and other third parties), and one should consider what the relevant risks are in those respects.

Additionally, in some settings, a motivation can involve tending to others’ interests (although there is usually a self interest in doing so).  In a professional or financial services setting, a motivation for COI-based behavior can consist of reasons to place the interests of one client over that of another.  (E.g., Company A, which provides outsourcing purchasing functions to Companies B and C, could have a conflict if it buys for their accounts from Company D in the hope of getting more work from Company D.)   Another example of this type of conflict is serving on an outside board; for some kinds of organizations (e.g., those in highly entrepreneurial sectors of the economy) this is more likely to give rise to a COI than others, at least as a general matter.  So, a risk assessment for companies of this kind should identify foreseeable situations of this sort.

The other broad category of reason – “misunderstandings” – refers first to COI-related expectations that may truly not be understood, e.g., third-party standards.  But, this factor also encompasses standards that are known but under-appreciated, as COI rules might be in certain cultures or industries.   Note that risks of this sort tend to increase when business practices lag behind changes in enforcement strategies or expectations of other key third parties, such as customers.

Finally, while not fitting neatly into either the motivation or misunderstanding category, a reason for a COI can also be structural. An example is a small outpost of a big organization in a location where the organization’s key employees have close (family or friendship) relationships with the area’s principal local suppliers of key goods or services.

In the next post in this series we’ll continue the discussion of a COI risk assessment framework by looking at COI “capacities.”  But, before then we’ll continue our other ongoing series – on “moral hazard,” and also launch a new series – on “behavioral ethics and compliance.”

 

 

Conflict of Interest Risk Assessments: Part Two

Louis Sullivan famously said that form follows function, and the same principle applies to risk assessment as well as architecture. The first post in this series examined legal mandates and other reasons to conduct COI risk assessments.  In this post we will explore the uses to which the information and ideas developed in these efforts can be put; along with the legal mandates, these help to define the function of risk assessments.  In the posts to follow we will examine the form – or methodology – for  assessing COI risks.

Any COI risk analysis should not only serve to identify COI risks that need to be addressed but also to determine how best to use C&E  program resources for mitigating these risks  This may sound obvious but experience suggests that it is important to stress, as many companies don’t do nearly as much as they should in this respect – i.e., their risk assessments (COI or otherwise) don’t live up to their full potential in terms of making their C&E programs as effective as reasonably possible.

What is that potential? Among the possibilities here are using the information to:

– Revise the COI portion of the code of conduct and/or draft or revise a stand-alone COI policy document or other related written materials (e.g., FAQs on the organization’s intranet).

– Decide whether to deploy COI certifications and, if so, who should receive them and what their content should be.

– Create/revise COI provisions of supplier codes and other third-party-related measures (e.g., compliance certificates by agents and distributors, terms and conditions in purchase orders).

– Develop a plan and content for COI training and other communications for employees, directors and (as appropriate) third parties.

– Determine the best ways to audit for COIs and develop/revise plans and protocols for such audits.

– Decide whether COI monitoring is warranted and, if so, when and what form it should take.

– Structure/improve the COI disclosure approach, including policies and procedures for reviews of disclosed COIs.

– Develop a COI management mechanism for situations where COIs are permitted under specified terms and conditions.

– Determine whether technology should be deployed for COI disclosures, reviews and management.  If technology is not used, one should utilize the risk assessment to determine/review record keeping needs.

– Help the board of directors and senior executives meet their respective governance and management responsibilities regarding COIs.

– Determine whether/how to embrace customer and other third-party C&E standards, to avoid causing COIs in other.

– Lay the groundwork for targeted (i.e., efficient) follow-on COI risk assessments.

So, there’s a lot of uses to which COI risk assessment information can be put.  And, in the posts to come in this series we’ll explore how to gather and analyze that information.

 

 

Conflict of Interest Risk Assessments – Part One

Risk assessments are increasingly seen as essential to effective C&E  programs. This is true for programs generally, of course, under the 2004 amendments to the Federal Sentencing Guidelines for Organizations.  Risk assessments are also contemplated  for anti-corruption compliance  under the Good Practices Guidance of the OECD Anti-Bribery Working Group, the UK Bribery Act compliance guidance issued by the Ministry of Justice and settlements of various FCPA cases involving both compliance failures and model compliance programs.

With respect to COIs, at least for some industries, enforcement bodies have been very explicit about the need for risk assessments.  For instance, several years ago the Chief of Enforcement of the Securities and Exchange Commission issued a challenge to representatives of the financial services industry “to undertake a top-to-bottom review of [their]  business operations with the goal of addressing conflicts of interest of every kind. No one is in a better position than you to identify the conflicts that arise from a financial services firm’s efforts to pursue business profitability. I encourage you to approach the task systematically.”   Similarly, a regulation concerning C&E programs for pharmaceutical manufacturers indicates the need for COI risk assessments in that industry.

But even absent industry-specific guidance of this sort, the general expectation of the Sentencing Guidelines – as well as the pervasiveness  and potential impact of COIs throughout the business world – provides reason  enough for organizations of all kinds to conduct focused assessments  of COIs risks.

Additionally, the very nature of certain sorts of COIs – in particular, those involving personal interests of powerful individuals within an organization or long standing industry practices – suggests that absent a well-defined risk assessment process, some conflicts risks might go unaddressed.  Put otherwise, compared to many other areas of C&E risk, the identification and mitigation of COI risks is not “a machine that runs of itself.”

In this series of (approximately one a week, for the next month) posts we will examine ways to assess COI risks (typically as part of a larger risk assessment).   Among other things, we will a) suggest an analytic framework for such risk assessments, b) address specific issues/challenges in conducting COI risks assessments, and c) discuss how to use the information obtained by the assessment to mitigate COI-related risks.