Risk Assessment

This section will examine ways to conduct COI-related risk assessments – both foundational assessments and ongoing ones.

Conflict of Interest Risk Assessments: Part Two

Louis Sullivan famously said that form follows function, and the same principle applies to risk assessment as well as architecture. The first post in this series examined legal mandates and other reasons to conduct COI risk assessments. In this post we will explore the uses to which the information and ideas developed in these efforts can be put; along with the legal mandates, these help to define the function of risk assessments. In the posts to follow we will examine the form – or methodology – for assessing COI risks.

Any COI risk analysis should serve not only to identify COI risks that need to be addressed but also to determine how best to use C&E program resources for mitigating those risks. This may sound obvious, but experience suggests that it is important to stress, as many companies don’t do nearly as much as they should in this respect – i.e., their risk assessments (COI or otherwise) don’t live up to their full potential in terms of making their C&E programs as effective as reasonably possible.

What is that potential? Among the possibilities here are using the information to:

– Revise the COI portion of the code of conduct and/or draft or revise a stand-alone COI policy document or other related written materials (e.g., FAQs on the organization’s intranet).

– Decide whether to deploy COI certifications and, if so, who should receive them and what their content should be.

– Create/revise COI provisions of supplier codes and other third-party-related measures (e.g., compliance certificates by agents and distributors, terms and conditions in purchase orders).

– Develop a plan and content for COI training and other communications for employees, directors and (as appropriate) third parties.

– Determine the best ways to audit for COIs and develop/revise plans and protocols for such audits.

– Decide whether COI monitoring is warranted and, if so, when and what form it should take.

– Structure/improve the COI disclosure approach, including policies and procedures for reviews of disclosed COIs.

– Develop a COI management mechanism for situations where COIs are permitted under specified terms and conditions.

– Determine whether technology should be deployed for COI disclosures, reviews and management. If technology is not used, the risk assessment should still be used to determine or review record-keeping needs.

– Help the board of directors and senior executives meet their respective governance and management responsibilities regarding COIs.

– Determine whether/how to embrace customer and other third-party C&E standards, to avoid causing COIs in others.

– Lay the groundwork for targeted (i.e., efficient) follow-on COI risk assessments.

So, there are many uses to which COI risk assessment information can be put. And, in the posts to come in this series, we’ll explore how to gather and analyze that information.



Conflict of Interest Risk Assessments – Part One

Risk assessments are increasingly seen as essential to effective C&E programs. This is true for programs generally, of course, under the 2004 amendments to the Federal Sentencing Guidelines for Organizations. Risk assessments are also contemplated for anti-corruption compliance under the Good Practices Guidance of the OECD Anti-Bribery Working Group, the UK Bribery Act compliance guidance issued by the Ministry of Justice and settlements of various FCPA cases involving both compliance failures and model compliance programs.

With respect to COIs, at least for some industries, enforcement bodies have been very explicit about the need for risk assessments. For instance, several years ago the Chief of Enforcement of the Securities and Exchange Commission issued a challenge to representatives of the financial services industry “to undertake a top-to-bottom review of [their] business operations with the goal of addressing conflicts of interest of every kind. No one is in a better position than you to identify the conflicts that arise from a financial services firm’s efforts to pursue business profitability. I encourage you to approach the task systematically.” Similarly, a regulation concerning C&E programs for pharmaceutical manufacturers indicates the need for COI risk assessments in that industry.

But even absent industry-specific guidance of this sort, the general expectation of the Sentencing Guidelines – as well as the pervasiveness and potential impact of COIs throughout the business world – provides reason enough for organizations of all kinds to conduct focused assessments of COI risks.

Additionally, the very nature of certain sorts of COIs – in particular, those involving personal interests of powerful individuals within an organization or long-standing industry practices – suggests that absent a well-defined risk assessment process, some conflict risks might go unaddressed. Put otherwise, compared to many other areas of C&E risk, the identification and mitigation of COI risks is not “a machine that runs of itself.”

In this series of posts (approximately one a week, for the next month) we will examine ways to assess COI risks (typically as part of a larger risk assessment). Among other things, we will a) suggest an analytic framework for such risk assessments, b) address specific issues/challenges in conducting COI risk assessments, and c) discuss how to use the information obtained by the assessment to mitigate COI-related risks.

Conflict of Interest Certifications

There’s one way to find out if a man is honest – ask him. If he says, “Yes,” you know he is a crook. – Groucho Marx

There is, of course, something to this bit of Marxist logic. But, on balance, the benefits of “asking” in a C&E program can be considerable, and one asking-based tool that has existed for many years is the certification.

Should an organization require employees to execute on a periodic basis certifications regarding actual or apparent COIs?  If so, what should be the content of the certifications? And should an entire employee population receive them?

We will consider the first and third questions in this post and the other in the next post.

While not advisable for every entity, this type of process can, I believe, be useful for reminding employees (in a way that a terse general code of conduct certification typically does not do) of the organization’s specific COI standards and requirements. Certifications indeed often will surface COIs that have not otherwise arisen through other C&E processes. While they might elicit denials regarding truly illicit behavior (Groucho’s thesis), that is less true of many other, less nefarious sorts of COIs. As one reader of the Blog wrote to us yesterday, “employees are often confused about COIs and don’t think they have one when they do or at least when there is an appearance of a possible conflict. [Certifications] seem to be a good way to help employees focus on specific activities that can present a conflict.”

However, certifications are clearly not for everyone. Whether an organization should undertake this sort of effort – which can require a substantial time commitment – depends on a variety of factors. In effect, this is a form of risk assessment, which should typically include the following considerations:

Likelihood: How likely is the process to uncover an otherwise unidentified COI? And, how likely is a certification to prevent an otherwise undeterred COI?

Impact: How harmful could such a COI be – meaning one that would likely be deterred, or detected and addressed, by the certification process but not by other means?

Other benefits:  Are there other high-risk activities (e.g.,“sensitive payments,” contacts with competitors) that should be added to a COI certification, and, if so, what does a likelihood and impact assessment of those topics add to the analysis?

Capacity: Does your organization have the resources to follow up on all “yes” answers or failures to respond? (This is a deal breaker for many companies.)

Finally, this analysis should not necessarily be performed on an all-or-nothing basis. Even if it does not make sense to require all employees to execute certifications – as, in my experience, is frequently the case – there may still be reason to do so for managers and others in sensitive positions (e.g., procurement; “control” functions – such as law, finance, human resources and audit; and, in some organizations, sales).

To be continued…



Moral Hazard – Part Two: Risk Assessment and Incentives

The immediately preceding post introduced the concept of “moral hazard” to the blog.  In today’s post and others to follow we examine how C&E programs can address moral-hazard C&E-related risks.

The principal way to deal with such risks is, of course, through attention to compensation approaches. There are, in turn, two dimensions to this.

The first is to assess how current (or planned) compensation approaches can create or exacerbate risks. This can be done by building into the risk-assessment process questions addressed to all forms of compensation, meaning not only salary and annual bonuses but also such matters as business unit and project plans. For example, a project plan that creates incentives for finishing the project by a certain time but does not sufficiently discourage unduly risky conduct (which, depending on the project, could involve a wide range of compliance issues) could be seen as creating moral hazard.

The second general approach focuses on the other side of the compensation coin, and specifically, mitigating risks through creating “positive” (from a C&E perspective) compensation approaches. Among the obvious possibilities here are including C&E-related criteria in decisions about promotions, salaries and bonuses, and also having tangible awards for truly exemplary ethical service.

A less obvious measure that can be taken in this regard is to give the chief ethics and compliance officer formal input into promotion and succession planning decisions, at least for senior positions.  Relatively few companies currently do this, but it can be a powerful way to correct for moral hazard and other risks.

Additionally, non-monetary forms of recognition for highly commendable ethical conduct can be helpful.   This can occur either centrally (such as mention in a company newsletter, as appropriate) or on a local basis. To facilitate the latter, companies should consider training managers on means to recognize (meaning here both identify and acknowledge) exemplary ethical conduct.

The third posting in this series will examine non-economic moral hazard issues and also board oversight as a control for moral hazard risks at the senior manager level.



Other People’s Conflicts

Samuel Johnson once famously said of some unfortunate soul, “He is not only dull himself, he is the cause of dullness in others,” and in this posting we’ll examine how companies can avoid the misfortune that sometimes comes from causing conflicts of interests in others.

To start, a brief bit of COI history.

Several years ago an advertising agency lost a highly lucrative account with Wal-Mart and – according to some press accounts at the time – part of the reason for the loss was the agency’s entertaining of a Wal-Mart executive in ways that allegedly caused her to violate that company’s code of conduct. Although the agency presumably violated no law, its loss of future revenue could be seen as being as costly as some of the largest criminal fines in history.

The case led many companies to add to their codes of conduct a requirement that in providing gifts, entertainment or travel to employees of third parties one must not cause those employees to violate their respective employers’ codes. But is such a provision by itself enough to mitigate risks of this kind?

For any given business organization, addressing this issue should, of course, be driven by an assessment of relevant risk. However, for all organizations it may be useful to consider the range of available C&E measures that can be taken here, and “work backwards” to determine if their respective risks warrant implementing the measure in question.

First, there is the language of the code itself. While at first blush a mandate that employees must not cause a violation seems strong, a preferable approach may be to specify that employees must ensure that they do not cause a violation. The latter sort of requirement (particularly if reinforced the right ways) suggests a higher and more meaningful burden on the employees who deal with third parties.

Second, companies can establish a practice of periodically collecting customers’ and other relevant third parties’ codes and disseminating gifts and entertainment language to at-risk employees and their respective managers. Even if it is not possible to do this for all third parties, the effort can be useful if codes for major customers are obtained.

Third, COI training can emphasize the importance of identifying and following relevant third-party standards. Fourth, companies can deploy “just-in-time” communications to at-risk employees around these issues.

Fifth, for organizations with relatively high risks in this area, managers can be required to monitor for compliance with third-party codes. Sixth, auditors might be tasked with including third-party standards in their audits.

Finally, note that this post deals with the topic of other people’s conflicts only at a very high level. There are many other aspects to this area. Indeed, the whole field of corruption by definition involves “causing conflicts in others,” and many of the largest criminal fines in history (specifically in the FCPA and health care fraud-and-abuse areas) have been precisely about that. The point of this post is to suggest that even without significant corruption risks, all organizations should consider whether they do enough to avoid creating third-party COIs.