Risk Assessment

This section will examine ways to conduct COI-related risk assessments – both foundational assessments and ongoing ones.

Risk assessment: law, economics, morality science…and liquor

Many years ago a client who was in the compliance department of a pharma company told me his strategy for conducting risk assessments.  He would schedule the interviews of sales people – a key, but typically difficult, constituency for nearly any risk assessment – to begin late in the work day, and after a while suggest that the discussion continue in a nearby bar.  As the drinks began to flow, so apparently did the information about risks.

Risk assessment is the foundation of an effective C&E program – certainly as a matter of common managerial sense, and increasingly as a matter of law.  In connection with the latter, we recently passed the ten-year anniversary of the revised Sentencing Guidelines, which established risk assessment as an official C&E program expectation of the U.S. government; and on virtually the same day, the Italian government published important new competition law compliance guidelines, discussed in this publication from the Baker & McKenzie law firm, which include a risk assessment component.

Still, meeting such expectations – by getting business people to talk openly about the uncomfortable topic of risk – is as challenging as anything in the C&E field.  So, what can you use to make these conversations succeed if, like most C&E professionals, your toolkit doesn’t include a liquor cabinet?

Part of the way to deal with this challenge is to conduct the assessment under the company’s attorney-client privilege and, beyond this, to ensure that no attribution to the sources of information will be included in the assessment report.  These are the tools of law, and deploying them can be essential to success in a risk assessment.

But offering confidentiality alone may not be enough because while it is typically in the clear interest of a company to have a thorough risk assessment, individuals’ interests often seem (and sometimes are) out of alignment with those of the organization. This is the realm of the economics-based concept of moral hazard, discussed in various prior posts of this blog that are collected here.

There is no panacea for dealing with this impediment – but hopefully one can make a persuasive appeal to an interviewee’s being a “C&E leader,” a formulation which seeks to blend considerations of personal and organizational benefit, to get the interviewee to be truly helpful for the risk assessment. Of course, for an approach such as this to work, it cannot be limited to the risk assessment process. Senior executives, and even the board of directors, need to make clear through various intangible and occasionally tangible ways that such leadership is duly appreciated.

Finally, there is also a psychological dimension to the challenge of risk assessment.  As discussed in this recent article in Science – “Morality beyond the lab” by Jesse Graham (which I learned of from the Ethics Unwrapped web site) – various “laboratory studies have shown a ‘holier-than-thou’ effect, in which people over-optimistically predict their own future moral behavior but accurately predict the not-so-moral future behavior of others” – a view which has now been supported by the results of an important recent field study (by W. Hofmann, D. C. Wisneski, M. J. Brandt, L. J. Skitka, which is published in the same issue of Science). As summarized by Graham: “[T]he study suggests that moral life can largely be characterized by two kinds of events: noting one’s own good deeds and gossiping about the bad deeds of others.”

For those conducting risk assessments, the path suggested by this research is clear:  to the maximum degree possible, one should structure the inquiry so that it is not seen as asking about the interviewee’s own risks but those of others.  And, in providing information about others, at least in the aggregate, employees of an organization will likely be helping you analyze risks that in fact involve themselves.

One other point about the above-discussed research: while I have highlighted its use for risk assessment, there are other ways in which this aspect of what Graham calls “morality science” can enhance the efficacy of a C&E program.  Most notably, it can be used in training and other communications to underscore the overarching behavioral ethics notion that “we are not as ethical as we think,” which should help reinforce an appreciation for the help that C&E staff and other resources can provide to employees when confronted with legal risks or ethical dilemmas.

For further reading on risk assessment, here’s a link to a complimentary e-book comprised mostly of my risk assessment columns in Corporate Compliance Insights.

For an index of posts on “behavioral ethics and compliance” please click here. 

The Caterpillar criminal investigation: culture, risk and “informal” duties of trust

As described in an article in today’s Wall Street Journal  (which may require a subscription for access): “Ten thousand railcars a month roll into [the] sprawling [Terminal Island] port complex in Los Angeles County. While here, most are inspected by a subsidiary of Caterpillar Inc. [Progress Rail Services]. … When problems are found, the company repairs the railcars and charges the owner. Inspection workers, to hear some tell it, face pressure to produce billable repair work. Some workers have resorted to smashing brake parts with hammers, gouging wheels with chisels or using chains to yank handles loose, according to current and former employees. In a practice called ‘green repairs,’ they added, workers at times have replaced parts that weren’t broken and hid the old parts in their cars out of sight of auditors. One employee said he and others sometimes threw parts into the ocean.”

Caterpillar is being investigated by the US Attorney’s office in Los Angeles, and it should be emphasized that no charges have yet been brought.  Still, the article provides some nourishing food for thought about two key topics in the C&E field, as well as one narrower but, likely for some companies, dangerously under-appreciated risk.

First, there is the issue of culture.  As noted in the article, current and/or former employees told the Journal that while “[t]hey weren’t instructed to do [these things], …some managers made clear the workers would be replaced if they didn’t produce enough repair revenue…Current and former employees interviewed said those who found large numbers of parts to replace didn’t receive extra pay, but they tended to be favored by the supervisors and sometimes honored with employee-of-the-month recognition. Employees said newer workers sometimes learned bad habits from veterans. ‘I was trained to do everything the wrong way,’ one current worker said. ‘I basically fell into a bandit’s nest.’”

And then there’s this piece of information: “Three years ago, two workers who were fired from a Progress Rail repair shop in Florida filed lawsuits making allegations similar to what the U.S. attorney is looking into at Terminal Island…. A lawyer who represented the two said the suits were settled on terms that barred them from discussing the case.”

Again it should be emphasized that this is only an article – no charges have yet been brought.  But, if these allegations turn out to be founded, then clearly the culture in Caterpillar’s Progress Rail business will – under current enforcement policy – weigh in favor of bringing criminal charges against the company, meaning, in the first instance, the Progress Rail subsidiary.

But what about Caterpillar itself?  Here, the key issue may turn on whether Caterpillar conducted a meaningful risk assessment after it bought Progress Rail in 2006. I recall, from various conferences at that time, that Caterpillar had a C&E officer and program  – and so if it did not look closely at Progress’s risks (then or since) a prosecutor might well wonder why.

Finally, besides broad lessons about culture and risk assessment, the Caterpillar matter – depending, of course, on how it turns out – may reinforce a narrow but important learning about risk for some companies.  That is, when a company expands its business from just manufacturing goods to providing services it often enters a new realm of risk – because its employees are effectively in a relationship of trust with customers that involves opportunities and motives to cheat beyond those in the context in which it is used to operating.  As described in an earlier post in Corporate Compliance Insights, risk assessments typically should include “[e]xamining whether a company has any relationships (with customers or others) where the need for good faith and candor might not be sufficiently understood by employees or third parties acting on its behalf. Relationships such as these – which tend to involve a high degree of trust but not necessarily a formal fiduciary duty – may be rife with ethics risk potential.”

Businesses facing this risk typically should consider enhanced C&E mitigation measures, and as the Caterpillar matter progresses (pun not intended) it will be interesting to see what – if anything – the company did on this front. (For further reading on informal fiduciary duties see this post.)

CEOs’ ethical standards and the limits of compliance

I’m not one who sees ethics and compliance as operating in wholly distinct spheres, and have long felt that they closely complement each other.  (For more on the general relationship between the two see this piece from the SCCE’s C&E journal.)  But, of course, they are not the same thing, and to some extent each has reach that the other doesn’t.

More specifically, for any given organization, the boundaries of compliance are – to a significant extent – defined by risk assessment.  Compliance-related risk assessment can and should be done in an expansive and innovative manner (as discussed in this complimentary e-book) but it is ultimately finite in ways that are less applicable to true ethical standards.  And when it comes to CEOs – who have near infinite capacity for engaging in mischief in their companies – the latter form of protection can be particularly important.

To take the example of conflicts of interest, a prior post described how CEO COIs can be different from those faced by the rest of us, and a NY Times story last week seems to illustrate that point.  It concerns a company (Questcor Pharmaceuticals) which appears to have timed various corporate announcements with an eye toward boosting its stock price in advance of sales by the CEO pursuant to a “10b5-1” plan (which is an automated procedure to sell stock at specified future dates based on prior instructions).  I should stress that the case for the CEO’s stock sales being the motivation for the scheduling of the announcements in question is wholly circumstantial.  Still, a commentator from Bloomberg who set out to debunk the case ran the numbers and ended up essentially “rebunking” it – i.e., supporting by statistical analysis, at least to some degree, what the Times suspects.

Not being statistically adept, I have nothing to add about the specifics of this case (other than to say I hope the company’s board conducts an independent inquiry of the matter).  Rather, I mention the story because I have to believe that this sort of conflict of interest – assuming, for the purposes of discussion here, that the theory of wrongdoing is well founded – is unlikely to show up in most risk assessments, and thus this illustrates the earlier point about the limits of compliance.  But from an ethics perspective, no CEO (or board member or “gatekeeper”) could reasonably believe that gaming a 10b5-1 plan in this way was okay, as it would involve using the company’s resources for purely private purposes (clearly an ethical breach – but perhaps less easily shown to be a legal one).

Indeed, it is precisely because a COI like this is so unpredictable – the Times story seemed to suggest that it was indeed something new under the sun – that it is potentially harmful. That is, when an unforeseeable COI emerges it raises the question: If the CEO is capable of doing this, what other mischief is he or she up to?

What this means is that the primary damage to the shareholders is not whatever costs can be directly traced back to timing corporate announcements for the personal benefit of an executive – an exercise that would likely be too speculative to be meaningful; and, even if the costs were measurable, they would likely end up being a small amount.  Rather, the harm flows from a general loss of trust by shareholders from learning that a CEO puts their interests second and – because a CEO can influence her company in so many ways – not being able to monitor all the avenues of possible betrayal that might exist.

Understanding that sort of more general harm is one of the important ways an ethical perspective can supplement a more narrow compliance-based one. And it is part of the reason that boards and senior executives need to understand the importance of truly operating in accordance with high ethical – as well as compliance-related – standards.

Finally, for those who’d like to read more related to this topic, please see Scott Killingsworth’s excellent paper on C-Suite behavior, discussed and linked to in this earlier post.

A complimentary e-Book on compliance & ethics risk assessment

Corporate Compliance Insights has just published a complimentary e-Book – Compliance & Ethics Risk Assessment: Concepts, Methods and New Directions – based mostly on my CCI risk assessment columns over the past few years, but also including other materials.  The book covers a wide array of risk assessment ideas, methods, practices, tools and other noteworthy items concerning risk assessment scope and methodology; approaches to different risk areas (e.g., competition law and corruption); mitigation measures; the interplay of risk assessment and program assessment; and the ethics and social science dimensions of risk assessment.

The book can be downloaded here.

I hope you find it useful.

C&E risk action plans for mitigating COIs

Risk assessment is, of course, the foundation for effective compliance measures generally – and various prior posts describe what should be included in conflict of interest risk assessment.  One of the keys to mitigating identified conflicts risks is through the appointment of a subject matter expert, as discussed here.

A risk action plan is a tool for having SMEs identify and help to address C&E risks. In a post earlier this week on the Corporate Compliance Insights web site, I discuss four practice pointers for success in designing and implementing such plans. While not focused on any one type of risk, I think the approach in the CCI piece could be particularly useful to mitigating COI (as well as other) risks in some organizations, given how diffuse COI risks often are in businesses.

Ethics and compliance should be friends – part one of an interview with Steve Priest

Steve Priest has had a storied career in the field of ethics & compliance.  Over the past two decades he has, among other things, consulted “on the ground” in 48 countries on every continent with over 25% of the Fortune 200, trained more than forty Boards of Directors and senior leadership teams and written numerous codes of conduct.  He has also conducted many E&C program assessments (and it has been my great pleasure to partner with him on a good number of these engagements).  And so, I was delighted that Steve agreed to be interviewed by the COI Blog.

In your twenty years in the field, has there always been a tension between law and ethics and, if so, how has it changed?

Jeff, I am not surprised that you ask the hardest question first. In most companies, most of the time, there is little tension. But in some situations fine attorneys trained in zealous advocacy may overweight an effective short term defense strategy and undervalue long term ethics and reputational considerations. Perversely, the high stakes now visible in many compliance areas have heightened this tension.

Is this tension positive, negative or a bit of both?

Most of the time the legal thing and the ethical/right thing are the same, so there’s little or no tension. Now the rest of this will betray my ethics bias, but from my perspective when there is a tension it is NOT a good thing, because the short term legal emphasis often prevails over the longer term ethical perspective. Choosing the ostrich approach versus a “look and learn” model has prevented companies from conducting assessments or root cause analyses that could dramatically improve their operations. Defining a disclosure of an event of wrongdoing as “in a gray area” rather than as the legal and right thing to do may provide a short term benefit, at the high risk of breaching trust with regulators.

What are some measures for companies to use each (ethics, compliance) to fortify the other?

The primary measure is this: messaging to employees must consistently integrate ethics and compliance. Many employees have a knee-jerk negative response to the word compliance. Just look up the definition in the dictionary to understand why. And, especially in highly regulated companies it has become segregated. Ethics, on the other hand, runs the risk of being marginalized as something merely nice to do. Put them both together in all messaging and you can tap into the strong preference employees have for doing the right thing and working for a company that does the right thing.

Do companies do enough to assess ethics – as opposed to traditional compliance – risks?

No. Partly because it is squishier. Corruption risk assessment is easy—look at prosecutions, legal developments, Transparency International rankings, industry developments, reliance on third parties, etc. But assessing whether employees believe they can raise difficult issues, or that people are held accountable if they do the wrong thing—these questions can rarely be answered in a meeting room by a few people. And yet these attributes are probably more important in understanding compliance risk than the corruption probability in China. A company culture where employees believe they can raise difficult issues has lower risk of major problems in corruption, competition, money laundering, etc. because employees will raise concerns early and often. Conversely, if employees believe that the way to get ahead is to make your numbers and that living up to the Code is not so important, then risks of corruption are substantially higher. Additionally, employee perceptions of the ethics of business practices can also serve as a canary in a coal mine for future compliance risks. Often employees have a sense that a practice “doesn’t feel right” or “isn’t fair for a customer” well before these practices gain the attention of the media, plaintiffs’ attorneys or prosecutors. So a good risk assessment has to understand cultural attributes, including the ethical dimension.

Steve can be reached at ethical@aol.com.

Part two of the interview will cover various challenges in providing effective ethics training.

Assessing private sector bribery risks

The near universality of bribery is captured in many stories, but my favorite is the joke made by former NY governor Al Smith, who, upon seeing a student reading a book in a law library, supposedly said, “There is a young man studying how to take a bribe and call it a fee.”  The appeal of this story for me is based largely upon my being a lawyer, but I imagine every business and profession has its own timeless tales about this ancient form of evil. However, what is relatively new under the sun is the expectation that business organizations no longer treat bribery as an inescapable facet of human nature (let alone a joke) but, rather, attempt to mitigate bribery risks using the same management skills and sense of resolve that they would bring to other business challenges.

With respect to public-sector corruption, this has become reasonably well understood in recent years based on the strict enforcement of the Foreign Corrupt Practices Act.  The UK Anti-Bribery Act has had a somewhat similar effect for private sector bribery.  But, in allocating C&E resources to mitigating corruption risks, it is important to recognize certain general distinctions between the two.

First, the economic impact of public sector corruption is likely to be passed on to the public itself, not borne by the victim organization in the transaction.  In other words, more than private sector corruption, the public sector species involves negative externalities, which suggests that economic incentives are less likely to lead public sector organizations to undertake strong anti-corruption self-protection measures than is true for private sector ones.  And that relative degree of defenselessness, in turn, presumably translates into a higher likelihood of corruption (at least with respect to large-scale corrupt acts – the realm of gray-area gifts/entertainment and other “soft” conflicts of interest is another matter).

Second, and again speaking as a very general matter, public sector corruption is likely to be more impactful than the  private sector kind because it frequently threatens efforts that are necessary for the well-being of society as a whole (e.g., the administration of justice, tax collection, environmental protection, product safety).  Indeed, public sector corruption can help delegitimize the very idea of governmental action, which can have harmful consequences of various kinds. Perhaps in recognition of these relatively unique harms public sector corruption seems to be treated more harshly than is the private sector variety.

On the other hand, the very fact that corruption seems to be more likely and impactful in the public sphere can be lulling with respect to private sector corruption, and mislead companies into concluding that they need to do virtually nothing in regard to the latter.  Therefore, it is important to include private sector corruption in C&E risk assessments, taking into account, among other things, the C&E standards of customers and other private sector organizations with which your company deals, relevant geographic culture, the organizational culture of the parties in question, the controls of such organizations and pertinent industry culture.

Note that these sorts of risk assessments can be challenging because the sources of private sector corruption risk are less well articulated in governmental compliance standards than is true with public sector risks.  Indeed, compared to often surprisingly “well-lit” public sector corruption risks, private sector ones tend to hide in dark corners.  But that makes a strategic approach to risk assessment all the more important. In other words, while for many companies devoting the bulk of one’s anti-corruption efforts to public sector risks makes sense, it also creates an enhanced obligation of using private sector anti-corruption resources in a thoughtfully targeted way.

Piling on: where antitrust and conflicts of interest meet

The recent imposition of a record-tying $500 million criminal fine in an antitrust case is an important reminder to C&E professionals about the need for strong measures in this risk area.  But while there’s a lot that can be said about antitrust/competition law generally, rarely is mention made of a possible connection between that area of risk and the subject of this blog, COIs.  Yet, historically there have been cases where the two meet, and understanding their points of intersection can in fact be useful for certain aspects of C&E program management.

One well-known – if not necessarily typical – example was in a case that was decided by the Supreme Court thirty years ago (American Society of Mechanical Engineers v. Hydrolevel) in which a nonprofit membership association that issued codes for various areas of engineering was sued by a company that sold safety devices for use in water boilers.  The basis for the suit was that an employee of a competitor of the plaintiff – who was working as a volunteer of the non-profit – caused the non-profit to publish a letter saying that the plaintiff’s device was unsafe.  This conduct – clearly a COI on the part of the association – was held to be an antitrust violation.  Or, another way of looking at it was that the COI was the motivation for the antitrust offense.

More recently (and perhaps more typically in terms of how these two areas can intersect) cases brought against insurance brokers regarding certain un- (or under-) disclosed payments from insurance issuers – a COI – had antitrust elements, too, meaning that the insurers allegedly agreed among themselves to refrain from competing against each other in order to help protect this COI-laden state of affairs.  And in a related vein, in the famous (at the time) specialty steel cost-plus corruption cases competitor suppliers took bidding instructions from a “quarterback” so that a long-standing kickback scheme would not be disrupted.

This sort of connection between antitrust and COIs doesn’t happen frequently.  But it is predictable enough so that C&E professionals should – in connection with risk assessment and investigations – be alert to the possibility of it occurring in or to their respective organizations.

Conflicts of interest and industry culture

In the C&E world, culture most often refers to the culture of an organization.  In this connection, an earlier post discussed how permitting COI violations near the top of an organization can undermine the sense of “organizational justice” among employees generally – and thereby diminish the C&E program as a whole.

C&E-related culture also commonly refers to the culture of a given geography.  For instance, as this prior guest post by Judith Irwin of the Institute of Business Ethics describes, what is considered a COI by Western standards might be seen as an ethical mandate in other places.  (“Take the example of nepotism in Africa. In Africa, where family bonds are highly valued, nepotism is a common practice, and an employee may face ostracism for not hiring a relative for a position at the firm.”)

But there is also a third dimension to the intersection of culture and C&E that is too often overlooked: industry culture.

An example of this unrelated to COIs is that in the chemical industry some years ago there seemed to be a culture that encouraged sharing of information among competitors.  This contributed, predictably, to a high incidence of antitrust violations.

And, industry culture can be relevant to COI risks, too.  For instance, the advertising business (at least in the U.S.) is one in which gift giving/entertaining is pretty prevalent and so even an organization that has strong COI policies may wish to devote extra C&E-related attention to its employees (typically in marketing or procurement) who interact with members of that industry. (The Wal-Mart ad agency case from a few years back – discussed briefly here – offers a pretty good lesson in how important that can be.)

Beyond the COI risks that industry culture can create in a company’s functions (as in the advertising example), industry culture can also create risk vis-a-vis distinct business lines or units within a company, particularly a large decentralized one. So, for example, a large energy company whose principal business is a regulated utility that needs to maintain the trust of key regulators should be mindful of the reputational danger of a casual approach to COIs in its unregulated subsidiaries. (Note that this sort of situation can also involve “moral hazard” – a topic of occasional discussion in this blog.  Specifically, the risks of adversely impacting the interests of the organization as a whole might not be fully felt by the risk-taking unregulated business.)

As a general matter industry culture is not as significant a cause of risk as organizational or geographical culture.  But it can be potent, particularly in industries with a high degree of inter-company mobility, such as financial services.  And, industry culture should be considered in all organizations’ COI risk assessments.

A world of risk

As is true with conflicts of interest, C&E risk assessment is the source of near endless interest to me. (No wonder I don’t get invited to parties!)

The importance of risk assessment is obvious from the many cases where the failures to understand or sufficiently address risk have led to C&E catastrophes. But the benefits of risk assessment are not limited to preventing failures. It can also be a “delivery device” for introducing new ideas and information – such as those found in behavioral ethics – into C&E programs, and thereby help keep such programs vibrant.

My interest in risk assessment goes back a ways. I believe that a book chapter I wrote in 1993 for Compliance Programs and the Corporate Sentencing Guidelines was the first instance in which conducting a stand-alone C&E risk assessment – then called a “liability inventory” – was proposed (although obviously the COSO framework, which had a compliance component, predates that).  And this interest stretches into the future, as I recently authored the risk assessment section for a commemorative guide being published this fall by the Ethics and Compliance Officer Association in connection with that organization’s 20th anniversary. (Hope to see you at the conference!)

For those who share an interest in risk assessment, here’s a link to a page on the Corporate Compliance Insights web site collecting several years’ worth of risk assessment pieces that I have written, with a “greatest hits” post that ran today.