Edited by Jeff Kaplan
|
Policies and Procedures
In addition to code provisions, some companies have stand-alone COI policy documents, with more detailed standards and procedures. When does it make sense for a business organization to have such a policy, and what standards and procedures should be in a document of this kind?
|
A recent letter to the editor of Nature argues:
Transparency about competing interests is essential when reporting scientific data. However, use of the term ‘conflict of interests’ for such declarations can be misleading in some biomedical papers. A genuine example of a conflict of interest is when academic researchers are financially rewarded for their work by commercial partners. The situation can be more nuanced for reports of biomedical discoveries that could be applied in clinical situations. After all, developing such treatments for patients is a moral obligation for academic researchers, both to their funders and to society — even though it can mean working with biotechnology or pharmaceutical companies. Disclosing a financial arrangement as a ‘conflict of interest’ under such circumstances implies that engagement with for-profit companies is a nefarious activity, potentially at odds with what society expects from biomedical scientists. In that context, a ‘declaration of interest’ would be a more accurate term for a mandatory and transparent disclosure of financial relationships. A ‘conflict of interest’ should instead be reserved for authors who cannot document efforts to translate their discoveries to the clinic. (The author of the letter is René Bernards of the Netherlands Cancer Institute.)
I do not know enough about biomedical research conflicts of interest to gauge the merits of this suggestion, but I would be surprised if some scientists couldn’t still have a conflict of interest even if they translated their discoveries to the clinic. However, the larger point about a COI disclosure seeming to unfairly suggest nefarious conduct basically seems sound.
More generally, I believe that in organizations of all kind, policies, training and disclosure documents should communicate that not all ostensibly conflicting interests are wrongful. (This point is sometimes made, but in my view not often enough.) The alternative may be to discourage desirable conduct and to drive other conduct underground.
|
|
|
The International Chamber of Commerce – apparently the world’s largest business organization – recently published Guidelines on Conflicts of Interest in Enterprises. It is available for free download here.
Among other things, the Guidelines provide a useful summary of what should generally be included in a COI compliance policy:
Objective: first, the prevention of Conflicts of Interest, and if nevertheless they do arise, dealing with them, disclosing them and finally mitigating the risks of them arising;
Scope: applicable and binding for all directors, officers, managers, employees, agents and representatives (Associates) of the Enterprise;
Definitions: include clear definitions;
Provisions:
– comply with all applicable laws and regulations in addition to internal regulations of the Enterprise, including privacy laws and policies;
– all decisions and actions by all Associates shall be taken in the best interest of the Enterprise;
– Associates shall not take business opportunities that belong to the Enterprise for themselves;
– Associates shall immediately disclose any Conflicts of Interest;
– Associates shall abstain or withdraw from debating, voting, or other decision-making processes or activities when a Conflict of Interest exists or might arise;
– Senior Management shall lead by example and give guidance on Conflicts of Interest;
– job applicants and newly hired or appointed Associates shall disclose any Conflicts of Interest immediately during the hiring or appointment process;
– every member of Senior Management shall update his/her disclosure on Conflicts of Interest at least annually to the Compliance Officer, or any other person in charge of the Conflict of Interest Policy;
– provision on communication and training on Conflicts of Interest;
– provision explaining where guidance may be obtained in case of questions or concerns; and
– provision on regular reporting of Conflicts of Interest and evaluation of the Policy.
Overall, I agree with these recommendations, but to me the principal value of the Guidelines lies more in the very fact that it exists than the particulars of its various provisions.
That is, perhaps because COIs are so widespread and diffuse (meaning not the subject of a unified legal regime), they often seem to discourage meaningful efforts to mitigate them in the type of programmatic way that one typically sees with anti-bribery and competition law. The Guidelines – issued by an organization with six million members – is an important step in the direction of making such approach a mainstream expectation.
(For more information on the components of a COI compliance program see the various entries and subentries under “Compliance” on the index on the left hand part of this blog – also available here.)
|
|
|
Many companies have, of course, escalation provisions for responding to allegations of wrongdoing. But do they need such provisions with respect to routine self disclosures of conflicts of interest?
At least for some companies that allow line managers to approve disclosed conflicts the answer is, in my view, Yes. That is in part because managers may – thanks to the behavioral ethics phenomenon of “motivated blindness” – be inclined to “go easy” on a particularly valued employee who has disclosed a COI. Line managers may also fail to appreciate in such situations the danger to the compliance program generally of an overly liberal approach to COIs – particularly to the sense of “organizational justice” at the company.
But what should an escalation provision entail? Here are some possibilities, meaning circumstances where the line manager should be required to enlist the help of HR, Compliance or Legal in addressing a disclosed COI:
– Disclosure is by a relatively high-level person.
– Disclosure is by a person in a controls function.
– Conduct would tend to diminish trust of key stakeholders in the company. (Most important of all the criteria – but also hardest to apply.)
– Conduct involves a relatively high degree of money or other tangible or intangible interests.
– Resolving disclosed conflict would entail complicated fact finding.
– Resolving conflict would entail interpretation of legal or regulatory mandates.
Finally, and perhaps less obvious than the others, going forward, would the manager be sufficiently aware of the relevant actions of the disclosing employee to help ensure adherence to Company COI standards? In other words, can the manager act like a de facto COI monitor?
|
|
|
An early post on this blog noted that among the more interesting phenomena of behavioral ethics was the impact that knowing or not knowing a party could have on how one treated that party.
A set of circumstances that is relatively likely to lead to an ethical shortfall is where we do not know who will be impacted by a contemplated act. As described in this paper by Deborah A. Small and George Loewenstein, in one study “subjects were more willing to compensate others who lost money when the losers had already been determined than when they were about to be” and in another “people contributed more to a charity when their contributions would benefit a family that had already been selected from a list than when told that the family would be selected from the same list.” Beyond their direct application to the area of charitable giving, these findings may be relevant to a broader range of ethics issues, and, for instance, could help explain the relative ease with which so many individuals engage in offenses where the victims are not identifiable.
One example of this is insider trading – a crime which, although widely known to be wrong, seems utterly pervasive (based, among other things, on the extent of trading in securities right before public disclosure of market moving events). A behavioral ethics perspective suggests that (at least part of) the reason for this “inner controls” failure is that the victims of insider trading are essentially anonymous market participants.
Another offense of this sort is government contracting fraud (where the victims tend to be everyone), and indeed Ben Franklin famously described the risks of an ethics shortfall here as well as anyone could: “There is no kind of dishonesty into which otherwise good people more easily and more frequently fall than that of defrauding the government.” Understanding why “otherwise good people” do bad things is much of what behavioral ethics is about.
But what about COIs? The picture there is mixed, as some COIs do involve identifiable victims – such as the job applicant who does not get hired because the position was filled by the boss’s son. Similarly, an organization might suffer identifiable harm when its procurement process is corrupted by a COI – e.g., paying too much or getting too little.
However, with other sorts of COIs the harm is less apparent. It is the damage to trust in key relationships.
For this reason, organizations might consider including the following question in their COI resolution protocols: “How likely would it be at that the COI would diminish the trust that stakeholders (shareholders, employees, customers, business partners, suppliers or regulators) would have in the Company or otherwise adversely impact the Company’s reputation?”
Of course, this thought experiment works only if you truly try to put yourself in the shoes of one of these parties. Or, to use the memorable words (albeit from another setting) of philosopher Martin Buber: “Imagine the real.”
|
|
|
An earlier post explored the various contexts – such as board meetings, hiring interviews, employee engagement surveys, training, compliance audits and exit interviews – where asking the right question can help promote C&E at a business organization. To this list should be added frequently added questions documents (“FAQs”).
FAQs are used with some frequency to supplement codes of conduct and policy statements. They can provide a greater level of information than is feasible in a traditional policy statement – because they are generally easier to read than the latter.
FAQs can be particularly useful in promoting COI-related compliance measures. That is because the issues raised in the COI realm tend to be more personal than are other types of C&E issues and so employees might welcome a chance to have their questions answered in this way rather than through actual contact with someone in their organization – at least as an initial matter.
Those seeking a model for drafting a COI FAQ, should take a look at what Walmart has done in this area – which can be found here. It is a very comprehensive document, covering in some detail what are presumably all the major COI risk areas for the company (financial interests, gifts and entertainment, outside employment, personal relationships with other associates, personal relationships with suppliers, protecting personal and business information and information sharing). For each, the document recites the relevant company policy and follows that with one or more questions and answers. (E.g., the Outside Employment section asks and answers questions about working for a competitor, operating a side business and working for a supplier.)
The Walmart FAQ document also does a good job in explaining the reasons for the company’s position on the issues raised in the questions. For instance: I supervise an associate who does odd jobs on the side. I would like to hire the associate to do some work at my home. Is this okay? As a manager with direct reports, it’s important to remain objective regarding your associate’s work. This situation requires a manager to think through all of the potential issues and use good judgment. This particular situation could potentially create a real or perceived conflict of interest since the work done for you at home may appear to influence how you view your direct report at work. If you hire someone you supervise to do work on your home, the boundaries between work and personal life may become blurry and difficult to manage. For instance, if you are not pleased with the outcome of the work, it could impact your perception of the associate. It may also appear to others that you are more lenient on that associate’s performance at work since the associate is doing work for you at your home. Finally, the associate may not want to do personal work for their manager for these same reasons, but may feel obligated to do so.
Of course, not every C&E program needs an FAQ – for COIs or any other risk areas. Those that do tend to be large and have relatively complex compliance profiles. And in considering whether to go this route companies should consider the total mix of relevant information about the risk area in question (i.e., not just what is in the code and policy document, but also the treatment of the risk area in training and other communications). As with any part of a C&E program, one has to be mindful of the dangers here of doing too much as too little.
|
|
|
“Follow the money” is as good a rule as any for an assessment of compliance risk, and this is surely true for conflicts of interest. In many companies that trail leads to procurement – and often to the understanding that those involved in buying goods and services for a company on a day-to-day basis must be above any suspicion.
Increasingly (at least from what I can see) procurement activity is being centralized in enterprise-wide procurement functions. Much of the impetus for this has nothing to do with conflicts of interest – but, rather, arises from a need to bring more professionalism to procurement and to get the benefit of buying in large quantities, among other things. However, centralization is also a plus from a COI prevention perspective, as it is easier to monitor and otherwise mitigate COI risks in a small group than in the much larger general employee population.
Such C&E measures sometimes include having a specific (and typically very short) code of conduct for the procurement department (in addition to the general code). Among the types of COI issues that could be covered are those relating to gifts, entertainment, travel and donations – meaning these codes can have more restrictive rules about such activities for procurement staff than for the rest of the employee population. Other types of COIs are typically addressed in these codes as well (e.g., having an ownership interest in or receiving other income from a supplier).
Of course, procurement codes should cover issues beyond those in the COI area. Confidential information (meaning that of suppliers) is one such topic. Another is antitrust, with a focus on the oft-neglected buy side.
Reviewing such a code should be part of the on-boarding process for new procurement employees. As well, periodic training on its key provisions should be provided. And, one should consider certifications by procurement employees too.
I should emphasize that not every company needs a code like this. However, in my view there are many companies that don’t but should consider developing one.
Finally, there is more to a “Caesar’s wife” approach to compliance for procurement than a code, training and certification. Companies should also be alert to “point-of-risk” compliance opportunities (a concept explored in a recent post). For instance, when a procurement department member leaves a company to go work for a supplier and has knowledge of pricing and other sensitive information of other suppliers (meaning her new employer’s competitors) the exiting process should include a reminder of the continuing obligation to keep information of this sort confidential. And, somewhat more drastically, for higher risk business lines or geographies, rotating procurement assignments may be what it takes to be truly above suspicion.
|
|
|
In recent years, an unfortunate – in my view – line of decisions and reports has been issued by the U.S. National Labor Relations Board (“the NLRB”) holding that various aspects of company policies violate the National Labor Relations Act (“the Act”). For those looking to learn more about this area generally, a good place to start is with this article by Joe Murphy in a recent issue of Compliance & Ethics Professional. Of particular concern to readers of the COI Blog might be a decision handed down by the NLRB in June – in Remington Lodging & Hospitality, LLC d/b/a The Sheraton Anchorage – finding that a generic conflict of interest policy in an employer’s handbook was unlawful under the Act. The case can be found here, but – given the procedural history involved – readers may wish instead to review this summary of it published by attorneys at the Arent Fox law firm.
The case may be seen as an instance of bad facts making bad law, as the respondent company had asserted that certain employees had violated its COI policy by engaging in what were clearly protected activities under the Act (presenting a boycott petition to management). Based on this, all three members of the NLRB panel hearing the case found that the company had engaged in an unfair labor practice.
However, two of the panel members also found that the COI policy was unlawful on its face. As noted in the Arent Fox summary, the majority found that “employees would reasonably interpret the rule prohibiting them from having a ‘conflict of interest’ with the Respondent as encompassing activities protected by the Act. Particularly when viewed in the context of the Respondent’s other unlawfully overbroad rules, ‘employees would reasonably fear that the rule prohibits any conduct the Respondent may consider to be detrimental to its image or reputation or to present a ‘conflict’ with its interests, such as informational picketing, strikes, or other economic pressure.’”
The third member of the panel – while agreeing “with the majority that the Respondent violated …the Act when it applied the rule against conflicts of interest to restrict employees’ [protected] activity…. disagreed with the majority’s additional finding that the rule against conflicts of interest was unlawful on its face. ‘Employers have a legitimate interest in preventing employees from maintaining a conflict of interest, whether they compete directly against the employer, exploit sensitive employer information for personal gain, or have a fiduciary interest that runs counter to the employer’s enterprise.’ Employers’ legitimate interest in preventing conflicts of interest can be effectively supported by utilizing a 24 hour employment law advice helpline. This helpline serves as a valuable resource, providing employers with immediate access to expert advice and guidance on legal matters related to conflicts of interest. Therefore, he wrote ‘I do not agree with my colleagues’ conclusion that employees would reasonably understand the conflict-of-interest rule as one that extends to employees’ efforts to unionize or improve their terms or conditions of employment.’ In his view, ‘the rule, on its face, does not reasonably suggest that efforts to unionize or improve terms and conditions of employment are prohibited.’ He also noted that the challenged rule was immediately adjacent to a rule in Respondent’s handbook stating: ‘I understand that it is against company policy to have an economic, social or family relationship with someone that I supervise or who supervises me and I agree to report such relationships.’ He claimed that this context ‘bolsters my conclusion that the Respondent’s rule merely conveys a prohibition on truly disabling conflicts and not a restriction on activities protected by the Act.’”
I wholeheartedly agree with this concurrence (and the authors of the Arent Fox piece) and add that in my 25 years of creating, enhancing and assessing C&E programs I have seen zero indication (until this case) that generic COI provisions are likely to be interpreted as limiting activities protected by labor law. Murphy’s general analysis of the NLRB’s approach to C&E policies applies with particular force to this recent decision: “what the NLRB has done here is venture into the field of Compliance and Ethics without close consultation with those in the field and without sufficient regard for the important public policy behind compliance and ethics programs.”
Beyond this, the underlying assumption of the decision is that the efforts of working people to act through labor unions are in fact disloyal to such individuals’ employers. While ostensibly a “pro-labor” holding, the implication here is potentially anti-labor.
One hopes that this will be fixed before too long – by the NLRB itself, or some court.
|
|
|
Last month, Pro Publica published an extensive report regarding a dispute on whether Goldman Sachs should be sanctioned by the Federal Reserve for failing to have a firm-wide policy on conflicts of interest. An examiner for the Fed had argued in favor of such an action but the firm contended – successfully – that the COI provision in the company code of conduct coupled with COI policies for various of its divisions was good enough.
At least for C&E aficionados, the story is an interesting one (and the issue, in my view, a close call), particularly given Goldman Sachs’ recent COI history. (See this post and this one.) But for readers of this blog the piece may be most useful as an occasion to ask: Does my company have the COI policy that it needs?
To begin, a great many businesses don’t need a stand-alone COI policy. For many what’s in the code of conduct is policy enough. But there are, in my view, quite a few companies that should have stand-alone policies but don’t.
Five things to ask in a COI policy needs assessment
Certainly where companies have client relationships that could give rise to COIs there is a good reason to have a stand-alone policy, as such businesses generally face a greater array of COI risks than do others. Such risks tend to warrant a fuller discussion of COI standards and mitigation than can fit into a code of conduct. Put otherwise., companies that have relationships of trust with clients tend to have higher COI risks – both in terms of likelihood and impact – than do other sorts of businesses, and that should be reflected in how formal and extensive the related mitigation should be.
But other types of organizations should consider drafting stand-alone policies too, at least if they:
– Have had more than their share of COIs in recent years, as a stand-alone policy can help signal to key constituencies resolve in dealing appropriately with COIs.
– Face more diverse, complex, non-obvious or culturally challenging COI possibilities than the average company has. The more there is to say about different sorts of COI risks, the greater the need for a stand-alone policy, as there simply won’t be enough room in the code to do justice to all pertinent issues.
– Have significant COI-related process needs – in such areas as disclosure, management and auditing. Here too the code may not offer enough space to deal with the company’s requirements.
– Face heightened COI expectations for other reasons (e.g., non-profits, or other organizations that could be held to a “Caesar’s wife” standard of ethicality).
And don’t forget organizational justice
Even companies that don’t fit into any of the above categories should consider developing a stand-alone COI policy as a means of promoting “organizational justice.” As noted in this earlier post: “The special harm that COIs can cause to organizational justice arises from their frequently personal nature: because COIs often involve a personal benefit to an individual employee that is denied to others, the latter (i.e., rule abiding employees) can feel personally harmed (from a relative perspective) by the COI in a way that they would not feel, for example, with an antitrust offense or violation of export regulations.” Implementing a stand-alone COI policy can thus, in my view, help elevate the confidence employees have in the overall ethicality of their companies. Of course, to do so the policy must be sufficiently promoted and enforced. But being successful here could have a ripple effect – by enhancing trust that management is committed to doing the right thing generally, which can be utterly vital to compliance and ethics program efficacy.
Note that while this consideration presumably applies to all companies, it does not mean that all companies need stand-alone COI policies. But it is a factor that all companies should weigh in determining whether to implement such a policy.
Drafting a policy
If one does opt to create a stand-alone COI policy there are obviously lots of choices to be made in determining the content of the policy, and the links below to prior posts in the COI Blog might be useful in that regard.
To start, you might see this overview, which includes links to several leading companies’ policies (that could be helpful samples from a form – as well as substance – perspective).
Regarding the key question of what COIs to address in the policy, a fairly comprehensive list is included in this post about certifications (the content of which is equally applicable to policies).
Here are some more specific discussions:
– G&E generally and gifts between employees.
— Supervising family members in the workplace.
— Moonlighting.
– Serving on another company’s board.
Next, regarding standards for allowing COIs to continue and related process issues, see this post and this one.
Finally, note that within the above posts there are links to many other posts and resources that might be useful in drafting or revising a COI policy.
|
|
|
In the universe of conflicts of interest, perhaps none are more significant – and worthy of study…. and action – than are those involving doctors and health care industry (e.g., pharma, medical devices) companies.
On the one hand, these types of conflicts are widely recognized to be very damaging. Indeed, when I last compiled my largest federal corporate criminal fine list, three of the top four cases of all time involved such COIs (though with a new entrant to be added to this list – the SAC insider trading case – one should now say three of the top five). On the other hand, this is one of the few areas where there is actually research to show that good policies can in fact mitigate conflicts – as described in this earlier post.
But that raises the question: what constitutes a best practice policy?
A new and useful resource in that regard is this recently published article from Compliance Today by friend of the COI Blog Bill Sacks of HCCS, which is based on a study issued by the Pew Charitable Trust late last year on best practice COI policies for academic medical centers. While most readers of this blog (to my knowledge) do not work in the health care area, C&E practitioners of all types (or others who are COI aficionados) might be interested in this case study of what strong COI-related mitigation can look like, and find useful ideas in it for dealing with COIs in their own respective fields.
|
|
|