Compliance

In this section we examine how the various “tools” of a C&E program can be deployed to mitigate COIs, as well as other matters regarding the interaction of COIs and C&E programs. Please see the various sub-categories for information about each of these tools.

Imagine the real

 

An early post on this blog noted that among the more interesting phenomena of behavioral ethics was the impact that knowing or not knowing a party could have on how one treated that party.

A set of circumstances that is relatively likely to lead to an ethical shortfall is where we do not know who will be impacted by a contemplated act.   As described in this paper by Deborah A. Small and George Loewenstein,  in one study “subjects were more willing to compensate others who lost money when the losers had already been determined than when they were about to be” and in another “people contributed more to a charity when their contributions would benefit a family that had already been selected from a list than when told that the family would be selected from the same list.”   Beyond their direct application to the area of charitable giving, these findings may be relevant to a broader range of ethics issues, and, for instance, could help explain the relative ease with which so many individuals engage in offenses where the victims are not identifiable.  

One example of this is insider trading – a crime which, although widely known to be wrong, seems utterly pervasive (based, among other things, on the extent of trading in securities right before public disclosure of market moving events).  A behavioral ethics perspective suggests that (at least part of) the reason for this “inner controls” failure is that the victims of insider trading are essentially anonymous market participants. 

Another offense of this sort is government contracting fraud (where the victims tend to be everyone),  and indeed Ben Franklin famously described the risks of an ethics shortfall here as well as anyone could: “There is no kind of dishonesty into which otherwise good people more easily and more frequently fall than that of defrauding the government.”   Understanding why “otherwise good people” do bad things is much of what behavioral ethics is about.

But what about COIs? The picture there is mixed, as some COIs do involve identifiable victims – such as the job applicant who does not get hired because the position was filled by the boss’s son. Similarly, an organization might suffer identifiable harm when its procurement process is corrupted by a COI – e.g., paying too much or getting too little.

However, with other sorts of COIs the harm is less apparent. It is the damage to trust in key relationships.

For this reason, organizations might consider including the following question in their COI resolution protocols: “How likely would it be that the COI would diminish the trust that stakeholders (shareholders, employees, customers, business partners, suppliers or regulators) would have in the Company or otherwise adversely impact the Company’s reputation?”

Of course, this thought experiment works only if you truly try to put yourself in the shoes of one of these parties. Or, to use the memorable words (albeit from  another setting) of philosopher Martin Buber: “Imagine the real.”

Conflict of interest self assessments

C&E program assessments sometimes have a general scope and sometimes are focused on a single substantive risk area – such as corruption or competition law. For some companies it makes sense to do such a targeted assessment for conflicts of interests – particularly those responding to a significant COI violation or “near miss.”

The scope and approach of such assessments for any given company at any given time should vary based on a variety of circumstances. Hopefully, however, the following questions/comments can be helpful to some organizations seeking to determine whether/how to go down this road.

Risk Assessment. Has the company assessed COI risk? If so, has it used the results of the assessment(s) in designing and implementing other aspects of the COI program?

Governance. Have the respective COI oversight roles of the board of directors and senior management been formalized? Do they receive appropriate reports of COI program activity? Are there sufficient escalation provisions regarding COIs?

Culture. Are COI rules followed or are there double standards? What is the sense of “organizational justice” vis a vis COIs?

Policies. Presumably nearly every business organization has a COI provision in its code of conduct – but there are also many that need but do not have a standalone policy as well.

Procedures. Are disclosure procedures clear, easy to use and well known? Do those tasked with reviewing COIs have sufficient knowledge and independence for the job?

Training/other communication. Is there enough training given relevant COI risks (which tend to be high for senior managers/board members and in certain functions)? Is training reinforced through other communications?

Auditing and monitoring. Is the COI disclosure practice audited? Same question for monitoring (of conditionally approved COIs).

Responding to allegations/requests for guidance. Do employees feel comfortable seeking guidance on possible COIs? Are investigations truly independent? Are violations of the COI policy treated with sufficient seriousness? Does the company conduct a “lessons learned” analysis of significant COI failures?

Of course, there is much more that could be included in a COI self-assessment (and I encourage you to browse the blog for ideas in this regard). But hopefully the above will be a useful foundation for starting.

 

 

Conflict of interest risk assessment (part 2)

My latest column in Compliance & Ethics Professional. (Last page of PDF.)

I hope you find it useful.

Frequently asked questions about conflicts of interest

An earlier post explored the various contexts – such as board meetings, hiring interviews, employee engagement surveys, training, compliance audits and exit interviews – where asking the right question can help promote C&E at a business organization. To this list should be added frequently asked questions documents (“FAQs”).

FAQs are used with some frequency to supplement codes of conduct and policy statements. They can provide a greater level of information than is feasible in a traditional policy statement – because they are generally easier to read than the latter.

FAQs can be particularly useful in promoting COI-related compliance measures. That is because the issues raised in the COI realm tend to be more personal than are other types of C&E issues and so employees might welcome a chance to have their questions answered in this way rather than through actual contact with someone in their organization – at least as an initial matter.

Those seeking a model for drafting a COI FAQ should take a look at what Walmart has done in this area – which can be found here. It is a very comprehensive document, covering in some detail what are presumably all the major COI risk areas for the company (financial interests, gifts and entertainment, outside employment, personal relationships with other associates, personal relationships with suppliers, protecting personal and business information and information sharing). For each, the document recites the relevant company policy and follows that with one or more questions and answers. (E.g., the Outside Employment section asks and answers questions about working for a competitor, operating a side business and working for a supplier.)

The Walmart FAQ document also does a good job in explaining the reasons for the company’s position on the issues raised in the questions. For instance:

“I supervise an associate who does odd jobs on the side. I would like to hire the associate to do some work at my home. Is this okay?”

“As a manager with direct reports, it’s important to remain objective regarding your associate’s work. This situation requires a manager to think through all of the potential issues and use good judgment. This particular situation could potentially create a real or perceived conflict of interest since the work done for you at home may appear to influence how you view your direct report at work. If you hire someone you supervise to do work on your home, the boundaries between work and personal life may become blurry and difficult to manage. For instance, if you are not pleased with the outcome of the work, it could impact your perception of the associate. It may also appear to others that you are more lenient on that associate’s performance at work since the associate is doing work for you at your home. Finally, the associate may not want to do personal work for their manager for these same reasons, but may feel obligated to do so.”

Of course, not every C&E program needs an FAQ – for COIs or any other risk areas. Those that do tend to be large and have relatively complex compliance profiles. And in considering whether to go this route companies should consider the total mix of relevant information about the risk area in question (i.e., not just what is in the code and policy document, but also the treatment of the risk area in training and other communications). As with any part of a C&E program, one has to be mindful of the dangers here of doing too much as well as too little.

Does your conflict of interest risk assessment do this?

My latest column in Compliance & Ethics Professional, available on page 2 of attached PDF.

I hope you find it useful.

A core value for our behavioral age

Groucho Marx famously said: “Those are my principles, and if you don’t like them… well, I have others.” When it comes to companies committing to follow key principles to guide their behavior – what are often called “core values” – there is clearly no shortage of options. Indeed, this posting on the Threads web site offers 500 ideas for those in the market for values.

One value that I see occasionally (but not frequently) selected for “core” status is humility. Kellogg, for instance, includes humility among several other core values.  Humility is not principally about ethics – Kellogg embraces an integrity value too (as is the case with a large number of companies). But I do see humility as having an important role to play in promoting compliance and ethics in business organizations, in several ways.

First, humility is a logical and arguably inevitable response to the vast body of behavioral ethics research showing “we are not as ethical as we think.”  Thinking and acting with humility is indeed a way of operationalizing behavioral ethics. (For a list of behavioral ethics and compliance posts click here. Also, please see this recent article in the NY Times on behavioral ethics and the notion of “servant leadership.”)

Second, humility is well suited for addressing ethical challenges that are based not on the purposeful failure to be honest but on the less well-appreciated dangers of being careless. (For a post on that click here.) Recognizing the limits of one’s abilities – which is part of being humble –  should help underscore the need for carefulness.

Finally, humility has the potential to resonate deeply in our political, as well as business, culture. By this I mean humility can help form part of a broader mutually supporting relationship between business ethics and what might be called societal ethics of the sort described in other posts.

From a professional viewpoint the benefits to the business side are of most immediate interest to me, but as a citizen (hopefully in the broad sense) I know that the societal dimension is of greater importance. So, let me close by quoting what is one of the best (albeit largely forgotten) expressions of humility’s role in societal ethics, which  can be found in Learned Hand’s “Spirit of Liberty” speech: “The spirit of liberty is the spirit that is not too sure that it is right [and] which seeks to understand the minds of other men and women…”  Delivered in 1944 – when the US and other democracies were engaged in a truly existential battle for survival – these words have never been more compelling than they are today.

Domestic bribery and code of conduct waivers

It was – at least according to this Blog – the most interesting COI story of 2015 (as of February of that year): the head of the New York/New Jersey Port Authority (the PA)  – David Samson – had persuaded United Airlines to reinstate a money-losing route that was convenient for his personal use in return for his giving them favorable treatment on certain PA matters. But what has happened since? And what can C&E professionals learn from it?

In July of 2016, Samson “pleaded guilty to one charge of bribery for accepting a benefit of more than $5,000 from” the airline. “At the same time, United–which was not criminally charged–agreed to pay a fine of $2.25 million and pledged to institute ‘substantial reforms’ to its compliance program.”  And earlier this month the airline settled related charges with the Securities and Exchange Commission.

Above all, that settlement – which involved violations of the FCPA’s books-and-records and internal accounting controls provisions – is a reminder that an effective anti-corruption compliance program must be addressed to domestic  bribery, as well as the foreign kind. In that regard, it is worth remembering that the US is not at or near the top of the Transparency International Corruption Perception Index: it is tied for 16th. And for certain parts of the country – including New Jersey, where Samson worked (and I live) – the picture is worse.

Yet, in my experience some companies don’t address domestic bribery risks with the same rigor that they do foreign ones – even those involving “cleaner” countries than the US.  So, this settlement may be a useful opportunity for companies to consider whether their anti-corruption policies and procedures – including risk assessment – are sufficient to address domestic bribery.

Less significant but perhaps more interesting to C&E practitioners is the SEC’s discussion of the issue of code of conduct waiver – and specifically the failure to get a waiver of the code’s gift provision in connection with the reinstatement of the unprofitable route. The SEC noted that a companion document to the code had provided that: “exceptions would be granted only in accordance with the following procedure: Generally, requests for exceptions must be submitted in writing to the Director – Ethics and Compliance Program.  Approvals for an exception will also be in writing and must be obtained in advance of the action requiring the exception.”  Yet “no one at United sought a waiver of United’s Code of Business Conduct prior to initiating the … Route for Samson’s personal benefit. Nor did anyone at United seek or obtain an exception to Continental’s Ethics and Compliance Guidelines [which was still in effect following the merger of the two carriers]  prior to initiating the … Route. As a result, no written record reflecting the authorization for the … Route was prepared or maintained, as required by United’s Policies.”

Code of conduct waiver-related requirements are based on, among other things, rules of the New York Stock Exchange and SEC. They derive, to some extent, from the Enron case. Yet in recent years I’ve heard very little about them. That may be because the NYSE and SEC standards apply to a narrow band of senior officials at public companies. Yet waiver requirements can go beyond this, as United’s ostensibly did.

So, is there any takeaway for C&E professionals from this aspect of the United case? One idea would be to include questions about waivers in audit interviews – which might pick up information that a question about violations might miss. A second is to include a discussion of waivers in training boards and senior executives – who may have at one point known the Enron-related origins of the waiver provision requirement but have likely forgotten this piece of C&E history.

Finally, for those revising their codes of conduct, one might consider requiring that waivers be granted only upon a clear showing that doing so would be in the best interests of the Company – and that all meaningful circumstances surrounding a waiver be documented in a complete and accurate way. Indeed, given that the SEC has taken the occasion of the United case to speak about code waivers, this is an area where companies should take a moment to make sure they are doing everything right.


Conflict of Interest at Harvard and the Need for Deterrence

We are pleased to have this guest post from Jameson W. Doig, Visiting Research Professor of Government, Dartmouth College  and Professor Emeritus at the Woodrow Wilson School of Public and International Affairs.

On September 12, the Journal of the American Medical Association carried an important story regarding conflict-of-interest in research carried out at Harvard. In the 1960s, the chairman of Harvard’s Nutrition Department and two of his researchers were given $50,000 (in today’s dollars) to provide a critical review of studies that had identified sugar as a significant factor in coronary heart disease. Recently discovered files indicate that the Harvard researchers were in close contact with the Sugar Research Foundation, and that they shaped their analysis so it raised doubts about research studies that identified sugar as a causal factor (they suggested that instead “fat” had a key role in causing heart disease). On reviewing a draft, an SRF official said he was pleased with the results. The role of the SRF in financing and partially guiding the study was not revealed in the researchers’ report, which was published in the New England Journal of Medicine in 1967.

The study was completed in 1967 and all three researchers have now died. Even so, the case raises important issues in the field of deterrence. In my view, Harvard should review the evidence described in the JAMA article, and if the integrity of the researchers’ work was compromised significantly by their contacts with the sugar industry, the University should consider public action — formally announcing the negative findings, perhaps removing any Harvard awards given to the three, etc. Action of this kind should help to deter other researchers who may be tempted to carry out research shaped to benefit the funder. (If the allegations in the article are incorrect, the Harvard review should publicly challenge the JAMA implication of unprofessional faculty behavior.)

Although professional rules now ask researchers to reveal their funding sources, it is reasonable to expect that some will not fully comply. More important, revealing funding sources may not be a sufficient deterrent, when large sums to finance research and complex studies are involved. For example, Coca-Cola has recently funded studies on the links between sugary drinks and obesity; and the National Confectioners Association has financed and been actively involved in studies that raise doubts that eating candy is a factor in child obesity. The candy studies were carried out by researchers at two universities, in collaboration with an industry consultant. To protect the reputation of their own institutions, and to improve the quality of research said to benefit the public, university officials should actively monitor apparent conflicts of interest and take punitive action when appropriate.

A code of conduct for Caesar’s wife

“Follow the money” is as good a rule as any for an assessment of compliance risk, and this is surely true for conflicts of interest.   In many companies that trail leads to procurement – and often to the understanding that those involved in buying goods and services for a company on a day-to-day basis must be above any suspicion.

Increasingly (at least from what I can see) procurement activity is being centralized in enterprise-wide procurement functions.  Much of the impetus for this has nothing to do with conflicts of interest – but, rather, arises from a need to bring more professionalism to procurement and to get the benefit of buying in large quantities, among other things. However, centralization is also a plus from a COI prevention perspective, as it is easier to monitor and otherwise mitigate COI risks in a small group than in the much larger general employee population.

Such C&E measures sometimes include having a specific (and typically very short) code of conduct for the procurement department (in addition to the general code). Among the types of COI issues that could be covered are those relating to gifts, entertainment, travel and donations – meaning these codes can have more restrictive rules about such activities  for procurement staff than for the rest of the employee population. Other types of COIs are typically addressed in these codes as well (e.g., having an ownership interest in or receiving other income from a supplier).

Of course, procurement codes should cover issues beyond  those in the COI area. Confidential information (meaning that of suppliers) is one such topic.  Another is antitrust, with a focus on the oft-neglected buy side.

Reviewing such a code should be part of the on-boarding process for new procurement employees.  As well, periodic training on its key provisions should be provided.  And, one should consider certifications by procurement employees too.

I should emphasize that not every company needs a code like this. However, in my view there are many companies that don’t but should consider developing one.

Finally, there is more to a “Caesar’s wife” approach to compliance for procurement than a code, training and certification. Companies should also be alert to “point-of-risk” compliance opportunities (a concept explored in a recent post). For instance, when a procurement department member  leaves a company to go work for a supplier and has knowledge of pricing and other sensitive information of other suppliers (meaning her new employer’s competitors) the exiting process should include  a reminder of the continuing obligation to keep information of this sort confidential.  And, somewhat more drastically, for higher risk business lines or geographies, rotating procurement assignments may be what it takes to be truly above suspicion.

 

“Point-of-risk” compliance

Marketers have long known that “point-of-sale” display of products can be a powerful advertising tool.  But can its logic be put to work for promoting compliance and ethics?

I was recently asked by a client to fill out a vendor information form and noticed that in addition to seeking information from vendors the form required the employee proposing the hiring to certify that any conflict of interest involving the vendor had been disclosed and okayed by management and the C&E officer.  While I know that many companies have some form of COI certifications (see prior posts collected here), I can’t recall having seen one on a vendor information form of this sort before – even though the common sense of such a “point-of-risk” compliance approach seems pretty obvious.  Indeed, it is hard to think of any reason why a company wouldn’t do this.

Moreover, such an approach  is supported by behavioral science, as described in this earlier post.  And, as also noted in that post, beyond the COI risk area there is no shortage of  other “point-of-risk” compliance opportunities for many companies: “anti-corruption – before interactions with government officials and third-party intermediaries;  competition law – before meetings with competitors  (e.g., at trade association events);  insider trading/Reg FD – during key transactions, before preparing earnings reports;  protection of confidential information – when receiving such information from third parties pursuant to an NDA;  …  accuracy of sales/marketing – in connection with developing advertising, making pitches; and employment law – while conducting performance reviews…” (Note: in the earlier post I refer to this approach as “just-in-time” compliance, but on reflection think that “point of risk” is closer to the mark.)  Doubtless there are many others too.

I should stress that this suggestion does not imply an increase in the total amount of C&E education, which for some companies would be a non-starter.  Rather, a robust “point-of-risk” strategy might allow a company to decrease its use of less impactful communications, meaning principally those that  lack immediacy and context.

Thinking more broadly, a “point of risk” C&E communication strategy might work for teaching ethics in business schools and colleges. Writing last week in the Huffington Post, William Steiger of the University of Central Florida’s College of Business Administration argued that: “Business schools should use examples of ethical practices and decision-making throughout the curriculum, not just in the ethics class.” I agree (and indeed when I was teaching business ethics years ago made a similar proposal; I hope Steiger has more success with this than I did).

Whether it is in the workplace or classroom, there is a growing need to  find ways to better communicate and otherwise support ethical expectations.  For many businesses and schools, a point-of-risk approach may be a good place to start.