Edited by Jeff Kaplan
|
Compliance
In this section we examine how the various “tools” of a C&E program can be deployed to mitigate COIs, as well as other matters regarding the interaction of COIs and C&E programs. Please see the various sub-categories for information about each of these tools.
|
|
Relationships between relevant C&E “checking” categories can be confusing. For example, auditing can overlap with program assessment and with risk assessment. The line between auditing and investigations is not always well marked. Monitoring can overlap with program governance and management. Metrics are generally part of monitoring but are sometimes discussed separately. Encouraging reports of suspected violations can be seen as a form of monitoring – but is generally treated as a different animal. Other types of internal controls (e.g., pre-approvals) can also be viewed as a form of monitoring – but typically serve a different function. Monitoring differs from auditing in that it is less independent and more real time. Speaking generally, it is an under-utilized C&E function.
Monitoring by business people is often called “the first line of defense.” It can be the most immediate and least independent form of C&E checking.
Examples include:
- Reviewing pricing and other activities for any indicia of antitrust violations.
- Monitoring COIs that have been conditionally okayed.
- Reviewing invoices of third parties for any indicia of corruption or violation of other rules.
- Making sure that those expected to take in-person training in fact do so.
Two final points about monitoring.
First, it can serve to educate business people on C&E matters (learn by doing).
Second, it can provide a basis for incenting C&E in performance evaluations (or similar processes). For instance, managers who don’t do a good job in monitoring should have that shortfall impact their evaluations.
|
|
|
|
Under Department of Justice standards for the government’s evaluating compliance & ethics (C&E) programs companies should undertake program self-assessments from time to time.
What does this entail? At a minimum, it should include assessing the general components of the C&E program (e.g., compliance office, helpline, training) as well as corporate culture. And, for many companies, a “deep dive” into substantive areas of high risk, such as anti-bribery and competition law, should be be within the scope of the assessment.
Somewhat less common is companies assessing their conflict-of-interest (“COI”) compliance programs. This post will offer some ideas for use in conducting such an assessment.
Process
At the outset, I wish to stress that a COI program assessment need not be a standalone process. Rather, companies can – and in most instances, should – make it part of the larger program assessment.
Is COI included in your risk assessment?
Note that what this question asks is more than just whether there are actual COIs at the organization in question. Rather, the inquiry is about how likely and potentially impactful COI risks are.
As a practical matter this means:
– Determining how culture affects COI likelihood – as a matter of organizational, geographic and industry culture. Note that while the first two types of culture are commonly the focus of risk assessment, the third – industry culture – generally is not, but (in my view) should be,
– Determining what the opportunities for COIs are. This is a matter of having adequate financial controls, of course, but also entails looking at the “supply side” of opportunities to enter into COIs,
Note that there is no particular formulae for this. What is required is an act of “informed imagination.”
Also, it is particularly important to ask the impact question with COIs, because such impacts are often dismissed as “harmless.” Focusing on impacts in a COI risk assessment can help show why that is not the case.
COI policies and procedures
Presumably almost all companies have COI provisions in their respective codes of conduct, but not all have standalone policies. The latter aren’t typically mandatory but are generally a good idea where the subject may be too complex for a code provision to cover completely.
The most important topic for COI policies and procedures often concerns disclosure/approval. As a general matter disclosure should be made to – and approval required of – compliance, legal or HR. Allowing approvals by line supervisors – if necessary – should still entail notice to compliance, law or HR.
Training and communications
These should be driven by the risk assessment, and there is clearly no one size that fits all when it comes to COI training and communications. However, a fairly typical approach for a medium risk company would entail:
– COI as a module in code of conduct training for all employees delivered every year or two.
– Other training on a risk-based basis (such for managers or procurement).
– Other communications on a risk-based basis (e.g., about gift giving – to be disseminated during the holidays).
Auditing and discipline
Companies often review COI case files as part of site audits. Whether to do this – or other auditing – should be informed by the risk assessment.
Finally, from an organizational justice perspective, it is important that COIs be handled in a fair way. While fairness is important to how all C&E issues are resolved this is particularly so for COIs – given that COIs have an obvious personal dimension, e.g., hiring or promoting a relative arguably hurts other mployees more than other offenses would.
|
|
|
|
From “Do You Have a Conflict of Interest? This Robotic Assistant May Find It First” recently published in the NY Times:
What should science do about conflicts of interest? When they are identified, they become an obstacle to objectivity... Sometimes a conflict of interest is clear cut. … But other cases are more subtle, and such conflicts can slip through the cracks, especially because the papers in many journals are edited by small teams and peer-reviewed by volunteer scientists who perform the task as a service to their discipline.
The Times piece further notes: With such problems in mind, one publisher of open-access journals is providing an assistant to help its editors spot such problems before papers are released. But it’s not a human. Software named the Artificial Intelligence Review Assistant, or AIRA, checks for potential conflicts of interest by flagging whether the authors of a manuscript, the editors dealing with it or the peer reviewers refereeing it have been co-authors on papers in the past…(Note: prior coauthoring of an article by itself would not constitute a COI, but could be an indication of one.) The tool cannot detect all forms of conflict of interest, such as undisclosed funding sources or affiliations. But it aims to add a guard rail against situations where authors, editors and peer reviewers fail to self-police their prior interactions.
Note that the use of data mining for COIs is not new. Indeed, for many years, auditors have looked for matches between the addresses of employees and vendors. And anti-corruption compliance programs increasingly involve data mining, as is true of competition law compliance too
Moreover, the specifics of efforts like these will vary by industry. (E.g., the co-author relationships of the type referenced above would presumably be relevant only to businesses where publishing plays an important role.)
But for any company it is worth considering – based upon the company’s risk profile – whether there are any opportunities of this sort.
|
|
|
|
Here is a just-published article in Corporate Compliance Insights by Rebecca Walker and me on conducting assessments of conflict of interest compliance programs.
We hope you find it useful.
|
|
|
|
Conflicts of interest have long been seen as an area of significant risk. But that does not always translate into the conduct of meaningful risk assessments.
Part of the reason for this disconnect is a widespread belief that COI risks are already well known. Certainly every C&E professional knows that the major types of COI for most business organizations involve employees a) having financial ties to competitors and third parties that do or seek to do business with the organization, and b) hiring family and friends into the organization. Similarly, the basics of the other two major COI categories – organizational and gatekeeper COIs – are generally understood by C&E professionals working in fields where risks of such conflicts are significant.
But understanding the general risks regarding COI may not be enough to generate the type of information that an effective risk assessment process requires, which is information that will help design or modify all the risk-sensitive elements of a program to mitigate COIs. These are policies, training, and other communications, auditing and accountability. (Note the other program elements – e.g., helplines, investigations, incentives, discipline – are obviously important too, but tend not to vary by risk area.)
Each assessment will vary in substance. But here are some areas of inquiry that may be useful to companies just starting out.
– Any relevant COI history at the organization – violations, near misses and inquiries.
– Any relevant COI history at competitor or otherwise comparable organizations, to the extent known.
– Same inquiry regarding customers, suppliers and other third parties with which one does business.
– COI standards that are not fully understood or appreciated.
– Weakness in “inner controls” (where – due to factors described in behavioral ethics research – moral constraints against wrongdoing are of diminished efficacy).
– Instances or prospects of prosocial COIs (“right v. right” risks).
– Industry-related risks.
– Cultural-related factors.
– Efficacy of process controls (particularly around COI disclosure/approval regimes).
Note that in some instances the inquiry can be done on an enterprise-wide basis but for others it should be granular (e.g., region, business line, function) too.
|
|
|
|
The Coronavirus is,of course, creating considerable volatility in the stock market. With such volatility comes opportunity for investors to make profits, either honestly or otherwise. Are companies prepared for what might be an increase in insider trading risk?
In many companies the principal “owner” of insider trading compliance on best trading platforms like MetaTrader 4 for retail traders, is the corporate secretary or other member of the law department – not the compliance & ethics officer. That is generally fine, as the subject is of a fairly technical nature.
But in my view the CECO should still have a “line of sight” into insider trading compliance too. This is particularly so given that insider trading laws are – at least in part – conflict-of-interest based, and COIs are within the “heartland” of a CECO’s duties.
The basics
The core of an insider trading compliance program is the policy, which every public company (and some private companies) should have. A typical policy should cover the following
– Explanation of insider trading , including definitions of key terms such as “material” information, non-public information, purchase and sale. Personal experiences and ironfx scam can teach more about insider trading and how to handle it smoothly.
– Procedures to prevent insider trading, including preapprovals and black-out periods.
– Policy and procedures on “tipping.”
– Any additional transactions that are prohibited by the policy, such as trading in options in the company stock or buying on margin,
– Rule 10b5-1 trading plans.
– Penalties and enforcement.
The basics also include:
– Insider trading training and periodic communications.
– Certificates of compliance.
– Avenues for seeking guidance and reporting concerns.
The role of the CECO
Most of these items are, as noted above this is fairly technical. But an insider trading program can also have a broader cultural dimension.
For instance, as noted in an earlier post: insider trading should be seen as a form of private corruption, rather than as a more technical and indeed victimless form of wrongdoing, which it is sometimes seen as. This can give enforcement and compliance efforts a degree of moral force that they might otherwise lack.
Can the corporate secretary make the case about insider trading being a form of private sector corruption? Sure – but in all likelihood the CECO can do it better because she will be able to place insider trading within the larger conflict of interest framework. This could make both areas stronger.
Again, I’m not trying to take work from the corporate secretary. But having the insider trading program learning from the CECO could help companies strengthen their compliance in a time of heightened risk.
*****************************************************
You might be interested in this piece about abuses in the gifts and entertainment area being viewed as “soft-core corruption.”
|
|
|
|
In Testing Compliance, (published on the Harvard corporate governance web site, with the full paper available at SSRN), Brandon L. Garrett. Professor of Law at Duke Law School, and Gregory Mitchell, Professor of Law at the University of Virginia School of Law, note that “what makes the compliance enterprise deeply uncertain and problematic is that the information generated by compliance efforts is simultaneously useful and dangerous. However, documenting problematic behaviors creates a record that may be used against the corporation in future administrative, criminal or civil proceedings, or may become the subject of a media exposé. Officers and directors, and the in-house compliance team, may sincerely hope compliance programs are effective, but they may quite rationally avoid testing that hope. The end result will often be rational ignorance with respect to the effectiveness of corporate compliance programs. This dynamic—the hope that greater attention to compliance will reap benefits drives more resources toward compliance efforts, yet fears about what examining the effects of those efforts might reveal hinders validation of compliance programs—creates a ‘compliance trap’ that can ensnare corporations and regulators alike.” The authors “explore ways out of this trap.”
Among other things:
– They argue for government policies to promote more information sharing by companies about what works and what doesn’t in terms of C&E. While there is already some such sharing via compliance conferences and though various professional organizations there is clearly room for improvement here.
– They also note, based on compliance information published by Fortune 100 companies, that if such companies “are measuring the effectiveness of their compliance programs, they are not sharing it. It is also possible that what we see is what we get: active educational efforts focused on employee training and assessments of that training using employee surveys and reactive compliance efforts relying on whistleblower reporting and investigation of those reports. The public record reveals few active efforts to detect and remedy weaknesses within internal compliance systems.” I agree that sharing of this kind could be a powerful force in promoting strong C&E.
– They propose instituting a “legal mandate that organizations regularly test their compliance systems for effectiveness. But to incentivize companies to put in place strong compliance programs and audit those programs rigorously, the mandated reports should not increase their litigation exposure. ” I think implementing legislation to help companies avoid the “compliance trap” in this way would be very beneficial, though getting to such a safe place would – in my view – be a lengthy and difficult journey.
– They note: “Companies need to proactively test whether their employees, when given the chance to misbehave, really do. Such testing need not involve comprehensive data collection or expensive analytics, although firms increasingly use such tools, and consultants may market AI approaches to compliance. Rather, experiments, relying on blind performance testing of randomly sampled employees, can quite inexpensively measure whether employees comply in realistic work situations.” I note (as do the authors) that some this already happens but think there needs to be more of it. However, one must be careful to avoid the perception that employees are being treated as the subject of experiments.
Finally, there is much more to this piece and I encourage you to read it in its entirety.
|
|
|
|
Compliance programs have long been viewed (at least by me) as a “delivery device” for bringing behavioral ethics ideas and information into the workplace. And now something similar can be said about corporate governance.
In Corporate Law for Good People Yuval Feldman, Adi Libson (both of Bar-Ilan University) and Gideon Parchomovsky (of the University of Pennsylvania Law School) offer “a novel analysis of the field of corporate governance by viewing it through the lens of behavioral ethics.” As they note: “In the legal domain, corporate law provides the most fertile ground for the application of behavioral ethics since it encapsulates many of the features that the behavioral ethics literature found to confound the ethical judgment of good people, such as agency, group decisions, victim remoteness, vague directives and subtle conflict of interests.”
Of these, the topic of COIs is (predictably) is of greatest interest to me. The authors’ area of particular focus here is independent boards of directors. They note that independent directors may suffer from the “curse of partial independence. Their status as independent directors intensifies their self-perception as ‘objective’ agents, making them more susceptible to subtle conflicts-of-interest. As many scholars have pointed out, independent directors have a weaker type of a conflict-of-interest. According to behavioral ethics, this might cause those directors to be more rather than less biased, making it easier to ignore or justify self-interested decision-making.”
“Even though they have no formal ties to the management or major shareholders and do not receive direct benefits from them, some degree of non-formal ties are likely, which may make them less rather than more objective relative to other directors. Furthermore, it is mostly the management that effectively chooses independent directors, so even without any pre-existing ties, the management is to some degree the benefactor of the independent director. This subtle conflict-of-interest may lead independent directors to lean to return the favor by showing leniency toward the management, similar to the studies that have found tendency to take sides even when the actor does not derive direct gains from the triumph of the party she supports.”
“This analysis does not necessarily lead to the conclusion that the institution of independent directors should be abolished. On the contrary, independent directors have the potential to improve corporate governance, if measures are taken to address the subtle conflict of interest that undermines their performance.”
I agree with this analysis, as I do nearly everything said in this paper.
But one area that I found questionable was the finding that “building an atmosphere of a ‘corporate family’ and forming organizational loyalty is mostly perceived as an important value for investors, but under certain circumstances it may work to their detriment. Similar studies have found that ethical codes that use more formal and less ‘familial’ language—usage of the term ‘employee’ and not ‘we’—are more effective in curbing unethical behavior” (emphasis added). The principal support for this is a reference to an unpublished manuscript on file with authors, which left me eager to learn more about this contention.
|
|
|
|
In “Can Ethics be Taught? Evidence from Securities Exams and Investment Adviser Misconduct,” forthcoming in the Journal of Financial Economics, Zachary T Kowaleski of University of Notre Dame, Andrew Sutherland of the Massachusetts Institute of Technology, and Felix Vetter of the London School of Economics “study the consequences of a 2010 change in the investment adviser qualification exam that reallocated coverage from the rules and ethics section to the technical material section. Comparing advisers with the same employer in the same location and year, we find those passing the exam with more rules and ethics coverage are one-fourth less likely to commit misconduct. The exam change appears to affect advisers’ perception of acceptable conduct, and not just their awareness of specific rules or selection into the qualification. Those passing the rules and ethics-focused exam are more likely to depart employers experiencing scandals. Such departures also predict future scandals. Our paper offers the first archival evidence on how rules and ethics training affects conduct and labor market activity in the financial sector.”
This seems like a very important study and there are far too many aspects of it to provide a comprehensive summary here. But I was particularly struck by the following:
“[W]e find the misconduct differences across passers of the old and new exam persist for at least three years, which we would not expect if advisers merely memorize rules rather than draw more fundamental lessons about acceptable conduct from the ethics portion of the exam. In sum, this evidence suggests that our main results cannot be explained by compliance alone, and that the exam change altered advisers’ perceptions of acceptable conduct.”
“[T]he behavior of the least experienced advisers is most sensitive to the extent of rules and ethics testing. These results are consistent with the exam playing a ‘priming’ role, where early exposure to rules and ethics material prepares the individual to behave appropriately later.”
“[W]e find the exam’s coverage to be less pertinent to those advisers working at firms where misconduct is prevalent. Thus, the contagion of misconduct behavior appears to limit the effectiveness of training in preventing transgressions.”
“We study turnover among all Wells Fargo advisers, and find those passing the old exam are most likely to leave after the scandal broke.”
There is much more to the study than this and I encourage you to read the original.
|
|
|
