Compliance

In this section we examine how the various “tools” of a C&E program can be deployed to mitigate COIs, as well as other matters regarding the interaction of COIs and C&E programs. Please see the various sub-categories for information about each of these tools.

Behavioral ethics training for managers

In “Companies Need to Pay More Attention to Everyday Unethical Behavior” – published last month in the Harvard Business Review – Yuval Feldman, Professor of Legal Research at Bar Ilan University, argues:

Many large scandals have sounded the alarm on the need to monitor corporate corruption. The typical response from policy makers is to propose a patchwork of reforms to address various corporate transgressions. But by and large, these reforms focus on preventing gross and blatant violations of the law – and they ignore the more banal, ordinary acts of unethicality that are far more common in organizations. Numerous studies have documented the prevalence of practices such as stealing office supplies, inflating business expenditures reports, and engaging in behaviors that raise conflicts of interest. While these may sound negligible, these violations reduce trust over time and alter prevailing business and legal norms. Their aggregated effect can be quite harmful. Behavioral ethics research suggests that this type of misconduct occurs not because people are unethical or deliberately choose to act unethically, but because they fail to understand that their behavior is indeed unethical and can have harmful consequences. Thus, sanctioning rule breaking and looking for “smoking guns” will not prevent most employees from acting unethically. If organizations want to do a better job at preventing misconduct, they need to adopt a two-stage approach. The first stage focuses on increasing people’s awareness of the illegality and unethicality of their behavior. The second stage is about ensuring that employees clearly recognize that misconduct will be penalized.

Achieving what is contemplated by both of these stages could sound daunting – particularly the first. However, for companies that already have compliance and ethics (“C&E”) training for managers and supervisors, there may be an opportunity to use that training to increase employees’ awareness of the sort of risks described by Professor Feldman.

That is, such training can be expanded to include:

– A brief explanation of the findings of the above-referenced behavioral ethics research.

– An explanation that managers’ C&E duties include identifying seemingly negligible risks in their respective parts of the organization that could over time adversely affect trust there.

– An expectation that these risks will be addressed by managers when speaking to the workforce (e.g., in townhalls, staff meetings, etc.) and through written communications.

Note that I am proposing a more or less “local” approach to this issue, as opposed to a top-down one, as I believe that having managers of various ranks involved in the process is necessary to make the effort risk based. Also, hopefully being given this role will lead managers to reflect on their own ethical performance.

Note that there is much more that can be done in communications and training to use behavioral ethics information and ideas to prevent and detect wrongdoing. See prior posts collected in this index.

There is also more to be said about slippery slopes, some of which can be found in this prior post.

Finally, here is an article on drafting managers’ C&E duties.

Essential ingredients of an effective conflict of interest policy

In today’s edition of the FCPA Blog.

I hope you find it useful.

“Just-in-time” risk assessment

In 1994 I spoke at a meeting of a company’s executives that took place shortly before the end of the company’s financial quarter, and in the same session the CEO made the point that the executives needed to be vigilant against any mischief designed to dress up the quarter. This was my first exposure to “just-in-time” training/communication. And although more companies time their compliance measures in this sort of way now than did then (mostly because there are more measures to time), it is an area where many organizations can and should up their respective games.

The basic idea of just-in-time communications (also sometimes called “point of risk” communications) – as described in this post – is that compliance communications are most likely to have the desired impact if delivered shortly before exposure to the risk in question. As noted in that post, this mechanism could be used to address a wide range of risks: “anti-corruption – before interactions with government officials and third-party intermediaries; competition law – before meetings with competitors (e.g., at trade association events); insider trading/Reg FD – during key transactions, before preparing earnings reports; protection of confidential information – when receiving such information from third parties pursuant to an NDA; … accuracy of sales/marketing – in connection with developing advertising, making pitches; and employment law – while conducting performance reviews…”

To his discussion I would like to add the notion of a just-in-time risk assessment. Specifically, when conducting risk (or program) assessment interviews or surveys, compliance personnel should inquire a) for any given area or risk, whether there is a need for just-in-time training/communications; and b) if so, what the specifics of such training/communications should be.

Finally, the need to look for opportunities of this sort can be added to lists of managers’ C&E duties (e.g., those set forth in the code of conduct, training for new managers, and perhaps personnel evaluations). This will not only help companies develop more “just-in-time” communications but will raise the level of managers’ C&E knowledge and commitment generally.

Conflict-of-interest policies and procedures

My latest column in C&E Professional (3rd page of PDF).

I hope you find it useful.

Deadly – and small – gifts and entertainment

Virtually every conflict of interest policy contains monetary limits for individual acts of gift giving or entertainment, but not all seek to quantify how many of such acts are permitted to occur in a given time period. This issue was raised in a particularly grim way – as described in this article in MarketWatch – by a recent study which “found that both deaths from opioid overdose and opioid prescriptions rose in areas of the country where physicians received more opioid-related marketing from pharmaceutical companies, such as consulting fees and free meals,…”

Relevant to the specific issue in this post, Magdalena Cerdá, director of the Center on Opioid Epidemiology and Policy at NYU Langone Health and the senior author on the study, stated: “A lot of the discussion around the pharmaceutical industry has been around high value payments, but what seems to matter is really the number of times doctors interact with the pharmaceutical industry,… ‘A physician’s prescribing pattern could be influenced more by multiple inexpensive meals than a single high-value speaking fee,’ she noted.”

She also said: “’We think it’s because the more times physicians interact with someone from the pharmaceutical industry, the easier it is to build a relationship of trust,… ‘We in no way think the prescribing is some kind of nefarious intentional behavior by physicians. The fact that it is the frequent, low-level payments that have the most effect shows that it’s more unintentional ‘…” Of course, unintentional conflicts tend to be more difficult to address than are intentional ones.

More generally, this finding seems to me to be significant in a broad-based way, as it presumably applies to other commercial contexts as well. Compliance officers in all industries should make sure that their COI policies address not just high-value gifts and entertainment but also high volumes of them.

International Chamber of Commerce publishes conflict of interest guidelines

The International Chamber of Commerce – apparently the world’s largest business organization – recently published Guidelines on Conflicts of Interest in Enterprises. It is available for free download here.

Among other things, the Guidelines provide a useful summary of what should generally be included in a COI compliance policy:

Objective: first, the prevention of Conflicts of Interest, and if nevertheless they do arise, dealing with them, disclosing them and finally mitigating the risks of them arising;

Scope: applicable and binding for all directors, officers, managers, employees, agents and representatives (Associates) of the Enterprise;

Definitions: include clear definitions;

Provisions:

– comply with all applicable laws and regulations in addition to internal regulations of the Enterprise, including privacy laws and policies;

– all decisions and actions by all Associates shall be taken in the best interest of the Enterprise;

– Associates shall not take business opportunities that belong to the Enterprise for themselves;

– Associates shall immediately disclose any Conflicts of Interest;

– Associates shall abstain or withdraw from debating, voting, or other decision-making processes or activities when a Conflict of Interest exists or might arise;

– Senior Management shall lead by example and give guidance on Conflicts of Interest;

– job applicants and newly hired or appointed Associates shall disclose any Conflicts of Interest immediately during the hiring or appointment process;

– every member of Senior Management shall update his/her disclosure on Conflicts of Interest at least annually to the Compliance Officer, or any other person in charge of the Conflict of Interest Policy;

– provision on communication and training on Conflicts of Interest;

– provision explaining where guidance may be obtained in case of questions or concerns; and

– provision on regular reporting of Conflicts of Interest and evaluation of the Policy.

Overall, I agree with these recommendations, but to me the principal value of the Guidelines lies more in the very fact that it exists than the particulars of its various provisions.

That is, perhaps because COIs are so widespread and diffuse (meaning not the subject of a unified legal regime), they often seem to discourage meaningful efforts to mitigate them in the type of programmatic way that one typically sees with anti-bribery and competition law. The Guidelines – issued by an organization with six million members – is an important step in the direction of making such an approach a mainstream expectation.

(For more information on the components of a COI compliance program see the various entries and subentries under “Compliance” on the index on the left hand part of this blog – also available here.)

Conflict of interest? Who decides?

Many companies have, of course, escalation provisions for responding to allegations of wrongdoing. But do they need such provisions with respect to routine self-disclosures of conflicts of interest?

At least for some companies that allow line managers to approve disclosed conflicts the answer is, in my view, Yes. That is in part because managers may – thanks to the behavioral ethics phenomenon of “motivated blindness” – be inclined to “go easy” on a particularly valued employee who has disclosed a COI. Line managers may also fail to appreciate in such situations the danger to the compliance program generally of an overly liberal approach to COIs – particularly to the sense of “organizational justice” at the company.

But what should an escalation provision entail? Here are some possibilities, meaning circumstances where the line manager should be required to enlist the help of HR, Compliance or Legal in addressing a disclosed COI:

– Disclosure is by a relatively high-level person.

– Disclosure is by a person in a controls function.

– Conduct would tend to diminish trust of key stakeholders in the company. (Most important of all the criteria – but also hardest to apply.)

– Conduct involves a relatively high degree of money or other tangible or intangible interests.

– Resolving disclosed conflict would entail complicated fact finding.

– Resolving conflict would entail interpretation of legal or regulatory mandates.

Finally, and perhaps less obvious than the others, going forward, would the manager be sufficiently aware of the relevant actions of the disclosing employee to help ensure adherence to Company COI standards? In other words, can the manager act like a de facto COI monitor?

Imagine the real

An early post on this blog noted that among the more interesting phenomena of behavioral ethics was the impact that knowing or not knowing a party could have on how one treated that party.

A set of circumstances that is relatively likely to lead to an ethical shortfall is where we do not know who will be impacted by a contemplated act. As described in this paper by Deborah A. Small and George Loewenstein, in one study “subjects were more willing to compensate others who lost money when the losers had already been determined than when they were about to be” and in another “people contributed more to a charity when their contributions would benefit a family that had already been selected from a list than when told that the family would be selected from the same list.” Beyond their direct application to the area of charitable giving, these findings may be relevant to a broader range of ethics issues, and, for instance, could help explain the relative ease with which so many individuals engage in offenses where the victims are not identifiable.

One example of this is insider trading – a crime which, although widely known to be wrong, seems utterly pervasive (based, among other things, on the extent of trading in securities right before public disclosure of market moving events). A behavioral ethics perspective suggests that (at least part of) the reason for this “inner controls” failure is that the victims of insider trading are essentially anonymous market participants.

Another offense of this sort is government contracting fraud (where the victims tend to be everyone), and indeed Ben Franklin famously described the risks of an ethics shortfall here as well as anyone could: “There is no kind of dishonesty into which otherwise good people more easily and more frequently fall than that of defrauding the government.” Understanding why “otherwise good people” do bad things is much of what behavioral ethics is about.

But what about COIs? The picture there is mixed, as some COIs do involve identifiable victims – such as the job applicant who does not get hired because the position was filled by the boss’s son. Similarly, an organization might suffer identifiable harm when its procurement process is corrupted by a COI – e.g., paying too much or getting too little.

However, with other sorts of COIs the harm is less apparent. It is the damage to trust in key relationships.

For this reason, organizations might consider including the following question in their COI resolution protocols: “How likely would it be that the COI would diminish the trust that stakeholders (shareholders, employees, customers, business partners, suppliers or regulators) would have in the Company or otherwise adversely impact the Company’s reputation?”

Of course, this thought experiment works only if you truly try to put yourself in the shoes of one of these parties. Or, to use the memorable words (albeit from another setting) of philosopher Martin Buber: “Imagine the real.”

Conflict of interest self assessments

C&E program assessments sometimes have a general scope and sometimes are focused on a single substantive risk area – such as corruption or competition law. For some companies it makes sense to do such a targeted assessment for conflicts of interest – particularly those responding to a significant COI violation or “near miss.”

The scope and approach of such assessments for any given company at any given time should vary based on a variety of circumstances. Hopefully, however, the following questions/comments can be helpful to some organizations seeking to determine whether/how to go down this road.

Risk Assessment. Has the company assessed COI risk? If so, has it used the results of the assessment(s) in designing and implementing other aspects of the COI program?

Governance. Have the respective COI oversight roles of the board of directors and senior management been formalized? Do they receive appropriate reports of COI program activity? Are there sufficient escalation provisions regarding COIs?

Culture. Are COI rules followed or are there double standards? What is the sense of “organizational justice” vis a vis COIs?

Policies. Presumably nearly every business organization has a COI provision in its code of conduct – but there are also many that need but do not have a standalone policy as well.

Procedures. Are disclosure procedures clear, easy to use and well known? Do those tasked with reviewing COIs have sufficient knowledge and independence for the job?

Training/other communication. Is there enough training given relevant COI risks (which tend to be high for senior managers/board members and in certain functions)? Is training reinforced through other communications?

Auditing and monitoring. Is the COI disclosure practice audited? Same question for monitoring (of conditionally approved COIs).

Responding to allegations/requests for guidance. Do employees feel comfortable seeking guidance on possible COIs? Are investigations truly independent? Are violations of the COI policy treated with sufficient seriousness? Does the company conduct a “lessons learned” analysis of significant COI failures?

Of course, there is much more that could be included in a COI self-assessment (and I encourage you to browse the blog for ideas in this regard). But hopefully the above will be a useful foundation for starting.

Conflict of interest risk assessment (part 2)

My latest column in Compliance & Ethics Professional. (Last page of PDF.)

I hope you find it useful.