Compliance

In this section we examine how the various “tools” of a C&E program can be deployed to mitigate COIs, as well as other matters regarding the interaction of COIs and C&E programs. Please see the various sub-categories for information about each of these tools.

Drafting or revising conflict of interest policies

G.K. Chesterton once said “There are no uninteresting things, only uninterested people,” but some would argue that this only meant that he never saw a conflict of interest policy. You can bet that the series of justly famous beer commercials won’t show The Most Interesting Man in the World line editing such policies.

But being a less interesting person, they do interest me. Indeed,  more so than with most other risk areas, effective compliance here requires close attention to policy creation and maintenance, as a company must clearly define what it considers to be a COI and what its employees should do when faced with an actual, apparent or potential conflict. So, this post collects some resources and thoughts that may be useful for COI policy drafting/revising.

First, it is often helpful to start with a sample. While codes of conduct are – at least for public companies – essentially required to be posted on the web, the same is not true for more detailed COI policies (at least in the private sector – there are, by contrast, plenty of examples for universities and other non-profits to be found with a quick search). But a few corporate COI policies are available on the web, such as those of Best Buy, Novartis and PG&E (the last one is actually part of a code – but is quite detailed, and so worth including here).

Second, while it is helpful to start with a template, one also should base the policy on a COI risk assessment, as discussed in this series of prior posts.

Third, if you are part of a global company you should keep in mind cultural differences that are relevant to COIs as you draft or amend your policy.

Finally, in policy drafting/revising, consider how (if at all) you intend to “check” for COI compliance, such as through a certification regime, auditing, and/or technology-based controls, since with each of these the capacity for checking should inform (although not necessarily dictate) the provisions of the policy.

Fascinating stuff? Certainly not!  But that’s okay, because often in the C&E realm what is most interesting is when things go wrong – and it is the mission of the C&E officer to keep work life happily boring.

C&E risk action plans for mitigating COIs

Risk assessment is, of course, the foundation for effective compliance measures generally – and various prior posts describe what should be included in conflict of interest risk assessment.  One of the keys to mitigating identified conflicts risks is through the appointment of a subject matter expert, as discussed here.

A risk action plan is a tool for  having SMEs identify and help to address C&E risks. In a post earlier this week on the Corporate Compliance Insights web site,  I discuss four practice pointers for success in designing and implementing such plans. While not focused on any one type of risk, I think the approach in the CCI piece could be particularly useful to mitigating COI (as well as other) risks in some organizations, given how diffuse COI risks often are in businesses.

Ethics training – making it real: part two of our interview with Steve Priest

In today’s post we conclude our interview with Steve Priest.  Information about Steve, and Part One of the interview, can be found here.

Should ethics training be a stand-alone offering or is ethics part of broader training (compliance, leadership, etc.)? Jeff, I wish I had 1%–even 1/10 of 1%–of the money companies have wasted on ethics and compliance training in the past 20 years. There is some evidence that training that is risk and role based—and is targeted, short and engaging—can improve employee perceptions of management commitment, and perhaps even decrease the likelihood that they will engage in stupid, unethical or non-compliant behavior. On the other hand, let’s look at the somewhat prominent school in Princeton, your beautiful town. Dan Ariely’s research there found that taking a week long morality course did not affect the rates at which Princeton students cheated in an experiment one week later. What did make a difference? A reminder right before the experiment about the school’s honor code. Short, sweet, targeted, proximate—these were the keys even before the Twitter/Angry Birds generation. So integration makes a lot of sense because we can have much more frequent, relevant touch points.

What works and what doesn’t when it comes to training boards on ethics?  Same question  with senior managers. In the past two months I had the opportunity to train the board of one of the world’s largest energy companies and one of the world’s largest retailers. In the latter case it was the third time they asked me. I think the secret is no secret: board members and senior leaders view themselves as very smart, successful, and ethical. And for the most part they are. Respecting that, and building training that is engaging and relevant to their roles and responsibilities works with senior leaders just like it does with front line employees. Cases and conversation make it real and relevant.

You’ve done ethics & compliance work in close to 50 countries.  Can you describe some of the pitfalls that one can face when training without being sufficiently attuned to the local culture? A number of years ago I was conducting training in Moscow when a person raised his hand and said “You are from Chicago, right?” “Yes.” “Well, I am from Yekaterinburg, and we have hundreds of missiles aimed at you right now.” Usually the defensiveness is not so overt, but it is always in the room.  The biggest danger is the perception of (misplaced) ethical superiority. That is, it is very easy for people to interpret that the reason that an American/Brit/etc. is coming over to conduct ethics/compliance training is because it is believed that the US/Great Britain is ethically superior to whatever country you are in. I address this head on first thing by talking about how I am from Chicago, listing several of the ethical challenges we have faced, and acknowledging that I don’t have all the answers but have become pretty good at thinking about these things. I also try to tap into local ethical heroes or foundations to illustrate that this is not a Western issue—ethics is important in every culture.

Thanks, Steve – wise words.

 

Ethics and compliance should be friends – part one of an interview with Steve Priest

Steve Priest has had a storied career in the field of ethics & compliance.  Over the past two decades he has, among other things, consulted “on the ground” in 48 countries on every continent with over 25% of the Fortune 200, trained more than forty Boards of Directors and senior leadership teams and written numerous codes of conduct.   He has also conducted many E&C program assessments (and it has been my great pleasure to partner with him on a good number of these engagements).  And so, I was delighted that Steve agreed to be interviewed by the COI Blog.

In your twenty years in the field, has there always been a tension between law and ethics and, if so, how has it changed? Jeff, I am not surprised that you ask the hardest question first. In most companies, most of the time, there is little tension. But in some situations fine attorneys trained in zealous advocacy may overweight an effective short term defense strategy and undervalue long term ethics and reputational considerations. Perversely, the high stakes now visible in many compliance areas have heightened this tension.

Is this tension positive, negative or a bit of both? Most of the time the legal thing and the ethical/right thing are the same, so there’s little or no tension. Now the rest of this will betray my ethics bias, but from my perspective when there is a tension it is NOT a good thing, because the short term legal emphasis often prevails over the longer term ethical perspective. Choosing the ostrich approach versus a “look and learn” model has prevented companies from conducting assessments or root cause analyses that could dramatically improve their operations. Defining a disclosure of an event of wrongdoing as “in a gray area” rather than as the legal and right thing to do may provide a short term benefit, at the high risk of breaching trust with regulators.

What are some measures for companies to use each (ethics, compliance) to fortify the other? The primary measure is this: messaging to employees must consistently integrate ethics and compliance. Many employees have a knee jerk negative response to the word compliance. Just look up the definition in the dictionary to understand why. And, especially in highly regulated companies it has become segregated. Ethics, on the other hand, runs the risk of being marginalized as something merely nice to do. Put them both together in all messaging and you can tap into the strong preference employees have for doing the right thing and working for a company that does the right thing.

Do companies do enough to assess ethics – as opposed to traditional compliance – risks? No. Partly because it is squishier. Corruption risk assessment is easy—look at prosecutions, legal developments, Transparency International rankings, industry developments, reliance on third parties, etc. But assessing whether employees believe they can raise difficult issues, or that people are held accountable if they do the wrong thing—these questions can rarely be answered in a meeting room by a few people. And yet these attributes are probably more important in understanding compliance risk than the corruption probability in China. A company culture where employees believe they can raise difficult issues has lower risk of major problems in corruption, competition, money laundering, etc. because employees will raise concerns early and often. Conversely, if employees believe that the way to get ahead is to make your numbers and that living up to the Code is not so important, then risks of corruption are substantially higher. Additionally, employee perceptions of the ethics of business practices can also serve as a canary in a coal mine for future compliance risks. Often employees have a sense that a practice “doesn’t feel right” or “isn’t fair for a customer” well before these practices gain the attention of the media, plaintiffs’ attorneys or prosecutors. So a good risk assessment has to understand cultural attributes, including the ethical dimension.

Steve can be reached at ethical@aol.com.

Part two of the interview will cover various challenges in providing effective ethics training.

Moonlighting – legal violations, ethical breaches and good compliance practices

Just in the past few months:

- A police officer was caught allegedly “moonlighting” as a pimp – and was fired.

- An IRS employee with broad supervisory authority (to decide, among other things, which taxpayers were audited) was found to have set up a private tax advisory business – and was charged with a violation of a federal conflicts of interest law.

- A business organization (which was already tainted by a high-profile COI scandal) was discovered to be allowing some of its salaried managers to “moonlight” as hourly workers for the organization – and was publicly embarrassed.

(Also worth noting – but not, in my view, as clearly wrong as the others: a judge in New Jersey is under fire for moonlighting as a stand-up comic.)

Moonlighting has been around for a long time. (For COI history-minded readers, here’s an interesting example involving a 19th century Chilean general who had a second job — as an agent for an arms contractor that sold to the Chilean military.)   But due to macroeconomic headwinds, relatively pervasive job insecurity and the expansion of telecommuting the practice seems likely to grow in the future (although this is only a guess).

While the cases we read about tend to involve intentional breaches or stunningly bad judgment, moonlighting viewed more generally  can be beneficial, and not only for the moonlighter.  Most obviously, the second employer gets the assistance of an employee that might not otherwise be available to it. Less obviously, the first employer can benefit from the employee’s experience at the second job – although this wouldn’t be a factor in all cases. Still, all involved need to be mindful of relevant C&E issues.

First, if you are employed by a governmental body, know the law, as some violations – such as in the IRS case – are punishable by criminal prosecution. (Here is an overview of relevant federal law  and here is one regarding employment with NY City.)  Similarly, if employed in the private sector, know and follow your company’s moonlighting policy – which is often found in the conflict of interest section of a company code of conduct.

Second, if you are an employer, make sure you in fact have implemented a moonlighting policy – and note that the failure to have one could, in certain circumstances, result in a violation of state “lawful conduct” statutes. (I don’t know about laws outside the US on this issue.)

Such policies typically include conflicts-of-interest provisions – barring/restricting employment:

- with a competitor company or a firm that does (or seeks to do) business with the organization – like a supplier or customer;

- in jobs that might entail use of the organization’s confidential information or commercial relationships; or

- where the work could otherwise adversely affect the organization’s image or interests.

Beyond such conflicts, these policies generally provide that a second job shouldn’t interfere with performance of duties required by the first – e.g., by making an employee too tired for the latter or causing her to use time that should be spent on the latter for the benefit of the former.

Third, these policies should be promoted and enforced. They should be the subject of periodic communications – and not just buried in an employment manual that no one reads.  There should also  be a formal process to help ensure that approvals are documented and justified and, from time to time, the company should check to make sure the policies are actually being followed.

Fourth, whether as a matter of practice or policy, the “second company” (i.e., one that is hiring the moonlighting employee), should enquire of applicants if they have received any necessary permissions from their principal employer. I.e., an ethical organization will want to make sure not only that it is free of conflicts of interest internally but that it is not causing conflicts in others.

Finally, for a post on COI issues potentially arising from service on an outside board click here.

 

Assessing private sector bribery risks

The near universality of bribery is captured in many stories, but my favorite is the joke made by former NY governor Al Smith, who, upon seeing a student reading a book in a law library, supposedly said, “There is a young man studying how to take a bribe and call it a fee.” The appeal of this story for me is based largely upon my being a lawyer, but I imagine every business and profession has its own timeless tales about this ancient form of evil. However, what is relatively new under the sun is the expectation that business organizations no longer treat bribery as an inescapable facet of human nature (let alone a joke) but, rather, attempt to mitigate bribery risks using the same management skills and sense of resolve that they would bring to other business challenges.

With respect to public-sector corruption, this has become reasonably well understood in recent years based on the strict enforcement of the Foreign Corrupt Practices Act.  The UK Anti-Bribery Act has had a somewhat similar effect for private sector bribery.   But, in allocating C&E resources to mitigating corruption risks,  it is important to recognize certain general distinctions between the two.

First, the economic impact of corruption in the former type of cases is likely to be passed on to the public itself, not borne by the victim organization in the transaction.  In other words, more than private sector corruption, the public sector species involves negative externalities, which suggests that economic incentives are less likely to lead organizations in the latter sphere to undertake strong anti-corruption self-protection measures than is true for those in the former.  And that relative degree of defenselessness, in turn, presumably translates into a higher likelihood of corruption (at least with respect to large-scale corrupt acts – the realm of gray-area gifts/entertainment and  other “soft” conflicts of interest is another matter).

Second, and again speaking as a very general matter, public sector corruption is likely to be more impactful than the  private sector kind because it frequently threatens efforts that are necessary for the well-being of society as a whole (e.g., the administration of justice, tax collection, environmental protection, product safety).  Indeed, public sector corruption can help delegitimize the very idea of governmental action, which can have harmful consequences of various kinds. Perhaps in recognition of these relatively unique harms public sector corruption seems to be treated more harshly than is the private sector variety.

On the other hand, the very fact that corruption seems to be more likely and impactful in the public sphere can be lulling with respect to private sector corruption, and mislead companies into concluding that they need to do virtually nothing in regard to the latter.  Therefore, it is important to include private sector corruption in C&E risk assessments, taking into account, among other things, the C&E standards of customers and other private sector organizations with which your company deals,   relevant geographic culture, the organizational culture of the parties in question,  the controls of such organizations and pertinent  industry culture.

Note that these sorts of risk assessments can be challenging because the sources of private sector corruption risk are less well articulated in governmental compliance standards than is true with public sector risks.  Indeed, compared to often surprisingly “well-lit” public sector corruption risks, private sector ones tend to hide in dark corners.  But that makes a strategic approach to risk assessment all the more important. In other words, while for many companies devoting the bulk of one’s anti-corruption efforts to public sector risks makes sense,  it also creates an enhanced obligation of using private sector anti-corruption resources in a thoughtfully targeted way.

Complying with customers’ conflict of interest requirements

A federal indictment handed down this week charged a former CEO of CalPERS (the California Public Employees Retirement System), who had become a consultant to a “placement agent” just one day after leaving CalPERS, with defrauding Apollo Global Management in connection with Apollo’s payment of 14 million dollars in fees to the placement agent for its role in persuading CalPERS to hire Apollo to manage some of its funds. As charged in the indictment, Apollo asked the agent to have a CalPERS official sign a letter saying that they were aware of the placement agent’s role in getting Apollo the business, but CalPERS’ officials – presumably concerned with the conflict of interest involved – refused to do so. So, the former CEO and a colleague at the placement agent allegedly created and presented to Apollo phony letters evidencing such approval.

This is a fairly unusual (as well as tangled) case and apparently leaves open a number of important questions regarding CalPERS and Apollo. But it also raises the broader and more general question which countless companies face on a frequent basis: what should be done to ensure that one’s employees and agents are complying with a customer’s COI standards (a topic we haven’t explored since the early days of the blog)?

There are a number of possibilities here, including the following:

- Mandating that your company’s employees/agents comply with relevant customer standards, i.e., building such an expectation into your code of conduct, other policies and agency agreements.

- Training and otherwise communicating periodically to at-risk employees and agents on such expectations.

- Making an effort to ensure that employees/agents are in fact aware of applicable customer standards, such as by collecting and distributing relevant sections (e.g., on gifts, entertainment and travel) of customer codes of conduct to employees/agents who deal with such parties.

- Including such standards in one’s audit protocols.

- Contacting the customer with respect to specific contemplated actions that could raise COI  issues under the customer’s policies or relevant law.

The last of these measures is, of course, the most delicate – and it is not something that companies tend to do for small-scale matters (e.g., taking a customer’s employee to lunch). However, for potentially weightier COI issues it is often warranted (and, of course, should be done where required by law – as was the case in the CalPERS matter).

Finally, it is worth considering that there are different  types of effort that each of the above compliance measures can entail.  For instance, regarding the delicate but potentially important customer-contact-related measure one can require that:

- Written notice be given to the customer (e.g., the supervisor of an employee of a government agency who one would like to invite on a business trip) –  a one-way written communication.

- The customer confirm in writing its approval of the contemplated action (e.g., what Apollo sought to do here) -  a two-way written communication.

- There be an in-person or telephonic contact with the customer – to avoid the type of fraud that happened in the CalPERS case.

Does your compliance and ethics program have a “constitution”?

The U.S. Constitution is not,  as the poet James Russell Lowell once reminded us, “a machine that would go of itself,” and neither is a compliance and ethics program.  But, having a constitution can help a C&E program stand the test of time.

In the latest issue of Compliance and Ethics Professional I explore how a C&E program charter can serve in this role, and what such a constitution should generally entail.  If you’d like to learn more please click here and go to the second page of the PDF.

Values, culture and effective compliance communications – the role of behavioral ethics

Compliance-related communications constitute a large part of the day-to-day work of many compliance-and-ethics departments.  But is this work being done in the most effective manner reasonably possible?

“Modeling the Message: Communicating Compliance through Organizational Values and Culture” – published last fall by attorney Scott Killingsworth in The Georgetown Journal of Legal Ethics – provides a thoughtful examination of what we can learn about compliance communications from various findings of behavioral science. The article critiques the traditional approach to compliance communications – which focuses on avoidance of personal risks – as being premised on a “rational actor” theory that in recent years has been seriously undermined by the results of behavioral economics/ethics research. In this regard, Killingsworth argues: “Instead of conveying the message that compliance is non-negotiable, [the personal risk versus reward approach] implies that it may be negotiable if the price is right.” An additional source of concern is that this way of communicating may send the implicit message “that management does not trust employees. Potential side effects of this message range from resentment, to an ‘us-versus-them’ attitude towards management, to a reverse-Pygmalion effect in which employees may tend to ‘live down’ to the low expectations that are projected upon them.”

As an alternative, Killingsworth draws upon the behaviorist concept of “framing” to suggest that communications framed in terms of values and ethics are more likely to be effective in reducing wrongdoing than are traditional compliance communications. In that connection, he describes a study showing “that over eighty percent of compliance choices [in the workplace] were motivated by internal perceptions of the legitimacy of the employer’s authority and by a sense of right and wrong, while less than twenty percent were driven by fear of punishment or expectation of reward.” A second benefit to the values-based approach is that it can better serve as “a source of internal guidance in novel situations” than does the traditional alternative.   Third, communications framed from the former perspective may enhance companies’ efforts to promote internal reporting of violations (obviously an important consideration in the Dodd-Frank era),  a contention that he bases on a study which showed that “the reporting of compliance violations encountered dramatically different effects depending on whether the subjects considered a particular infraction morally repugnant or not.”

As well as discussing communications per se, Killingsworth’s piece examines “the messages implicit in key company behaviors, which can either reinforce, undermine, or obliterate explicit compliance messages.”   So, while explicit communications are important, C&E officers must also “reach across functional boundaries to executive management and the human resources group and, if necessary, educate them about the principles of employee engagement and the value of consistent explicit and behavioral messaging that activates the employees’ values and brings out their [employees'] better natures.” The piece concludes with a list of other practical recommendations – concerning, among other things, culture assessments and communications strategies – for making all these good things happen.

Finally, I should emphasize that this posting only scratches the surface of what is in “Modeling the Message: Communicating Compliance through Organizational Values and Culture,” and I strongly encourage both C&E professionals seeking to up their respective companies’ communications efforts and behavioral scientists seeking to learn more about how their work can be put to practical use in compliance programs to read the piece in full.

Facing up to COI Sunshine

By Bill Sacks

On February 1st, 2013, the Centers for Medicare and Medicaid Services (CMS) released the final rules implementing the “Physician Payment Sunshine” provisions of the Affordable Care Act. These provisions, originally introduced as a separate bill by Senators Charles Grassley (R – IA) and Herbert Kohl (D-WI), will require Pharmaceutical and Medical Device companies to track and report all payments or “transfers of value” to physicians and teaching hospitals that exceed $10.00 (or essentially…everything).

The “Sunshine” provisions were designed to increase transparency in industry’s formal and informal relationships with medical providers. Ever since astute observers noticed that physicians could be influenced by financial considerations there has been concern that industry largesse could unduly influence research results, continuing medical education, prescribing, and other practice patterns. The thinking is, to paraphrase Justice Brandeis, “Sunshine is the best disinfectant.”

A public database of industry payments to physicians and teaching hospitals will go online by late 2014. This forthcoming transparency, on top of new COI regulations published by the NIH and Public Health Service that took effect last August, has resulted in significant movement on the part of hospitals and academic medical centers to put in place automated systems to collect and review conflict of interest disclosures and – just as important – to manage the conflicts uncovered through the disclosure process.

Technology to Improve COI Management

Compliance Officers and General Counsels in other industries should take note. Government contractors have obligations to identify and manage conflicts of interest under the Federal Acquisition Regulations (FAR). Many such contractors have tried to manage their COI obligations with paper surveys or simple generic online survey tools. These manual processes often collapse under their own weight, filling file cabinets or Excel spreadsheets with unusable, inaccessible data.

Newer, relational database tools are becoming more popular with organizations that need the ability to provide targeted survey questions to people with different reporting obligations, to direct COI survey responses to designated project managers and reviewers, to conduct detailed analysis on survey responses across projects, to produce customized reporting, and to maintain a database of archived responses.

Organizations seeking or managing federal contracts should periodically evaluate their COI management processes and systems to assess their effectiveness and to determine whether more up-to-date technological solutions could enhance operational efficiency.

(Bill Sacks is Vice President and co-founder of HCCS Inc., which provides online compliance training and workflow tools to organizations subject to federal regulations.  He can be reached at bsacks@hccs.com.)