The full promise of compliance programs

My most recent column in Compliance & Ethics Professional

A terrific alliance in the C&E space

Yesterday Kaplan & Walker LLP sent out this notice to friends and colleagues:

Happy New Year!

We are writing to let you know some very exciting news. Our friend and fellow compliance lawyer Amii Barnard-Bahn is joining Kaplan & Walker LLP as a new partner!

Amii is an extremely capable and well-respected compliance lawyer. She has been practicing in the field of compliance law since 2004 and brings a wealth of experience to the firm as an attorney, certified executive coach, and former Fortune 5 Chief Compliance Officer.

We are confident that Amii’s background will add an exciting new dimension to the Firm’s expertise. We will also be adding an office in Sacramento, California.  Amii can be reached at abarnardbahn@kaplanwalker.com. The press release announcing the addition of Amii to the firm is here.

To stay in touch with us, sign up to get updates on compliance law and business ethics delivered right to your inbox. We aim to send something out monthly, but you may hear more from us when things heat up in the C&E world.

Waiving conflicts of interest: whether, when, how

A well-trod hypothetical case.

The head of a company’s regional office is putting on a reception for its customers. She believes that the best vendor (in terms of price and quality) is a caterer owned by her brother. Would it be a conflict of interest (“COI”) to give him the business?

Two approaches to COIs

Certain areas of law and ethics lend themselves to a black-and-white enforcement approach. There are many of these areas – e.g., fraud, corruption and antitrust laws. But conflict of interest (“COI”) is generally not one of them.

That is, while some organizations bar COIs in all instances, many others opt for allowing COIs to exist where appropriate.

What do we mean by appropriate?

A company should consider requiring that a COI waiver (whether it is called waiver or something else) be allowed only where doing so would clearly be in the best interest of the company.

The use of “clearly” is intended to require a showing greater than a mere preponderance of the relevant facts. Of course, it is not as high a standard as “beyond a reasonable doubt,” which, in my view, would be widely seen as overkill in this setting.

But it is still a high standard and presumably would require rejection of any proposed COI where there was a lack of genuine clarity on this issue.  Indeed, given that COI problems often involve lack of clarity, the use of the word “clearly” in a COI policy should itself be helpful.

Whose best interest?

The mandate concerning “best interest of the company” should be read broadly. It requires more than an absence of corruption or other outright misconduct.

Rather, it also specifies consideration of how the COI at issue could impact the ethical culture of the company. That is, the process should assess how employees would likely be affected if the vendor were hired. The same is true of the impact on the vendor’s competitors.

Procedural component

Finally, there is the procedural component.

In brief, this requires that those deciding whether to allow a COI are not themselves conflicted. (This means you, regional officer.)

This is a complex topic that will be the subject for another post.

The company should also audit and monitor COI compliance.






Conflict of interest program assessments

Compliance program assessments come in all shapes and sizes. For some – but not all – organizations it may make considerable sense to conduct a general program assessment. For others, targeted deep dive/program assessments may be more appropriate – particularly in the area of conflict of interest (“COI”).

What does one look for in a COI program assessment? Hopefully, the following questions/comments could be helpful to some organizations seeking to determine whether/how to go down this road – and if so, how far.

– Risk Assessment. Has the company assessed COI risk? If so, has it done this in a documented way? Has it used the results of the assessment(s) in designing and implementing other aspects of the COI program? Beyond this, does the company have a good sense of its areas of jeopardy from what might be called “the risk assessment of everyday life”?

– Governance. Have the respective COI oversight roles of the board of directors and senior management been formalized? Do they receive appropriate reports of COI program activity? Are there sufficient escalation provisions regarding COIs? Is there sufficient compliance for projects?

– Culture. Are COI rules truly followed or are there double standards? What is the sense of “organizational justice” vis a vis COIs? Same question re: the “tone at the top.” Do employees – particularly senior ones – understand the harm that COIs could cause the company?

– Policies. Presumably nearly every business organization has a COI provision in its code of conduct. But there are also many that need but do not have a standalone policy as well. Is your company in this category? Also, is your COI policy well known and readily accessible? Is it reviewed periodically by the C&E officer?

– Procedures. Are disclosure and related COI procedures clear, easy to use and well known? Do those tasked with reviewing COIs have enough knowledge and independence for the job? Are the reviews sufficiently documented?

– Training/other communication. Is there enough training given relevant COI risks (which tend to be high for senior managers/board members and in certain functions, like procurement)? Is training reinforced through other communications, particularly from senior managers?  Does the training/other communication use the learning from “actual cases”?

– Auditing and monitoring. Are the COI disclosure practice and other aspects of the program audited? Same question for monitoring (e.g., conditionally approved COIs).

– Responding to allegations/request for guidance. Do employees feel comfortable seeking guidance on possible COIs? Are investigations truly independent? Are violations of the COI policy treated with sufficient seriousness? Does the company conduct a “lessons learned” analysis of significant COI failures?

Of course, there is much more that could be included in a COI program assessment (and I encourage you to browse the blog for ideas in this regard). But hopefully the above will be a useful foundation for starting.


Compliance Incentives, Risk Assessment and Moral Hazard


“Moral hazard” exists where there is a misalignment of incentives between those with a capacity to create risks and those likely to bear the costs of such risks. This is a broad concept and should not be limited to compliance and ethics (C&E). But C&E professionals need to understand moral hazard and deal with it using the tools of their trade.

More specifically, moral hazard presents significant specific challenges to promoting C&E. That is, the law (most notably US Justice Department policy) provides for large fines for organizations convicted of federal offenses, but also provides that those who bear the brunt of such punishment (mostly the shareholders) are often different from the individuals who benefit from the wrongdoing in question (usually the executives or other high-ranking personnel).

Substantively this is not generally an area of great legal exposure for companies. But it can lead to significant business exposure of various kinds.

What does this mean for C&E professionals?

First and foremost, risk assessment should include financial incentives of the sort (e.g., salary, bonus, etc.) likely to be reviewed by Justice.

Second, the risk assessment should include non-financial moral hazard incentives. This includes reputational benefits. This is obviously tricky but keenly important, at least at some companies.

Third, key personnel should be trained on identifying and addressing moral hazard. Included here are HR, finance, risk, and various members of management. This can be done as part of broader training.

Fourth, audit and C&E should develop procedures for assessing compliance in this area. Included here are questions in culture surveys.

Fifth, to the extent possible, personnel evaluation should consider moral hazard risk. But for some companies this might be a bridge too far.

Indeed, generally I am not saying that all organizations need to engage in a full-fledged version of each of these steps. That would indeed be overkill for many.

But all organizations should at least consider generally what their moral hazard needs are and should respond appropriately.

2023 behavioral ethics and compliance index

While in the more than ten years of its existence the COI Blog has been devoted primarily to examining conflicts of interest, it has also run quite a few posts on what behavioral ethics might mean for corporate compliance and ethics programs. Below is an updated version of a topical index to these latter posts. Note that a) to keep this list to a reasonable length I’ve put each post under only one topic, but many in fact relate to multiple topics (particularly the risk assessment and communication ones); and b) there is some overlap between various of the posts.

INTRODUCTION

– Business ethics research for your whole company (with Jon Haidt)

– Overview of the need for behavioral ethics and compliance

– Behavioral ethics and compliance: strong and specific medicine

– Behavioral C&E and its limits

– Another piece on limits

– Behavioral compliance: the will and the way

– Behavioral ethics: back to school edition

– A valuable behavioral ethics and compliance resource

– Strengthening your C&E program through behavioral ethics

–  Ethics made easy

– Have you checked your behavioral externalities?

– A behavioral ethics and compliance primer

– Happy anniversary, Corporate Sentencing Guidelines.



Risk assessment

–  Being rushed as a risk

–  Too big for ethical failure?

– “Inner controls”

– Is the Road to Risk Paved with Good Intentions?

– Slippery slopes

– Senior managers

– Long-term relationships

– How does your compliance and ethics program deal with “conformity bias”? 

– Money and morals: Can behavioral ethics help “Mister Green” behave himself? 

– Risk assessment and “morality science”

– Advanced tone at the top

– Sweating the small stuff

– The risk of good intentions

– Mitigating Project Risks – The Under-Discovered Country





Communications and training

– “Point of risk” compliance

–  Publishing annual C&E reports

– Behavioral ethics and just-in-time communications

– Values, culture and effective compliance communications

– Behavioral ethics teaching and training

– Moral intuitionism and ethics training

– Reverse behavioral ethics

– The shockingly low price of virtue

– Imagine the real

– Behavioral ethics training for managers


Assessments and audits

– Behavioral ethics program assessments

– http://conflictofinterestblog.com/2022/02/auditing-the-auditors.html


Positioning the C&E office

– What can be done about “framing” risks

– Compliance & ethics officers in the realm of bias

– Behavioral ethics, the board and C&E officers

– Lawyers as compliance officers: a behavioral ethics perspective



– Behavioral Ethics and Management Accountability for Compliance and Ethics Failures

– Redrawing corporate fault lines using behavioral ethics

– The “inner voice” telling us that someone may be watching

–  The Wells Fargo case and behavioral ethics



–  http://conflictofinterestblog.com/2022/02/

– Include me out: whistle-blowing and the larger loyalty

– Behavioral Ethics and Whistleblowing


Incentives/personnel measures

– http://conflictofinterestblog.com/2022/12/hiring-ethical-employees.html

– http://conflictofinterestblog.com/2022/11/ethics-slobs-the-opposite-of-ethics-champions.html


Board oversight of compliance

– Behavioral ethics and C-Suite behavior

– Behavioral ethics and compliance: what the board of directors should ask


Corporate culture

– Is Wall Street a bad ethical neighborhood?

– Too close to the line: a convergence of culture, law and behavioral ethics

–  Ethical culture and ethical instincts


Values-based approach to C&E

– A core value for our behavioral age

– Values, structural compliance, behavioral ethics …and Dilbert


Responding to violations

– Exemplary ethical recoveries



Conflicts of interest/corruption

– Does disclosure really mitigate conflicts of interest?

– Disclosure and COIs (Part Two)

– Other people’s COI standards

– Gifts, entertainment and “soft-core” corruption

– The science of disclosure gets more interesting – and useful for C&E programs

– Gamblers, strippers, loss aversion and conflicts of interest

– COIs and “magical thinking”

– Inherent conflicts of interest

– Inherent anti-conflicts of interest

– Conflict of interest? Who decides?

– Specialty bias

– Disclosure’s two-edged sword

– Nonmonetary conflicts of interest

– Charitable contributions and behavioral ethics

– More on conflicts of interest disclosure


Insider trading

– Insider trading, behavioral ethics and effective “inner controls” 

– Insider trading, private corruption and behavioral ethics


Legal ethics

– Using behavioral ethics to reduce legal ethics risks












– New proof that good ethics is good business

– How ethically confident should we be?

– An ethical duty of open-mindedness?

– How many ways can behavioral ethics improve compliance?

– Meet “Homo Duplex” – a new ethics super-hero?

– Behavioral ethics and reality-based law

– Was the Grand Inquisitor right (about compliance)?

– Is ethics being short-changed by compliance?


Mitigating Project Risks – The Under-Discovered Country

Not all organizations have significant project-based compliance and ethics risks. But not all organizations that do have such risks have implemented sufficient mitigation measures in this regard.

The place to start is with a risk assessment, by which I mean:

– An overall assessment of projects, i.e., what are the risks generally of the types of projects a company faces,

– An individual assessment of projects that might differ in a material way from what is indicated by the general risk assessment.

Culture should play a significant role in project risk assessments.  Among other things the project staff may have a different time horizon than does the general employee population.  Such a time horizon might also warrant particular attention being paid to the area of compliance incentives.

A project presumably would not have its own code of conduct. But – depending on the results of the risk assessment – it might create a policy for areas of complexity or great consequence.

Training and other communications should also be considered for projects.  In particular, role-based and just-in-time training – both hallmarks of “behavioral ethics” – could be warranted.

So should auditing and monitoring.  These mitigation measures may be especially useful in light of the result of risk assessment.

Finally, while projects typically do not have their own compliance officers, some assignment of responsibilities may be warranted depending on the organization’s risk.

Hiring ethical employees

In A Behavioural Economics Perspective on Compliance (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3929624), Sheheryar Banuri (of the University of East Anglia) “reviews the behavioural economics perspective on compliance with rules (broadly) and with whistle-blowing and antitrust compliance (more specifically) culminating in a series of recommendations for organizations seeking to improve employee compliance and detection of potential infringements of the law.” The author focuses on: “four main points: First, is the importance of voluntary compliance (as opposed to enforced compliance). This is important because it carries a broader set of actions than enforced compliance (which typically pertains to behaviour that is observable). Highlighting non-pecuniary rewards, such as benefits to society, reputational gains, and career impacts, are critical. Second, is the importance of perceptions and beliefs. Focusing on whistle-blower protections and correcting beliefs regarding the risks (and potential losses) associated with reporting are critical. Third, beliefs are typically the result of social norms: shared expectations of behaviour. Collecting information on norms and correcting misperceptions is an important way to increase compliance. Fourth, selecting the right workers. Selecting workers with strong preferences for compliance (those that are more pro-socially motivated) allows for increases in compliance without the need of strong monetary incentives.”

An issue that “remains largely unaddressed in the literature on compliance, is the role of selection.”

More can be done regarding this area.

In an earlier post I noted that companies should create or enhance ethics questions for employment interviews.

In some companies hiring interviews include a C&E component. A typical question of this sort is to ask the interviewee to describe a C&E challenge that she faced and how she addressed it. Of course, in doing this the questioner should make it clear that she is not asking for confidential information about any other company. Another approach is to present the interviewee with a hypothetical ethics quandary and to ask how she would deal with it.

This practice has several benefits:

– It helps the employer determine whether ethics is a strength or weakness for the candidate, which could impact the decision of whether to hire her.

– It sends a message to employment candidates that C&E is important to the company, which hopefully they will remember if they get the job.

– It sends a message within the company generally – and particularly to those who conduct interviews – that C&E is important to the company.

In my view this is a good practice. I also believe it should be a two-way street, meaning employees should also ask questions of their prospective employers.

This might be a question about the C&E program generally: Is it strong?  Is the tone at the top healthy?  Or, how does the workforce generally view C&E?

Another approach is to ask about risks of misconduct in the company’s industry. Even where a company seems ethical, one might want to do extra due diligence if the company’s competitors as well as others with whom they deal (customers, suppliers and others) are routinely engaging in corrupt dealings. Also, note that the questions – whether posed by the candidate or employer – should vary by position, at least for higher-ups. Certainly this would be true with interviews of board members, and maybe others near “the top.” There are many other topics the candidates might ask about, but one should not be seen as conducting an investigation. A balance should be struck.

Behavioral ethics: expanding notions of risk

In Behavioral Ethics Perspective on the Theory of Criminal Law & Punishment (https://ssrn.com/abstract=4222232), Hadar Dancig Rosenberg and Yuval Feldman of Bar-Ilan University identify ways in which behavioral ethics ideas and information can inform an understanding of risk. While addressed to the realm of criminal law, they are applicable to the design and management of compliance and ethics (“C&E”) programs too.

First, they pose the question of “whether misconduct that is easier to self-justify should be punished more harshly than unjustifiable misconduct.  Intuitively, from a retributive perspective criminal law scholars and laypersons might believe that the more serious and harder to justify the wrongdoing is, the harsher the punishment should be. Yet, from the perspective of deterrence, which focuses on the likelihood of a greater proportion of the population engaging in such wrongdoings prior to legal intervention, behavioral ethics mechanisms might support the opposite conclusion. The behavioral ethics approach may suggest that actions with greater normative ambiguity, which are therefore easier for more people to self-justify, should warrant harsher punishment.”

A second set of questions they suggest concerns motivations for the wrongdoing at issue, with “conventional criminal law theory suggest that punishment might be mitigated and reduced in cases where the motive for committing the crime is an altruistic one. By contrast, the view of behavioral ethics research, which focuses on the mechanisms through which people can misperceive the morality of their own behavior, suggests that ‘good people’ might find it easier to cheat and be dishonest when the consequences of their wrongdoing is shared with others or reduced.” This – like other aspects of behavioral research – argues in favor of stricter punishment in cases of virtuous motivations, the opposite of received wisdom.

Third, they discuss how “we should treat negligent parties who inadvertently takes unreasonable risks.” They note “the potential relevancy of behavioral ethics to the normative controversy over … justifications for criminalizing the negligent.” More on negligence and behavioral ethics can be found here: http://conflictofinterestblog.com/2022/06/the-full-promise-of-compliance-and-ethics-programs.html

A fourth example concerns the contagiousness potential of a certain act as a justification for harsher punishment: “People whose behavior is on the borderline between criminal and non-criminal are more likely to blur or cross this line, thereby expanding the acceptability and permissibility of acts which otherwise were more clearly perceived to be criminal. This, then, encourages others to follow suit. The unique danger of such misconduct derives from its potential to cause others to engage in activities that would otherwise be perceived as anti-social.”

The last context they discuss “involves the recognition that behavioral ethics highlights the strong effect of the circumstances of organizational settings on the likelihood of individuals committing wrongdoing. Understanding the magnitude of this effect might justify imposing criminal liability on organizations for using out-come oriented incentives as part of their pay structure.” There is lots to be said about this last point – particularly concerning recent compliance program guidance from the US Department of Justice.


Ethics Slobs: the opposite of “ethics champions”

In a recent post I noted that “the various investigations into President Trump and members of his administration and others have focused attention on an age-old debate whether careless wrongdoing is as reprehensible as is the intentional sort.”

The answer is, I believe, yes.

I further noted that “I do not have quantitative data on this issue but do have the wise observation of Samuel Johnson who once said: ‘It is more from carelessness about truth than from intentionally lying that there is so much falsehood in the world.’”

Further, as the economy becomes more complex the need to fully address negligence risks will likely become even greater.  There will, I think, be more things to get wrong, and thus more of a need to make things right.

Some companies do a good job in educating managers on the need for carefulness on C&E matters, but many others could and should do more.  The same is true of governmental bodies.

What else can be said about dealing with “ethics slobs”?

First, the suggestion here is not to be taken too literally. A company should not, as a general matter, formally designate its employees as “ethics slobs” (unless they are being terminated). But by using a more dignified approach to calling out this issue, one can achieve a similar result.

Second, C&E personnel should keep track of “carelessness cases” that arise at the company. This could include violations of law or applicable policy that led to harmful activity even though there was no intentionally wrongful conduct.

Third, based on this inventory of “carelessness cases” one should address this area in company-wide training, other (e.g., targeted) training and other communications.

Fourth, company compensation schemes should be reviewed for carelessness risk. Indeed, the importance of incentives has been recently reinforced by Justice Department memoranda on C&E programs.

Finally, the pitfalls of being an ethics slob should be addressed in auditing, monitoring and risk assessment. Here – and elsewhere – what is measured is what counts.