Conflict of Interest Blog

Who is the client?

My latest column in Compliance & Ethics Professional.

The Marx Brothers and Risk Assessment

From Duck Soup

Rufus T. Firefly : Now, members of the cabinet…

[pounds gavel]

Rufus T. Firefly : we’ll take up old business.

Cabinet Member : I wish to discuss the tariff.

Rufus T. Firefly : Sit down, that’s new business. No old business? Very well…

[pounds gavel]

Rufus T. Firefly : we’ll take up new business.

Cabinet Member : Now, about that tariff…                                                  

Rufus T. Firefly : Too late, that’s old business already. Sit down.

When a company acquires or develops a new business, risk assessment should be front and center in its plans. But that isn’t always how it works, particularly after an acquisition goes through and the acquisition becomes “old business.”

New businesses can be particularly risky for several reasons:

– The new business may operate in ways that are unfamiliar to the acquiring business.

– The key players – employees, suppliers, customers, third parties and others – may also be unfamiliar.

– The acquisition may create undue pressures to perform.

There are many ways to address challenges of this sort.  But a good starting place for many is to deal with the area in risk assessment governance documentation.

Moral hazard – the latest

As described in several earlier posts, “moral hazard” exists where there is a misalignment of incentives between those with a capacity to create risks and those likely to bear the costs of such risk taking. While most Americans presumably are not aware of this somewhat obscure term, the phenomenon itself is pretty obvious (as well as terrifying with respect to COVID-19 vaccination and climate change).

Moral hazard can also pose a significant challenge to promoting compliance and ethics. That is, the law provides for large fines for organizations convicted of federal offenses, but those who bear the brunt of such punishments (mostly the shareholders) are often different than the individuals who benefit from the wrongdoing (usually the executives or other high-ranking personnel).

The history of corporate business crime enforcement is, in part, an effort to close this moral hazard gap.

The latest page in this history was written two weeks ago by Deputy Attorney General Lisa O. Monaco at the Keynote Address at the ABA’s 36th National Institute on White Collar Crime:

“To hold individuals accountable, prosecutors first need to know the cast of characters involved in any misconduct. To that end, today I am directing the department to restore prior guidance making clear that to be eligible for any cooperation credit, companies must provide the department with all non-privileged information about individuals involved in or responsible for the misconduct at issue. To be clear, a company must identify all individuals involved in the misconduct, regardless of their position, status or seniority.”

Note that this is not a new policy but is, as Monaco says, a restoration of a prior one. Still, given the career-related incentives prosecutors have in case selection, it seems likely to me that her announcement will be seen as an encouragement to bring more cases against senior personnel than is currently done.

This is a small step toward closing the moral hazard gap, but is worth mentioning in C&E training and other communications as a way of getting the attention of senior personnel.

Redefining compliance recidivism

Last week Deputy Attorney General Lisa O. Monaco announced in the Keynote Address at the ABA’s 36th National Institute on White Collar Crime:

“that all prior misconduct needs to be evaluated when it comes to decisions about the proper resolution with a company, whether or not that misconduct is similar to the conduct at issue in a particular investigation. That record of misconduct speaks directly to a company’s overall commitment to compliance programs and the appropriate culture to disincentivize criminal activity.

To that end, today I am issuing new guidance to prosecutors regarding what historical misconduct needs to be evaluated when considering corporate resolutions. This will include an amendment to the Department’s “Principles of Federal Prosecution of Business Organizations.” Going forward, prosecutors will be directed to consider the full criminal, civil and regulatory record of any company when deciding what resolution is appropriate for a company that is the subject or target of a criminal investigation.

Going forward, prosecutors can and should consider the full range of prior misconduct, not just a narrower subset of similar misconduct — for instance, only the past FCPA investigations in an FCPA case, or only the tax offenses in a Tax Division matter. A prosecutor in the FCPA unit needs to take a department-wide view of misconduct: Has this company run afoul of the Tax Division, the Environment and Natural Resources Division, the money laundering sections, the U.S. Attorney’s Offices, and so on? He or she also needs to weigh what has happened outside the department — whether this company was prosecuted by another country or state, or whether this company has a history of running afoul of regulators. Some prior instances of misconduct may ultimately prove to have less significance, but prosecutors need to start by assuming all prior misconduct is potentially relevant.

Taking the broader view of companies’ historical misconduct will harmonize the way we treat corporate and individual criminal histories, as well as ensure that we do not unnecessarily look past important history in evaluating the proper form of resolution.”

What does this mean for compliance officers?

Perhaps most importantly, companies need to review the breadth of their respective risk assessments. (Indeed, the new policy can be seen as creating a risk impact multiplier, meaning that a prior offense is, as a general matter, more likely now than before to adversely impact a company in an investigation/prosecution.) The same is true regarding culture and program assessments. All of these should be constructed/revised with the new standard of recidivism in mind, which for many companies will be more encompassing than what they currently deploy.

As well, the company’s C&E processes regarding remedial measures following discovery of wrongdoing should be robust and well documented. Even before Monaco’s announcement this was an area of weakness for many companies and all should take this opportunity to consider whether they need to make improvements.

Finally, and particularly for large, widely dispersed organizations, this new approach to recidivism underscores the need to have effective C&E management and governance throughout the enterprise. Among other things, directors should be informed of this important development.

Happy anniversary, Corporate Sentencing Guidelines

Monday, November 1 is the 30th anniversary of the Federal Sentencing Guidelines for Organizations, the set of legal standards that, more than any other, gave rise to the compliance & ethics field.

In his 2008 book Experiments in Ethics, Anthony Appiah made a strong and important case that behavioral science ideas and information should be used to address ethical challenges. But for me the most compelling ethics-related experiment of modern times comes from the realm of political – rather than behavioral – science: the experiment that began in 1991 with the advent of the Federal Sentencing Guidelines for Organizations and which continues to this day.

Although we have become accustomed to living in an “Age of Compliance,” the Guidelines were initially considered “developmental,” as the then Chair of the Sentencing Commission put it. The notion of government providing businesses with incentives for C&E programs and direction on how to make such programs effective was largely new and untested at the time. Of interesting historical note to behavioral ethics aficionados: before the Sentencing Commission chose its current C&E-program-based approach to preventing corporate crime it considered applying an “Optimal Penalties” strategy.  The Commission’s ultimate rejection of that approach – which was premised on a hyper-rational (“Chicago School”) view of how business crime occurs – in favor of one that promotes strong C&E programs can be seen as an early (albeit presumably intuitive) official endorsement of the behavioral science based view of human nature.

Thirty years later, it is fair to ask: has the Guidelines experiment been a success?

It would be hard to prove or disprove success using traditional tools of measurement, since the Guidelines are, of course, a policy interacting with a wide range of real-world factors in an uncontrolled way, not a true self-contained experiment. But if the results were not positive to a significant degree then it is hard to imagine that other governmental bodies – in the U.S. and increasingly around the world  – would have followed suit to the significant degree that they have. While “success breeds imitation” is not an iron-clad rule, it is a pretty good description of what happens much of the time including, I think, in this instance.

Another way to think about success here is to imagine a “counterfactual” world where C&E wasn’t as important as it has become under the Guidelines approach. Would we be better off with little or no sexual harassment training or protection of whistleblowers in corporations? Would we want to work for or do business with a company that made little or no effort to prevent its employees and agents from engaging in corruption, bid rigging or fraud? Indeed, one doesn’t have to strain one’s imagination to picture these counterfactual possibilities: they are the way things used to be before the Guidelines, at least in many companies.

Looking forward, while a compliance-based strategy to business crime prevention no longer faces a serious threat from the Optimal Penalties view of the world, one does hear occasional critiques of the C&E approach from a behavioral science perspective (which is somewhat ironic, given the above-described history). The argument goes that C&E programs – by treating employees with suspicion, and thereby making employees resentful – can actually spawn wrongdoing.

As described in an earlier post, this does not ring true to me, at least not insofar as it concerns serious offenses. Although there is no question that some companies engage in overkill with aspects of their C&E programs, employees should not (and I think do not) feel resentful that their employers try to help keep them safe from the risk of being sent to prison and having their careers destroyed. And even if there is some resentment, that is presumably a small price to pay for preventing serious harm to company, employees and others.

Finally, I am very aware that my musings are themselves not scientific, and hope that in the next 30 years scholars and practitioners will find ways of assessing the efficacy of the many different strategies and tools for having C&E programs. There is lots of room for improvement in this area – and experimentation. At least to me, that’s much of what makes the field exciting to be part of.

But as to the basic notion of C&E  itself – I think that’s here to stay, not so much as a matter of proof but of logic. On this point I give the last word to Joe Murphy – the visionary lawyer who (together with Jay Sigler of Rutgers) first wrote about what was ultimately to become the Guidelines approach: “For those who ask ‘does compliance work,’ my response is to ask them, ‘does management work?’ One question makes as much sense as the other. C&E is a management commitment to do the right thing and management steps to make that happen. If you do not use management steps to do something in an organization, how on earth do you do so?”

 

The oldest conflict

Many years ago a client being vetted for a high-ranking post asked me if a question about prior ethical violations required him to disclose a long since concluded extramarital affair. I replied that this seemed beyond the scope of the question, and I would give the same answer if asked today. But a recent paper suggests a different way of looking at this area.

In “Personal infidelity and professional conduct in 4 settings”,  John M. Griffin and Samuel Kruger, both of the McCombs School of Business, University of Texas at Austin, and Gonzalo Maturana of the Goizueta Business School, Emory University: “study the connection between personal and professional behavior by introducing usage of a marital infidelity website as a measure of personal conduct. Police officers and financial advisors who use the infidelity website are significantly more likely to engage in professional misconduct. Results are similar for US Securities and Exchange Commission (SEC) defendants accused of white-collar crimes, and companies with chief executive officers (CEOs) or chief financial officers (CFOs) who use the website are more than twice as likely to engage in corporate misconduct. The relation is not explained by a wide range of regional, firm, executive and cultural variables. These findings suggest that personal and workplace behavior are closely related.”

The ramifications of these findings indeed  seem significant. Included is the negative implication for behavioral ethics: “our findings suggest that personal and professional lives are connected and cut against the common view that ethics are predominantly situational. This supports the classical view that virtues such as honesty and integrity influence a person’s thoughts and actions across diverse contexts and has potentially important implications for corporate recruiting and codes of conduct. A possible implication of our findings is that the recent focus on eliminating sexual misconduct in the workplace may have the auxiliary effect of reducing fraudulent workplace activity.”

For more on the connection between personal and professional ethics see this prior post.

Conflict of interest expertise

Here is my latest column for Compliance & Ethics Professional.

I hope you find it interesting.

Conflicts of interest: getting it wrong

In the nearly ten years that I have published this blog I have noted various studies and other sources of insight into the issue of whether individuals and organizations truly understand the negative impact flowing from disclosed COIs. See posts collected here. (The latest contribution to this area is Bias in expert product reviews by Ben Vollaard of Tilburg University and Jan C. Van Ours of Erasmus University Rotterdam, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3847682: “Our findings suggest that reviewers’ ad hoc relationships with producers, often dismissed as ‘coming with the job’, can be very harmful.”)

C&E professionals need to be aware of this body of knowledge, at least in a general way, as it can help enhance compliance efforts, including those involved in risk assessment and training. This is particularly so at a high level in a company.

Finally, consider using the recent story in compliance communications within your company: “131 federal judges failed to recuse themselves from cases in which they had financial interest.” If dealing with COIs is difficult for judges, that underscores the need for others to make an extra effort to make sure they are doing so in compliance with applicable law and ethical standards.

 

Making the most of your risk assessment (part 2)

Here is a just-published post on risk assessment from the FCPA Blog.

I hope you find it useful.

 

Combining COI program and risk assessments

COI risk assessments and program assessments are two different things. But they can overlap to some degree and so it makes sense to consider how/how much they should fit under “one roof.” This is particularly so when both procedures are based principally on employee interviews, with some danger of duplication.

Beyond this, any risk assessment needs to consider the efficacy of mitigation (i.e., a program assessment component) and any program assessment needs to take into account various risk factors. So, in determining how/how much the two processes can be combined, it makes sense to start with an analysis of a company’s need for specific information regarding each.

Risk assessments

Conflicts of interest have long been seen as an area of significant risk. But that does not always translate into the conduct of meaningful risk assessments.

Part of the reason for this disconnect is a widespread belief that COI risks are already well known. Certainly every C&E professional knows that the major types of COI for most business organizations involve employees a) having financial ties to competitors and third parties that do or seek to do business with the organization, and b) hiring family and friends into the organization. Similarly, the basics of the other two major COI categories – organizational and gatekeeper COIs – are generally understood by C&E professionals working in fields where risks of such conflicts are significant.

But understanding the general risks regarding COI may not be enough to generate the type of information that an effective risk assessment process requires, which is information that will help design or modify all the risk-sensitive elements of a program to mitigate COIs. These are policies, training and other communications, auditing and accountability. (Note the other main program elements – e.g., helplines, investigations, incentives, discipline – are obviously important too, but tend not to vary by risk area.)

Each assessment will vary in substance. But here are some areas of inquiry that may be useful to companies just starting out.

– Any relevant COI history at the organization – violations, near misses and inquiries.

– Any relevant COI history at competitors or otherwise comparable organizations, to the extent known.

– Same inquiry regarding customers, suppliers and other third parties with which one does business.

– COI standards that are not fully understood or appreciated.

– Weakness in “inner controls” (where – due to factors described in behavioral ethics research – moral constraints against wrongdoing are of diminished efficacy).

– Instances or prospects of prosocial COIs (“right v. right” risks).

– Industry-related risks.

– Cultural-related factors.

– Efficacy of process controls (particularly around COI disclosure/approval regimes). This is an area where the overlap between the two types of assessment is particularly strong.

Note that in some instances the inquiry can be done on an enterprise-wide basis but for others it should be granular (e.g., region, business line, function) too.

Program assessments

C&E program assessments sometimes have a general scope and sometimes are focused on a single substantive risk area – such as corruption or competition law. (Still others have elements of both approaches, i.e., general assessments and deep dives.)

For some companies it makes sense to do such a targeted/deep dive assessment for conflicts of interests. This is particularly so for those responding to a significant COI violation or “near miss,” but it is also the case where the likelihood of COI risks is heightened due to geographic, organizational or industry cultural considerations.

More generally, what does one look for in a COI program assessment? Hopefully, the following questions/comments could be helpful to some organizations seeking to determine whether/how to go down this road – and if so, how far.

– Risk Assessment. Has the company assessed COI risk? If so, has it done so in a documented way? Has it used the results of the assessment(s) in designing and implementing other aspects of the COI program? Beyond this, does the company have a good sense of its areas of jeopardy from what might be called “the risk assessment of everyday life”?

– Governance. Have the respective COI oversight roles of the board of directors and senior management been formalized? Do they receive appropriate reports of COI program activity? Are there sufficient escalation provisions regarding COIs?

– Culture. Are COI rules truly followed or are there double standards? What is the sense of “organizational justice” vis a vis COIs? Same question re: the “tone at the top.” Do employees – particularly senior ones – understand the harm that COIs could cause the company?

– Policies. Presumably nearly every business organization has a COI provision in its code of conduct. But there are also many that need but do not have a standalone policy as well. Is your company in this category? Also, is your COI policy well known and readily accessible? Is it reviewed periodically by the C&E officer?

– Procedures. Are disclosure and related COI procedures clear, easy to use and well known? Do those tasked with reviewing COIs have enough knowledge and independence for the job? Are the reviews sufficiently documented?

– Training/other communication. Is there enough training given relevant COI risks (which tend to be high for senior managers/board members and in certain functions, like procurement)? Is training reinforced through other communications, particularly from senior managers? Does the training/other communication use the learning from “actual cases”?

– Auditing and monitoring. Are the COI disclosure practice and other aspects of the program audited? Same question for monitoring (e.g., conditionally approved COIs).

– Responding to allegations/requests for guidance. Do employees feel comfortable seeking guidance on possible COIs? Are investigations truly independent? Are violations of the COI policy treated with sufficient seriousness? Does the company conduct a “lessons learned” analysis of significant COI failures?

Of course, there is much more that could be included in a COI program assessment (and I encourage you to browse the blog for ideas in this regard). But hopefully the above will be a useful foundation for starting.

The same point should be made with respect to risk assessments – what I have provided above is a starter list – not the last word.