The late Leona Helmsley, a controversial real estate developer, is reported to have said that “only the little people pay taxes.” One might ask if the US Supreme Court has a similar view of ethics.
Reports in ProPublica this year detailed a pattern of behavior by Supreme Court justices that legal ethics experts said was far outside the norms of conduct for other federal judges. “ProPublica disclosed that Justice Clarence Thomas has accepted undisclosed luxury travel from Dallas billionaire Harlan Crow and a coterie of other ultrawealthy men for decades. Crow purchased Thomas’ mother’s home and paid private school tuition for a relative Thomas was raising as his son. Thomas also spoke at donor events for the Koch network, the powerful conservative activist group. Separately, ProPublica revealed that Justice Samuel Alito accepted a private jet trip to Alaska from a hedge fund billionaire and did not recuse himself when that billionaire later had a case before the court…Reporting from other outlets, including The Washington Post and The Associated Press, has added to the picture. The New York Times revealed that Thomas received a loan from a wealthy friend to purchase an expensive RV. A Senate investigation later found Thomas did not repay the loan in full.”
These and other disclosures led to considerable pressure to strengthen the Code of Conduct applicable to the members of the Court. Earlier this month the Court issued a code which sought to bridge what might be considered the ethics gap.
But did it do that?
As further noted in ProPublica: “The code does not specify who, if anyone, could determine whether the rules had been violated. The new Supreme Court code’s lack of any apparent enforcement process is ‘the elephant in the room,’ said Stephen Vladeck, a law professor at the University of Texas who studies the court.” “Even the most stringent and aggressive ethics rules don’t mean all that much if there’s no mechanism for enforcing them.”
This is different from the enforcement system applied to lower court judges “who are subject to oversight by panels of other judges, who review allegations of misconduct.”
Basic legal and ethics standards tend – as a general matter – to support the notion that powerful individuals and organizations should be the subject of more oversight than “the little people” – not less.
The approach taken by the Supreme Court weakens such standards and promotes wrongdoing – not only conflict-of-interest related misconduct but also a host of other sorts. In my view it is very important that such standards be enhanced to be worthy of the “big people” to whom they apply.
Investigations are one of the more difficult and riskier activities of a C&E program. Poorly conducted investigations can create serious legal risks for an organization. In addition, the mishandling of investigations can damage the way in which employees perceive C&E programs, in particular where the report was initially made to the C&E department, through a hotline or otherwise. The mishandling of C&E investigations can corrode the sense of organizational justice and the culture of ethics and compliance at an organization. In short, C&E-related investigations are a serious business, and assessing them is therefore an important component of assessing a C&E program.
Assessing an investigations process is often complicated by the fact that investigations at many organizations are conducted by a number of functions, and privilege concerns can further complicate any review. In addition, there are a large number of facets of the investigations process that must be reviewed in order to assess that process comprehensively, which further increases the level of complexity. When reviewing investigations procedures, some of the more helpful areas of inquiry include the following:
Are there written guidelines governing how investigations will be assigned? Are they logical and appropriate? Are they followed in practice?
Is there a written investigations protocol, and does it include those elements that are necessary to facilitate robust investigations? Some of the elements that are typically included in investigations manuals include…
The Value of Starting Simple: A Risk Assessment Spreadsheet
by Jeff Kaplan
For those just getting started with compliance risk assessments, the KISS approach can be invaluable. And by KISS, I mean “Keep it Simple with Spreadsheets.” Spreadsheets are not mandatory in conducting risk assessments, of course. But for the beginners in this area, they can be exceedingly useful.
Consider the simple model below – along with associated commentary. Something like the following can be a helpful tool in creating or improving your risk assessment program.
Risk areas
The risk areas to be assessed generally include:
substantive areas of criminal law risk, such as corruption, antitrust, export control/trade, insider trading/confidential information, and fraud,
ethical, as well as legal, areas of risk, e.g., conflicts of interest,
in some instances, civil law, e.g., employment law, defamation.
Additionally, some risk areas should be broken down into sub-risk areas, e.g., bribery of government officials as well as commercial bribery.
Risk areas can often be excluded from the compliance risk assessment process if they have been the subject of other risk assessments or do not appear to represent significant legal or ethical peril (de minimis risks). An example of the latter is copyright risks for most organizations (although copyright can be a significant risk area for some industries, such as publishing or entertainment).
Risk scenarios
Risk scenarios are scenarios of the most foreseeable and significant ways in which relevant law/ethical standards could be violated on a line or staff unit basis.
For instance, it is not necessarily sufficient to identify a company as having a significant fraud risk without identifying the type of fraud at issue, e.g., consumer fraud, financial risk, tax fraud, etc.
Mitigation – both existing and recommended
Risk mitigation generally includes written standards, training, other communication, policies, procedures, assigned accountability, internal controls, auditing/monitoring and any other form of mitigation that varies significantly by risk area. Generally speaking, a more detailed discussion of existing controls will assist in yielding more helpful recommendations as to additional mitigation to consider. For example, rather than simply listing “training” as a control for a given risk area, it is helpful to discuss the type of training, how recently and how frequently it is conducted, for what audience, and even relevant feedback on effectiveness.
Risk mitigation for a risk assessment generally does not encompass controls such as the helpline, investigations, discipline, incentives and background checks, at least as a general matter. This is because those controls are operative with respect to all risk areas and do not generally control for particular risks. These areas should, of course, be subject to periodic assessment, but those efforts will likely be more in the nature of a program assessment than a risk assessment.
Finally, the breadth and depth of risk assessment for any given area will generally depend on various factors. E.g., if a risk assessment is being conducted following a violation at a company, that may suggest the need for a broader and deeper assessment than a risk assessment being conducted on a routine basis.
COI risk assessments and program assessments are two different things. But they can overlap to some degree and so it makes sense to consider how/how much they should fit under “one roof.” This is particularly so when both procedures are based principally on employee interviews, with some danger of duplication.
Beyond this, any risk assessment needs to consider the efficacy of mitigation (i.e., a program assessment component), and any program assessment needs to take into account various risk factors. So, in determining how/how much the two processes can be combined, it makes sense to start with an analysis of a company’s need for specific information regarding each.
Risk assessments
Conflicts of interest have long been seen as an area of significant risk. But that does not always translate into the conduct of meaningful risk assessments.
Part of the reason for this disconnect is a widespread belief that COI risks are already well known. Certainly every C&E professional knows that the major types of COI for most business organizations involve employees a) having financial ties to competitors and third parties that do or seek to do business with the organization, and b) hiring family and friends into the organization. Similarly, the basics of the other two major COI categories – organizational and gatekeeper COIs – are generally understood by C&E professionals working in fields where risks of such conflicts are significant.
But understanding the general risks regarding COI may not be enough to generate the type of information that an effective risk assessment process requires, which is information that will help design or modify all the risk-sensitive elements of a program to mitigate COIs. These are policies, training and other communications, auditing and accountability. (Note the other main program elements – e.g., helplines, investigations, incentives, discipline – are obviously important too, but tend not to vary by risk area.)
Each assessment will vary in substance. But here are some areas of inquiry that may be useful to companies just starting out.
– Any relevant COI history at the organization – violations, near misses and inquiries.
– Any relevant COI history at competitors or otherwise comparable organizations, to the extent known.
– Same inquiry regarding customers, suppliers and other third parties with which one does business.
– COI standards that are not fully understood or appreciated.
– Weakness in “inner controls” (where – due to factors described in behavioral ethics research – moral constraints against wrongdoing are of diminished efficacy).
– Instances or prospects of prosocial COIs (“right v. right” risks).
– Industry-related risks.
– Cultural-related factors.
– Efficacy of process controls (particularly around COI disclosure/approval regimes). This is an area where the overlap between the two types of assessment is particularly strong.
Note that in some instances the inquiry can be done on an enterprise-wide basis but for others it should be granular (e.g., region, business line, function) too.
Program assessments
C&E program assessments sometimes have a general scope and sometimes are focused on a single substantive risk area – such as corruption or competition law. (Still others have elements of both approaches, i.e., general assessments and deep dives.)
For some companies it makes sense to do such a targeted/deep dive assessment for conflicts of interests. This is particularly so for those responding to a significant COI violation or “near miss,” but it is also the case where the likelihood of COI risks is heightened due to geographic, organizational or industry cultural considerations.
More generally, what does one look for in a COI program assessment? Hopefully, the following questions/comments could be helpful to some organizations seeking to determine whether/how to go down this road – and if so, how far.
– Risk Assessment. Has the company assessed COI risk? If so, has it done so in a documented way? Has it used the results of the assessment(s) in designing and implementing other aspects of the COI program? Beyond this, does the company have a good sense of its areas of jeopardy from what might be called “the risk assessment of everyday life”?
– Governance. Have the respective COI oversight roles of the board of directors and senior management been formalized? Do they receive appropriate reports of COI program activity? Are there sufficient escalation provisions regarding COIs?
– Culture. Are COI rules truly followed or are there double standards? What is the sense of “organizational justice” vis-à-vis COIs? Same question re: the “tone at the top.” Do employees – particularly senior ones – understand the harm that COIs could cause the company?
– Policies. Presumably nearly every business organization has a COI provision in its code of conduct. But there are also many that need but do not have a standalone policy as well. Is your company in this category? Also, is your COI policy well known and readily accessible? Is it reviewed periodically by the C&E officer?
– Procedures. Are disclosure and related COI procedures clear, easy to use and well known? Do those tasked with reviewing COIs have enough knowledge and independence for the job? Are the reviews sufficiently documented?
– Training/other communication. Is there enough training given relevant COI risks (which tend to be high for senior managers/board members and in certain functions, like procurement)? Is training reinforced through other communications, particularly from senior managers? Does the training/other communication use the learning from “actual cases”?
– Auditing and monitoring. Are the COI disclosure practice and other aspects of the program audited? Same question for monitoring (e.g., conditionally approved COIs).
– Responding to allegations/requests for guidance. Do employees feel comfortable seeking guidance on possible COIs? Are investigations truly independent? Are violations of the COI policy treated with sufficient seriousness? Does the company conduct a “lessons learned” analysis of significant COI failures?
Of course, there is much more that could be included in a COI program assessment (and I encourage you to browse the blog for ideas in this regard). But hopefully the above will be a useful foundation for starting.
The same point should be made with respect to risk assessments – what I have provided above is a starter list – not the last word.
“During his three decades on the Supreme Court, Clarence Thomas has enjoyed steady access to a lifestyle most Americans can only imagine. A cadre of industry titans and ultrawealthy executives have treated him to far-flung vacations aboard their yachts, ushered him into the premium suites at sporting events and sent their private jets to fetch him — including, on more than one occasion, an entire 737. It’s a stream of luxury that is both more extensive and from a wider circle than has been previously understood. Like clockwork, Thomas’ leisure activities have been underwritten by benefactors who share the ideology that drives his jurisprudence. Their gifts include:
“At least 38 destination vacations, including a previously unreported voyage on a yacht around the Bahamas; 26 private jet flights, plus an additional eight by helicopter; a dozen VIP passes to professional and college sporting events, typically perched in the skybox; two stays at luxury resorts in Florida and Jamaica; and one standing invitation to an uber-exclusive golf club overlooking the Atlantic coast. This accounting of Thomas’ travel, revealed for the first time here from an array of previously unavailable information, is the fullest to date of the generosity that has regularly afforded Thomas a lifestyle far beyond what his income could provide. And it is almost certainly an undercount.
“While some of the hospitality, such as stays in personal homes, may not have required disclosure, Thomas appears to have violated the law by failing to disclose flights, yacht cruises and expensive sports tickets, according to ethics experts.”
Thomas has denied all wrongdoing.
But is that the end of the matter?
Not in my view, in part because of the doctrine of res ipsa loquitur.
As noted in Wikipedia: “Res ipsa loquitur is a Latin phrase, which literally translates to ‘the thing speaks for itself.’”
And that, in my view, is the case here.
I should add that as a technical legal matter res ipsa loquitur is more applicable to personal injury cases than to the sort of cases where Justice Thomas’s personal ethics might be at issue. But the spirit of the law – which is one of getting to the truth of the matter – is every bit as applicable.
In a recently issued draft book chapter Jennifer Arlen of the New York University Law School addresses a wide range of issues facing the Compliance Function, including program assessment. She provides a very useful list of assessment methods.
Among other things, she writes that companies “can obtain the information needed to make these assessments through (1) internal reporting hotlines; (2) decision advisory hotlines; (3) well designed surveys given months after training to assess employees’ reactions to scenarios implicating choices between compliance and profits; (4) exit interviews; (5) adoption of an analytic detection system that incorporates data from internal hotlines, HR complaints about unethical behavior (including sexual harassment), consumer complaints, and (6) carefully calibrated performance indicators that can raise red flags about potential misconduct. Advances in AI assisted monitoring of performance and transaction data may also prove a boon to identifying ‘red flags’ or anomalies in data that may be predictive of suspicious conduct.”
Some of this is obvious but is still worth including for the sake of completeness. And other parts are not obvious, meaning they should be – but aren’t – included in some companies’ program assessment.
A company decides to implement what is in effect a zero-tolerance policy for violations of its code of conduct. Unexpectedly, this seems to have triggered a significant drop in the number of reports of violations being submitted to the company helpline. Evidently some employees felt that the new discipline policy was too harsh, and that they did not want to subject their colleagues to it.
This is, of course, an example of compliance being taken too far.
Another example concerns training. Not every employee of every company needs a full hour of antitrust or anti-bribery training each year.
There may indeed be lots of opportunities for improvement at any given company. However, I should emphasize that there are more—indeed, a great many more—companies that do too little C&E wise rather than too much.
Moreover, not all C&E areas are susceptible to being “too hot” to any significant degree. Auditing generally falls into this category, in my view.
Adopting a “Goldilocks” approach may help a CECO and others on the ethics team earn trust among other key players at the company, which can be invaluable in various settings.
Finally, companies wishing to have a Goldilocks approach to C&E can do so in part by tailoring their risk and program assessments to this task.
Designing and implementing a compliance and ethics (C&E) risk assessment can be a daunting task. This is true for many types of organizations, but it can be especially difficult for small businesses. Small companies often lack, among other things, the resources, culture, enforcement-related incentives and relevant experience necessary to be successful in a risk assessment. For these and other reasons, it can be important for small companies to have an easy-to-use and effective risk assessment procedure.
Getting started
For many companies new to the C&E area the first step in designing/implementing a risk assessment (or, for that matter, taking many other C&E measures) should be assigning management responsibility for the process. In theory this should be straightforward, but that may not always be the case with small organizations.
That is, a small company without an in-house lawyer may need to appoint an executive with operations, HR, finance or other duties to fill what is in effect a part-time C&E officer role for the risk assessment. However, that role is not a “machine that will run by itself.”
Therefore, extra care should be taken to document and reinforce the risk assessment responsibilities of the manager(s) responsible for the process, e.g., inclusion of compliance duties in job descriptions, strategic plans and other responsibility-defining company documents.
Outside counsel
Note that some companies hire outside counsel to assist with this effort. While often valuable, having outside counsel is not strictly necessary for every small company’s risk assessment process. For very small companies it might make sense to work through a business association, such as a trade association or chamber of commerce, to hear from a compliance professional with experience in this area.
One benefit of having a lawyer is that the process of conducting interviews can be done under attorney-client privilege. That, in turn, should make it easier for interviewees to be candid.
Developing the risk list
The next step in this process is to develop an initial list of risks to be assessed. As described below this will be used for interviews of company personnel.
The starting point here can be the company’s code of conduct, if it has one. If it does not it can consider looking at publicly-available codes from larger companies in the same industry. While that does not assure that all relevant risks will be covered, it can be a helpful start. It is also advisable to follow industry and business news. A company could start by having the designated compliance person read the Wall Street Journal to keep up on developing compliance risks and areas where government agencies are focusing their enforcement efforts.
The initial risk list will often need to be modified in several ways; in fact, this can be true for even the largest, most sophisticated companies.
First, with some risk areas the topics seen in codes of conduct may already be an area of focus for the company, such as environmental, health, safety, privacy and fraud. For such risk areas, there is generally no need to “reinvent the wheel” and to reassess a risk that has already been on the company’s radar.
Second, and in a related vein, for some areas there may be a need for more granularity than what appears in codes of conduct. Examples include corruption and misuse of confidential information.
Finally, for each item on the list the assessment should cover not only risks of wrongdoing by the company but also areas where the company is the victim and might discover that it has a cause of action against others, such as competitors. Competition law may be a good topic in this regard.
Using the risk list
As noted above, the risk assessment process needs to involve conducting interviews of company personnel.
To that end, the company should distribute the draft risk list to those who will be interviewed.
Who should be involved in the process will, of course, vary by company. However, at least in my experience, staff involved in controls – law, audit, finance, HR, procurement – tend to do better at providing risk assessment information and ideas than do business people. However, business people may be more aware of what is actually happening in the field, and may surface business activities that were not known to control personnel and that may raise unexpected risks.
What gets assessed
This is the heart of the risk assessment. It includes two types of analysis.
The first concerns the likelihood and impact of violations. It is, of course, quantitative information and is standard fare in risk assessments. In other words, how likely is it that a particular violation will occur, and what are the possible consequences if it does? However, there is a risk here that busy managers will underrate both of these factors. For example, while retaliation is a dangerous and prevalent risk, it is routinely downplayed by managers who think it “never happens here because we say we won’t tolerate it.”
An example of the assessment process can be seen for conflicts of interest (COI), assessing what is the likelihood and impact of different possible COIs, e.g., hiring relatives in a different part of the company (by business line and/or geography).
A second level of analysis is qualitative. It is more complex than the quantitative type – and more judgment based. It seeks to identify causes of risk and to use that information to identify areas for enhancement of mitigation.
For instance, are there parts of the company where particular risks are not sufficiently understood/appreciated? If so, should training and communications be enhanced?
The same inquiry should be made with respect to other causes of risk – e.g., undue pressure, weak process controls, misaligned incentives – all on both an enterprise and granular level.
Interviewees should also be asked to identify any risks that are not, but should be, on the list.