Conflict of Interest Blog

Asking a good question as a path to ethical conduct

by Jeffrey M. Kaplan

The late Nobel Laureate in physics Isidor I. Rabi once said: ”My mother made me a scientist without ever intending it. Every other Jewish mother in Brooklyn would ask her child after school: ‘So? Did you learn anything today?’ But not my mother. She always asked me a different question. ‘Izzy,’ she would say, ‘did you ask a good question today?’ That difference – asking good questions – made me become a scientist!”

Employment-related questions

In The Road to Character, David Brooks notes that he once met an employer who asked every job applicant: “Describe a time when you told the truth and it hurt you.’”  This is, to my mind, a very good C&E-related question, as it can help identify those who practice, as well as preach, ethical behavior. It also reminds those asking the questions about the importance of C&E to the organization.  

A frequently used variation on this question is: “Describe an ethical challenge you’ve faced and how you dealt with it.”’  

And another approach is to present the interviewee with a hypothetical ethics quandary and to ask how she would deal with it.

(Of course in doing this the questioner should make it clear that she is not asking for confidential information about any other company.) 

This practice has several benefits:

– It helps the employer determine whether ethics is a strength or weakness for the candidate, which could impact the decision of whether to hire her.

– It sends a message to employment candidates that C&E is important to the company, which hopefully they will remember if they get the job.

– It sends a message within the company generally – and particularly to those who conduct the interviews – that C&E is important to the company.

I also believe the inquiry should be a two-way street, meaning employees should also ask C&E questions of their prospective employers.  This might be a question about the C&E program generally: Is it strong?  Is the tone at the top healthy?  Or how does the workforce generally view C&E?

Another approach is to ask prospective employees about risks of misconduct in the company’s industry.  Even where a company seems ethical, one might want to do extra due diligence if the company’s competitors as well as others with whom they deal (customers, suppliers and others)  are routinely engaging in inappropriate activities.

Also, the questions – whether posed by the candidate or employer – should vary by position, at least for higher-ups.  Certainly this would be true with interviews of board members, and maybe others near “the top.”

Finally, there are many other topics the candidates might ask about but one should not be seen as conducting an investigation. A balance should be struck.

Surveys

Of course, employment interviews are not the only setting in which it is important to ask good C&E-related questions. Another is employee engagement surveys, in which one commonly sees questions about relative comfort in reporting violations and perceptions of the ethicality of the organization’s management.

These are good topics for questions, and I think every company that fields an employee engagement survey should use them. But my favorite question of this sort  comes from a survey conducted by the Economist which measured respondents’ perception of the need for ethical flexibility to advance one’s career within an organization.  What I particularly like about this question is the focus on flexibility – which may be easier for respondents to admit to than asking outright about their engaging in ethical transgressions.

Audits

Yet another setting for asking C&E questions is the compliance audit. While most of what is done in C&E audits revolves around document reviews, interviewing employees can be part of the picture as well. Among the topics that should be considered for such questioning: Does the interviewee think that the company’s training is effective? In addition to producing useful information about training itself, posing this question may make it easier for employees to identify concerns about risks and actual violations. I.e., like the question above about ethical “flexibility,” questions about C&E training may offer a “soft” way of approaching a “hard” topic.

Moreover, questions about training can be asked not only in audits but as part of (and typically at the end of) the training itself.  One possibility here is to ask whether after the training the employee now feels that she understands how the company’s compliance program applies to her job – again, a variation on the “soft” question approach.

Exit interviews

Finding the right question can also be important in developing a C&E-component to a company’s exit interview template. Options include general culture questions, such as how do you rate our company as a values and ethics driven employer – with an opportunity to say why; specific questions about key aspects of the program, such as whether the departing employee understood all the options for reporting concerns; and, of course, asking whether the employee was aware of any unreported concerns.

I should stress that this post is not intended to cover the whole world of asking C&E-related questions.  Among the areas not addressed: the importance of Q&A in codes of conduct and approaches to asking questions in risk assessments.

Finally, to an extraordinary degree, boards of directors can have the power to impact a C&E program simply by asking the right questions. Here (on page 2 of the PDF) is an article which offers not actual questions but topics that boards can turn into questions in overseeing their respective companies’ C&E programs.

More on reverse conflicts of interest

Consider the following (disguised) case, from some years ago…

A company enters into a complex business arrangement where one of its managers has a relationship with the other entity.  The relationship is fully disclosed and approved pursuant to company policy on COI waivers.  After some  time, the arrangement runs into business difficulties.  Although the company has lived up to its contractual obligations, the other entity seems to feel that the company should have done more to make the arrangement work.  Based partly on that, some employees of the company question whether that entity had been promised more than was disclosed by the manager, causing the employees to take various defensive measures which put further strain on the arrangement. Ultimately, the arrangement collapses.

As a general matter, if properly disclosed and approved, some COIs can be waived (although some should not be permitted under any circumstances).  Such approvals can be either a true “green light” or subject to being managed on an ongoing basis, i.e., a “yellow light.”

Like many C&E-related determinations, this type of decision tends to be made based on a balancing of costs versus benefits (hopefully, with a reasonably high burden of showing that the latter outweigh the former).

The case above illustrates what I believe is a factor that should generally be considered by companies deciding whether to grant a COI waiver: whether there will be a reasonable possibility of over-compensating for the COI in ways that are harmful to the company.  The potential for such “reverse COIs” could turn on many factors – perhaps most significantly, on the extent to which the contemplated relationship must rely on trust.  (That is, the greater the need for trust, the greater the possibility of suspicion – at least as a general matter.)

I cannot say that I have seen many reverse COIs. But I did find noteworthy the following discussion: “Conflict of Interest Disclosure With High Quality Advice: The Disclosure Penalty and the Altruistic Signal” by Sunita Sah of the Johnson Graduate School of Management, Cornell University and Daniel Feiler of the Tuck School of Business at Dartmouth:

“In this paper, we explore whether laws requiring conflict of interest disclosure damage the advisor-advisee relationship more than is intended. Across six experiments (N = 1,766), we examine situations in which advisors give high quality advice but still must disclose a conflict of interest. As predicted, such disclosures yield negative attributions regarding the advisor’s character, even when advice is of high quality (and advisees have full information to judge advice quality), and even when the advisor’s professional responsibility and self-interest are aligned, or the advice runs counter to the advisor’s self-interest. This disclosure penalty decreases trust in honest advisors…” (emphasis added).

In short, a reverse COI experiment… of sorts.

Note that I am not suggesting that the prospect of a reverse COI should have significant ramifications for a typical company’s C&E program.

But the case described at the beginning of this post is unlikely to be unique in relevant part.

 Moreover, as time goes on: 

* The economy will become more complex and with it the sheer number of COIs should become greater too (what might be considered gross COIs).

*  Due to legal, ethical and professional developments COIs are more likely to be recognized (wrongly or not) (net COIs).

So, companies should consider some risk assessment and education around this area. 

A “moral hazard” moment for the Department of Justice?

Last week Deputy Attorney General Lisa Monaco spoke at an ABA conference on the federal prosecution of corporations. Among the new or enhanced policies in this area that she addressed was promoting the use of incentives in compliance programs.

“Our goal is simple: to shift the burden of corporate wrongdoing away from shareholders, who frequently play no role in the misconduct, onto those directly responsible. We intend to encourage companies who do not already factor compliance into compensation to retool their programs and get ahead of the curve.”

This and other recent Justice Department speeches represent a major development for the C&E world. 

But whether it lives up to its promise may require  planting deep roots in developing and implementing the Justice’s Department’s compensation-related  expectations. This won’t be easy. To succeed it may be useful to apply a “moral hazard” framework.

By way of background, “moral hazard” exists where there is a misalignment of incentives between those with a capacity to create risks and those likely to bear the costs of such risks.  It is precisely what Monaco is concerned about.

What would such an approach entail?

First and foremost is risk assessment.  The risk assessment component of moral hazard should include financial incentives of the sort, (e.g., salary, bonus, etc.) likely to be reviewed by Justice. This is pretty clear cut – at least in theory.

Second, the risk assessment should also include non-financial moral hazard incentives, including reputational benefits. It is obviously tricky but important, at least at some companies.

Third, key personnel should be trained on identifying and addressing moral hazards. Included here are HR, finance, risk, law and various members of management.  This can be done as part of broader training.

Fourth, audit and C&E should develop procedures for assessing compliance in this area. Included here are questions in culture surveys.

Fifth, to the extent possible personnel evaluations should include moral hazard risk. But for some companies this might be a bridge too far.

Indeed, generally I am not saying that  all organizations need to engage in a full- fledged version of each of these steps. That would indeed be overkill for many. But all organizations should at least consider generally what their moral hazard C&E needs are and should respond appropriately.

Are best practices good for compliance ?

In Copycat Compliance and the Ironies of “Best Practice”

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4089806

William R. Heaston of the Wharton School at the University of Pennsylvania argues:  

For too long, corporate compliance “best practices” have been hiding plain sight. While they are readily invoked, compliance scholars have yet to examine them in any depth. This Comment provides a corrective, arguing that a confluence of inter- and extra-organizational forces drive in many firms to engage in copycat compliance whereby they mimic other firms’ “best practice” compliance structures. This tendency reveals two potentially problematic ironies about so-called “best practices” in the corporate compliance domain. First, they tend to reflect common practices rather than practices that are, in fact, “best.” Second, a formalistic focus on copying common practices may well undercut some of the most important or “best of the best” practices in compliance management—the promotion of ethical behavior within corporations and the customization of compliance structures so that they mesh with prevailing organizational cultures. In light of these ironies, this Comment proposes a conceptual framework that may provide a basis for identifying more fruitful types of convergence on common compliance best practices. Such best practices would trade rote mimicry for a more functional approach that permits greater variation in compliance structures and processes to suit the particular operational, cultural, and ethical needs of implementing firm.

(Note that Heaston’s conceptual framework is too complex to cover in this short blog. I encourage you to read the piece in its entirety.)

Based on what I have seen in my 35 years working in the  compliance and ethics field I tend to agree that there is too much rote activity when it comes to designing and implementing compliance programs.

I also believe what this problem is indeed likely to be remedied over the course of time as enforcement personnel and other key players in the field become more sophisticated “consumers” of compliance.   

This is true of many C&E functions, but particularly so regarding risk assessment/management.  Unlike many other parts of a compliance program risk assessment can leave a program with “nowhere to hide,’ when it tries to demonstrate that  it has implemented all or part of a “best practice” program of the like.

The full promise of compliance programs

My most recent column in Compliance & Ethics Professional
http://bit.ly/3Y6Ao66

A terrific alliance in the C&E space

Yesterday Kaplan & Walker LLP sent out this notice to friends and colleagues:

Waiving conflicts of interest: whether, when, how

A well-trod hypothetical case.

The head of a company’s regional office is putting on a reception for its customers. She believes that the best vendor (in terms of price and quality) is a caterer owned by her brother. Would it be a conflict of interest (“COI”) to give him the business?

Two approaches to COIs

Certain areas of law and ethics lend themselves to a black-and-white enforcement approach. These are many of these areas – e.g., fraud, corruption and antitrust laws. But conflict of interest (“COI”) is generally not one of them.

That is, while some organizations bar COIs in all instances many others opt for allowing COIs to exist where appropriate.

What do we mean by appropriate?

A company should consider requiring that a COI waiver (whether it is called waiver or something else) be allowed only where doing so would clearly be in the best interest of the company.

The use of “clearly” is intended to require a showing greater than a mere preponderance of the relevant facts. Of course, it is not as high a standard as “beyond a reasonable doubt,” which, in my view, would be widely seen as overkill in this setting.

But it is still a high standard and presumably would require rejection of any proposed COI where there was a lack of genuine clarity on this issue.  Indeed, given that COI problems often involve lack of clarity, the use of the word “clearly” in a COI policy should itself be helpful.

Whose best interest?

The mandate concerning “best interest of the company” should be read broadly. It requires more than an absence of corruption or other outright misconduct.

Rather, it also specifies consideration of how the COI at issue could impact the ethical culture of the company.    That is, the process should assess how employees would likely be affected if the vendor was hired. The same is true of the impact on the vendor’s competitors.

Procedural component

Finally, there is the procedural component.

In brief, that those deciding whether to allow a COI are not themselves conflicted. (This means you regional officer.)

This is a complex topic that will be the subject for another post.

The company should also audit and monitor COI compliance.

Conflict of interest program assessments

Compliance program assessments come in all shapes and sizes.   For some – but not all – organizations it may make considerable sense to conduct a general program assessment.  For others targeted deep dive/program assessments may be more appropriate – particularly in the area of conflict of interest (“COI”).

What does one look for in a COI program assessment? Hopefully, the following questions/comments could be helpful to some organizations seeking to determine whether/how to go down this road – and if so, how far.

– Risk Assessment. Has the company assessed COI risk? If so, has it done this in a documented way? Has it used the results of the assessment(s) in designing and implementing other aspects of the COI program? Beyond this, does the company have a good sense of its areas of jeopardy from what might be called “the risk assessment of everyday life”?

– Governance. Have the respective COI oversight roles of the board of directors and senior management been formalized? Do they receive appropriate reports of COI program activity? Are there sufficient escalation provisions regarding COIs? Is there sufficient compliance for projects?

– Culture. Are COI rules truly followed or are there double standards? What is the sense of “organizational justice” vis a vis COIs? Same question re: the “tone at the top.” Do employees – particularly senior ones – understand the harm that COIs could cause the company?

– Policies. Presumably nearly every business organization has a COI provision in its code of conduct. But there are also many that need but do not have a standalone policy as well. Is your company in this category? Also, is your COI policy well known and readily accessible? Is it reviewed periodically by the C&E officer?

– Procedures. Are disclosure and related COI procedures clear, easy to use and well known? Do those tasked with reviewing COIs have enough knowledge and independence for the job? Are the reviews sufficiently documented?

– Training/other communication. Is there enough training given relevant COI risks (which tend to be high for senior managers/board members and in certain functions, like procurement)? Is training reinforced through other communications, particularly from senior managers?  Does the training/other communication use the learning from “actual cases”?

– Auditing and monitoring. Are the COI disclosure practice and other aspects of the program audited? Same question for monitoring (e.g., conditionally approved COIs).

– Responding to allegations/request for guidance. Do employees feel comfortable seeking guidance on possible COIs? Are investigations truly independent? Are violations of the COI policy treated with sufficient seriousness? Does the company conduct a “lessons learned” analysis of significant COI failures?

Of course, there is much more that could be included in a COI program assessment (and I encourage you to browse the blog for ideas in this regard). But hopefully the above will be a useful foundation for starting.

.

Compliance Incentives, Risk Assessment and Moral Hazard

Compliance Incentives, Risk Assessment and Moral Hazard

“Moral hazard” exists where there is a misalignment of incentives between those with a capacity to create risks and those likely to bear the costs of such risks. This is a broad concept and should not be limited to compliance and ethics (C&E). But C&E professionals need to understand moral hazard and deal with it using the tools of their trade.

More specifically, moral hazard presents significant specific challenges to promoting C&E. That is, the law (most notably US Justice Department policy) provides for large fines for organizations convicted of federal offenses, but also provides that those who bear the brunt of such punishment (mostly the shareholders) are often different from the individuals who benefit from the wrongdoing in question (usually the executives or other high-ranking personnel).

Substantively this is not generally an area of great legal exposure for companies. But it can lead to significant business exposure of various kinds.

What does this mean for C&E professionals?

First and foremost, risk assessment should include financial incentives of the sort (e.g., salary, bonus, etc.) likely to be reviewed by Justice.

Second, the risk assessment should include non-financial moral hazard incentives. This includes reputational benefits. This is obviously tricky but  keenly important, at least at some companies.

Third, key personnel should be trained on identifying and addressing moral hazard. Included here are HR, finance, risk. and various members of management.  This can be done as part of broader training.

Fourth, audit and C&E should develop procedures for assessing compliance in this area. Included here are questions in culture surveys.

Fifth, to the extent possible personnel evaluation should consider moral hazard risk. But for some companies this might be a bridge too far.

Indeed, generally I am not saying that all organizations need to engage in a full-fledged version of each of these steps. That would indeed be overkill for many.

But all organizations should at least consider generally what their moral hazard needs are and should respond appropriately.

2023 behavioral ethics and compliance index