Risk assessment, program assessment and conflicts of interest
In my most recent column for Corporate Compliance Insights, I explore points of intersection between C&E risk assessment and C&E program assessment – two important functions that, while conceptually distinct, overlap to a considerable degree. In today’s posting I’d like to continue that discussion as the two types of assessment apply to COIs.
First, COI risk assessment is – at least for some organizations – more challenging than assessment of any other law/ethics area, because of the extraordinary array of interests and intersections that can create COIs. For this reason, truly comprehensive COI risk assessments can cover a lot of ground – as reflected in a six-part series the COI Blog has run on this topic. Moreover, perhaps as much as any risk area, COI risks can be granular – further complicating the matter. (See this CCI article on “nano compliance” for more on the challenges of dealing with granular compliance risks.)
However, as with other C&E program matters it is essential that the perfect (which is truly unachievable in this case) not be the enemy of the good here – and so companies should begin somewhere. One approach to this is to develop an initial plan which – based on known risk factors and easily available data (e.g., from COI disclosures) – has attainable COI risk assessment goals for “year one” with other measures scheduled on a risk-tiered basis for later years. If undertaken in good faith and with reasonable dispatch, this route could offer meaningful protection for an organization in the event that its C&E program were scrutinized by the government (although whether it would do so in any given situation would depend in part on a host of other factors). Put otherwise, it could help show that a company’s failure to identify and address a harmful COI was not for want of trying.
Second, COI program assessment does, of course, depend in part upon the results of an organization’s risk assessment, and so – for a company that hasn’t conducted the latter – this might seem a reason to postpone consideration of the former. But there are many other aspects of program assessment, too – such as the overall strength of a company’s COI policies; training and communications; disclosure and management measures; auditing, monitoring and other forms of checking; enforcement; and oversight – by boards of directors as appropriate and perhaps even COI SMEs. Note that COI program assessments are presumably less common than assessments regarding anti-bribery and other major risk areas (such as competition law) that operate within a well-defined statutory framework. But that does not mean the need for such efforts is low; indeed, it is precisely because of the sprawling nature of COI risks and the related need for useful remediation that a program assessment can be important for this area – to make sure nothing meaningful slips through the cracks.
Additionally, it is possible to combine aspects of a program assessment and a risk assessment. For instance, an employee survey that asks, among other things, about perceptions of the company’s success in addressing COIs could serve a highly useful risk assessment function by identifying where within the company the most significant COIs seem to be (assuming, that is, that the survey data can be sliced by business and/or geographical unit), while also serving a program assessment function by revealing areas for improvement in the overall approach to COIs. More generally, given the overlap between these two functions, such an approach should be appealing for many companies.
A final point: whether it is a COI risk assessment, a program assessment or some combination of the two, it is essential not only to gather the information in question but also to turn that information into action plans. This may seem obvious but over the years I’ve seen quite a few examples of needs identified by these processes that went unaddressed.