Assessing conflicts of interest risks

Conflicts of interest have long been seen as an area of significant risk. But that does not always translate into the conduct of meaningful risk assessments.

Part of the reason for this disconnect is a widespread belief that COI risks are already well known. Certainly every C&E professional knows that the major types of COI for most business organizations involve employees a) having financial ties to competitors and third parties that do or seek to do business with the organization, and b) hiring family and friends into the organization. Similarly, the basics of the other two major COI categories – organizational and gatekeeper COIs – are generally understood by C&E professionals working in fields where risks of such conflicts are significant.

But understanding the general risks regarding COI may  not be enough to generate the type of information that an effective risk assessment process requires, which is information that will help design or modify all the risk-sensitive elements of a program to mitigate COIs. These are policies, training,  and other communications,  auditing and accountability. (Note the other program elements – e.g., helplines, investigations,  incentives, discipline  – are obviously important too, but tend not to vary by risk area.)

Each assessment will vary in substance. But here are some areas of inquiry that may be useful to companies just starting out.

– Any relevant COI history at the organization – violations, near misses and inquiries.

– Any relevant COI history at competitor or otherwise comparable organizations, to the extent known.

– Same inquiry regarding customers, suppliers and other third parties with which one  does business.

– COI standards that are not fully understood or appreciated.

– Weakness in “inner controls” (where – due to factors described in behavioral ethics research – moral constraints against wrongdoing are of diminished efficacy).

– Instances or prospects of prosocial COIs (“right v. right” risks).

– Industry-related risks.

– Cultural-related factors.

– Efficacy of process controls (particularly around COI disclosure/approval regimes).

Note that in some instances the inquiry can be done on an enterprise-wide basis but for others it should be granular (e.g., region, business line, function) too.