Assessing your conflict of interest compliance program
Under the Department of Justice standards for the government’s evaluation of compliance & ethics (C&E) programs, companies should undertake program self-assessments from time to time.
What does this entail? At a minimum, it should include assessing the general components of the C&E program (e.g., compliance office, helpline, training) as well as corporate culture. And, for many companies, a “deep dive” into substantive areas of high risk, such as anti-bribery and competition law, should be within the scope of the assessment.
Somewhat less common is companies assessing their conflict-of-interest (“COI”) compliance programs. This post will offer some ideas for use in conducting such an assessment.
Process
At the outset, I wish to stress that a COI program assessment need not be a standalone process. Rather, companies can – and in most instances, should – make it part of the larger program assessment.
Is COI included in your risk assessment?
Note that what this question asks is more than just whether there are actual COIs at the organization in question. Rather, the inquiry is about how likely and potentially impactful COI risks are.
As a practical matter this means:
– Determining how culture affects COI likelihood – as a matter of organizational, geographic and industry culture. Note that while the first two types of culture are commonly the focus of risk assessment, the third – industry culture – generally is not, but (in my view) should be.
– Determining what the opportunities for COIs are. This is a matter of having adequate financial controls, of course, but also entails looking at the “supply side” of opportunities to enter into COIs.
Note that there is no particular formula for this. What is required is an act of “informed imagination.”
Also, it is particularly important to ask the impact question with COIs, because such impacts are often dismissed as “harmless.” Focusing on impacts in a COI risk assessment can help show why that is not the case.
COI policies and procedures
Presumably almost all companies have COI provisions in their respective codes of conduct, but not all have standalone policies. The latter aren’t typically mandatory but are generally a good idea where the subject may be too complex for a code provision to cover completely.
The most important topic for COI policies and procedures often concerns disclosure/approval. As a general matter disclosure should be made to – and approval required of – compliance, legal or HR. Allowing approvals by line supervisors – if necessary – should still entail notice to compliance, law or HR.
Training and communications
These should be driven by the risk assessment, and there is clearly no one size that fits all when it comes to COI training and communications. However, a fairly typical approach for a medium risk company would entail:
– COI as a module in code of conduct training for all employees delivered every year or two.
– Other training on a risk-based basis (such as for managers or procurement).
– Other communications on a risk-based basis (e.g., about gift giving – to be disseminated during the holidays).
Auditing and discipline
Companies often review COI case files as part of site audits. Whether to do this – or other auditing – should be informed by the risk assessment.
Finally, from an organizational justice perspective, it is important that COIs be handled in a fair way. While fairness is important to how all C&E issues are resolved, this is particularly so for COIs – given that COIs have an obvious personal dimension, e.g., hiring or promoting a relative arguably hurts other employees more than other offenses would.