Self assessing your conflict of interest compliance program

C&E program assessments sometimes have a general scope and sometimes are focused on a single substantive risk area – such as corruption or competition law. (Still others have elements of both approaches, i.e., general assessments and deep dives.)

For some companies it makes sense to do such a targeted/deep dive assessment for conflicts of interest. This is particularly so for those responding to a significant COI violation or “near miss,” but it is also the case where the likelihood of COI risks is heightened due to geographic, organizational or industry cultural considerations.

The scope and approach of such assessments for any given company at any given time should vary based on a variety of circumstances.  However, for many companies the effort should not be time consuming or intrusive.

What does one look for in a COI program assessment? Hopefully, the following questions/comments could be helpful to some organizations seeking to determine whether/how to go down this road – and if so, how far.

– Risk Assessment. Has the company assessed COI risk? If so, has it done so in a documented way? Has it used the results of the assessment(s) in designing and implementing other aspects of the COI program? Beyond this, does the company have a good sense of its areas of jeopardy from what might be called “the risk assessment of everyday life”?

– Governance. Have the respective COI oversight roles of the board of directors and senior management been formalized? Do they receive appropriate reports of COI program activity? Are there sufficient escalation provisions regarding COIs?

– Culture. Are COI rules truly followed or are there double standards? What is the sense of “organizational justice” vis-à-vis COIs? Same question re: the “tone at the top.” Do employees – particularly senior ones – understand the harm that COIs could cause the company?

– Policies. Presumably nearly every business organization has a COI provision in its code of conduct. But there are also many that need but do not have a standalone policy as well. Is your company in this category? Also, is your COI policy well known and readily accessible? Is it reviewed periodically by the C&E officer?

– Procedures. Are disclosure and related COI procedures clear, easy to use and well known? Do those tasked with reviewing COIs have enough knowledge and independence for the job? Are the reviews sufficiently documented?

– Training/other communication. Is there enough training given relevant COI risks (which tend to be high for senior managers/board members and in certain functions, like procurement)? Is training reinforced through other communications, particularly from senior managers?  Does the training/other communication use the learning from “actual cases”?

– Auditing and monitoring. Are the COI disclosure practice and other aspects of the program audited? Same question for monitoring (of conditionally approved COIs).

– Responding to allegations/requests for guidance. Do employees feel comfortable seeking guidance on possible COIs? Are investigations truly independent? Are violations of the COI policy treated with sufficient seriousness? Does the company conduct a “lessons learned” analysis of significant COI failures?

Of course, there is much more that could be included in a COI self-assessment (and I encourage you to browse the blog for ideas in this regard). But hopefully the above will be a useful foundation for starting.

 

 
