“Checking” – auditing, monitoring, certifications, self assessments and questions in exit interviews (among other things) – can play an essential role in nearly any COI compliance regime. See the several sub categories below for more information about some of the principal checking tools.

Conflict of Interest Certifications

There’s one way to find out if a man is honest – ask him.  If he says, “Yes,” you know he is a crook.  Groucho Marx

There is, of course, something to this bit of Marxist logic. But, on balance, the benefits of “asking” in a C&E program can be considerable, and one asking-based tool that has existed for many years is the certification.

Should an organization require employees to execute on a periodic basis certifications regarding actual or apparent COIs?  If so, what should be the content of the certifications? And should an entire employee population receive them?

We will consider the first and third questions in this post and the other in the next post.

While not advisable for every entity, this type of process can, I believe, be useful for reminding employees (in a way that a terse general code of conduct certification  typically does not do) of the organization’s specific COI standards and requirements.  Certifications indeed often will surface  COIs that have not otherwise arisen through other C&E processes.  While they might elicit denials regarding  truly illicit behavior (Groucho’s thesis), that is less true of many other, less nefarious sorts of COIs.  As one  reader of the Blog wrote to us yesterday, “employees are often confused about  COIs and don’t think they have one when they do or at least when there is an  appearance of a possible conflict. [Certifications] seem to be a good way to help employees focus on specific activities that can present a conflict.”

However, certifications  are clearly not for everyone. Whether an organization should undertake this  sort of effort – which can require a substantial time commitment – depends on a variety of factors.  In effect, this is a form of risk assessment, which should typically include the following considerations:

Likelihood:  How likely is the process to uncover an  otherwise unidentified COI?  And, how likely is a certification to prevent an otherwise undeterred  COI?

Impact:  How harmful could such a COI be – meaning one that would likely be deterred or detected and addressed by the certification process but not other ways?

Other benefits:  Are there other high-risk activities (e.g.,“sensitive payments,” contacts with competitors) that should be added to a COI certification, and, if so, what does a likelihood and impact assessment of those topics add to the analysis?

Capacity:  Does your organization have the resources to follow-up on all “yes” answers or failures to respond?  (This is a deal breaker for many companies.)

Finally, this analysis should not necessarily be performed on an all-or-nothing basis.  Even if it does not make sense to require all employees to execute certifications – as, in my experience, is frequently the case – there may still reason to do so for managers and others in sensitive positions (e.g., procurement; “control” functions – such as law, finance, human resources and audit; and, in some organizations, sales).

To be continued…



Other People’s Conflicts

Samuel Johnson once famously said of some unfortunate soul, “He is not only dull himself, he is the cause of dullness in others,” and in this posting we’ll examine how companies can avoid the misfortune that sometimes comes from causing conflicts of interests in others.

To start, a brief bit of COI history.

Several years ago an advertising agency lost a highly lucrative account with Wal-Mart and – according to some press accounts at the time – part of the reason for the loss was the agency’s entertaining of a Wal-Mart executive in ways that allegedly caused her to violate that company’s code of conduct. Although the agency presumably violated no law, its loss of future revenue could be seen as costly as some of the largest criminal fines in history.

The case led many companies to add to their codes of conduct a requirement that in providing gifts, entertainment or travel to employees of third parties one must not cause those employees to violate their respective employers’ codes. But is such a provision by itself enough to mitigate risks of this kind?

For any given business organization, addressing this issue should, of course, be driven by an assessment of relevant risk. However, for all organizations it may be useful to consider the range of available C&E measures that can be taken here, and “work backwards” to determine if their respective risks warrant implementing the measure in question.

First, there is the language of the code itself. While at first blush a mandate that employees must not cause a violation seems strong, a preferable approach may be to specify that employees must ensure that they do not cause a violation. The latter sort of requirement (particularly if reinforced the right ways) suggests a higher and more meaningful burden on the employees who deal with third parties.

Second, companies can establish a practice of periodically collecting customers’ and other relevant third parties’ codes and disseminating gifts and entertainment language to at-risk employees and their respective managers. Even if it is not possible to do this for all third parties, the effort can be useful if codes for major customers are obtained.

Third, COI training can emphasize the importance of identifying and following relevant third-party standards. Fourth, companies can deploy “just-in-time” communications to at-risk employees around these issues.

Fifth, for organizations with relatively high risks in this area, managers can be required to monitor for compliance with third-party codes. Sixth, auditors might be tasked with including third-party standards in their audits.

Finally, note that this post deals with the topic of other people’s conflicts only at a very high level. There are many other aspects to this area. Indeed, the whole field of corruption by definition involves “causing conflicts in others,” and many of the largest criminal fines in history (specifically in the FCPA and health care fraud-and-abuse areas) have been precisely about that. The point of this post is to suggest that even without significant corruption risks, all organizations should consider whether they do enough to avoid creating third-party COIs.