Edited by Jeff Kaplan
|
Risk Assessment
This section will examine ways to conduct COI-related risk assessments – both foundational assessments and ongoing ones.
|
Conflicts of interest have long been seen as an area of significant risk. But that does not always translate into the conduct of meaningful risk assessments.
Part of the reason for this disconnect is a widespread belief that COI risks are already well known. Certainly every C&E professional knows that the major types of COI for most business organizations involve employees a) having financial ties to competitors and third parties that do or seek to do business with the organization, and b) hiring family and friends into the organization. Similarly, the basics of the other two major COI categories – organizational and gatekeeper COIs – are generally understood by C&E professionals working in fields where risks of such conflicts are significant.
But understanding the general risks regarding COI may not be enough to generate the type of information that an effective risk assessment process requires, which is information that will help design or modify all the risk-sensitive elements of a program to mitigate COIs. These are policies, training, and other communications, auditing and accountability. (Note the other program elements – e.g., helplines, investigations, incentives, discipline – are obviously important too, but tend not to vary by risk area.)
Each assessment will vary in substance. But here are some areas of inquiry that may be useful to companies just starting out.
– Any relevant COI history at the organization – violations, near misses and inquiries.
– Any relevant COI history at competitor or otherwise comparable organizations, to the extent known.
– Same inquiry regarding customers, suppliers and other third parties with which one does business.
– COI standards that are not fully understood or appreciated.
– Weakness in “inner controls” (where – due to factors described in behavioral ethics research – moral constraints against wrongdoing are of diminished efficacy).
– Instances or prospects of prosocial COIs (“right v. right” risks).
– Industry-related risks.
– Cultural-related factors.
– Efficacy of process controls (particularly around COI disclosure/approval regimes).
Note that in some instances the inquiry can be done on an enterprise-wide basis but for others it should be granular (e.g., region, business line, function) too.
|
|
|
In today’s edition of the FCPA Blog.
I hope you find it useful.
|
|
|
My latest column in Compliance & Ethics Professional, available on page 2 of attached PDF.
I hope you find it useful.
|
|
|
Many years ago a client who was in the compliance department of a pharma company told me his strategy for conducting risk assessments. He would schedule the interviews of sales people – a key, but typically difficult, constituency for nearly any risk assessment – to begin late in the work day, and after a while suggest that the discussion continue in a nearby bar. As the drinks began to flow, so apparently did the information about risks.
Risk assessment is the foundation of an effective C&E program – certainly as a matter of common managerial sense, and increasingly as a matter of law. In connection with the latter, we recently passed the ten-year anniversary of the revised Sentencing Guidelines, which established risk assessment as an official C&E program expectation of the U.S. government; and on virtually the same day, the Italian government published important new competition law compliance guidelines, discussed in this publication from the Baker & McKenzie law firm, which include a risk assessment component.
Still, meeting such expectations – by getting business people to talk openly about the uncomfortable topic of risk – is as challenging as is anything in the C&E field. So, what can you use to make these conversations succeed if, like most C&E professionals, your toolkit doesn’t include a liquor cabinet?
Part of the way for dealing with this challenge is to provide that the assessment is conducted under the company’s attorney-client privilege and, beyond this, that no attribution to the sources of information will be included in the assessment report. These are the tools of law, and deploying them can be essential to success in a risk assessment.
But offering confidentiality alone may not be enough because while it is typically in the clear interest of a company to have a thorough risk assessment, individuals’ interests often seem (and sometimes are) out of alignment with those of the organization. This is the realm of the economics-based concept of moral hazard, discussed in various prior posts of this blog that are collected here.
There is no panacea for dealing with this impediment – but hopefully one can make a persuasive appeal to an interviewee’s being a “C&E leader,” a formulation which seeks to blend considerations of personal and organizational benefit, to get the interviewee to be truly helpful for the risk assessment. Of course, for an approach such as this to work, it cannot be limited to the risk assessment process. Senior executives, and even the board of directors, need to make clear through various intangible and occasionally tangible ways that such leadership is duly appreciated.
Finally, there is also a psychological dimension to the challenge of risk assessment. As discussed in this recent article in Science – “Morality beyond the lab” by Jesse Graham (which I learned of from the Ethics Unwrapped web site), various “laboratory studies have shown a ‘holier-than-thou’ effect, in which people over-optimistically predict their own future moral behavior but accurately predict the not-so-moral future behavior of others” – a view which has now been supported by the results of an important recent field study (by W. Hofmann, D. C. Wisneski, M. J. Brandt, L. J. Skitka, which is published in the same issue of Science). As summarized by Graham: “[T]he study suggests that moral life can largely be characterized by two kinds of events: noting one’s own good deeds and gossiping about the bad deeds of others.”
For those conducting risk assessments, the path suggested by this research is clear: to the maximum degree possible, one should structure the inquiry so that it is not seen as asking about the interviewee’s own risks but those of others. And, in providing information about others, at least in the aggregate, employees of an organization will likely be helping you analyze risks that in fact involve themselves.
One other point about the above-discussed research: while I have highlighted its use for risk assessment, there are other ways in which this aspect of what Graham calls “morality science” can enhance the efficacy of a C&E program. Most notably, it can be used in training and other communications to underscore the overarching behavioral ethics notion that “we are not as ethical as we think,” which should help reinforce an appreciation for the help that C&E staff and other resources can provide to employees when confronted with legal risks or ethical dilemmas.
For further reading on risk assessment, here’s a link to a complimentary e-book comprised mostly of my risk assessment columns in Corporate Compliance Insights.
For an index of posts on “behavioral ethics and compliance” please click here.
|
|
|
As described in an article in today’s Wall Street Journal (which may require a subscription for access): “Ten thousand railcars a month roll into [the] sprawling [Terminal Island] port complex in Los Angeles County. While here, most are inspected by a subsidiary of Caterpillar Inc. [Progress Rail Services]. … When problems are found, the company repairs the railcars and charges the owner. Inspection workers, to hear some tell it, face pressure to produce billable repair work. Some workers have resorted to smashing brake parts with hammers, gouging wheels with chisels or using chains to yank handles loose, according to current and former employees. In a practice called ‘green repairs,’ they added, workers at times have replaced parts that weren’t broken and hid the old parts in their cars out of sight of auditors. One employee said he and others sometimes threw parts into the ocean.”
Caterpillar is being investigated by the US Attorney’s office in Los Angeles, and it should be emphasized that no charges have yet been brought. Still, the article provides some nourishing food for thought about two key topics in the C&E field, as well as one narrower but, likely for some companies, dangerously under-appreciated risk.
First, there is the issue of culture. As noted in the article, current and/or former employees told the Journal that while ‘[t]hey weren’t instructed to do [these things], …some managers made clear the workers would be replaced if they didn’t produce enough repair revenue…Current and former employees interviewed said those who found large numbers of parts to replace didn’t receive extra pay, but they tended to be favored by the supervisors and sometimes honored with employee-of-the-month recognition. Employees said newer workers sometimes learned bad habits from veterans. ‘I was trained to do everything the wrong way,’ one current worker said. ‘I basically fell into a bandit’s nest.’”
And then there’s this piece of information: “Three years ago, two workers who were fired from a Progress Rail repair shop in Florida filed lawsuits making allegations similar to what the U.S. attorney is looking into at Terminal Island…. A lawyer who represented the two said the suits were settled on terms that barred them from discussing the case.”
Again it should be emphasized that this is only an article – no charges have yet been brought. But, if these allegations turn out to be founded, then clearly the culture in Caterpillar’s Progress Rail business will – under current enforcement policy – weigh in favor of bringing criminal charges against the company, meaning, in the first instance, the Progress Rail subsidiary.
But what about Caterpillar itself? Here, the key issue may turn on whether Caterpillar conducted a meaningful risk assessment after it bought Progress Rail in 2006. I recall, from various conferences at that time, that Caterpillar had a C&E officer and program – and so if it did not look closely at Progress’s risks (then or since) a prosecutor might well wonder why.
Finally, besides broad lessons about culture and risk assessment, the Caterpillar matter – depending, of course, on how it turns out – may reinforce a narrow but important learning about risk for some companies. That is, when a company expands its business from just manufacturing goods to providing services it often enters a new realm of risk – because its employees are effectively in a relationship of trust with customers that involves opportunities and motives to cheat beyond those in the context in which it is used to operating. As described in an earlier post in Corporate Compliance Insights, risk assessments typically should include “[e]xamining whether a company has any relationships (with customers or others) where the need for good faith and candor might not be sufficiently understood by employees or third parties acting on its behalf. Relationships such as these – which tend to involve a high degree of trust but not necessarily a formal fiduciary duty – may be rife with ethics risk potential.”
Businesses facing this risk typically should consider enhanced C&E mitigation measures, and as the Caterpillar matter progresses (pun not intended) it will be interesting to see what – if anything – the company did on this front. (For further reading on informal fiduciary duties see this post.)
|
|
|
I’m not one who sees ethics and compliance as operating in wholly distinct spheres, and have long felt that they closely complement each other. (For more on the general relationship between the two see this piece from the SCCE’s C&E journal.) But, of course, they are not the same thing, and to some extent each has reach that the other doesn’t.
More specifically, for any given organization, the boundaries of compliance are – to a significant extent – defined by risk assessment. Compliance-related risk assessment can and should be done in an expansive and innovative manner (as discussed in this complimentary e-book) but it is ultimately finite in ways that are less applicable to true ethical standards. And when it comes to CEOs – who have near infinite capacity for engaging in mischief in their companies – the latter form of protection can be particularly important.
To take the example of conflicts of interest, a prior post described how CEO COIs can be different than those faced by the rest of us and a NY Times story last week seems to illustrate that point. It concerns a company (Questcor Pharmaceuticals) which appears to have timed various corporate announcements with an eye toward boosting its stock price in advance of sales by the CEO pursuant to a “10b5-1” plan (which is an automated procedure to sell stock at specified future dates based on prior instructions). I should stress that the case for the CEO’s stock sales being the motivation for the scheduling of the announcements in question is wholly circumstantial. Still, a commentator from Bloomberg who set out to debunk the case ran the numbers and ended up essentially “rebunking” it – i.e., supporting by statistical analysis, at least to some degree, what the Times suspects.
Not being statistically adept, I have nothing to add about the specifics of this case (other than to say I hope the company’s board conducts an independent inquiry of the matter). Rather, I mention the story because I have to believe that this sort of conflict of interest – assuming, for the purposes of discussion here, that the theory of wrongdoing is well founded – is unlikely to show up in most risk assessments, and thus this illustrates the earlier point about the limits of compliance. But from an ethics perspective, no CEO (or board member or “gatekeeper”) could reasonably believe that gaming a 10b5-1 plan in this way was okay, as it would involve using the company’s resources for purely private purposes (clearly an ethical breach – but perhaps less easily shown to be a legal one).
Indeed, it is precisely because a COI like this is so unpredictable – the Times story seemed to suggest that it was indeed something new under the sun – that it is potentially harmful. That is, when an unforeseeable COI emerges it raises the question: If the CEO is capable of doing this, what other mischief is he or she up to?
What this means is that the primary damage to the shareholders is not whatever costs can be directly traced back to timing corporate announcements for the personal benefit of an executive – an exercise that would likely be too speculative to be meaningful; and, even if the costs were measurable, they would likely end up being a small amount. Rather, the harm flows from a general loss of trust by shareholders from learning that a CEO puts their interests second and – because a CEO can influence her company in so many ways – not being able to monitor all the avenues of possible betrayal that might exist.
Understanding that sort of more general harm is one of the important ways an ethical perspective can supplement a more narrow compliance-based one. And it is part of the reason that boards and senior executives need to understand the importance of truly operating pursuant to high ethical – as well as compliance-related – standards.
Finally, for those who’d like to read more related to this topic please see Scott Killingsworth’s excellent paper on C-Suite behavior, discussed and linked to in this earlier post.
|
|
|
Corporate Compliance Insights has just published a complimentary e-Book – Compliance & Ethics Risk Assessment: Concepts, Methods and New Directions, based mostly on my CCI risk assessment columns over the past few years, but also including other materials. The book covers a wide array of risk assessment ideas, methods, practices, tools and other noteworthy items concerning risk assessment scope and methodology; approaches to different risk areas (e.g., competition law and corruption); mitigation measures; the interplay of risk assessment and program assessment; and the ethics and social science dimensions of risk assessment.
The book can be downloaded here.
I hope you find it useful.
|
|
|
Risk assessment is, of course, the foundation for effective compliance measures generally – and various prior posts describe what should be included in conflict of interest risk assessment. One of the keys to mitigating identified conflicts risks is through the appointment of a subject matter expert, as discussed here.
A risk action plan is a tool for having SMEs identify and help to address C&E risks. In a post earlier this week on the Corporate Compliance Insights web site, I discuss four practice pointers for success in designing and implementing such plans. While not focused on any one type of risk, I think the approach in the CCI piece could be particularly useful to mitigating COI (as well as other) risks in some organizations, given how diffuse COI risks often are in businesses.
|
|
|
Steve Priest has had a storied career in the field of ethics & compliance. Over the past two decades he has, among other things, consulted “on the ground” in 48 countries on every continent with over 25% of the Fortune 200, trained more than forty Boards of Directors and senior leadership teams and written numerous codes of conduct. He has also conducted many E&C program assessments (and it has been my great pleasure to partner with him on a good number of these engagements). And so, I was delighted that Steve agreed to be interviewed by the COI Blog.
In your twenty years in the field, has there always been a tension between law and ethics and, if so, how has it changed?
Jeff, I am not surprised that you ask the hardest question first. In most companies, most of the time, there is little tension. But in some situations fine attorneys trained in zealous advocacy may overweight an effective short term defense strategy and undervalue long term ethics and reputational considerations. Perversely, the high stakes now visible in many compliance areas have heightened this tension.
Is this tension positive, negative or a bit of both?
Most of the time the legal thing and the ethical/right thing are the same, so there’s little or no tension. Now the rest of this will betray my ethics bias, but from my perspective when there is a tension it is NOT a good thing, because the short term legal emphasis often prevails over the longer term ethical perspective. Choosing the ostrich approach versus a “look and learn” model has prevented companies from conducting assessments or root cause analyses that could dramatically improve their operations. Defining a disclosure of an event of wrongdoing as “in a gray area” rather than as the legal and right thing to do may provide a short term benefit, at the high risk of breaching trust with regulators.
What are some measures for companies to use each (ethics, compliance) to fortify the other?
The primary measure is this: messaging to employees must consistently integrate ethics and compliance. Many employees have a knee-jerk negative response to the word compliance. Just look up the definition in the dictionary to understand why. And, especially in highly regulated companies it has become segregated. Ethics, on the other hand, runs the risk of being marginalized as something merely nice to do. Put them both together in all messaging and you can tap into the strong preference employees have for doing the right thing and working for a company that does the right thing.
Do companies do enough to assess ethics – as opposed to traditional compliance – risks?
No. Partly because it is squishier. Corruption risk assessment is easy—look at prosecutions, legal developments, Transparency International rankings, industry developments, reliance on third parties, etc. But assessing whether employees believe they can raise difficult issues, or that people are held accountable if they do the wrong thing—these questions can rarely be answered in a meeting room by a few people. And yet these attributes are probably more important in understanding compliance risk than the corruption probability in China. A company culture where employees believe they can raise difficult issues has lower risk of major problems in corruption, competition, money laundering, etc. because employees will raise concerns early and often. Conversely, if employees believe that the way to get ahead is to make your numbers and that living up to the Code is not so important, then risks of corruption are substantially higher. Additionally, employee perceptions of the ethics of business practices can also serve as a canary in a coal mine for future compliance risks. Often employees have a sense that a practice “doesn’t feel right” or “isn’t fair for a customer” well before these practices gain the attention of the media, plaintiffs’ attorneys or prosecutors. So a good risk assessment has to understand cultural attributes, including the ethical dimension.
Steve can be reached at ethical@aol.com.
Part two of the interview will cover various challenges in providing effective ethics training.
|
|
|