Conflict of Interest Blog

Compliance incentives, risk assessment and moral hazard

Compliance incentives and moral hazard

Clarence Thomas: Res Ipsa Loquitur?

Clarence Thomas: Res Ipsa Loquitur?

As detailed today in Pro Publica        

“During his three decades on the Supreme Court, Clarence Thomas has enjoyed steady access to a lifestyle most Americans can only imagine. A cadre of industry titans and ultrawealthy executives have treated him to far-flung vacations aboard their yachts, ushered him into the premium suites at sporting events and sent their private jets to fetch him — including, on more than one occasion, an entire 737. It’s a stream of luxury that is both more extensive and from a wider circle than has been previously understood. Like clockwork, Thomas’ leisure activities have been underwritten by benefactors who share the ideology that drives his jurisprudence. Their gifts include:

“At least 38 destination vacations, including a previously unreported voyage on a yacht around the Bahamas; 26 private jet flights, plus an additional eight by helicopter; a dozen VIP passes to professional and college sporting events, typically perched in the skybox; two stays at luxury resorts in Florida and Jamaica; and one standing invitation to an uber-exclusive golf club overlooking the Atlantic coast. This accounting of Thomas’ travel, revealed for the first time here from an array of previously unavailable information, is the fullest to date of the generosity that has regularly afforded Thomas a lifestyle far beyond what his income could provide. And it is almost certainly an undercount.

“While some of the hospitality, such as stays in personal homes, may not have required disclosure, Thomas appears to have violated the law by failing to disclose flights, yacht cruises and expensive sports tickets, according to ethics experts.”  

Thomas has denied all wrongdoing.

But is that the end of the matter?

Not in my view, in part because of the doctrine of res ipsa loquitur

As noted in Wikipedia: “Res ipsa loquitur is a Latin phrase, which literally translates to “the thing speaks for itself.” 

And that, in my view, is the case here.

I should add that as a technical legal matter res ipsa loquitur is more applicable to personal injury cases than to the sort of cases where Justice Thomas’s personal ethics might be at issue. But the spirit of the law – which is one of getting to the truth of the matter – is every bit as applicable.

Does your compliance program assessment do this?

Does your compliance program assessment do this?

In a recently issued draft book chapter Jennifer Arlen of the New York University Law School addresses a wide range of issues facing the Compliance Function, including program assessment.   She provides a very useful list of assessment methods.  

Among other things, she writes that companies “can obtain the information needed to make these assessments through (1) internal reporting hotlines; (2) decision advisory hotlines; (3) well designed surveys given months after training to assess employees reactions to scenarios implicating choices between compliance and profits; (4) exit interviews; (5) adoption of an analytic detection system that incorporates data from internal hotlines, HR complaints about unethical behavior (including sexual harassment), consumer complaints, and (6) carefully calibrated performance indicators that can raise red flags about potential misconduct. Advances in AI assisted monitoring of performance and transaction data may also prove a boon to identifying ‘red flags’ or anomalies in data that may be predictive of suspicious conduct.”

Some of this is obvious but is still worth including for the sake of completeness. And other parts are not obvious, meaning they should be – but aren’t – included in some companies’ program assessment.

Most importantly, there are many other topics beyond assessment in Arlen’s chapter and I hope you have the opportunity to explore the whole draft

“Goldilocks compliance”

By Jeffrey M. Kaplan

Consider the following true story.

A company decides to implement what is in effect a zero-tolerance policy for violations of its code of conduct.  Unexpectedly, this seems to have triggered a significant drop in the number of reports of violations being submitted to the company helpline.   Evidently some employees felt that the new discipline policy was too harsh, and that they did not want to subject their colleagues to it.

This is, of course, an example of compliance being taken too far.    

Another example concerns training.  Not every employee of every company needs a full hour of antitrust or anti-bribery training each year.

There may indeed be lots of opportunities for improvement at any given company.  However, I should emphasize that there are more—indeed, a great many more—companies that do too  little C&E wise rather than too much.  

Moreover, not all C&E areas are susceptible to being “too hot” to any significant degree.  Auditing generally falls into this category, in my view.

Adopting a “Goldilocks” approach may help a CECO and others on the ethics team earn trust among other key players at the company, which can be invaluable in various settings.

Finally, companies wishing to have a Goldilocks approach to C&E can do so in part by tailoring their risk and program assessments to this task.

Risk assessment for small companies

Designing and implementing a compliance and ethics (C&E) risk assessment can be a daunting task.  This is true for many types of organizations, but it can be especially difficult for small businesses. Small companies often lack, among things, the resources, culture, enforcement-related incentives and relevant experience necessary to be successful in a risk assessment. For these and other reasons, it can be important for small companies to have an easy-to-use and effective risk assessment procedure.

Getting started

For many companies new to the C&E area the first step in designing/implementing a risk assessment (or, for that matter, taking many other C&E measures) should be assigning management responsibility for the process.  In theory this should be straightforward, but that may not always be the case with small organizations.

That is, a small company without an in-house lawyer may need to appoint an executive with operations, HR, finance or other duties to be what is in effect a part-time C&E officer role for the risk assessment.  However, that role is not a “machine that will run by itself.”  

Therefore, extra care should be taken to document and reinforce the risk assessment responsibilities of the manager(s) responsible for the process, e.g., inclusion of compliance duties in job descriptions, strategic plans and other responsibility-defining company documents.  

Outside counsel

Note that some companies hire outside counsel to assist with this effort.  While often valuable, having outside counsel is not strictly necessary for every small company’s risk assessment process.  For very small companies it might make sense to work through a business association, such as a trade association or chamber of commerce to hear from a compliance professional with experience in this area.   

One benefit of having a lawyer is that the process of conducting interviews can be done under attorney-client privilege. That, in turn, should make it easier for interviewees to be candid.

Developing the risk list 

The next step in this process is to develop an initial list of risks to be assessed.  As described below this will be used for interviews of company personnel.

The starting point here can be the company’s code of conduct, if it has one. If it does not it can consider looking at publicly-available codes from larger companies in the same industry. While that does not assure that all relevant risks will be covered, it can be a helpful start. It is also advisable to follow industry and business news.  A company could start by having the designated compliance person read the Wall Street Journal to keep up on developing compliance risks and areas where government agencies are focusing their enforcement efforts.   

The initial risk list will often need to be modified in several ways; in fact, this can be true for even the largest, most sophisticated companies.

First, with some risk areas the topics seen in codes of conduct may already be an area of focus for the company, such as environmental, health, safety, privacy and fraud.  For such risk areas, there is generally no need to “reinvent the wheel” and to reassess a risk that has already been on the company’s radar.

Second, and in a related vein, for some areas there may be a need for more granularity than what appears in codes of conduct.  Examples include corruption and misuse of confidential information.  

Finally for each item on the list the assessment should be of both risks involving wrongdoing by the company but also including areas where the company is the victim and might discover that it has a cause of action against others, such as competitors.  Competition law may be a good topic in this regard.

Using the risk list

As noted above, the risk assessment process needs to involve conducting interviews of company personnel.

To that end, the company should distribute the draft risk list to those who will be interviewed.

Who should be involved in the process will, of course, vary by company.  However, at least in my experience, staff involved in controls – law, audit, finance, HR, procurement – tend to do better with providing risk assessment information and ideas than do business people. However business people may be more aware of what is actually happening in the field, and may surface business activities that were not known to control personnel and that may raise unexpected risks. 

What gets assessed

This is the heart of the risk assessment. It includes two types of analysis.

The first concerns the likelihood and impact of violations. It is, of course, quantitative information and is standard fare in risk assessments. In other words, how likely is it that a particular violation will occur, and what are the possible consequences if it does.  However, there is a risk here that busy managers will underrate both of these factors.  For example, while retaliation is a dangerous and prevalent risk, it is routinely downplayed by managers who think it “never happens here because we say we won’t tolerate it.” 

An example of the assessment process can be seen for conflicts of interest (COI), assessing what is the likelihood and impact of different possible COIs, e.g., hiring relatives in a different part of the company (by business line and/or geography).

A second level of analysis is qualitative. It is more complex than the quantitative type – and more judgment based.  It seeks to identify causes of risk and to use that information to identify areas for enhancement of mitigation.

For instance, are there parts of the company where particular risks are not sufficiently understood/appreciated? If so, should training and communications be enhanced?  

The same inquiry should be made with respect to other causes of risk – e.g., undue pressure, weak process controls, misaligned incentives – all on both an enterprise and granular level.

Interviewees should also be asked for identification of any risks that are not, but should be, on the list.

Finally, small companies looking for ideas on C&E program design, development and maintenance should consider using Joe Murphy’s excellent book on  501 Ideas Compliance Ethics Program, and the SCCE white paper, A Compliance & Ethics Program on a Dollar a Day.

Conflicts of interest in our Gilded Age

Writing about the COI scandal regarding Justice Clarence Thomas in the most recent issue of Ethics Megatrends Kirk O. Hanson – a long-time thought leader in the business ethics field – argues that we should expect to see tighter standards concerning the receipt by Supreme Court Justices of gifts, entertainment and hospitality. 

He writes: There are three reasons we must, and I predict will, tighten conflict of interest standards for all public officials and in all aspects of public life in the coming months and years.

The first is the stark disparity in income between a public official and the billionaire or other wealthy person. The rich in our new “Gilded Age” are able to confer benefits of great value to the public official simply by inviting them to join the host for an extravagant weekend at an estate or private retreat, or a plush vacation on a private yacht or by private aircraft. The long-held exemption granted to meals and recreation in one’s private home is a joke when the home is a Hawaii beach estate or mountain hunting lodge.

Hanson further notes: The second reason conflict of interest standards will be tightened is the breadth of interests any wealthy American now has. While Harlan Crow [the gift giver to Justice Thomas] may not have had a specific case before the Supreme Court, the court’s decisions can affect the billionaire’s interests in dozens of indirect ways.  The court’s current hostility to the regulatory process itself can be a windfall for almost any billionaire today.

The third reason we have to tighten conflict of interest standards is the hyper-partisan environment. In this environment, public distrust is rife and the image of billionaires entertaining public officials is toxic. We must retain broad confidence in the decisions of judges, legislators and other officials. Democracy depends on it. 

I agree with this post, and think it is important.

First, the disparity in income – all other things being equal – seems likely to contribute to wrongdoing for a host of reasons (such as jealousy or economic need).

Second, as a matter of simple math, the more complex an individual’s interests  (both economic and social) the greater the conflicts. And – although I don’t have statistics on this –  I believe the sheer volume of interests is growing.

Third, what Hanson calls the hyper-partisan environment is – sadly –   a major part of the mix, and will be for some time.

Finally, this post contains what can be seen as some interesting research leads for the right grad student.

The Fox News case: defamation as a compliance risk

On the eve of trial Dominion Voting Systems secured a settlement of $787,500,000 in its defamation suit against Fox News for Fox’s false statements that Dominion had engaged in election fraud during the 2020 presidential election. 

There is undoubtedly much to be said about the compliance and ethics failings that led to the settlement, but I would like to leave everything political to others (at least in this post), and consider the defamation risks that all companies should consider.

Here are some initial thoughts about compliance.

Defamation is generally not considered to be in the first tier of compliance risks for corporations, the way that corruption, antitrust and fraud tend to be. But second-tier risks can still be significant.

Some specific components of a defamation compliance program might include:

– Risk assessment. Consider what kind of communications your salespeople have about competitors. . Given the nature of the products and services that you sell and the ways you go to market does defamation seem reasonably likely?

– Policies. Consider whether defamation should be mentioned in the code of conduct, a departmental policy or something else.

Training. Consider who should get targeted training on defamation. Consider what if any enterprise-wide training should be deployed.

– Procedures. For high-risk areas, consider preapprovals of risky activity by the legal department or other control functions.

– Third parties. Consider whether dealings with third parties pose special C&E challenges and so should be focused on in the risk assessment.

There’s much more to be said about this topic but hopefully this post will help some companies get started.

Compliance Officers as “ministers for the future”

In The Ministry for the Future   science fiction writer Kim Stanley Robinson draws a truly harrowing picture of the cataclysmic harm that climate change could inflict on our planet in the not-so-distant future.

Might compliance and ethics (C&E) officers play a part in advocating for the future?

His tale is also about how a newly conceived UN ministry might try to save the day.  The ministry is tasked with advocating “for the world’s future generations of citizens, whose rights, as defined in the Universal Declaration of Human Rights, are as valid as our own…”

At the outset, I should stress that I’m not arguing that C&E officers in companies and other otherizations should become professional futurologists.  That would be impractical and undesirable for various reasons.

But there is a role for C&E officers to ensure that their company advocates for future generations.  That role begins with consideration of moral hazard.

Notwithstanding its name, the concept of moral hazard originally had little to do with morality. Rather, it referred to the phenomenon that providing insurance tended to promote risky behavior by insured parties. Subsequently, moral hazard has been applied to a wide range of circumstances where incentives encourage unduly risky conduct by shifting the impact of a bad decision to a party other than the decision-maker.  Much of the debate over COVID-19 has involved moral hazard issues.

Moral hazard is not the same as conflicts of interest (COIs) or corruption. COIs and corruption generally require a breach of a duty of loyalty, whereas moral hazard does not. But they all involve conflicting interests having an adverse effect on ethical decision making and are close enough to each other to be considered “cousins.”

Of course, the “mother of all” moral hazards is climate change.  Additionally, the field of Environmental Social and Corporate Governance is built, in part, on moral hazard considerations.

But there are many other situations where the future generations need to be protected. And advocating for such interests is a good role for C&E officers, in part because of their experience in dealing with COI and corruption.

For this reason, it makes sense to consider that the C&E officer’s role regarding the rights of future generations could be to:

– Identify the types or activities at their organization that could cause significant harm to future generations (i.e., a form of risk assessment). This is a function both of the inherent riskiness of the activities in question and also the lack of advocacy for future generations.

– Identify or propose appropriate mitigation measures. This would include some degree of setting standards and delivering training/communications, among other things.

– Report to appropriate parties in the company on the measures taken and to be taken.

This is, needless to say, very general and addressing the needs of the future effectively would mean different things for different organizations. But hopefully it is a nudge the right direction.

What are the ethical pitfalls of being a parent?

My latest column in Compliance & Ethics Professional

Asking a good question as a path to ethical conduct

by Jeffrey M. Kaplan

The late Nobel Laureate in physics Isidor I. Rabi once said: ”My mother made me a scientist without ever intending it. Every other Jewish mother in Brooklyn would ask her child after school: ‘So? Did you learn anything today?’ But not my mother. She always asked me a different question. ‘Izzy,’ she would say, ‘did you ask a good question today?’ That difference – asking good questions – made me become a scientist!”

Employment-related questions

In The Road to Character, David Brooks notes that he once met an employer who asked every job applicant: “Describe a time when you told the truth and it hurt you.’”  This is, to my mind, a very good C&E-related question, as it can help identify those who practice, as well as preach, ethical behavior. It also reminds those asking the questions about the importance of C&E to the organization.  

A frequently used variation on this question is: “Describe an ethical challenge you’ve faced and how you dealt with it.”’  

And another approach is to present the interviewee with a hypothetical ethics quandary and to ask how she would deal with it.

(Of course in doing this the questioner should make it clear that she is not asking for confidential information about any other company.) 

This practice has several benefits:

– It helps the employer determine whether ethics is a strength or weakness for the candidate, which could impact the decision of whether to hire her.

– It sends a message to employment candidates that C&E is important to the company, which hopefully they will remember if they get the job.

– It sends a message within the company generally – and particularly to those who conduct the interviews – that C&E is important to the company.

I also believe the inquiry should be a two-way street, meaning employees should also ask C&E questions of their prospective employers.  This might be a question about the C&E program generally: Is it strong?  Is the tone at the top healthy?  Or how does the workforce generally view C&E?

Another approach is to ask prospective employees about risks of misconduct in the company’s industry.  Even where a company seems ethical, one might want to do extra due diligence if the company’s competitors as well as others with whom they deal (customers, suppliers and others)  are routinely engaging in inappropriate activities.

Also, the questions – whether posed by the candidate or employer – should vary by position, at least for higher-ups.  Certainly this would be true with interviews of board members, and maybe others near “the top.”

Finally, there are many other topics the candidates might ask about but one should not be seen as conducting an investigation. A balance should be struck.


Of course, employment interviews are not the only setting in which it is important to ask good C&E-related questions. Another is employee engagement surveys, in which one commonly sees questions about relative comfort in reporting violations and perceptions of the ethicality of the organization’s management.

These are good topics for questions, and I think every company that fields an employee engagement survey should use them. But my favorite question of this sort  comes from a survey conducted by the Economist which measured respondents’ perception of the need for ethical flexibility to advance one’s career within an organization.  What I particularly like about this question is the focus on flexibility – which may be easier for respondents to admit to than asking outright about their engaging in ethical transgressions.


Yet another setting for asking C&E questions is the compliance audit. While most of what is done in C&E audits revolves around document reviews, interviewing employees can be part of the picture as well. Among the topics that should be considered for such questioning: Does the interviewee think that the company’s training is effective? In addition to producing useful information about training itself, posing this question may make it easier for employees to identify concerns about risks and actual violations. I.e., like the question above about ethical “flexibility,” questions about C&E training may offer a “soft” way of approaching a “hard” topic.

Moreover, questions about training can be asked not only in audits but as part of (and typically at the end of) the training itself.  One possibility here is to ask whether after the training the employee now feels that she understands how the company’s compliance program applies to her job – again, a variation on the “soft” question approach.

Exit interviews

Finding the right question can also be important in developing a C&E-component to a company’s exit interview template. Options include general culture questions, such as how do you rate our company as a values and ethics driven employer – with an opportunity to say why; specific questions about key aspects of the program, such as whether the departing employee understood all the options for reporting concerns; and, of course, asking whether the employee was aware of any unreported concerns.

I should stress that this post is not intended to cover the whole world of asking C&E-related questions.  Among the areas not addressed: the importance of Q&A in codes of conduct and approaches to asking questions in risk assessments.

Finally, to an extraordinary degree, boards of directors can have the power to impact a C&E program simply by asking the right questions. Here (on page 2 of the PDF) is an article which offers not actual questions but topics that boards can turn into questions in overseeing their respective companies’ C&E programs.