Conflict of Interest Blog

Training managers on conflicts of interest

Conflict of interest certifications: Part One – Who and How

“There’s one way to find out if a man is honest – ask him.  If he says, ‘Yes,’ you know he is a crook.” – Groucho Marx

There is, of course, something to this bit of Marxist logic. But, on balance, the benefits of “asking” in a C&E program can be considerable, and one asking-based tool that has existed for many years is the certification.

Should an organization require employees to execute on a periodic basis certifications regarding actual or apparent COIs?  If so, what should be the content of the certifications? And should an entire employee population receive them?

While not advisable for every entity, this type of process can, I believe, be useful for reminding employees (in a way that a terse general code of conduct certification does not do) of the organization’s specific COI standards and requirements.  Certifications indeed often will surface  COIs that have not otherwise arisen through other C&E processes. 

While they might elicit denials regarding truly illicit behavior (Groucho’s thesis), that is less true of many other, less nefarious sorts of COIs.  As one reader of the Blog wrote to us, “employees are often confused about COIs and don’t think they have one when they do or at least when there is an appearance of a possible conflict. [Certifications] seem to be a good way to help employees focus on specific activities that can present a conflict.”

However, certifications are clearly not for everyone. Whether an organization should undertake this sort of effort – which can require a substantial time commitment – depends on a variety of factors.  In effect, this is a form of risk assessment, which should typically include the following considerations:

Likelihood:  How likely is the process to uncover an otherwise unidentified COI?  And, how likely is a certification to prevent an otherwise undeterred COI?

Impact:  How harmful could such a COI be – meaning one that would likely be deterred or detected and addressed by the certification process but not other ways?

Other benefits.  Are there other high-risk activities (e.g., “sensitive payments,” contacts with competitors) that should be added to a COI certification, and, if so, what does a likelihood and impact assessment of those topics add to the analysis?

Capacity:  Does your organization have the resources to follow-up on all “yes” answers or failures to respond?  (This is a deal breaker for many companies.)

Finally, this analysis should not necessarily be performed on an all-or-nothing basis.  Even if it does not make sense to require all employees to execute certifications – as, in my experience, is frequently the case – there may still be reason to do so for managers and others in sensitive positions (e.g., procurement; “control” functions – such as law, finance, human resources and audit; and, in some organizations, sales).

Conflict of Interest Certifications: Part Two – Content

In a recent post we discussed the “why” and “who” of COI certifications.  Below, we examine what is typically covered by a COI certification (the “what”).

First, the basics tend to be questions around the following issues:

– Employment (of oneself or family members) with or consulting for an entity doing or seeking to do business with or competing against the company.

– Holding a financial interest (again, involving oneself or family members) in the above-described types of organizations.

– Employment of relatives at the company.

– Gifts, entertainment and travel involving any person or entity doing or seeking to do business with the company (including loans involving such persons or entities).

Sometimes these questions are asked broadly, other times in terms of the employee’s area of responsibility (e.g., do you have any procurement- or management-related duties concerning any entity in which you or a family member have an ownership interest?)

Second, less frequently one also sees questions concerning:

– Any other outside employment or consulting (i.e., regardless of whether it involves a competitor, supplier, etc.)

– Service on a board (of directors or advisors).

– Anti-corruption requirements – questions involving employees of governmental entities and, less commonly, union officials.

– Corporate opportunities.

– Purchases, sales or leases of property involving the company.

– Holding government office (presumably on a part-time basis) – which is generally relevant only to organizations that have significant dealings with a large number of local governmental bodies, like energy utilities; and

One should ask, in substance:  Do you have any other relationships, etc., that might reasonably be regarded as creating an actual or apparent conflict of interest with your responsibilities to the company?

Finally, note that this post is not offered as a comprehensive list of COIs. But it will hopefully be helpful to some of those in the C&E field looking to move forward in this ever-challenging area.

Expanding the mandate of trust

Should compliance officers be optimists?

Optimism generally correlates with success in the world of work.  As noted in Canadian Lawyer Magazine, “Martin Seligman of the University of Pennsylvania – who studies positive psychology – found that most optimists do better in life than merited by their talents alone.”

This finding apparently applies across a wide range of professions.  But with lawyers it was not the case.

“Seligman’s survey of law students found that pessimists got better grades, were more likely to make law review and got better job offers. ‘In law,’ he said, ‘pessimism is considered prudent.’”

This would, in my view, likely not be a surprise to many people. But can something similar about pessimism be said for the compliance & ethics (“C&E”) field?  Does pessimism in the C&E field correlate with prudence (or any other virtue, for that matter)?  

I am not aware of any study like Seligman’s regarding pessimism and the C&E perspective.  However, I believe that having a pessimistic perspective can be important to achieving and maintaining C&E program efficacy. 

This is particularly true with C&E risk assessment.  Among other things, having an appropriately pessimistic view can be helpful in identifying risks that might be missed by a more positive thinking C&E professional. Indeed, C&E risk assessment involves identifying the various ways misconduct can occur and the reasons behind them, making a pessimistic perspective – at least for this exercise – essential.

The benefit of a pessimistic view is also, I believe, important with respect to C&E board/senior management oversight, communications, monitoring, audits and investigations, among other areas.  With each of these, having a suitably dark view of risk can help make those involved in C&E work be more effective than they might otherwise be.

But optimism does have its place in the compliance realm as well.  That is, so much of C&E is relatively new and untested, and an optimistic view may be necessary to secure buy-in to go forward with necessary but difficult measures.

Finally, my own perspective is that generally one needs some of both views.  And, in that connection, I have tried to live by the timeless guidance: one should be cynical but endlessly optimistic.

Reprinted with permission from , Compliance and Ethics:  Ideas & Answers

2024 Behavioral Ethics & Compliance Index

Jeffrey M. Kaplan

While in the more than twelve years of its existence the Conflict of Interest Blog has been devoted primarily to examining traditional conflicts of interest, it has also run quite a few posts on what behavioral ethics might mean for corporate compliance and ethics programs. Below is an updated version of a topical index to these latter posts.  Note that to keep this list to a reasonable length I have put each post under only one topic, but many in fact relate to multiple topics (particularly the risk assessment and communication ones). Finally, note that I have added “moral hazard” to the index. While not the same thing as behavioral ethics (moral hazard is mostly rooted in economics whereas behavioral ethics is rooted mostly in psychology), there is nonetheless substantial overlap between the two. I expect we will hear more about the intersection of these areas in the future.

INTRODUCTION AND OVERVIEW Business ethics research for your whole company (with Jon Haidt) Overview of the need for behavioral ethics and compliance  – Behavioral ethics and compliance: strong and specific medicine Behavioral C&E and its limits Another piece on limits Behavioral compliance: the will and the way – Behavioral ethics: back to school edition – A valuable behavioral ethics and compliance resource – Strengthening your C&E program through behavioral ethics –  Ethics made easy   Have you checked your behavioral externalities? – A behavioral ethics and compliance primer  Happy anniversary, Corporate Sentencing Guidelines.  

Risk assessment –  Being rushed as a risk –  Too big for ethical failure? – “Inner controls” – Is the Road to Risk Paved with Good Intentions? – Slippery slopes – Senior managers – Long-term relationships – How does your compliance and ethics program deal with “conformity bias”?  – Money and morals: Can behavioral ethics help “Mister Green” behave himself?  – Risk assessment and “morality science”  Advanced tone at the top  Sweating the small stuff – The risk of good intentions

Communications and training – “Point of risk” compliance –  Publishing annual C&E reports – Behavioral ethics and just-in-time communications – Values, culture and effective compliance communications – Behavioral ethics teaching and training – Moral intuitionism and ethics training – Reverse behavioral ethics – The shockingly low price of virtue – Imagine the real – Behavioral ethics training for managers  

Assessments and audits – Behavioral ethics program assessments – See later post for more on assessments

Positioning the C&E office – What can be done about “framing” risks – Compliance & ethics officers in the realm of bias  Behavioral ethics, the board and C&E officers  Lawyers as compliance officers: a behavioral ethics perspective  

Accountability – Behavioral Ethics and Management Accountability for Compliance and Ethics Failures – Redrawing corporate fault lines using behavioral ethics The “inner voice” telling us that someone may be watching –  The Wells Fargo case and behavioral ethics  

Whistle-blowing – “Include me out: whistle-blowing and the larger loyalty” – Behavioral Ethics and Whistle-Blowing

Incentives/personnel measures – See also posts on moral hazard below

Board oversight of compliance – Behavioral ethics and C-Suite behavior – Behavioral ethics and compliance: what the board of directors should ask   

Corporate culture – Is Wall Street a bad ethical neighborhood? – Too close to the line: a convergence of culture, law and behavioral ethics –  Ethical culture and ethical instincts  

Values-based approach to C&E  A core for our values based behavioral age – Values, structural compliance, behavioral ethics …and Dilbert  

Responding to violations – Exemplary ethical recoveries

Conflicts of interest/corruption – Does disclosure really mitigate conflicts of interest? – Disclosure and COIs (Part Two) – Other people’s COI standards – Gifts, entertainment and “soft-core” corruption – The science of disclosure gets more interesting – and useful for C&E programs – Gamblers, strippers, loss aversion and conflicts of interest – COIs and “magical thinking” – Inherent conflicts of interest – Inherent anti-conflicts of interest – Conflict of interest? Who decides? – Specialty bias – Disclosure’s two-edged sword – Nonmonetary conflicts of interest – Charitable contributions and behavioral ethics – More on conflicts of interest disclosure

Insider trading – Insider trading, behavioral ethics and effective “inner controls”  – Insider trading, private corruption and behavioral ethics  

Legal ethics – Using behavioral ethics to reduce legal ethics risks  

PROGRAM SCOPE                                    

OTHER POSTS ABOUT BEHAVIORAL ETHICS AND COMPLIANCE – New proof that good ethics is good business – How ethically confident should we be? – An ethical duty of open-mindedness? – How many ways can behavioral ethics improve compliance? – Meet “Homo Duplex” – a new ethics super-hero? – Behavioral ethics and reality-based law – Was the Grand Inquisitor right (about compliance)? – Is ethics being short-changed by compliance?

Program Assessment and risk assessment  


Standards for waivers of conflicts of interest

By Jeffrey M. Kaplan

While some organizations bar conflicts of interest in all cases, many opt for allowing COIs to exist where appropriate. But how should appropriate be defined for these purposes?

One formulation that I have recommended to various organizations:

A COI may be approved only where doing so would clearly be in the best interest of the company.

Two comments about this.

First, the word “clearly” is intended to require a showing greater than a mere preponderance of the relevant facts. Of course, it is not as high as “beyond a reasonable doubt,” which, in my view, would be widely seen as overkill in this setting.  But, it is still a high standard and presumably would require rejection of any proposed COI where there was a lack of genuine clarity on this issue.  Indeed, given that COI problems often involve lack of clarity, the use of the word in a COI policy should itself be helpful.

Second, the “best interest of the company” should be read broadly. It requires more than an absence of corruption or other outright misconduct. Rather, it also mandates consideration of how the COI at issue could impact the ethical culture of the organization and related matters.

(For more on COIs and harm see this piece from the FCPA Blog.)

But there are other dimensions to this area – consideration of the interests of the employee and the potential harm caused by the conflict.

With respect to the latter consideration (potential harm), we note that the position of the employee within the organization and the particular type of conflict at issue are important in determining the potential harm to the company from a conflict. For example, when the head of Procurement wants to engage a supplier that is owned by her spouse, there is much greater likelihood of harm than where the supplier’s spouse is a junior sales associate at the company.

As described by Joe Murphy, at least to challenge conventional thinking: “It is fair to make a big distinction between workers and managers/executives. I first saw this done in Europe, particularly in Germany.  For workers, the company does not own them.  Why does it have a right to tell them what to do, other than how to do their jobs while working?   Executives, on the other hand, have more power that can be abused, and they are getting more from the company.”

Joe suggests a standard that ratchets up the higher the level of employee in the company.  A  higher standard may also be appropriate for all employees in particular functions, such as in procurement, E&C, and the legal department.

The second consideration – the interests of the employee – is also an important factor.  As Joe colorfully notes, “Why should a company control the employee, or have a say in anything they do off the job?  From that perspective, it is odd that we consider loyalty to one employer as almost sacred, on a quasi-religious level.  But why should it be, at least for the workers?” Indeed, if the position of the worker means that the conflict would not create harm, or that disclosure and controls are sufficient, then permitting the conflict (with controls) is likely the better course.  As Joe suggests, where an employee does not have real power to influence relevant decision making, it does not make sense “to treat companies as if they were sacred entities to whom total, all-consuming loyalty is owed by all who come in contact with them. Employees do not sell their souls and do not give up all other interests.” 

Does the Supreme Court think that ethics is only for the “little people”?

The late Leona Helmsley, a controversial real estate developer, is reported to have said that “only the little people pay taxes.”  One might ask if the US Supreme Court has a similar view of ethics.

Reports in ProPublica this year detailed a pattern of behavior by Supreme Court justices that legal ethics experts said was far outside the norms of conduct for other federal judges. “ProPublica disclosed that Justice Clarence Thomas has accepted undisclosed luxury travel from Dallas billionaire Harlan Crow and a coterie of other ultrawealthy men for decades. Crow purchased Thomas’ mother’s home and paid private school tuition for a relative Thomas was raising as his son. Thomas also spoke at donor events for the Koch network, the powerful conservative activist group. Separately, ProPublica revealed that Justice Samuel Alito accepted a private jet trip to Alaska from a hedge fund billionaire and did not recuse himself when that billionaire later had a case before the court…Reporting from other outlets, including The Washington Post and The Associated Press, has added to the picture. The New York Times revealed that Thomas received a loan from a wealthy friend to purchase an expensive RV. A Senate investigation later found Thomas did not repay the loan in full.”

These and other disclosures led to considerable pressure to strengthen the Code of Conduct applicable to the members of the Court. Earlier this month the Court issued a code which sought to bridge what might be considered the ethics gap.

But did it do that?              

As further noted in ProPublica: “The code does not specify who, if anyone, could determine whether the rules had been violated. The new Supreme Court code’s lack of any apparent enforcement process is ‘the elephant in the room,’ said Stephen Vladeck, a law professor at the University of Texas who studies the court.” “Even the most stringent and aggressive ethics rules don’t mean all that much if there’s no mechanism for enforcing them.”

This is different from the enforcement system applied to lower court judges “who are subject to oversight by panels of other judges, who review allegations of misconduct.”

Basic legal and ethics standards tend, as a general matter, to support the notion that powerful individuals and organizations should be the subject of more oversight than “the little people” – not less.

The approach taken by the Supreme Court weakens such standards and promotes wrongdoing – not only conflicts-related but also a host of other sorts of misconduct. In my view it is very important that such standards be enhanced to be worthy of the “big people” to whom they apply.

Assessing the C&E Investigations Process

by Rebecca Walker and Jeff Kaplan

Investigations are one of the more difficult and riskier activities of a C&E program. Poorly conducted investigations can create serious legal risks for an organization. In addition, the mishandling of investigations can damage the way in which employees perceive C&E programs, in particular where the report was initially made to the C&E department, through a hotline or otherwise. The mishandling of C&E investigations can corrode the sense of organizational justice and the culture of ethics and compliance at an organization. In short, C&E-related investigations are a serious business, and assessing them is therefore an important component of assessing a C&E program.

Assessing an investigations process is often complicated by the fact that investigations at many organizations are conducted by a number of functions, and privilege concerns can further complicate any review. In addition, there are a large number of facets of the investigations process that must be reviewed in order comprehensively to assess that process, which further increases the level of complexity. When reviewing investigations procedures, some of the more helpful areas of inquiry include the following:

  • Are there written guidelines governing how investigations will be assigned? Are they logical and appropriate? Are they followed in practice?
  • Is there a written investigations protocol, and does it include those elements that are necessary to facilitate robust investigations? Some of the elements that are typically included in investigations manuals include…

The Value of Starting Simple: A Risk Assessment Spreadsheet

by Jeff Kaplan

For those just getting started with compliance risk assessments, the KISS approach can be invaluable.  And by KISS, I mean “Keep it Simple with Spreadsheets.”  Spreadsheets are not mandatory in conducting risk assessments, of course.  But for the beginners in this area, they can be exceedingly useful.   

Consider the simple model below – along with associated commentary. Something like the following can be a helpful tool in creating or improving your risk assessment program.

Risk areas

The risk areas to be assessed generally include:

  • substantive areas of criminal law risk, such as corruption, antitrust, export control/trade, insider trading/confidential information, and fraud,
  • ethical, as well as legal, areas of risk, e.g., conflicts of interest,
  • in some instances, civil law, e.g., employment law, defamation.

Additionally, some risk areas should be broken down into sub-risk areas, e.g., bribery of government officials as well as commercial bribery.

Risk areas can often be excluded from the compliance risk assessment process if they have been the subject of other risk assessments or do not appear to represent significant legal or ethical peril (de minimis risks). An example of the latter is copyright risks for most organizations (although copyright can be a significant risk area for some industries, such as publishing or entertainment).

Risk scenarios

Risk scenarios are scenarios of the most foreseeable and significant ways in which relevant law/ethical standards could be violated on a line or staff unit basis.

For instance, it is not necessarily sufficient to identify a company as having a significant fraud risk without identifying the type of fraud at issue, e.g., consumer fraud, financial risk, tax fraud, etc.

Mitigation – both existing and recommended

Risk mitigation generally includes written standards, training, other communication, policies, procedures, assigned accountability, internal controls, auditing/monitoring and any other form of mitigation that varies significantly by risk area. Generally speaking, a more detailed discussion of existing controls will assist in yielding more helpful recommendations as to additional mitigation to consider.  For example, rather than simply listing “training” as a control for a given risk area, it is helpful to discuss the type of training, how recently and how frequently it is conducted, for what audience, and even relevant feedback on effectiveness.

Risk mitigation for a risk assessment generally does not encompass controls such as the helpline, investigations, discipline, incentives and background checks, at least as a general matter.  This is because those controls are operative with respect to all risk areas and do not generally control for particular risks.  These areas should, of course, be subject to periodic assessment, but those efforts will likely be more in the nature of a program assessment than a risk assessment.

Finally, the breadth and depth of risk assessment for any given area will generally depend on various factors.  E.g., if a risk assessment is being conducted following a violation at a company, that may suggest the need for a broader and deeper assessment than a risk assessment being conducted on a routine basis.

Combining Conflict of Interest Program and Risk Assessments

COI risk assessments and program assessments are two different things. But they can overlap to some degree and so it makes sense to consider how/how much they should fit under “one roof.” This is particularly so when both procedures are based principally on employee interviews, with some danger of duplication.

Beyond this, any risk assessment needs to consider the efficacy of mitigation (i.e., a program assessment component) and any program assessment needs to take into account various risk factors. So, in determining how/how much the two processes can be combined, it makes sense to start with an analysis of a company’s need for specific information regarding each.

Risk assessments

Conflicts of interest have long been seen as an area of significant risk. But that does not always translate into the conduct of meaningful risk assessments.

Part of the reason for this disconnect is a widespread belief that COI risks are already well known. Certainly every C&E professional knows that the major types of COI for most business organizations involve employees a) having financial ties to competitors and third parties that do or seek to do business with the organization, and b) hiring family and friends into the organization.  Similarly, the basics of the other two major COI categories – organizational and gatekeeper COIs – are generally understood by C&E professionals working in fields where risks of such conflicts are significant.

But understanding the general risks regarding COI may not be enough to generate the type of information that an effective risk assessment process requires, which is information that will help design or modify all the risk-sensitive elements of a program to mitigate COIs. These are policies, training  and other communications,  auditing and accountability. (Note the other main program elements – e.g., helplines, investigations,  incentives, discipline  – are obviously important too, but tend not to vary by risk area.)

Each assessment will vary in substance. But here are some areas of inquiry that may be useful to companies just starting out.

– Any relevant COI history at the organization – violations, near misses and inquiries.

– Any relevant COI history at competitors or otherwise comparable organizations, to the extent known.

– Same inquiry regarding customers, suppliers and other third parties with which one does business.

– COI standards that are not fully understood or appreciated.

– Weakness in “inner controls” (where – due to factors described in behavioral ethics research – moral constraints against wrongdoing are of diminished efficacy).

– Instances or prospects of prosocial COIs (“right v. right” risks).

– Industry-related risks.

– Cultural-related factors.

– Efficacy of process controls (particularly around COI disclosure/approval regimes).  This is an area where the  overlap between the two types of assessment is particularly strong.

Note that in some instances the inquiry can be done on an enterprise-wide basis but for others it should be granular (e.g., region, business line, function) too.

Program assessments

C&E program assessments sometimes have a general scope and sometimes are focused on a single substantive risk area – such as corruption or competition law. (Still others have elements of both approaches, i.e., general assessments and deep dives.)

For some companies it makes sense to do such a targeted/deep dive assessment for conflicts of interests. This is particularly so for those responding to a significant COI violation or “near miss,” but it is also the case where the likelihood of COI risks is heightened due to geographic, organizational or industry cultural considerations.

More generally, what does one look for in a COI program assessment? Hopefully, the following questions/comments could be helpful to some organizations seeking to determine whether/how to go down this road – and if so, how far.

– Risk Assessment. Has the company assessed COI risk? If so, has it done so in a documented way? Has it used the results of the assessment(s) in designing and implementing other aspects of the COI program? Beyond this, does the company have a good sense of its areas of jeopardy from what might be called “the risk assessment of everyday life”?

– Governance. Have the respective COI oversight roles of the board of directors and senior management been formalized? Do they receive appropriate reports of COI program activity? Are there sufficient escalation provisions regarding COIs?

– Culture. Are COI rules truly followed or are there double standards? What is the sense of “organizational justice” vis a vis COIs? Same question re: the “tone at the top.” Do employees – particularly senior ones –  understand the harm that COIs could cause the company?

– Policies. Presumably nearly every business organization has a COI provision in its code of conduct. But there are also many that need but do not have a standalone policy as well. Is your company in this category? Also, is your COI policy well known and readily accessible? Is it reviewed periodically by the C&E officer?

– Procedures. Are disclosure and related COI procedures clear, easy to use and well known? Do those tasked with reviewing COIs have enough knowledge and independence for the job? Are the reviews sufficiently documented?

– Training/other communication. Is there enough training given relevant COI risks (which tend to be high for senior managers/board members and in certain functions, like procurement)? Is training reinforced through other communications, particularly from senior managers?  Does the training/other communication use the learning from “actual cases”?

– Auditing and monitoring. Are the COI disclosure practice and other aspects of the program audited? Same question for monitoring (e.g., conditionally approved COIs).

– Responding to allegations/request for guidance. Do employees feel comfortable seeking guidance on possible COIs? Are investigations truly independent? Are violations of the COI policy treated with sufficient seriousness? Does the company conduct a “lessons learned” analysis of significant COI failures?

Of course, there is much more that could be included in a COI program assessment (and I encourage you to browse the blog for ideas in this regard). But hopefully the above will be a useful foundation for starting.

The same point should be made with respect to risk assessments – what I have provided above is a starter list – not the last word.