Conflict of Interest Blog

More on reverse conflicts of interest

Consider the following (disguised) case, from some years ago…

A company enters into a complex business arrangement where one of its managers has a relationship with the other entity.  The relationship is fully disclosed and approved pursuant to company policy on COI waivers.  After some  time, the arrangement runs into business difficulties.  Although the company has lived up to its contractual obligations, the other entity seems to feel that the company should have done more to make the arrangement work.  Based partly on that, some employees of the company question whether that entity had been promised more than was disclosed by the manager, causing the employees to take various defensive measures which put further strain on the arrangement. Ultimately, the arrangement collapses.

As a general matter, if properly disclosed and approved, some COIs can be waived (although some should not be permitted under any circumstances).  Such approvals can be either a true “green light” or subject to being managed on an ongoing basis, i.e., a “yellow light.”

Like many C&E-related determinations, this type of decision tends to be made based on a balancing of costs versus benefits (hopefully, with a reasonably high burden of showing that the latter outweigh the former).

The case above illustrates what I believe is a factor that should generally be considered by companies deciding whether to grant a COI waiver: whether there will be a reasonable possibility of over-compensating for the COI in ways that are harmful to the company.  The potential for such “reverse COIs” could turn on many factors – perhaps most significantly, on the extent to which the contemplated relationship must rely on trust.  (That is, the greater the need for trust, the greater the possibility of suspicion – at least as a general matter.)

I cannot say that I have seen many reverse COIs. But I did find noteworthy the following discussion: “Conflict of Interest Disclosure With High Quality Advice: The Disclosure Penalty and the Altruistic Signal” by Sunita Sah of the Johnson Graduate School of Management, Cornell University and Daniel Feiler of the Tuck School of Business at Dartmouth:

“In this paper, we explore whether laws requiring conflict of interest disclosure damage the advisor-advisee relationship more than is intended. Across six experiments (N = 1,766), we examine situations in which advisors give high quality advice but still must disclose a conflict of interest. As predicted, such disclosures yield negative attributions regarding the advisor’s character, even when advice is of high quality (and advisees have full information to judge advice quality), and even when the advisor’s professional responsibility and self-interest are aligned, or the advice runs counter to the advisor’s self-interest. This disclosure penalty decreases trust in honest advisors…” (emphasis added).

In short, a reverse COI experiment… of sorts.

Note that I am not suggesting that the prospect of a reverse COI should have significant ramifications for a typical company’s C&E program.

But the case described at the beginning of this post is unlikely to be unique in relevant part.

 Moreover, as time goes on: 

* The economy will become more complex and with it the sheer number of COIs should become greater too (what might be considered gross COIs).

*  Due to legal, ethical and professional developments COIs are more likely to be recognized (wrongly or not) (net COIs).

So, companies should consider some risk assessment and education around this area. 

A “moral hazard” moment for the Department of Justice?

Last week Deputy Attorney General Lisa Monaco spoke at an ABA conference on the federal prosecution of corporations. Among the new or enhanced policies in this area that she addressed was promoting the use of incentives in compliance programs.

“Our goal is simple: to shift the burden of corporate wrongdoing away from shareholders, who frequently play no role in the misconduct, onto those directly responsible. We intend to encourage companies who do not already factor compliance into compensation to retool their programs and get ahead of the curve.”

This and other recent Justice Department speeches represent a major development for the C&E world. 

But whether it lives up to its promise may require  planting deep roots in developing and implementing the Justice’s Department’s compensation-related  expectations. This won’t be easy. To succeed it may be useful to apply a “moral hazard” framework.

By way of background, “moral hazard” exists where there is a misalignment of incentives between those with a capacity to create risks and those likely to bear the costs of such risks.  It is precisely what Monaco is concerned about.

What would such an approach entail?

First and foremost is risk assessment.  The risk assessment component of moral hazard should include financial incentives of the sort, (e.g., salary, bonus, etc.) likely to be reviewed by Justice. This is pretty clear cut – at least in theory.

Second, the risk assessment should also include non-financial moral hazard incentives, including reputational benefits. It is obviously tricky but important, at least at some companies.

Third, key personnel should be trained on identifying and addressing moral hazards. Included here are HR, finance, risk, law and various members of management.  This can be done as part of broader training.

Fourth, audit and C&E should develop procedures for assessing compliance in this area. Included here are questions in culture surveys.

Fifth, to the extent possible personnel evaluations should include moral hazard risk. But for some companies this might be a bridge too far.

Indeed, generally I am not saying that  all organizations need to engage in a full- fledged version of each of these steps. That would indeed be overkill for many. But all organizations should at least consider generally what their moral hazard C&E needs are and should respond appropriately.

Are best practices good for compliance ?

In Copycat Compliance and the Ironies of “Best Practice”

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4089806

William R. Heaston of the Wharton School at the University of Pennsylvania argues:  

For too long, corporate compliance “best practices” have been hiding plain sight. While they are readily invoked, compliance scholars have yet to examine them in any depth. This Comment provides a corrective, arguing that a confluence of inter- and extra-organizational forces drive in many firms to engage in copycat compliance whereby they mimic other firms’ “best practice” compliance structures. This tendency reveals two potentially problematic ironies about so-called “best practices” in the corporate compliance domain. First, they tend to reflect common practices rather than practices that are, in fact, “best.” Second, a formalistic focus on copying common practices may well undercut some of the most important or “best of the best” practices in compliance management—the promotion of ethical behavior within corporations and the customization of compliance structures so that they mesh with prevailing organizational cultures. In light of these ironies, this Comment proposes a conceptual framework that may provide a basis for identifying more fruitful types of convergence on common compliance best practices. Such best practices would trade rote mimicry for a more functional approach that permits greater variation in compliance structures and processes to suit the particular operational, cultural, and ethical needs of implementing firm.

(Note that Heaston’s conceptual framework is too complex to cover in this short blog. I encourage you to read the piece in its entirety.)

Based on what I have seen in my 35 years working in the  compliance and ethics field I tend to agree that there is too much rote activity when it comes to designing and implementing compliance programs.

I also believe what this problem is indeed likely to be remedied over the course of time as enforcement personnel and other key players in the field become more sophisticated “consumers” of compliance.   

This is true of many C&E functions, but particularly so regarding risk assessment/management.  Unlike many other parts of a compliance program risk assessment can leave a program with “nowhere to hide,’ when it tries to demonstrate that  it has implemented all or part of a “best practice” program of the like.

The full promise of compliance programs

My most recent column in Compliance & Ethics Professional
http://bit.ly/3Y6Ao66

A terrific alliance in the C&E space

Yesterday Kaplan & Walker LLP sent out this notice to friends and colleagues:

Waiving conflicts of interest: whether, when, how

A well-trod hypothetical case.

The head of a company’s regional office is putting on a reception for its customers. She believes that the best vendor (in terms of price and quality) is a caterer owned by her brother. Would it be a conflict of interest (“COI”) to give him the business?

Two approaches to COIs

Certain areas of law and ethics lend themselves to a black-and-white enforcement approach. These are many of these areas – e.g., fraud, corruption and antitrust laws. But conflict of interest (“COI”) is generally not one of them.

That is, while some organizations bar COIs in all instances many others opt for allowing COIs to exist where appropriate.

What do we mean by appropriate?

A company should consider requiring that a COI waiver (whether it is called waiver or something else) be allowed only where doing so would clearly be in the best interest of the company.

The use of “clearly” is intended to require a showing greater than a mere preponderance of the relevant facts. Of course, it is not as high a standard as “beyond a reasonable doubt,” which, in my view, would be widely seen as overkill in this setting.

But it is still a high standard and presumably would require rejection of any proposed COI where there was a lack of genuine clarity on this issue.  Indeed, given that COI problems often involve lack of clarity, the use of the word “clearly” in a COI policy should itself be helpful.

Whose best interest?

The mandate concerning “best interest of the company” should be read broadly. It requires more than an absence of corruption or other outright misconduct.

Rather, it also specifies consideration of how the COI at issue could impact the ethical culture of the company.    That is, the process should assess how employees would likely be affected if the vendor was hired. The same is true of the impact on the vendor’s competitors.

Procedural component

Finally, there is the procedural component.

In brief, that those deciding whether to allow a COI are not themselves conflicted. (This means you regional officer.)

This is a complex topic that will be the subject for another post.

The company should also audit and monitor COI compliance.

Conflict of interest program assessments

Compliance program assessments come in all shapes and sizes.   For some – but not all – organizations it may make considerable sense to conduct a general program assessment.  For others targeted deep dive/program assessments may be more appropriate – particularly in the area of conflict of interest (“COI”).

What does one look for in a COI program assessment? Hopefully, the following questions/comments could be helpful to some organizations seeking to determine whether/how to go down this road – and if so, how far.

– Risk Assessment. Has the company assessed COI risk? If so, has it done this in a documented way? Has it used the results of the assessment(s) in designing and implementing other aspects of the COI program? Beyond this, does the company have a good sense of its areas of jeopardy from what might be called “the risk assessment of everyday life”?

– Governance. Have the respective COI oversight roles of the board of directors and senior management been formalized? Do they receive appropriate reports of COI program activity? Are there sufficient escalation provisions regarding COIs? Is there sufficient compliance for projects?

– Culture. Are COI rules truly followed or are there double standards? What is the sense of “organizational justice” vis a vis COIs? Same question re: the “tone at the top.” Do employees – particularly senior ones – understand the harm that COIs could cause the company?

– Policies. Presumably nearly every business organization has a COI provision in its code of conduct. But there are also many that need but do not have a standalone policy as well. Is your company in this category? Also, is your COI policy well known and readily accessible? Is it reviewed periodically by the C&E officer?

– Procedures. Are disclosure and related COI procedures clear, easy to use and well known? Do those tasked with reviewing COIs have enough knowledge and independence for the job? Are the reviews sufficiently documented?

– Training/other communication. Is there enough training given relevant COI risks (which tend to be high for senior managers/board members and in certain functions, like procurement)? Is training reinforced through other communications, particularly from senior managers?  Does the training/other communication use the learning from “actual cases”?

– Auditing and monitoring. Are the COI disclosure practice and other aspects of the program audited? Same question for monitoring (e.g., conditionally approved COIs).

– Responding to allegations/request for guidance. Do employees feel comfortable seeking guidance on possible COIs? Are investigations truly independent? Are violations of the COI policy treated with sufficient seriousness? Does the company conduct a “lessons learned” analysis of significant COI failures?

Of course, there is much more that could be included in a COI program assessment (and I encourage you to browse the blog for ideas in this regard). But hopefully the above will be a useful foundation for starting.

.

Compliance Incentives, Risk Assessment and Moral Hazard

Compliance Incentives, Risk Assessment and Moral Hazard

“Moral hazard” exists where there is a misalignment of incentives between those with a capacity to create risks and those likely to bear the costs of such risks. This is a broad concept and should not be limited to compliance and ethics (C&E). But C&E professionals need to understand moral hazard and deal with it using the tools of their trade.

More specifically, moral hazard presents significant specific challenges to promoting C&E. That is, the law (most notably US Justice Department policy) provides for large fines for organizations convicted of federal offenses, but also provides that those who bear the brunt of such punishment (mostly the shareholders) are often different from the individuals who benefit from the wrongdoing in question (usually the executives or other high-ranking personnel).

Substantively this is not generally an area of great legal exposure for companies. But it can lead to significant business exposure of various kinds.

What does this mean for C&E professionals?

First and foremost, risk assessment should include financial incentives of the sort (e.g., salary, bonus, etc.) likely to be reviewed by Justice.

Second, the risk assessment should include non-financial moral hazard incentives. This includes reputational benefits. This is obviously tricky but  keenly important, at least at some companies.

Third, key personnel should be trained on identifying and addressing moral hazard. Included here are HR, finance, risk. and various members of management.  This can be done as part of broader training.

Fourth, audit and C&E should develop procedures for assessing compliance in this area. Included here are questions in culture surveys.

Fifth, to the extent possible personnel evaluation should consider moral hazard risk. But for some companies this might be a bridge too far.

Indeed, generally I am not saying that all organizations need to engage in a full-fledged version of each of these steps. That would indeed be overkill for many.

But all organizations should at least consider generally what their moral hazard needs are and should respond appropriately.

2023 behavioral ethics and compliance index

Mitigating Project Risks – The Under-Discovered Country

Not all organizations have significant project-based compliance and ethics risks. But not all organizations that do  have  such risks have implemented sufficient mitigation measures in this regard.

The place to start is with a risk assessment, by which I mean:

– An overall assessment of projects, i.e., what are the risks generally of the types of projects a company faces,

– An individual assessment of projects that might differ in a material way from what is indicated by the general risk assessment.

Culture should play a significant role in project risk assessments.  Among other things the project staff may have a different time horizon than does the general employee population.  Such a time horizon might also warrant particular attention being paid to the area of compliance incentives.

A project presumably would not have its own code of conduct.  But – depending on the results of the risk assessment – it might create a policy for areas of complexity or great consequence,

Training and other communications should also be considered for projects.  In particular, role-based and just-in-time training – both hallmarks of “behavioral ethics” – could be warranted.

So should auditing and monitoring.  These mitigation measures may be especially useful in light of the result of risk assessment.

Finally, while projects typically do not generally have their own compliance officers, some assignment of responsibilities may be warranted depending on the organization’s risk.