Few challenges can exasperate corporate compliance officers as much as managing conflicts of interest. So when I had the good fortune several weeks ago to moderate a webinar on the subject, I took detailed notes. The compliance officers participating had plenty to say and I want to pass along those insights now.
First, lots of people (both the panelist speakers and the scads of compliance officers listening as attendees) took issue with the term “conflict of interest” itself. They argued that your COI management program should instead use the phrase “potential conflicts of interest” in policies and other communications to employees.
That emphasis is important, they said, because it gets to the heart of what makes a COI management program succeed: employees feeling comfortable enough to speak up about the conflicts they might have. When a company simply talks about “conflicts of interest,” that phrase is more likely to give employees the sense that they’ve done something wrong. Then they’re more likely to keep quiet.
Indeed, throughout the webinar we kept circling back to the point that an effective COI program depends on a good speakup culture. Even if the compliance team searches for conflicts of interest itself, and perhaps even finds them — you’ll never find them all, and you’ll never find conflicts you hadn’t expected. You need to create an environment where employees feel comfortable engaging with the compliance team, so they’ll do the work of disclosing COIs for you.
So before we even get to particular issues such as defining conflicts that should be reported or building investigation protocols, organizations need to spend time on the fundamentals: a strong tone from senior management that encourages ethical conduct; training for middle managers to listen when employees speakup; and anti-retaliation policies for all, so that employees know speaking up won’t put their jobs or careers at risk.
Only then can you proceed to the more nettlesome details of COI programs.
Defining Possible Conflicts
The webinar participants also spent a good deal of time talking about how to define the various conflicts of interest that you’d want employees to disclose. How does one compile that list?
As always, begin with a risk assessment: either review the results of your most recent one, or perform an assessment from scratch. Identify your most pressing compliance, litigation, and operational risks, and then reverse-engineer the conflicts of interest that could either arise from or worsen those risks. (Need a refresher on how to develop a good risk assessment? Consider how Commonwealth Edison rebooted its risk assessment process after a major enforcement action.)
For example, if your company is a global energy business with lots of FCPA risks, you would want employees to disclose any personal relationship they might have with overseas agents working on your company’s behalf. If you’re a healthcare company, you want physicians and nurses to disclose paid speaking engagements they might have with pharmaceutical firms, since that could lead to risks around the False Claims Act or the Anti-Kickback Statute.
We should also stress that conflicts of interest aren’t solely about compliance risks. For example, a senior executive dating a mid-level executive could lead to a sexual harassment lawsuit; or a purchasing agent might want to add his brother-in-law’s firm to your master vendor list, even though the brother-in-law’s goods are sub-standard. Those are conflicts that pose litigation and operation risks, respectively. They need to be addressed by your COI program just as much as compliance risks do.
Webinar participants were also emphatic that compliance teams should not present a detailed list of potential conflicts to the workforce. Employees might interpret that list as definitive, and then assume that unless their concern is an exact match for something on the list, they’re conflict-free.
Instead, draft policies or training materials that identify several broad categories of potential conflicts of interest, with one or two examples for each category. For example:
- Financial gain (the employee steers company business to a vendor in which he or she has an ownership stake);
- Personal gain (the employee is involved in the hiring or promotion of a friend, relative, or romantic partner);
- Career gain (the employee recommends working with an outside party that has already promised the employee a senior-level job).
Then stress that your categories and examples are not a definitive list, and include some “and any other possible conflicts” clause at the end. As one speaker said, “Our team tends to focus our learning on overarching principles, rather than a list of specific conflicts. We want our staff to grasp the concepts of the type of activity and the outcome that might raise the flag; not a checklist of things to avoid.”
But again: such an approach only works when employees feel comfortable speaking up about potential problems. Success is always, always about a strong speakup culture.
The Mechanics of COI Programs
To manage COIs at scale, you’ll need to use some sort of technology tool. (At least, I can’t see how a compliance team could efficiently track and investigate hundreds or thousands of COIs using spreadsheets. If you do, email me and share your secret sauce.)
In that case, you’ll need to integrate your COI program into your internal reporting and case management efforts as much as possible. In the ideal situation, all three are components of one unified issues management program — one that automates as many tasks as possible, and generates plenty of data for analytics.
So go back to that detailed list of potential conflicts we mentioned in the previous section. The more comprehensive the list is, the more precisely you can classify possible conflicts. That, in turn, helps you route potential conflicts to the best people within your enterprise (HR, legal, procurement, and so forth) for investigation. It also lets you develop templates to help guide those investigations (say, what evidence to seek and what documentation to preserve) and to accelerate the resolution of cases.
From there, we can see other potential benefits fall into place. The more you can automate COIs and case management, the more metrics you can track. Some might show deep flaws within the organization that need to be addressed with new policies; say, way too many employees who have paid side gigs with potential vendors. Others might show shortfalls within your own operations: taking too long to investigate COIs because your team is too small or lacks the necessary skills.
All of those benefits, however, depend on a clear understanding of your potential conflicts and a solid grasp of how each category of conflict should be investigated. Then can you build the correct workflows to handle COIs, and those workflows are the key to automation and data analytics.