How recently has your organization evaluated its guardrails to protect against conflicts of interest? Most companies need work in this area. Jeff Kaplan and Rebecca Walker cover how to conduct a conflict of interest assessment.
Many compliance and ethics (C&E) program assessments are of what might be considered a general scope – meaning they are not focused on a particular area of risk. Other assessments are – in whole or in part – directed at specific risk areas. These occur particularly frequently with respect to anti-corruption compliance, but also in the areas of competition law, government contracting, export control and others.
However, too few companies assess their conflict of interest (COI) compliance measures, either as part of a general program assessment or on a standalone basis. Here, we explore what organizations can do in this regard.
Why Conduct a COI Program Assessment?
First, more so than with other risk areas, COIs have a personal dimension (e.g., an employee hiring a family member or making a personal investment). This can make it more difficult for the relevant employee to be objective in addressing the issue.
The personal aspect of COIs necessitates stronger policies, procedures and other program controls that can withstand powerful pressures in the heat of a dispute. An assessment can help provide assurance that sufficient controls are in place and that they are working effectively.
A second reason for a COI assessment is that COIs are relevant to a wide variety of other risk areas, such as misuse of company resources, corruption, gifts and entertainment, insider trading and others. Because of this, COI can be seen as a sort of super risk area (or perhaps an ethical foundation for other areas) – with correspondingly heightened assessment needs.
Third, addressing cultural dimensions of C&E is increasingly important to enforcement personnel, boards of directors and others who – in one context or another – might have occasion to do their own assessment of a program. How a company handles COIs can play a major role in shaping its ethical culture, providing further reasons to do an assessment in this area.
Finally, as noted above, COI program assessments do not have to be conducted on a standalone basis; rather, they can be built into a general assessment. Thus, the cost and employee time needed should usually not be an impediment to assessing COI compliance measures.
What to Assess
First, a good place to start is with the COI risk assessment itself – evaluating how it is being conducted. The need for this step may not seem obvious, since the main types of COI risks are generally well-known. For most organizations, they are economic relationships (e.g., ownership, employment, receipt of gifts) involving customers, competitors and suppliers, and family employment issues. However, a risk assessment helps a company understand not only the “what” but also the “who,” “when,” “where,” “why” and “how” of particular COI risks, which can be key to deploying mitigation efforts in an efficient and effective way.
Second, written policies and procedures are – as one might expect – critically important in this area. All codes of conduct should have COI provisions, and some companies also have standalone policies in this field. In assessing whether the latter is indicated for any given organization, one should consider whether the likelihood or impact of a COI could be great. Also relevant to this issue – and to determining the efficacy of policies and procedures generally – is whether the likely COI issues at a company are particularly tricky or complex. This part of an assessment should also consider whether the policies are clear and understandable; whether they are available in relevant languages and are easily accessible; whether they are periodically distributed; and how frequently they are accessed.
Third, the certification/disclosure process is another key part of a COI program. The threshold assessment issue here is who should be required to execute certifications. Depending on the results of the risk assessment, these can be required (a) for either some or all employees (depending on their respective risk profiles) and (b) either on a standalone basis or as part of a broader (i.e., multi-risk) process. The risk assessment should also determine whether to have detailed certification provisions (e.g., listing all the major areas of COIs) or to address this aspect of certification in a broader way.
Note that most companies seem to do these annually; that is, in our view, generally advisable. However, a less frequent cycle may be acceptable for some – assuming the company communicates that employees must disclose on a timely basis any meaningful changes since the most recent prior certification. Among other things, the assessment should consider the extent to which such disclosures are made.
Also note that companies should consider some transaction testing of disclosure reviews as part of the assessment. How many transactions should be tested will vary based on a variety of factors; one option is to test a small number to start and, based on the results of that initial effort, determine whether more is needed. Depending on the scope of the assessment, one might also do transaction testing on gifts and entertainment compliance.
Training and communications are another necessary part of an effective COI compliance program. In assessing this aspect of a COI program, one should first review the type and amount of COI training that a company requires of its employees. For low-risk employees, it may generally be enough to devote a module of the general code of conduct e-learning course to COIs. But higher-risk employees should generally also get in-person training on COIs (which can be part of a broader compliance training session). Additionally, managers need to receive guidance – through training or otherwise – on how to handle COIs disclosed to them by their subordinates. At some organizations, this is part of general compliance training for supervisors.
For this part of the assessment, one should also determine whether the training material is impactful and conveys the dangers of COIs and related compliance challenges. A discussion of behavioral ethics can be helpful in this regard.
Another issue in creating a COI compliance program is who decides whether a disclosed COI may be allowed to continue (with or without mitigating conditions). This needs to be established and included in pertinent compliance governance documentation (such as a compliance program charter). There are various possibilities here, but if line management is given the ultimate call, they should at least be required to consult on the matter with (depending on the company) legal, HR and/or compliance. An assessment should consider the efficacy of the approval procedures and the relevant governance documentation.
Finally, the compliance program should be subject to auditing. The assessment should review both audit protocols and actual audits on COI.
Also, for higher-risk COI areas, monitoring – which can take many forms – should be considered as well. As with other parts of the program, the specifics of these elements should be dictated at least in part by the risk assessment. (For instance, one might – depending on the results of the risk assessment – allow an employee to serve on a board on the condition that the board service is monitored, to make sure nothing has changed that would alter the COI risk calculus under which the service was permitted.) Based on our experience, COI assessments often find room for improvement with respect to monitoring.