Wednesday, March 3, 2021
Corporate Compliance Insights

Assessing Conflict of Interest Compliance Programs

Most Companies' COI Protections Aren’t Robust Enough

by Jeff Kaplan and Rebecca Walker
June 3, 2020
in Compliance, Featured

How recently has your organization evaluated its guardrails to protect against conflicts of interest? Most companies need work in this area. Jeff Kaplan and Rebecca Walker cover how to conduct a conflict of interest assessment.

Many compliance and ethics (C&E) program assessments are of what might be considered a general scope – meaning they are not focused on a particular area of risk. Other assessments are – in whole or in part – directed at specific risk areas. These occur particularly frequently with respect to anti-corruption compliance, but also in the areas of competition law, government contracting, export control and others.

However, too few companies assess their conflict of interest (COI) compliance measures, either as part of a general program assessment or on a standalone basis. Here, we explore what organizations can do in this regard.

Why Conduct a COI Program Assessment?

First, more so than with other risk areas, COIs have a personal dimension (e.g., an employee hiring a family member or making a personal investment). This can make it more difficult for the relevant employee to be objective in addressing the issue.

The personal aspect of COIs necessitates stronger policies, procedures and other program controls that can withstand powerful pressures in the heat of a dispute. An assessment can help provide assurance that sufficient controls are in place and that they are working effectively.

A second reason for a COI assessment is that COIs are relevant to a wide variety of other risk areas, such as misuse of company resources, corruption, gifts and entertainment, insider trading and others. Because of this, COI can be seen as a sort of super risk area (or perhaps an ethical foundation for other areas) – with correspondingly heightened assessment needs.

Third, addressing cultural dimensions of C&E is increasingly important to enforcement personnel, boards of directors and others who – in one context or another – might have occasion to do their own assessment of a program. How a company handles COIs can play a major role in shaping its ethical culture, providing further reasons to do an assessment in this area.

Finally, as noted above, COI program assessments do not have to be conducted on a standalone basis; rather, they can be built into a general assessment. Thus, cost and employee time needed should usually not be an impediment to assessing COI compliance measures.

What to Assess

First, a good place to start is with a COI risk assessment – evaluating how the COI risk assessment is being conducted. The need for this step may not seem obvious since the main types of COI risks are generally well-known. For most organizations, they are economic relationships (e.g., ownership, employment, receipt of gifts) involving customers, competitors and suppliers and family employment issues. However, a risk assessment helps a company understand not only the “what” but also the “who,” “when,” “where,” “why” and “how” of particular COI risks, which can be key to deploying mitigation efforts in an efficient and effective way.

Second, written policies and procedures are – as one might expect – critically important in this area. All codes of conduct should have COI provisions, and some companies also have standalone policies in this field. In assessing whether the latter is indicated for any given organization, one should consider whether the likelihood or impact of a COI could be great. Also relevant to this issue – and to determining the efficacy of policies and procedures generally – is if the likely COI issues at a company are particularly tricky or complex. This part of an assessment should also consider if the policies are clear and understandable; if they are available in relevant languages and are easily accessible; if they are periodically distributed; and how frequently they are accessed.

Third, the certification/disclosure process is another key part of a COI program. The threshold assessment issue here is who should be required to execute certifications. Depending on the results of the risk assessment, these can be required (a) for either some or all employees (depending on their respective risk profiles) and (b) either on a standalone basis or as part of a broader (i.e., multi-risk) process. The risk assessment should also determine whether to have detailed certification provisions (e.g., listing all the major areas of COIs) or to address this aspect of certification in a broader way.

Note that most companies seem to do these annually; that is, in our view, generally advisable. However, a less frequent cycle may be acceptable for some – assuming the company communicates that employees must disclose on a timely basis any meaningful changes since the most recent prior certification. Among other things, the assessment should consider the extent to which such disclosures are made.

Also note that companies should consider some transaction testing of reviews of disclosures as part of the assessment. How many transactions should be tested will vary based on a variety of factors, with one option being conducting a small number of these to start and, based on the results of that initial effort, determining whether more is needed. Depending on the scope of the assessment, one might also do transaction testing on gifts and entertainment compliance.

Training and communications are another necessary part of an effective COI compliance program. In assessing this aspect of a COI program, one should first review the type and amount of COI training that a company requires of its employees. For low-risk employees, it may generally be enough to devote a module of the general code of conduct e-learning course to COIs. But higher-risk employees should generally also get in-person training on COIs (which can be part of a broader compliance training session). Additionally, managers need to receive guidance – through training or otherwise – on how to handle COIs disclosed to them by their subordinates. At some organizations, this is part of general compliance training for supervisors.

For this part of the assessment, one should also determine whether the training material is impactful and conveys the dangers of COIs and related compliance challenges. A discussion of behavioral ethics can be helpful in this regard.

Another issue in creating a COI compliance program is who decides if a disclosed COI may be allowed to continue (with or without mitigating conditions). This needs to be established and included in pertinent compliance governance documentation (such as a compliance program charter). There are various possibilities here, but if line management is given the ultimate call, they should at least be required to consult on the matter with (depending on the company) legal, HR and/or compliance. An assessment should consider the efficacy of the approval procedures and the relevant governance documentation.

Finally, the compliance program should be subject to auditing. The assessment should review both audit protocols and actual audits on COI.

Also, for higher-risk COI areas, monitoring – which can take many forms – should be considered as well. As with other parts of the program, the specifics of these elements should be dictated at least in part by the risk assessment. (For instance, one might – depending on the results of the risk assessment – allow an employee to serve on a board conditioned on monitoring the board service to make sure nothing has changed to alter the COI risk calculus permitting service.) Based on our experience, COI assessments often find room for improvement with respect to monitoring.


Tags: board of directors, culture of ethics, monitoring, risk assessment
Jeff Kaplan and Rebecca Walker

Jeffrey M. Kaplan is a partner in the Princeton, New Jersey office of Kaplan & Walker LLP. He has specialized since the early 1990s in the practice of compliance- and ethics-related law, including assisting numerous companies in developing, implementing and reviewing C&E programs and conducting C&E risk assessments. He has also reviewed programs for many official bodies in connection with settlements of enforcement actions. He is the co-author of a C&E legal treatise, author of several e-books — including “Compliance & Ethics Risk Assessment” — and book chapters and many articles on C&E, a frequent speaker at C&E conferences, editor of the Conflict of Interest Blog and formerly an Adjunct Professor of Business Ethics at NYU’s Stern School of Business.
Rebecca Walker is a partner in the law firm of Kaplan & Walker LLP, a firm that specializes in corporate compliance and governance located in Santa Monica, California, and Princeton, New Jersey. For over 20 years, Rebecca has specialized in advising clients on the development and implementation of compliance programs. She has also served as a monitor for the Department of the Air Force and as an independent consultant, reviewing programs for the U.S. Securities and Exchange Commission. Rebecca is the author of “Conflicts of Interest in Business and the Professions: Law and Compliance,” published by Thomson West, as well as numerous articles and studies. She chairs the Practising Law Institute’s Compliance and Ethics Essentials Institute in New York and the Advanced Compliance and Ethics Workshop in San Francisco and serves on the Advisory Board of “Compliance and Ethics Professional” magazine. Rebecca received her B.A. from Georgetown University and her J.D. from Harvard Law School.
