Presumably most business organizations have a conflict of interest (COI) policy. But the likelihood that they have a true — and effective — COI compliance program is quite a bit smaller.
What does such a program entail?
The starting point in developing a COI compliance program should be a risk assessment. This may not seem obvious since the main types of COI risks are generally well known — for most organizations they are economic relationships (e.g., ownership, employment, receipt of gifts) involving customers, competitors and suppliers; and family employment issues. Nonetheless, conducting a COI risk assessment is generally warranted because such an assessment helps a company understand not only the “what” but also the “who,” “when,” “where,” “why” and “how” of COI risks.
Having information of this sort can be crucial to the success of any risk mitigation effort, but that is particularly true for COIs — given the near limitless set of circumstances that theoretically could give rise to a COI, particularly in large organizations. So, being able to focus on real areas of vulnerability can be key to maintaining a sustainable COI compliance program over the course of time.
Note that a COI risk assessment need not be a standalone process but can be part of a broader compliance assessment effort. But in the latter case one must ensure that there is sufficient bandwidth for the COI aspect of the assessment.
Policies and procedures
All codes of conduct should have COI provisions and some companies also have standalone policies in this field. The latter is generally indicated where relevant COI risks are particularly complex or potentially consequential. But for many organizations a well-crafted COI provision in the code is policy enough.
The key procedure for a COI compliance program is, of course, the certification/disclosure process. Depending on the results of the risk assessment, these can be required a) for either some or all employees (depending on their respective risk profiles) and b) either on a standalone basis or as part of a broader (i.e., multi-risk) process.
Note that most companies seem to do these annually, and that is generally advisable. However, a less frequent cycle may be fine for some — assuming the company adequately communicates that employees must disclose on a timely basis any meaningful changes since the most recent prior certification.
Training and communications are another necessary part of an effective COI compliance program. For low-risk employees it may generally be enough to devote a module of the general code of conduct e-learning course to COIs. But higher-risk employees should also get in-person training on COIs (which can be part of a broader compliance training session). As well, managers need to receive guidance — through training or otherwise — on how to handle COIs disclosed to them by their subordinates.
Another issue in creating a COI compliance program is who decides whether a disclosed COI may be allowed to continue (with or without mitigating conditions). This needs to be established and included in pertinent compliance governance documentation (such as a compliance program charter). There are various possibilities here, but if line management is given the ultimate call, they should at least be required to consult on the matter with (depending on the company) law, HR and/or compliance.
Finally, the compliance program should be subject to auditing. For higher-risk COI areas, monitoring — which can take many forms — should be considered as well. As with other parts of the program, the specifics of these elements should be dictated, at least in part, by the risk assessment.
Jeffrey M. Kaplan is a partner in the Princeton, New Jersey office of Kaplan & Walker LLP and editor of the Conflict of Interest Blog. He has practiced in the compliance & ethics field for nearly 30 years.