by Jeff Kaplan
Compliance program assessments come in all shapes and sizes. For some – but not all – organizations it may make considerable sense to conduct a general program assessment. For others targeted deep dive/program assessments may be more appropriate – particularly in the area of conflict of interest (“COI”).
What does one look for in a COI program assessment? Hopefully, the following questions/comments could be helpful to some organizations seeking to determine whether/how to go down this road – and if so, how far.
– Risk Assessment. Has the company assessed COI risk? If so, has it done this in a documented way? Has it used the results of the assessment(s) in designing and implementing other aspects of the COI program? Beyond this, does the company have a good sense of its areas of jeopardy from what might be called “the risk assessment of everyday life”?
– Governance. Have the respective COI oversight roles of the board of directors and senior management been formalized? Do they receive appropriate reports of COI program activity? Are there sufficient escalation provisions regarding COIs? Is there sufficient compliance for projects?
– Culture. Are COI rules truly followed or are there double standards? What is the sense of “organizational justice” vis a vis COIs? Same question re: the “tone at the top.” Do employees – particularly senior ones – understand the harm that COIs could cause the company?
– Policies. Presumably nearly every business organization has a COI provision in its code of conduct. But there are also many that need but do not have a standalone policy as well. Is your company in this category? Also, is your COI policy well known and readily accessible? Is it reviewed periodically by the C&E officer?
– Procedures. Are disclosure and related COI procedures clear, easy to use and well known? Do those tasked with reviewing COIs have enough knowledge and independence for the job? Are the reviews sufficiently documented?
– Training/other communication. Is there enough training given relevant COI risks (which tend to be high for senior managers/board members and in certain functions, like procurement)? Is training reinforced through other communications, particularly from senior managers? Does the training/other communication use the learning from “actual cases”?
– Auditing and monitoring. Are the COI disclosure practice and other aspects of the program audited? Same question for monitoring (e.g., conditionally approved COIs).
– Responding to allegations/request for guidance. Do employees feel comfortable seeking guidance on possible COIs? Are investigations truly independent? Are violations of the COI policy treated with sufficient seriousness? Does the company conduct a “lessons learned” analysis of significant COI failures?
Of course, there is much more that could be included in a COI program assessment (and I encourage you to browse the blog for ideas in this regard). But hopefully the above will be a useful foundation for starting.
The first time I saw Kristy Grant-Hart she put on a show about magic compliance dust and then brought the audience to reality by breaking the news that there is
In our years of assessing compliance and ethics (C&E) programs, my partner Jeff Kaplan and I have pinpointed several key attributes that we consider essential to an effective program, including