Sunday, 20 March 2016

 
Six steps on how to assess a conflict of interest situation in your organisation.

The content of this article is applicable to business leaders and department managers who uncover conflicts of interest, and also to those who are tasked with investigating such situations. Conflict of Interest is receiving greater focus as white collar fraud gains interest.

We start with some conflict of interest examples, which could relate to: a Sales Manager signing on a customer with excessive discounts, or a Procurement Officer buying goods & services from a vendor at very high prices. At the senior company official level a conflict of interest could relate to a Director having inside knowledge of a strategic deal relating to a 3rd party which is partially owned by the same Director. Note that these examples do not imply such cases actually exist for the roles mentioned. Keeping these hypothetical examples in mind, the six steps below offer guidance on how to assess any conflict of interest situation you uncover:

1) Assess the relationship between the parties involved: Firstly you need to consider whether the two conflicted parties have any relations. But that is not enough. How close is that relationship? Are they just friends? Everyone has friends who may do business with their companies, so just being friends is not enough. Is the friendship very close, where special favors are possible? If the parties are first family members then a clear conflict exists. If they are relatives then this could be considered close enough relations. However, those that collude for the first time may not be assessed as having close relations, and would lean more towards fraudulent acts.

2) Disclosure of conflict of interest: Now that we can ascertain there is a conflict relationship between the two parties, was this declared to the Line Manager? Either verbally or in writing. If not disclosed then this could be considered a violation of the company's rules. However, being closely related and not disclosing is still not enough to conclude your assessment. There needs to be the act of violation, i.e. the conflict transaction.

3) Acts of violation arising from the conflict: Were there any business transactions taking place between the company and the conflicted parties? A special lower priced sale to a conflicted customer? Or a higher priced purchase from a conflicted vendor? Even a preferential selection process with no loss on price is considered a conflict transaction. So it is fair to say that not all conflicts cause losses. The conflict of interest acts could then be evaluated on a basis of unfair advantages.

4) Managing declared conflicts: Assume the conflict of interest was declared. Did the Line Manager take the necessary steps to ensure the conflicted person does not participate in a conflict transaction? If my brother is the Account Manager of a local office cleaning company and I could be the Branch Manager who decides on selecting a cleaning company, then my Line Manager should be the decision maker to ensure I do not participate in a transaction where I have a conflict of interest. Also evaluate whether the conflicted person incorrectly declared their interest so as to mislead the Line Manager. Undeclared conflicts could raise suspicion but just being undeclared is not conclusive. The most you could conclude is that a company rule was violated. Therefore all points of this article need to be considered, especially the role of the conflicted person.

5) Assessing the role of a conflicted party: There could be a close relationship existing, possibly a non-declared conflict, but it is still possible that the conflicted party has nothing to do with the highlighted business transaction. Using the earlier example, suppose my brother runs a national cleaning service and my company is selecting a national service provider through a panel which I am not part of, and my branch is too small in relation to the deal. Then there is no concern at all even if there is a conflict relationship. Without the conflicted person's direct involvement therein, it could just be a normal sale or purchase under normal business processes. So then there is no conflict transaction existing. The role of the conflicted person in being directly or indirectly involved needs to be assessed. Influence on the business transaction is also an aspect to consider, as indirect involvement may be common for those who want to cover their tracks or those who are not the decision makers.

6) Possible consequences: After applying the above, you will be in a good position to conclude your assessment or investigation regarding the conflict of interest situation. If the company rules exist, the conflicted person was aware of the rules, they had not declared the conflict, they were directly involved in the transaction, and there could even be unfair benefits, then this is a full house conflict of interest scenario for the toughest consequence to be considered. The most common internal consequence would then be dismissal depending on your company’s rules and any significant loss of trust in the conflicted person. If some aspects of the above (1)-(6) were inconclusive then a lower consequence of warnings or coaching should be considered. These consequences should be followed up with implementing improvements to the internal controls of the company for all process weaknesses identified.

In closing, it is intended that the above serves to guide Business Leaders, Managers and Investigators on how to reach a conclusion regarding a conflict of interest case in a constructive and clear manner. It will also assist in shaping your case report with a convincing structure. The guidance is not limited to the above as fixed steps but you should take into consideration the details of the conflict to decide on which final steps are required to conclude your case.

< Written by Dipesh Narsai>


Sunday, 13 March 2016



Risk Management: the missing culture and behavior?

Most of us are aware of the ISO 31000 principles for Risk Management: the creation of a framework, risk assessment workshops, risk categories and registers, mitigating actions, monitoring and reporting. This is an over-summarization of an excellent set of guidelines which is globally respected.

Ultimately such principles and approaches should result in a change to behavior in managing risks at the executive top tier of an organization. It should further result in behavioral changes to middle management and supervisor personnel. And in a risk management matured company, the resulting behavioral change should be observed at the broadest workforce levels. Such an entity is considered to have a strong risk management culture.

Safety for many nuts and bolts companies is considered a top priority risk. It has taken companies many decades to develop a safety risk behavioral culture and most are still trying to find that reasonable "managed level of risk". The safety mitigation initiatives generally have high investment of time and money which continues towards infinity as there may never really be an end.

It may not always be possible for other top risks (Market share, Fraud, Cyber-attacks, Compliance, etc.) to reach such integrated and embedded risk culture status like safety. This is probably due to the high cost and time requirements as individual risks. However, should generic risk management culture and behaviors be achieved, this would encompass all those risks and thereby deliver a broader, more sustainable solution to managing risks.

Imagine an organization where everyone, and I mean every employee from the Production plant to the CEO, constantly thinks about risks in their area of work, thinks about mitigation steps and takes the required action. Now imagine all employees considering risks outside of their focus area of work, and raising their views, which result in actions. Imagine this taking place seamlessly as an organizational or an individual behavior where risk management is owned by everyone. Now that is the reasonable "managed level of risk" that Shareholders and Board Directors should want to achieve for a sustainable future.

How many business leaders can say, "This is what we work towards and achieving embedded risk culture is no longer a risk" in their organization? Or is your company still just operating a risk management system? Managing risks should be a cultural and behavioral journey for everyone in an organization, and should also require higher investment to progress through this change cycle.

< Written by Dipesh Narsai>


Friday, 4 March 2016

A mechanism to uncover critical non-compliances...


One mechanism to uncover critical non-compliances in your organisations: Whistle-blowing! Some interesting reading follows...

Non-compliances can lead to major reputational damage to any company's sustainability, impacting its shareholders and its employees. There will be investigations by authorities and disruptions to business. Then there will surely be penalties from regulators which could cripple the company. Even with good corporate governance in place, the risks remain if there is no effective whistle-blowing mechanism in place.

It just takes one person who knows of a major non-compliance to say something. Even with the collusion and discretion that accompanies a fraud, somehow someone will witness it. And they need to have an option to report the matter with the required anonymity in case they fear victimization.

Here are some common concerns around the whistle-blowing tool:
How many false reports need to be entertained? Why should petty issues be investigated? Should financial impact filtering be followed?

Some points of view (but not limited to): Not only will there always be unsubstantiated allegations, there will be many minor finger-pointing complaints which should have been solved with a short talk between the parties involved. Therefore something is missing, for example, better dialogue between manager and employee the first time the root cause takes place. So there is a solution to implement. One could even estimate that for every 10 minor complaints there will be one of greater interest. And possibly after 100 complaints, the one significant one may be uncovered which has a high impact on the company. What is the ratio in your organisation? There is also no science as to which complaint to investigate and which not to. It's a judgement that needs to be made and defended by the responsible governors of risk management.

There are for sure other concerns. However, here are just a few more to note:
Why does no one use the Hotline and the anonymous reporting options provided? Why did the company leadership not know this major non-compliance was taking place?

Some points of view (but not limited to): To technically have a Hotline as a tickmark is not enough. It should be promoted actively. Posters should be placed in key locations where employees congregate. Links should be visible on company internal websites. The whistle-blowing tool should form part of basic Code of Ethics training. Management should encourage its use as a final option should a person have no other alternative. Investigation outcomes may require consequences. And finally the tone needs to be set by the top leader of the organization that critical non-compliances should always be reported and victimization will not be tolerated for those reporting in good faith.

Whistle-blowing can in fact serve as a good corporate governance tool to uncover critical issues in an organisation. It would require great investment from all to make it a sustainable success to mitigate compliance risks.

<written by Dipesh Narsai>