Jeffrey M. Kaplan (firstname.lastname@example.org) is a Partner with Kaplan & Walker LLP in Princeton, New Jersey, USA.
For many—indeed, most—risk areas, it is sufficient to spell out rules and procedures in the code of conduct, as opposed to also doing so in a stand-alone policy. But when the issue is conflicts of interest (COIs), the latter approach may be warranted.
Why have a COI policy?
COI has always been an important and challenging area for compliance and ethics programs. Among other things, COI standards can be based on a variety of legal and ethical sources. A fair description of COI is where law and ethics meet. In this sense, it is different from risk areas based predominantly on a largely uniform statutory scheme, and thus there is a heightened need to spell out what is expected in this area.
Also, COIs are more likely to be seen as relevant to individual employees than are other risk areas (e.g., when the boss hires their son for a plum job, causing more qualified candidates to feel personally aggrieved). Having a full policy on COIs may be necessary to give such employees the comfort to express concern about an obviously delicate subject.
What is in a COI policy?
The key components of a COI policy include:
Definition: A key practice pointer is to include not only actual and apparent COIs but also potential ones.
Examples: The policy should set forth a nonexhaustive list of examples, including financial interests; outside employment/consulting; workplace relationships with family or friends; gifts, entertainment, and travel; and charitable donations.
Duty to avoid or disclose COIs: The hard-core COIs (e.g., working for a competitor) should be prohibited altogether. Others may be allowed if disclosed promptly and in writing to an appropriate person at the company, and approved by such person.
Who should be an approved approver? Disclosure to the individual’s line supervisor is appropriate, and in some instances, they can be the approver. But for anything controversial or consequential, the compliance, law, and/or human resources departments should have the final say.
The policy should also set forth the COI compliance measures the company takes, including training and other communications, auditing, and monitoring. Finally, there should be an ethics—as well as a compliance—component to the policy. Among other things, it should explain how harmful a loss of trust emanating from a COI can be.