Assess COIs properly to learn their true business impact

Take a step-by-step approach when tackling a mitigation strategy for one of the biggest risk areas in your company: COIs

EDITOR’S NOTE: This post is part two of a four-part series that examines Conflicts of Interest and how to manage such in today’s changing and complex workforce. Read part one.

If a board member walked up to you right now and asked point-blank how likely a COI risk is to occur, on a scale of 1 to 10, could you answer with conviction?

COIs can be intricate, even when one is staring you in the face, because they grow more complex by the day. The typical COI we know well, such as an undisclosed personal relationship in the workplace, may already have an established assessment process. But what about financial COIs, such as an ownership interest in another company or being paid for board membership? If these are not properly addressed and tracked, they can lead to fraud, embezzlement, money laundering and misappropriation of contracts. That’s not a path you want to go down.

Do you know how to assess these kinds of risks when COIs look and feel so exaggerated? While COIs vary by industry, business maturity, location and degree of compliance involvement, some tips apply universally. Assessing risk is imperative to curb COIs before they get out of hand, and for the health of your compliance program.

For tips like these and other COI insights, sign up for the upcoming webinar hosted by OCEG, a non-profit think tank and industry leader in GRC management, on April 28 from 2-3 p.m. EDT. Register here.

Assess COI risk likelihood and impact, then rank by severity.
Imagine you’re blindfolded and trying to shoot an arrow at a target 50 feet away, and you’ve never shot an arrow before in your life. What is the likelihood of hitting the target without a sheer stroke of luck? Slim to none is a safe bet. The same odds apply to determining the impact of a COI and its outcomes when you don’t know the likelihood of one arising in the first place.

Start a thorough COI assessment by rolling up your sleeves and getting in the weeds.
Block a few hours off on your calendar, grab a cup of coffee and get to the tedious, yet most insightful, part of the assessment process: compile any and all COI history as far back as you possibly can. Categorize each case by type (financial, relationship, security or privacy), by how long it took to close (days, months, years) and by outcome (approval, rejection, etc.). Next, develop an impact scale: which COIs have more or less impact on the company, judged by the direct costs associated with each type (legal fees, consulting fees, court fees or regulatory fines) and by intangible consequences such as reputation damage, public perception or libel exposure. Then, using the outcome and impact data, develop a severity scale that distinguishes “lightweight” COIs, which might result in a proverbial slap on the wrist such as a write-up in the employee’s record, from more severe ones that warrant probation or a cut in pay.

Understand the specific conflicts that affect different employee populations.
There are several types of COI that, if not identified and/or managed, may lead to real or perceived bias in the performance and outcomes of your company and the business it conducts. Take, for example, a financial conflict of interest (FCOI), which can occur when an employee has a Significant Financial Interest (SFI) that may be seen to affect decision-making. The presence of an SFI does not necessarily mean there is an FCOI, but when one does exist, it can be managed through a documented plan. You can then use that plan to map who may be affected by the FCOI in terms of employees, decision-making processes and departments across the organization.

Here’s a consulting example:

John consults for a small software company in the energy industry, similar to what your company does, and receives approximately $30,000 a year for that consulting. Both companies are compliant with respect to the relationship and the expectations around John’s role at each, since he was required to disclose his duties and responsibilities to both. Even so, this is an FCOI because his consulting work is related to your business, and it should be further reviewed and assessed. Additionally, John’s $30,000 a year in consulting payments is considered an SFI because it exceeds the threshold for payment from a single entity over the last year. John will need to report this commitment of time to both companies so that any other conflicts can be assessed.

How, if at all, does John’s consulting work affect the different employee populations in your company? Does it influence his decisions in the office in any way? Does it affect the engineering or development teams? The production and sales teams? If so, this needs to be addressed and specifically communicated to the employees affected by John’s consulting work. For example, will John be able to sit in the same meetings and be privy to sensitive proprietary information? Will the IT department need to monitor his computer usage, or restrict him from taking his computer offsite, to reduce the risk of company equipment being used for the consulting work? Will John be penalized in any way, or asked to choose one job or the other?

Define acceptance thresholds for types of COIs.
Using the following categories as you go through your assessment will help you determine next steps. Look at a single COI incident in terms of the big picture: what are its outcomes? Then determine whether the COI is acceptable, acceptable under conditions or unacceptable under any conditions. These labels determine your next step in disciplinary action, if any, and how to route the case further through this assessment process.

  • Acceptable
  • Acceptable under certain conditions
  • Unacceptable under any conditions

Establish tighter controls for higher risk COIs.
Multi-level approvals – Once a threshold is applied, you can bucket higher-risk or “unacceptable under any conditions” COIs for higher levels of scrutiny and a more involved process. If a COI is deemed unacceptable under any conditions, it should pass through multiple levels of approval before, for example, terminating the employee or employees involved.

Employee attestation to clearance conditions – Once a COI is deemed “acceptable under conditions,” it’s then up to you to sit down with the employee(s) involved, walk them through the consequences of their actions, make sure they clearly understand, answer any questions they may have and then have them attest to any resulting conditions, such as probation or demotion.

Disclosure refresh frequency – This factor is important to the bigger picture of COIs. If you consistently and regularly refresh the disclosure process across your company and promote it through high-traffic channels, such as posting the steps on a poster in the kitchen or bathroom stalls or including them in a weekly e-mail newsletter, knowing how to report a COI or disclose information will be hard to miss. In doing so, you will accomplish the following:

  • Set tone, objectives and decision-making guidance about COIs
  • Establish or refresh COI policies and training where needed
  • Establish technology and information management to support objectives

With modern methods of communicating disclosure processes and conducting risk assessments, you can readily extract data on which COIs are live in your organization from the following sources:

Data focus
  • Risk assessment results
      • Enterprise-wide risk assessment
      • Compliance risk assessment
      • COI-focused risk assessment
      • Culture surveys
  • Training results
  • Knowledge assessments
  • Policy attestation results

The impact.
COIs, both real and perceived, call the objectivity and fair dealing of entire organizations into question. Conflicts may create or exacerbate risk in the form of bribery and corruption, harassment, discrimination, retaliation, insider trading, fraud and more. Customer, partner, investor and employee confidence in a business can be shaken, and long-term financial and reputational stability greatly diminished, if misconduct is brought to light.

If companies leave conflicts of interest unaddressed and unmanaged, they could pay the price – in dollars and in reputation.