Collecting conflict of interest (“COI”) disclosures has long been a compliance program best practice. Many organizations – particularly larger, publicly traded companies with international operations – require employees to disclose possible COI. More diligent organizations will go further and ask management (at a minimum) to disclose in writing any actual or potential COIs annually. Often it is a paper process. This is all well and good. But what happens next behind the compliance office curtain? How is the information compiled and processed? How are potential conflicts sifted out of all those completed forms? Is an individual employee’s disclosure information accessible in real time? Who can access the information? How is it updated?
Let's imagine for a moment the traditional quasi-technical solution. Compliance collects and scans the completed annual paper disclosures into a file system within a database. Maybe they're simply organized in a SharePoint site by date, or perhaps by name of the disclosing employee or the other party creating the conflict (i.e. giver of a refused gift, relative of an executive hired by the company, community board on which a manager is a director, etc.). Typically, these forms must be manually reviewed for any potential conflicts disclosed. Then many more FTE hours must be devoted to follow up and mitigation.
You want to know three things: (1) which employees have potential COI; (2) if these are true COI that require mitigation; and (3) whether mitigation was implemented and done promptly.
Or maybe these are electronic forms that avoid the headache of data entry. They are completed electronically, collected and stored in a database that is accessible and possibly searchable by only a few select staff in compliance, legal or perhaps HR. This is a better solution. However, no matter how disclosures are collected and stored, the management and data analysis process requires a lot of employee time and sweat.
Now think about the real purpose of collecting this data and how it can be used. The goals are disclosure and mitigation. You want to know three things: (1) which employees have potential COI; (2) if these are true COI that require mitigation; and (3) whether mitigation was implemented and done promptly. And you likely hope to do this with a simple automated solution to ensure disclosure capture, appropriate review, mitigation planning and completion of action items – all with a good documentation trail and minimal man-hours.
Next, visualize the perfect solution. You have technology that can, at its implementation, query every computer-enabled employee about COI. It can launch an annual COI questionnaire to management. And it can collect such disclosures from each new employee during orientation. All employees are in the database whether or not they had a COI to disclose because they all completed an e-questionnaire. Then any employee can update their COI disclosure with new information or a new COI at any time and it will automatically flag the file for review by the designated reviewer. That person will determine if the issue is an actual COI and if mitigation is needed. Next steps will be communicated directly to the disclosing employee outside of the system and documented in the software. Once mitigation is completed, the employee can log what was done in the database.
Then there is the issue of additional, periodic COI disclosures and updates – a questionable gift from a vendor; an employee’s sister who worked for a competitor has now quit her job. The best technical solution should allow an employee to update their COI disclosure online with a new COI or update, which would ping the reviewer to look it over and determine next steps.
Since compliance folks love sharing data, what if you could generate a variety of reports to manage these disclosures? For example - Who did/didn’t complete annual or new hire COI questionnaires? Which employees had something to disclose? Who had an actual COI? Which COI required mitigation? Was mitigation completed? What about integrating COI disclosures from different geographies, business units, year to year?
But most organizations already have too many separate databases. What if COI collection and mitigation reporting comprised just one component of a larger compliance management database? It can. Twenty-first century COI disclosure software can and should be capable of delivering on this wish list and more.
