Corporate conflict-of-interest policies come in many flavours. On the whole, they apply not only to employees but also to contractors and suppliers. The policies typically describe specific types of conflicts of interests and often principles to provide guidance on recognizing further conflicts.
Readers are encouraged, and sometimes required, to report perceived or actual conflicts to managers, senior management, a designated official such as an ethics compliance officer, a member of the board of directors, or a third-party ethics reporting provider.
It is somewhat asymmetrical however that while readers are encouraged, or required, to report on policy breaches they have personal knowledge of, corporations largely ask readers merely periodically certify they have not themselves contravened the policy over the reporting period. In other words it is unusual for corporations to request, or require, they certify they are not aware of any breaches committed by fellow employees, contractors, or suppliers.
Exceptions to the foregoing are usually limited to heavily regulated corporations such as military defence companies, banks, insurance companies, and companies which interact on a regular basis with government, or governmental institutions, in line with compliance legislation.
So why do most corporations fail to go the whole nine yards, and should they?
Whistleblower legislation attempts to balance the public interest in addressing wrongdoing against the duty of fidelity owed to one’s employer. The latter requires employees to act in the best interests of the corporation. Over time, exceptions have been created at common law, however the duty remains a strong one, giving rise to a kind of moral ambiguity with regard to whistleblowing in general.
There is also the concern as more exceptions are created, and the duty erodes, that whistleblowing could become inherently virtuous in the popular consciousness. This debate, though certainly a thought-provoking one, does not directly impact on conflict-of-interest disclosures since in the latter reports are submitted and investigated internally. The duty of fidelity does not come into play.
So what are the reasons? As in-house counsel you may very well be called upon to provide your recommendation for or against having a full-blown certification.
A reason sometimes espoused for not requiring readers to certify they are unaware of breaches committed by others is the corporation’s workforce is not “mature” enough or sufficiently trained to be able to identify conflicts, or raise conflicts properly to dispose of them.
In my opinion this reasoning does not hold water, and brings in to question the value of the certifications made by individuals indicating they have not themselves committed any breaches. Both require an ability to identify a conflict of interest, and certainly lack of training or experience is not a solid excuse.
When the issue has come up, my sense has been corporations are concerned that by taking this additional step they may be “opening the floodgates” and employees might “turn against each other” or against contractors or suppliers, and vice versa, affecting teamwork dynamics, morale, and relationships with suppliers.
My counter to that is the damage that can be done to an organization where wrongdoing evidently exists but is effectively “condoned” can be exponentially greater than the strain that may be placed on the corporation resources. The latter can be mitigated against through training and organizational and culture change, neither of which is rocket science.
Another concern sometimes voiced is that requiring in-house counsel to certify they are not aware of any transgressions by others creates a legal liability on employees. In my mind this is entirely consistent with those conflict-of-interest policies that state a person is required to report on all violations he or she is aware of, and failure to do so may lead to discipline, up to and including termination. Those policies do create a legal liability, and they are enforceable.
If we are prepared to impose such a legal requirement on employees, contractors, and suppliers, why drop it all of a sudden from the certification? By limiting the certification to breaches committed by the reader himself or herself is the employee any less liable for not reporting a breach committed by others which he or she is aware of?
At the end of the day I am not aware of any compelling legal or practical reason why corporations should not go the whole nine yards, other than the potential damage it may suffer if the matter either leaks to the public or is required to be publicly disclosed. If you are aware of any other compelling ground for stopping short I would be very glad to discuss it.
Even granted the concern corporations might have with respect to shooting themselves in their own foot, over the long term, solid corporate governance always prevails. We have seen the damage SNC-Lavalin’s reputation took on account of a series of startling scandals which became public, beginning in 2008. In the aftermath, the CEO was arrested and the senior management team was restructured, an anti-corruption manual was created, a new policy governing engagement with business partners was adopted, compliance officers were hired reporting to the chief compliance officer, compliance experts provided training for high-risk functions, an amnesty program was instituted encouraging employees to come forward, and an independent monitor was appointed reporting directly to the World Bank.
In hindsight, I would venture SNC-Lavalin would have preferred to have employees certify whether they were aware of the breaches, and handled the matters internally, perhaps nipping a number of them in the bud, rather than have them splashed all over the front pages of the Financial Post and The Globe and Mail. Going the full nine yards requires a small leap of faith, but one in-house counsel and corporations should take a closer look at, in my opinion.