The conflict-of-interest wake-up call
Most organizations do have a conflict of interest (COI) policy.
What they actually have, in practice, is this:
- Annual declarations
- Self-assessment
- Static registers
Legacy GRC will tell you that’s “good coverage.” It isn’t. It’s paperwork.
Conflicts of interest rarely blow up because they were hidden. They blow up because they were normalized, misunderstood, or never escalated until after a decision was made and challenged.
If you’re trying to run effective value-based GRC, conflict of interest is not a side policy. It is one of the clearest tests of whether your business can hit outcomes with integrity, not just speed.
This is the broader shift value-based GRC is pushing toward: building a way of working that drives responsible growth and holds up over time.
What is a conflict of interest (COI)?
Definition
“In general terms, a conflict of interest exists when an organization or an individual has competing interests, which might impair its or their ability to make objective, unbiased decisions.”
That “might” is doing a lot of work. Conflict of interest management is about preventing avoidable doubt before it becomes an issue you cannot undo.
Breaking down conflict of interest: the three types you need to manage
You need controls for all three, not just the obvious one.
#1 Actual conflict of interest
A real clash exists right now.
Example: A procurement manager is scoring vendors and one shortlisted supplier is owned by their sibling. They stay involved in scoring and recommending the supplier.
#2 Potential conflict of interest
Circumstances could become a conflict depending on what happens next.
Example: A senior engineer is leading the design of a new infrastructure project while in early talks to join a consultancy that bids for similar work. No offer exists yet, but decisions today could later benefit them personally.
#3 Perceived conflict of interest
Nothing improper has to happen for the damage to land.
Example: An executive responsible for regulatory compliance regularly socializes with senior staff at the regulator, including public conference appearances and informal dinners.
Perceived conflicts are where reputational risk kicks in. Regulators, investors, and the public judge appearances, not intent.
Why perception of a conflict of interest matters more than intent
If your conflict of interest program waits for proof of misconduct, it has already failed.
The real test is not whether an individual believes they are unbiased. It is whether a reasonable third party would question the independence of the decision.
Trust is lost long before wrongdoing is proven. By the time intent is debated, credibility is often already damaged.
A good illustration is US healthcare transparency. CMS runs Open Payments as a national disclosure program to promote a more transparent and accountable healthcare system, with a public database of payments from drug and device companies to clinicians and hospitals.
And the scale makes the point: CMS data shows that from 2018–2024 it published 88.25 million records covering $76.99 billion in payments and ownership and investment interests.
See how CoreStream GRC turns Open Payments data into real conflict of interest control.
The standard is simple: decisions must stand up to scrutiny, not just internal justification.
The 3 common causes of conflict of interest you should design for
#1 Financial conflicts
Arise when personal financial interests could influence, or appear to influence, professional judgment or decision-making.
Examples:
- Shareholdings or beneficial ownership in affected entities
- Outside employment or consulting that overlaps with official responsibilities
- Paid advisory or board roles connected to organizational decisions
- Gifts, hospitality, travel, or benefits that may create obligation or expectation
#2 Personal or relational conflicts
Occur when personal relationships create competing loyalties or perceived favoritism in professional decisions.
Examples:
- Family or close personal relationships linked to hiring, promotion, or procurement
- Romantic relationships within reporting or decision lines
- Political, charitable, or pressure-group affiliations connected to organizational activity
#3 Case, role, or decision-related conflicts
Happen when prior roles, responsibilities, or proximity to outcomes compromise independence in current decisions.
Examples:
- Previous involvement in matters now subject to oversight or approval
- Moving between regulator, supplier, advisor, or buyer roles (the “revolving door”)
Conflict of interest is one of the clearest places where value-based GRC becomes real, so here’s the operating model behind it.
Why traditional conflict of interest policies fail in practice
Here’s the honest list of common mistakes.
A) Over-reliance on self-identification
People don’t always disclose because:
- they don’t recognize the conflict (“it’s just a relationship”)
- they don’t think it counts (“I’m not the final decision-maker”)
- they avoid friction (“this will slow us down”)
- they don’t want to cause issues
The bigger issue: tone from the top.
If the board and senior leadership are not actively setting the standard that disclosure is expected, supported, and protected, people get the message fast.
They start to believe disclosure is “not encouraged” because it creates hassle, delay, or scrutiny. And in environments where speed wins, anything seen as slowing things down gets quietly avoided.
So you end up with the worst outcome: a policy that exists on paper, but a culture that trains people to stay silent.
B) Annual declarations miss real-time change
Conflicts evolve when:
- roles change
- incentives shift
- relationships develop
- priorities move
Change is constant. Static defenses don’t keep up. That’s the core point in agile risk management: risk practices need to be as agile as the business they defend.
C) Registers create false confidence
A register is a list, not a control.
This is exactly the gap that our client UNT Health called out:
“HR had no system to do that… we had a lot of issues that came up that highlighted the fact that there was no repository of management plans and no central place to do it.”
Desiree Ramirez, Chief Integrity and Privacy Officer, UNT Health
D) No clear decision owner means no resolution
Conflict of interest involves trade-offs. Trade-offs require authority.
Without a named decision-maker, everything turns into “noted,” and nothing changes.
A quick failure scenario that happens all the time
A senior stakeholder discloses they have a past consulting relationship with a bidder. It is logged in the register. No one assigns an owner to decide what to do. The stakeholder stays involved “for speed.” The bidder wins. A competitor challenges the award.
Now you have:
- A procurement delay
- A credibility problem
- Evidence that the organization knew and still proceeded without mitigation
Disclosure did not protect you. It increased exposure.
Why conflict of interest (COI) is a dynamic risk, not a static declaration
If you want conflict of interest (COI) to work at enterprise scale, treat it like a living risk system:
- Continuous disclosure, not annual form-filling
- Reassessment on change, not set-and-forget
- Embedded into decision workflows, not buried in a policy folder
Agile risk management lays out the operational logic: build shared expectations, clear roles, repeatable processes, and a single source of truth so you can respond as risks evolve.
“A strong reminder that conflicts of interest and ethics programs don’t fail because of missing policies — they fail because of poor execution, limited visibility, and tools people won’t use.”
Michael Rasmussen, GRC Pundit and GRC 2020 founder
What good conflict of interest management looks like at enterprise scale
A mature conflict of interest program prevents drama. It does not just clean up after it.
It also supports the “growth partner” role that efficient, value-based GRC demands, where governance, risk, and compliance help the business move faster with confidence, not slower with fear.
“Value-based GRC is about enabling your investors to back you and help you move faster.”
Paul Cadwallader, GRC Strategy Director at CoreStream GRC
The operating model of value-based conflict of interest management
You want a living system tied to real decisions:
- Low-friction disclosure anytime, not once a year
- Risk-based triage, so minor items do not clog the pipe
- Clear escalation triggers, based on severity and decision type
- Named decision owners, with authority to impose mitigation
- Documented rationale, so you can defend the decision later
- Reassessment on change, because conflicts evolve
A simple ownership model that works
- Line manager or process owner decides on low-risk conflicts and applies standard mitigations
- Compliance, ethics, or legal reviews medium-risk cases, especially where procurement, regulators, or vulnerable stakeholders are involved
- Executive leadership and the board own material conflicts tied to strategic decisions, major contracts, senior appointments, or regulated outcomes
The goal is not perfection. It is defensibility.
The role of technology in conflict of interest management
Technology should reduce reliance on memory, gut feel, and inbox archaeology.
At enterprise scale, conflict of interest management cannot live in PDFs and shared folders. If you are buying or modernizing GRC or compliance management software, your conflict of interest capability should support:
- Continuous disclosure and amendments over time
- Clear audit trails and decision rationale
- Automated triage and escalation based on severity
- Integration into procurement, third-party risk, HR, and case workflows where decisions are made
One warning: if the tool does not reflect how decisions actually happen, it will digitize weak governance instead of fixing it.
This is also why technology choice matters in efficient GRC. Our value-based GRC guide notes that 50% of businesses are dissatisfied with their current governance, risk, and compliance tools. Moving to value-based GRC requires tools that support the operating model rather than forcing the business to bend around the software.
This is exactly what we pride ourselves on: making the right process easy to follow, and easy to prove.
As a past client of ours put it:
“I like the way that the people can go in and complete it and then it automatically uploads; we have a centralized place.”
April Daniel, Director of Compliance Operations, UNT Health
She then explained what that means in practice:
“It has cut down time tremendously… I’ve gone from days of trying to logistically get the information to minutes.”
April Daniel, Director of Compliance Operations, UNT Health
Closing: what enterprise leaders should take away
Conflicts of interest are inevitable, but silence and delay create risk fast. Perception matters as much as fact, and a register won’t protect you if nobody makes and documents the call.
That’s why conflict of interest belongs in governance, not HR admin: mature programs treat it as a living risk system tied to real decisions, with clear ownership and defensible outcomes.
This is exactly where value-based GRC becomes real.
OCEG’s definition is the right lens: reliably achieve objectives, address uncertainty, and act with integrity.
Conflict of interest is one of the clearest places integrity becomes operational, because it forces an organization to make defensible trade-offs under pressure.
Implementing value-based GRC also explains the upside: when decision-making is transparent and accountable, stakeholders trust you more. As our GRC strategy director puts it:
“Value-based GRC is about enabling investors to back you and helping you move faster because regulators and stakeholders trust you to do the right thing.”
Paul Cadwallader, GRC Strategy Director at CoreStream GRC
Good governance is not “be nicer.” It is making integrity executable under pressure.
Want to learn more about our conflict of interest solution?
Want a complimentary 1 hour workshop on quick fixes to achieve value based GRC from our experts?
Frequently asked questions about conflict of interest
What is a conflict of interest (COI)?
Conflict of interest (COI) is any situation where personal interests, relationships, or outside roles could influence, or appear to influence, professional judgment. The “appear to” part matters because reputational and regulatory fallout often comes from perception.
What are the three types of conflict of interest?
1. Actual: a conflict exists right now.
2. Potential: circumstances could become a conflict depending on what happens next.
3. Perceived: even if nothing improper happens, a reasonable third party could question the decision.
Why does perception of a conflict matter more than intent?
Because trust is usually lost before misconduct is proven. If a regulator, auditor, competitor, investor, or journalist can make a credible case that the decision did not look independent, you are already on the back foot.
Does disclosing a conflict of interest protect the organization?
No. Disclosure is only step one. If you log a conflict and do nothing, you have created evidence that you knew and still proceeded. Protection comes from assessment, a clear decision, mitigation (where needed), and documented rationale.
What are the most common causes of conflict of interest?
1. Financial: ownership, investments, paid advisory work, gifts/hospitality, outside employment.
2. Relational: family, close personal relationships, romantic relationships in reporting lines, affiliations that create perceived favoritism.
3. Role and decision-related: revolving door moves, previous involvement in matters now under oversight, switching between buyer, advisor, supplier, or regulator context.