
Why Are We Relegating Conflicts of Interest to Another Hotline Case Type?

I had a conversation recently with a compliance leader at a large financial services firm. Smart team, genuine commitment to doing things right. They'd just finished their annual COI campaign — 91% completion rate, cases processed and closed.

The team was proud of that number. And they should be. Getting 91% of employees to do anything is genuinely hard.

But when I asked what the program had told them about risk — which business units were most exposed, whether disclosure patterns had shifted year-over-year, how COI data connected to their third-party relationships — they paused.

"I guess we don't really look at it that way."

That moment stuck with me. Because I think it's more common than most of us want to admit.

The Hotline Wasn't Built for This

Here's something worth sitting with: most organizations manage conflicts of interest as a case type inside their ethics hotline or case management platform.

That made sense once. You needed a place to collect disclosures, track them, close them. The hotline was there. It was logical.

But it came with a set of assumptions that quietly shaped how organizations think about COI — and most of those assumptions are wrong.

The hotline is built to receive reports of things that have already gone wrong. Someone saw something. Someone said something. A case opens, gets worked, gets closed.

Conflicts of interest are categorically different. They're not incidents. They're conditions — ongoing, dynamic, relational states that exist across your employee population all the time, whether disclosed or not. Treating them like a case type means you inherit the wrong mental model for what you're actually trying to manage.

What We're Missing When COI Lives in a Queue

When I think about what a well-run COI program actually gives you, I keep coming back to three things that have nothing to do with case counts.

Organizational culture signal. When employees disclose proactively and specifically, that's a behavioral indicator of ethical culture — not just compliance. When disclosure rates drop, or submissions become vague, or certain teams consistently underperform, the program is telling you something important about culture that no engagement survey can capture.

Business unit and regional risk mapping. COI data, properly analyzed, shows you where risk is actually concentrating — not where leadership assumes it is. A regional sales team with unusual vendor relationships that never surface in disclosures is a risk signal. A business unit where no one has disclosed in three years is a red flag, not a clean bill of health.

Third-party risk intelligence. Your employees are connected to your vendors, suppliers, and partners in ways your TPRM function doesn't know about. COI disclosure is one of the only mechanisms that surfaces those relationships. But only if it's connected to the rest of your risk data — not siloed in a case queue.

None of this happens when COI is just another case type.

The COI Maturity Gap Is Real

What we see when we look at how organizations manage COI across the market is a consistent pattern. Most sit somewhere between Phase 1 and Phase 3 of a five-phase COI maturity arc.

Phase 1 is a policy. Somewhere. Disclosure happens when something goes wrong, not because a system prompted it.

Phase 2 is the annual campaign. Reminder emails go out. Most employees file something by the deadline. Completion rates get tracked. What was actually disclosed — and whether it changed any behavior — doesn't.

Phase 3 is where it gets interesting, because Phase 3 feels like success. There's software. There's a process. There are reports. But the data doesn't connect to anything. COI lives in its own silo, disconnected from third-party risk, investigations, gifts and entertainment, and HR data. The team generates activity reports, not risk insight.

Here's the thing about Phase 3: it's comfortable. It's defensible. It's also where invisible risk accumulates the fastest, because the program looks like it's working.


The Question I Keep Coming Back To

I was speaking with a group of compliance leaders a few months ago and someone asked a question that I've been sharing ever since:

"If a regulator asked you tomorrow to demonstrate — with complete supporting documentation — how a specific conflict of interest was identified, reviewed, resolved, and monitored in your organization over the last 12 months, how long would it take?"

If the answer is "a few minutes," you have a program.

If the answer involves anyone opening a spreadsheet or searching their inbox — you have a process. And regulators are getting better at knowing the difference.

Enforcement actions increasingly cite not just policy failures, but program failures. The absence of systematic monitoring. The inability to demonstrate ongoing oversight. The lack of connection between COI data and broader risk management.

A PDF policy and a case queue don't constitute a program in that environment.

What a Real Program Looks Like

The organizations I find most inspiring on this aren't necessarily the biggest or the most resourced. They're the ones who made a deliberate decision to treat COI differently.

Disclosure is always-on, not annual. Employees disclose when a conflict arises — at onboarding, at role change, when a relationship becomes relevant — not when the campaign reminder hits their inbox.

Data is connected. A COI submission that names a vendor is cross-referenced against the third-party risk register. An employee who discloses a board seat is linked to their procurement authority and investigation history.

Risk is visible before it becomes a problem. Patterns in disclosure data — spikes, gaps, concentrations by region or function — surface as leading indicators, not lagging ones.

Culture is measurable. Not just completion rate, but disclosure quality. Are employees disclosing proactively? With specificity? Is that improving year over year?

That's what a program looks like. And it's a long way from a hotline case type.

The Good News

The good news is that this isn't a technology problem — or at least, it doesn't start as one. It starts with asking different questions.

Not "did we collect the disclosures?" but "what are the disclosures telling us?"

Not "what's the completion rate?" but "what's the quality of what we're collecting, and is it improving?"

Not "is the case closed?" but "is the risk actually mitigated?"

The organizations that are asking those questions are building compliance functions that boardrooms trust, regulators respect, and employees genuinely believe in.

And that, to me, is worth getting right.

 

Curious where your COI program sits on the maturity curve? We've built a COI framework that helps compliance teams honestly assess their programs and identify the next step forward. Happy to share it — just reach out.


Colin Campbell

Colin Campbell is GAN Integrity's VP of Marketing with over 15 years of experience in the SaaS software and tech industry. Colin has led analyst relations and product marketing growth strategies in North America, EMEA, UK and APAC, growing revenues in multiple industries. At GAN Integrity, Colin drives market expansion and demand generation and significantly enhances customer retention, with a talent for aligning marketing strategies with business goals to deliver results.
