Forensics Today

Conflicts of interest: Under-disclosed, under-monitored, and under-mitigated

  • June 03, 2026

Key takeaways

  • Conflicts of interest are a pervasive, age-old business risk that begets many types of fraud (e.g., corruption, embezzlement, financial reporting fraud) in companies of all sizes and sectors. Yet they’re often underestimated and/or under-mitigated, and rarely treated as the enterprise risk they can easily become and, recently, have become.
  • Many organizations have disclosure policies to identify problems at the outset (e.g., as part of employee onboarding or SOX compliance), but lack meaningful follow-through. Left unchecked, employee conflicts can lead to significant financial, legal, regulatory, and reputational harm.
  • Managing this risk can’t be a one-and-done, box-checking exercise. It requires end-to-end guardrails such as ongoing monitoring and disclosure requirements, escalation procedures, disposition tracking, mitigation protocols, and accountability mechanisms.

Conflicts of interest are among the oldest and most pervasive drivers of corporate misconduct, quietly underpinning frauds of various types, from corruption to embezzlement to financial reporting fraud. Yet despite their broad reach, conflicts are often viewed as isolated ethical lapses rather than systemic, company-wide risks. In reality, they can emerge in any organization, across any industry, and at any job level, often hiding in plain sight while creating the conditions for far more serious breakdowns.

Many organizations believe they have this risk covered. Internal disclosure requirements (e.g., embedded in onboarding, annual certifications, SOX compliance) are designed to surface potential conflicts. But identification without action isn’t enough. Too often, disclosures are treated as one-time events to be documented, filed, and forgotten. Without thoughtful analysis, clear ownership and guardrails, consistent monitoring, and visibility over time, previously identified conflicts can resurface years later, exposing companies to financial loss, regulatory scrutiny, cultural erosion, and reputational damage.

Recent cases show how unmanaged conflicts can escalate into enterprise-level crises, triggering investigations, raising concerns about the integrity of financial reporting and performance, and eroding shareholder trust. What may begin as a seemingly minor relationship or incentive misalignment can evolve into material fraud risk if left unchecked.

Managing this exposure can’t be a rote, check-the-box task or left to annual compliance certifications by individuals within an organization. It requires an end-to-end approach that includes structured intake and assessment, ongoing monitoring, escalation protocols, disposition tracking, and enforceable mitigation plans. In today’s data-rich environment, organizations have more tools than ever to do this better. Yet many don’t make the effort, in part because they underestimate the scope, scale, and severity of the risk.

By recognizing conflicts as a potential enterprise-level risk, you can move beyond documentation and better manage the overall life cycle of conflicts and the many fraud schemes they might enable.

Why is this risk underestimated?

Organizations often think of conflicts of interest as mere theoretical concerns involving the appearance of a conflict rather than a “real” risk. Say an employee discloses that a relative works for a supplier. If the employee has no direct involvement in vendor selection or oversight at the time of disclosure, the relationship might be deemed to pose no fraud risk. This mindset treats conflicts as static and binary—either present or not—rather than dynamic risks that can evolve with changes in roles, responsibilities, or business relationships.

In contrast, many organizations perceive fraud very differently. Fraud can lead directly to clear financial, regulatory, legal, and reputational harm, whereas conflicts pose an indirect, less obvious compliance risk. But the two are often closely related. And the failure to see this connection means that compliance programs tend to focus more on the symptom than the root cause.

As a result, your organization may have a process for disclosing conflicts but lack guidance on what to do with that information once disclosed. Few have formal processes and procedures for assessing and monitoring conflicts that are disclosed, let alone those that aren’t. The result is that nothing happens until a problem surfaces.

Example: As part of onboarding, a procurement employee discloses to her supervisor that her husband works at one of the company’s key suppliers. But because the husband is not in the supplier’s sales chain of command, the supervisor finds no actual conflict and does nothing with the information. Later, the husband is tapped to become the supplier’s national sales manager. By then, however, the employee’s supervisor has retired, the conflicts policy doesn’t require the prior disclosure to be updated or refreshed periodically, and there’s no monitoring of previously reported conflicts (e.g., scanning the husband’s LinkedIn account announcing the promotion). The conflict continues unnoticed, enabling the employee and spouse to devise a fraud scheme that operates under the radar for years.

Another reason conflicts are neglected is a widespread misconception that they’re small-dollar risks mostly involving low-level employees or insignificant suppliers. That’s misguided on two counts. First, conflicts can underlie many types of fraud and, when aggregated, the financial losses can be substantial. According to Occupational Fraud 2026: A Report to the Nations by the Association of Certified Fraud Examiners (ACFE), the average organization loses 5% of its annual revenue due to fraud, and the average loss per case is $1.475 million. Second, conflicts can sometimes result in “earthquake” events that jeopardize the organization’s brand and viability. Examples include companies that faced investigations following short-seller reports alleging, at least indirectly, that inadequately disclosed and/or inappropriately managed related-party transactions were artificially inflating the company’s financial performance.

“Short sellers only need to raise the appearance of conflicts to bolster a public short attack 'hit piece' designed to drive the stock price down. A well-functioning system of controls that detects and mitigates conflicts is critical for a company to be positioned to issue a prompt rebuke that reassures markets and regulators alike.”

Michael D. Blanchard, Partner, Morgan, Lewis & Bockius LLP

Sector impact: Variations on a theme

Although conflicts of interest can take shape in different ways from one industry to another, they pose the same fundamental risks to organizations of all types, sizes, and sectors.

Suppose a loan officer approves a series of commercial loans to a business owned by a close relative. The bank’s policies require disclosure and independent review of related-party relationships, but the officer bypasses those controls and routes the applications through standard approval channels without flagging the conflict. Because the loans perform initially, the activity goes unnoticed. Over time, however, credit quality deteriorates and losses mount, prompting an internal review that uncovers the relationship. What began as a hidden conflict escalates into credit losses, internal control failures, and potential regulatory inquiries, driven not by a lack of policy but by a failure to monitor and/or enforce it.

Imagine a surgeon helping to develop a medical device under a royalty arrangement with the manufacturer. The device maker records the relationship and pays royalties on all sales, including sales to the hospital network where the surgeon works and supervises other surgeons. The surgeon and team recommend and use the device in thousands of procedures. Patients and consumer advocates later discover the royalty arrangement and raise concerns to regulators, triggering a False Claims Act investigation.

A finance director at a fast-growing tech company might disclose a significant but minority ownership stake in a small vendor during onboarding. The company documents that the disclosure occurred and that it was deemed immaterial and therefore required no action. After rapid growth, the company reorganizes, promoting the finance director to procurement officer without ever revisiting the disclosure. The employee selects that same vendor for a multimillion-dollar contract. Without monitoring or reassessment, the conflict scales with the business, creating financial and reputational risk.

A sales manager discloses that his cousin owns a proposed distributor just outside his territory, but the company notes the territory difference, notes the cousin isn’t “immediate” family, and takes no further action. As it turns out, the sales manager and cousin grew up under the same roof and own other businesses together. The sales manager later gets promoted to VP and takes on a larger territory that includes his cousin’s distribution company. The newly promoted VP directs that significant marketing allowances be paid to the distributor and gives it favorable pricing and exclusive, early distribution rights to the latest products. What began as a low-risk disclosure turns into significant margin leakage—and a potential fraud scenario—because the initial assessment was wrong and no one ever reevaluated the conflict.

In each example, a seemingly harmless or undisclosed relationship snowballed into a costly outcome that could have been avoided with some additional due diligence or better monitoring and follow-through.

The price of disappointing regulators and markets

Recent SEC and DOJ activity makes clear that federal regulators view conflicts of interest as a test of whether an organization’s compliance program actually works in practice. But regulators aren’t the only or even the first stakeholder to react when conflicts go unmanaged. Short sellers and other market participants increasingly scrutinize related-party relationships, incentive structures, and opaque transactions, often surfacing issues before regulators act. When they do, the consequences can be immediate—loss of confidence, share price declines, and, in many cases, follow-on regulatory inquiries.

“Recent enforcement actions make clear that the SEC is focused on whether a firm’s internal practices match what it tells investors and employees. The SEC is using conflicts of interest as a window into how compliance programs actually operate.”

Harris Fischman, Partner, Paul, Weiss, Rifkind, Wharton & Garrison LLP

Across examination priorities, enforcement actions, and corporate resolutions, the expectation is consistent. Companies should actively identify, analyze, manage, and monitor conflicts over time. The SEC has articulated this expectation explicitly in the case of financial institutions. Its FY2026 Examination Priorities report states that examiners evaluate whether a firm’s policies and procedures “are reasonably designed to address conflicts of interest” and, critically, whether those policies “are implemented and enforced.” This shifts the focus from documentation to execution. Examiners aren’t just asking whether a conflict was disclosed. They’re assessing whether the firm has guardrails in place to stop employees from putting their own interests ahead of client interests, and whether those guardrails operate effectively in practice.

SEC enforcement actions reinforce this point. In multiple recent cases, the regulator charged firms not only for disclosure failures but also for failing to adopt and implement policies and procedures reasonably designed to identify, address, and prevent conflicts-related violations. In short, the absence of an effective control framework is itself a violation. When conflicts surface publicly—whether through whistleblowers, journalists, or short sellers—firms should be able to demonstrate that they actively governed those risks, not merely documented them.

DOJ guidance and enforcement activities support this view. The Criminal Division’s guidance on Evaluation of Corporate Compliance Programs emphasizes that companies must maintain risk-based compliance programs that are integrated into business operations, with defined responsibilities, training, reporting mechanisms, and incentives. Prosecutors evaluate not only whether controls exist but also whether they’ve been tested and proven capable of preventing or detecting misconduct. Recent resolutions underscore this expectation by requiring companies to enhance compliance programs, implement and test controls, and report on their effectiveness over time.

“In a DOJ investigation, an undisclosed conflict of interest may be viewed by prosecutors not merely as a governance lapse, but as potential evidence of unlawful intent, prompting greater scrutiny and even enforcement.”

Douglas S. Zolkind, Partner, Debevoise & Plimpton LLP

Taken together, these signals point to a fundamental shift. Organizations often face dual accountability to regulators who expect strong operational controls and to markets that react swiftly when conflicts undermine trust. Disclosure is only the starting point. The real costs hit when companies fail to continuously monitor, reassess, and mitigate conflicts they’re aware of.

Implementing an enterprise, risk-based framework

Leading organizations are moving toward integrated frameworks that combine data, governance, and accountability to manage conflicts across their overall life cycle. The goal is to identify, assess, and control them in a consistent, defensible way. In practice, that means moving beyond a static, compliance-driven approach to one that’s risk-based, structured, and dynamic. The following actions provide a blueprint.

  1. Adopt a risk-based model: Score and tier disclosures based on risk, focusing oversight and resources where your organization’s exposure is greater rather than treating all conflicts equally.
  2. Treat disclosure as the starting point: Pair each disclosure with a defined review process, thoughtful analysis (asking the right questions), clear decisioning, and, if warranted, enforceable conditions and ongoing monitoring.
  3. Monitor for undisclosed conflicts: Don’t rely solely on employee disclosures. Use data analytics to help identify hidden risks by linking employee and related-party data within the enterprise and the public domain to vendor, customer, or transaction data to find undisclosed relationships or patterns.
  4. Leverage technology with human oversight: Use AI and automation to help standardize intake, scoring, and routing while maintaining human ownership and accountability for high-risk decisions.
  5. Standardize decision-making: Establish clear frameworks and criteria for evaluating conflicts to help reduce inconsistency, bias, and reliance on individual discretion.
  6. Document thoroughly and consistently: Record what was disclosed, how it was assessed, why decisions were made, and what expectations were communicated to the employee (including requirements to update disclosures as circumstances change). Weak documentation can undermine even well-managed conflicts.
  7. Enforce, monitor, and reassess continuously: Implement controls such as recusal, supervision, or transaction restrictions, and actively confirm those conditions are followed over time. Reassess conflicts as roles, relationships, and business activities evolve, initiating reviews when key data points change.
  8. Audit the program regularly: Test the effectiveness of controls, identify gaps, and evaluate whether the program is operating as designed. Use findings to help drive enhancements.
  9. Build feedback loops and enterprise visibility: Use discrepancies between automated outputs and human decisions—and real-world outcomes—to refine risk models and improve program effectiveness. Aggregate conflict data to help identify trends, inform leadership, and support risk-based policy and control enhancements.

Contact us

Ryan Murphy

Partner, Global Investigations & Forensics Leader, PwC US

James Gargas

Partner, Investigation & Forensics, PwC US
