
Conflicts of interest are one of those compliance risks that can look “small” on paper and still create outsized damage in the real world. They distort decision-making, trigger allegations of favoritism, and can become a gateway risk for corruption, antitrust misconduct, procurement fraud, or retaliation concerns. Even when no wrongdoing occurs, the perception that a decision was biased can be enough to erode trust with regulators, employees, and business partners.
ISO 37009 (first edition, 2025-09) provides practical guidance for organizations to identify, assess, resolve, and monitor conflicts of interest through a governance and risk-based lens, anchored in trust, integrity, transparency, and accountability. This article translates those guidelines into an actionable approach for compliance officers, legal teams, and mid-sized organizations.
What a conflict of interest is (ISO 37009 definition)
ISO 37009 defines a conflict of interest as a situation where an interested party has a personal interest or an organizational interest, directly or indirectly, that can compromise or interfere with the ability to act impartially in carrying out duties in the best interest of the organization.
Two clarifications from ISO 37009 matter in practice:
- A conflict of interest is not automatically corruption or misconduct. People can legitimately have private interests.
- The compliance failure is usually not “having” the interest, but failing to identify it early, disclose it, and manage it until reasonable objectivity and impartiality are achieved.
Personal interest vs organizational interest
ISO 37009 distinguishes the nature of the interest behind the conflict:
- Personal interest: individual interests that may affect impartiality (financial, family, business, professional, political, religious, gifts and hospitality, outside roles).
- Organizational interest: competing interests attributed to the organization (or parts of it, such as a department) that may bias decisions (for example, access to decision-makers, conflicting client obligations, confidential competitor information, subsidiary relationships).
In both cases, ISO 37009 emphasizes that the nature of the interest should be disclosed and available as documented information, with safeguards for privacy and confidentiality.
Types of conflicts of interest you should recognize
ISO 37009 highlights three core categories you should build into your policy, training, and workflows.
Actual conflict of interest
An actual conflict exists when the competing interest is real and current (or existed in the past) and can compromise impartiality.
Example: a manager participates in vendor selection while holding a financial stake in a bidder.
Apparent (perceived) conflict of interest
An apparent conflict exists when a competing interest can be reasonably perceived to compromise impartiality, even if it does not in fact.
This category is often underestimated. ISO 37009 explicitly links perceived conflicts to trust damage, even when safeguards exist.
Example: a procurement decision is made by someone whose close relative works for the selected vendor, even if the relative is not involved in the contract.
Potential conflict of interest
A potential conflict is not active yet, but could arise in the future if left untreated.
Example: an employee is negotiating employment with a business associate while still supervising that relationship.
Quick reference table for categorization
| Category | What it means | Typical compliance response | Key risk if ignored |
|---|---|---|---|
| Actual | Impartiality is compromised now (or was) | Immediate assessment, recusal, mitigation, documentation | Wrong decisions, misconduct, enforcement exposure |
| Apparent | Reasonable perception of bias | Disclosure, transparency measures, defensible record | Trust erosion, internal disputes, reputational loss |
| Potential | Could become a conflict later | Early controls, role adjustments, monitoring | A “surprise” conflict during audits or incidents |
Why conflicts of interest are risky for compliance
ISO 37009 treats conflict of interest as a risk by nature. Unmanaged conflicts obstruct objectivity and fairness in decisions and can contribute to corruption, wrongdoing, or the perception of wrongdoing.
Here is how that translates into real compliance exposure for mid-sized organizations.
They weaken the integrity of core decisions
Many high-impact decisions are conflict-sensitive:
- Vendor selection and third-party onboarding (anti-bribery and procurement integrity)
- Sales partnerships, distributors, intermediaries (commission structures, gifts, public-sector interactions)
- Hiring, promotions, compensation, and disciplinary actions (fairness, retaliation allegations)
- Internal investigations and case handling (independence, confidentiality)
- Competitive strategy and trade association activity (antitrust information exchanges)
- AI procurement and model deployment decisions (bias, incentives, governance under the EU AI Act)
When decision-makers are not impartial, your controls can exist on paper but fail operationally.
They damage trust (and trust affects cost and speed)
ISO 37009 explicitly links trust to measurable outcomes, namely the speed of business transactions and the cost of doing business. When stakeholders suspect favoritism or hidden interests, approvals slow down, escalations multiply, and relationships deteriorate.
This matters for compliance because trust is also what makes a whistleblowing channel usable, a policy credible, and an investigation defensible.
They create “gateway” risk across frameworks
Conflicts of interest are rarely a standalone topic. They often show up as a root cause across regulatory frameworks relevant to Naltilia’s audience:
- Anti-bribery programs (ISO 37001, Loi Sapin II): unmanaged gifts, outside activities, revolving doors, and conflicted third-party selection can become bribery red flags.
- Antitrust compliance (UNE 19603): conflicts can incentivize improper information sharing or biased participation in associations.
- Criminal compliance in Spain (UNE 19601): governance failures and conflicted oversight can undermine the effectiveness and credibility of a criminal compliance model.
- AML: conflicted onboarding decisions and “relationship-driven” exceptions can weaken risk-based controls.
- EU AI Act readiness: conflicts can arise when incentives to deploy AI quickly override risk assessment, documentation, human oversight, or procurement neutrality.
They make your program harder to defend during audits and investigations
ISO 37009 emphasizes that organizations should document, monitor, analyze, and assess conflict identification, declaration, and management so the organization has an auditable and defensible position.
That is the difference between “we had a policy” and “we can show impartial decision-making was protected.”
What ISO 37009 recommends: a practical management framework
ISO 37009’s approach is not just “collect disclosures.” It is a management framework designed to be embedded into governance and business processes.
The four principles to operationalize
ISO 37009 anchors conflict-of-interest management on:
- Trust: prevent both actual harm and perceived harm.
- Integrity: set behavioral expectations and respond to non-compliance.
- Transparency: make disclosure workable while respecting privacy and trade secrets.
- Accountability: clarify obligations, measure progress, report outcomes, and apply consequence management.
Leadership, policy, and roles
ISO 37009 is explicit about tone and ownership:
- The governing body (or top management in smaller organizations) should approve the policy, align it with strategy, ensure resources, and oversee effectiveness.
- Top management should establish and communicate the policy, integrate it into business processes and other management systems, ensure training, and review reports at planned intervals.
A strong conflict-of-interest policy is binding on relevant personnel and should clearly state that breaches can lead to remedial, disciplinary, or other management actions.
How to handle conflicts of interest step by step (ISO 37009 process)
ISO 37009 organizes handling into four recurring steps: identification, assessment, resolution, and monitoring. The walkthrough below also breaks disclosure out as its own step, because it is where most programs stall in practice. The most effective programs treat this as a workflow, not a one-time form.

Step 1: Identify conflicts early (and repeatedly)
ISO 37009 recommends periodic identification at all levels, using multiple sources:
- Disclosures (self-reporting)
- Risk analysis and risk mapping
- Audits
- Incidents and investigations
For personal conflicts, ISO 37009 recommends requiring disclosure at key triggers:
- At the beginning and end of the relationship
- When personnel are transferred or promoted
- When interests change significantly
- In any other situation where a conflict can arise
For organizational conflicts, ISO 37009 suggests ensuring visibility across business functions and periodically reviewing disclosures to capture changes.
Practical tip for mid-sized firms: identify a small set of high-risk processes where conflicts matter most (procurement, third parties, hiring, M&A, sales intermediaries, investigations, AI procurement) and embed COI checkpoints there.
Step 2: Make disclosure mandatory, timely, and safe
ISO 37009 expects disclosure to be mandatory, timely, accurate, and to define:
- Who discloses, how, and when
- Training and awareness requirements
- Duties of personnel and third parties to disclose
- Responsibilities of management to manage and resolve
- Notification of actions required to resolve
It also highlights two enabling controls:
- Protect disclosed information appropriately (ISO 37009 references information security and privacy considerations, and points to ISO/IEC 27001 for guidance).
- Establish a whistleblowing system for confidential or anonymous reporting (ISO 37009 points to ISO 37002).
Step 3: Assess the risk, not just the relationship
ISO 37009 recommends regular risk assessments related to conflict of interest at every level. For a specific case, assessment criteria should consider:
- Purpose and objectives of the organization
- Expectations of interested parties
- Uncertainties and potential consequences
- Resources of the organization
The assessment process should:
- Assess the roles of relevant parties
- Analyze and prioritize foreseeable risks
- Evaluate existing controls and their effectiveness
- Assess possible outcomes and mitigation options
This aligns naturally with risk-based approaches used in compliance management systems and risk standards such as ISO 31000.
Step 4: Resolve the conflict with proportionate measures
ISO 37009’s goal of resolution is to minimize risk. Measures should be reasonable and proportionate to the risk and the expectations of interested parties.
ISO 37009 lists resolution strategies that include:
- Identifying and disclosing the conflict before decision-making
- Avoiding the conflict with specific policies or actions
- Recusing or limiting involvement in a process or decision
- Recruiting an impartial third party to oversee
- Removing the cause of the conflict
- Restricting access to information or decision-making
ISO 37009 also recognizes reality: in some cases it may be necessary to accept the risk (for example, an owner’s position), but only based on a risk assessment and documented rationale.
Information barriers as a concrete resolution tool
Annex A of ISO 37009 provides practical guidance on “information barriers” to manage conflicts, especially organizational conflicts:
- Physical barriers (separate locations, restricted areas, controlled access)
- Electronic barriers (access controls, secure document management, authorized access lists, confidentiality instructions)
This is especially relevant for law firms, advisory teams, and corporate groups where parallel engagements can create conflicts.
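The electronic barrier described in Annex A can be enforced in code rather than by instruction alone. The following is an added illustration (not part of ISO 37009 or of any product): it models per-engagement authorized access lists, denies access and staffing across a conflicting pair of engagements unless a documented waiver is recorded, and keeps an audit log whose denied entries feed the monitoring step. Engagement names, client names and user names are constructed sample data.

```python
import copy

# Constructed sample data (hypothetical names): ENG-A and ENG-B serve competing clients.
SAMPLE_ENGAGEMENTS = {
    "ENG-A": {"client": "Client A", "team": {"alice", "bob"}},
    "ENG-B": {"client": "Client B", "team": {"carol"}},
    "ENG-C": {"client": "Client C", "team": {"alice"}},
}
SAMPLE_CONFLICTS = {frozenset({"ENG-A", "ENG-B"})}  # engagement pairs an information barrier must separate


class InformationBarrier:
    """Electronic barrier: per-engagement authorized access lists, deny by default, audit log."""
    def __init__(self, engagements, conflicting):
        self.engagements = engagements
        self.conflicting = conflicting
        self.waivers = set()  # (user, engagement) risk accepted with a documented rationale
        self.log = []         # (user, engagement, allowed, reason): evidence for the COI register

    def conflicts_with(self, user, engagement):
        """Engagements the user already works on that are walled off from `engagement`."""
        return sorted(e for e, data in self.engagements.items()
                      if user in data["team"] and frozenset({e, engagement}) in self.conflicting)

    def can_access(self, user, engagement):
        """Document access check: must be on the access list and not across a barrier."""
        team = self.engagements.get(engagement, {}).get("team", set())
        if user not in team:
            allowed, reason = False, "not on authorized access list"
        elif self.conflicts_with(user, engagement) and (user, engagement) not in self.waivers:
            allowed, reason = False, "barrier with %s" % self.conflicts_with(user, engagement)
        else:
            allowed, reason = True, "authorized"
        self.log.append((user, engagement, allowed, reason))
        return allowed

    def add_to_team(self, user, engagement):
        """Staffing checkpoint: refuse to add someone across a barrier unless a waiver is recorded."""
        if self.conflicts_with(user, engagement) and (user, engagement) not in self.waivers:
            self.log.append((user, engagement, False, "staffing blocked by information barrier"))
            return False
        self.engagements[engagement]["team"].add(user)
        return True

    def denied_events(self):
        """Denied attempts are the monitoring signal that a resolved conflict is being tested."""
        return [entry for entry in self.log if not entry[2]]


def demo_barrier():
    return InformationBarrier(copy.deepcopy(SAMPLE_ENGAGEMENTS), set(SAMPLE_CONFLICTS))
```

Reviewing `denied_events()` periodically is the concrete form of the monitoring step: a cluster of blocked attempts around one engagement is a sign the resolved conflict is no longer passive.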
Step 5: Monitor until the conflict stays passive
ISO 37009’s monitoring goal is to ensure resolved conflicts remain passive and do not become unacceptable again. Monitoring can include:
- Periodic interviews with the conflict holder
- Regular awareness sessions on the benefits of keeping the resolved conflict under control
- Regular training refreshers on conflict risk
The key operational point: a conflict is not “done” when a form is signed. It is “done” when it remains controlled over time.
Summary table: from policy to evidence
| ISO 37009 step | What “good” looks like | What to document | Where teams lose time (and what to automate) |
|---|---|---|---|
| Identify | COI prompts embedded in key processes, not just annual forms | COI register, triggers, risk areas | Manual chasing of declarations, inconsistent intake |
| Disclose | Mandatory, timely, protected, with clear routing | Completed disclosures, access controls, audit trail | Email-based disclosures, unclear ownership |
| Assess | Risk-based criteria, evaluates existing controls | Assessment notes, rationale, approval | Ad hoc decisions, no consistent scoring logic |
| Resolve | Proportionate mitigation (recusal, oversight, barriers) | Mitigation plan, implementation proof | Mitigations not tracked to completion |
| Monitor | Active follow-up until passive | Review logs, refreshers, status updates | “Set and forget” conflicts that resurface |
Common conflict-of-interest scenarios to include in training
ISO 37009 provides examples of at-risk situations (Annex A) that translate well into scenario-based training:
- Outside activities and parallel roles
- Access to confidential or inside information
- Gifts and other benefits
- Personal relationships
- Revolving doors
- Interactions with public officials
- Employment after leaving the organization
- Financial interests
- Access to the organization’s assets
- Competing duties
- Self-review (reviewing your own deliverables)
For mid-sized companies, these scenarios are most effective when tied to real workflows (procurement approval, distributor onboarding, RFP evaluation, internal investigations, AI vendor selection) and not presented as abstract ethics.
How this supports audits, certifications, and “defensible compliance”
Many organizations encounter conflicts of interest during:
- ISO-aligned audits (for example, compliance management systems such as ISO 37301 or anti-bribery management systems such as ISO 37001)
- Program maturity assessments
- Procurement reviews and third-party due diligence testing
- Certification journeys that include governance and risk components (often searched as “risk management certification” in procurement and partner contexts)
A conflict-of-interest framework aligned with ISO 37009 strengthens audit readiness because it produces a defensible chain: disclosure, assessment, decision, mitigation, monitoring, and evidence.
Frequently asked questions
Is a conflict of interest always misconduct? No. ISO 37009 is clear that a conflict of interest is not necessarily corruption or wrongdoing. The compliance expectation is that conflicts are identified, disclosed, assessed, and managed until impartiality is protected.
What is the difference between actual and apparent conflict of interest? An actual conflict compromises impartiality in fact. An apparent conflict is when a competing interest can reasonably be perceived to compromise impartiality, even if it does not. Apparent conflicts still matter because they can damage trust.
How often should we collect conflict-of-interest disclosures? ISO 37009 recommends disclosures at key lifecycle moments (start and end of relationship, transfers or promotions, significant changes of interest) and periodic review. Many organizations complement this with an annual refresh, but triggers are what prevent surprises.
What are the most common ways to resolve a conflict of interest? ISO 37009 lists options such as disclosure before decision-making, avoiding the conflict, recusal or limited involvement, third-party oversight, removing the cause, restricting access to information, and restricting participation in decision-making.
How do conflicts of interest relate to whistleblowing? ISO 37009 recommends establishing a whistleblowing system to allow confidential and anonymous reporting of wrongdoing related to conflicts of interest. ISO 37002 provides guidance on implementing such a system.
Make conflict-of-interest management operational with Naltilia
ISO 37009 is straightforward about the hard part: conflict-of-interest management only works when it is embedded in business processes, supported by repeatable workflows, and backed by documented evidence.
Naltilia helps compliance teams scale that operational approach by streamlining key building blocks such as regulatory risk assessment, remediation actions, tailor-made policies, automated data collection, and compliance workflow automation.
If you want to move from ad hoc disclosures to a consistent, auditable process, explore Naltilia at naltilia.com and see how a workflow-driven approach can increase capacity without lowering standards.

