Today I continue my Code of Conduct exploration with Eric Morehead, Principal of Morehead Compliance Consulting. After having reviewed the legal requirement and business purpose in Part I, the structure and form of your Code of Conduct in Part II; today we turn to design. An analogy from my grandmother’s days as a seamstress, to “measure twice and cut once” will serve you well on a Code of Conduct project.

You must begin with a determination of what you are trying to accomplish. It does not serve you to try and list every compliance risk your lawyer mind thinks your company might face. You should determine the values you want to communicate, what the expectations are for employees and how to call the hotline. Under such an approach, a Code of Conduct can be the jumping off point for training on the issues stated in it. The Code of Conduct can also form the hub of the wheel for other policies and procedures and written standards you want to communicate to relevant stakeholders.

Morehead advises you should give “some thought about how you’re going to get that Code out there to your employees and stakeholders” whether it is an Adobe .pdf document, which is accessible by pretty much any stakeholder anywhere across your organization, or via another method. Morehead said, “you need to know who’s out there, who you’re trying to reach and what’s the best way to reach them. That’s going to inform you know right, you know right off the bat whether you’re even going to consider doing a web implementation if you don’t have, if you have a significant amount of your population that’s not online or is in a location where they can’t get access to the web then that’s a nonstarter.”


One conundrum is whether and how to incorporate your ethical values into your Code of Conduct. Morehead emphasized they must be integrated into and integral to your Code of Conduct for if they are not and you “simply slap the value slap on the front of the document, it looks more like a Xerox error than that it’s purposeful in any way.” You can integrate values by incorporating them into your discussion of the risk topics in your Code of Conduct.

Morehead provided an example of integrity. He believes you can discuss integrity in several places in your Code of Conduct and pointed to internal reporting as an obvious location. Integrity can be discussed in the context of a no-retaliation policy. He also cited to the example of a corporate value of fun, noting, “Fun is hard but we managed to weave it in when we were talking about how and one place in particular that we talked about it was the workplace environment and what the expectations were. You know, we want to have a fun environment but we have to respect each other.” With values, you should consider them particularly if they have not been successfully communicated and there’s consideration internally that maybe they need to revised, to do that in conjunction with perhaps rolling out a new Code of Conduct, which allows the rollout to be part of that unveiling of the values language being communicated in several different areas.”


Another tool Morehead advises is to benchmark Codes of Conduct with others in your industry, even if you are “rewriting your Code of Conduct or starting from scratch.” Morehead suggests you should at “least have looked at pure organizations in your industry, organizations that maybe operate in the same geographic jurisdictions that you do, organizations that have a similar employee size. So not just peers only in your industry but peers, peer organizations otherwise. Take a look at what they’re doing, what, see what you like, see what you don’t like or again it doesn’t necessarily have to be a formal benchmarking but I think it’s important to spend some time at the beginning seeing what’s out there.”

If you have not updated your Code of Conduct for some time, there will probably be new areas that you need to incorporate into the updated version. Two obvious new areas of risk involve social media and cybersecurity. Morehead believes that such an exercise will help with your goal setting at the beginning of the project and allow you to move directly to what he calls the “heavy lifting piece, which is the text itself.”

Drafting and Redrafting

If you are starting from scratch an outline is a good way to go. If you are working from a current version, Morehead suggests you do at least two or three run-throughs with redlining the text to eliminate confusing language and unnecessary legalize that does not mean anything to anybody other than lawyers. An example here is the move from a US-centric focus on the Foreign Corrupt Practices Act (FCPA) due to the proliferation of other countries enacting anti-corruption legislation such as the UK Bribery Act and the Brazil Clean Companies Act and maybe even talk about other international standards as well.

Morehead related that this part of the project will seem like a “tennis ball has to be hit back and forth a few times” until you are able to achieve organizational sign-off. However, you can use this time to work on the design elements, while the text is being edited and re-edited.  Morehead cautioned this will be a time-consuming process and “if you’re really going fast maybe 12 weeks but usually more like 15 weeks to do that part of the process because that’s the hard part because you’re going to inevitably have, for most organizations of size, half a dozen that have to sign off internally.”


Although the Code of Conduct was not specifically mentioned in the Department of Justice’s (DOJ) recently released Evaluation of Corporate Compliance Programs (Evaluation), the over-riding concept of operationalization applies equally to your Code of Conduct drafting or updating exercise. This means you need to consider how are you going to involve the operational areas of your organization in that process, there is a clear DOJ expectation for this around your Code of Conduct.

Morehead suggests you engage a “small and manageable group that are going to do the actual redlines of the text. It’s just important to involve people in the process and different parts of the process so that you get that buy-in because it’s actually a smart move for launching the code a few months down the road too.” A key is to involve folks from different parts of your company.

Morehead suggests using the business folks to help develop Q&As or scenarios, which could answer common questions from the field. He notes, “there’s nothing better than having somebody in operations suggest to you what would be a good example or Q&A for safety because if that’s something they deal with on a day in day out basis they know where the pain points are. So there’s lots of different parts of this process where you can bring people in and bringing operational people, operational managers in is really important”. Indeed, the government will probably ask you who, outside the compliance/legal function, were involved and what their contributions were. (Insert-Document Document Document here!) Morehead concluded that by “getting those different perspectives I think is really important and bringing those people in early so that they can help participate in different parts of the process and again not necessarily reviewing the code and suggesting edits and drafts but actually helping you in the planning phase is really important.”

At this point, you have a completed version and all the relevant stakeholders have signed off. You are ready to begin your training, which we will take up tomorrow.

For more information on Eric Morehead, Morehead Compliance Consulting or to contact Eric Morehead, go to Morehead Compliance Consulting.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017