This week, I am exploring some of the compliance service offerings I make available to the compliance community through my consulting company, Advanced Compliance Solutions. Today, I discuss Code of Conduct updates.
Simply having a Code of Conduct, together with compliance policies and procedures is not enough. As articulated by former Assistant Attorney General Lanny Breuer, “Your compliance program is a living entity; it should be constantly evolving.” The 2012 FCPA Guidance stated, “When assessing a compliance program, DOJ and SEC will review whether the company Guiding Principles of Enforcement has taken steps to make certain that the Code of Conduct remains current and effective and whether a company has periodically reviewed and updated its code.” Some of the questions I would pose to you include:
- When was the last time your policies and procedures were released or revised?
- Have there been changes to your company’s internal controls since the last revision?
- Have there been changes to relevant laws relating to a topic covered in your company’s policies and procedures?
- Are any of the policies and procedures outdated?
- What is the budget to create/revise your policies and procedures?
After considering these issues, the next step is to benchmark your current policies and procedures against other companies in your industry. If you decide to move forward, I suggest a process which can be fully documented as a basis to include revisions to your compliance policies and procedures.
Get buy-in from senior leadership of your company. Your company’s highest level must give the mandate for a revision to compliance policies and procedures. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be consulted at every major step of the policies and procedures revision process if it involves a change in the direction of key policies.
Establish a core policies and procedures revision committee. A cross-functional working group would be ideal to head up your effort to revise your compliance policies and procedures and should include representatives from the following departments: Legal, Compliance, Communications and Human Resources (HR) and representation from domestic and international business units. Lastly, ensure you also include Finance and Accounting, IT, Marketing and Sales functions.
From this large group, the topics can be assigned for initial drafting to functions based on their relevance or necessity. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. It is important that you establish a timetable for the revision process and hold the representatives accountable for meeting their revisions.
Conduct a thorough technology assessment. The cornerstone of the revision process is how your company captures, collaborates and preserves all the comments, notes, edits and decisions during the entire project. In addition to this use of technology in revising your compliance policies and procedures, you should determine if they will be available in hard copy, online or both. There must be a distribution plan, particularly if the code and compliance policies and procedures will only be available in hard copy.
Determine translations and localizations. The 2019 Guidance made clear that your compliance policies and procedures must be translated into local language for your non-English speaking workforce. The key is that your employees have the same understanding of the compliance policies and procedures – no matter the language.
Develop a plan to communicate the revised policies and procedures. A rollout is always critical because it is important that revisions are communicated in a manner that encourages employees to review and use the policies and procedures on an ongoing basis. Your company should use the full panoply of tools available to it to publicize the revised compliance policies and procedures. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide compliance policies and procedures meeting where the new or revised documents are rolled out across the company all in one day. Also remember, with all things compliance; the three most important aspects are “Document, Document, and Document”. However, for each delivery or a new or revised policies and procedures, you must document that each employee received it.
These points are a useful guide to not only thinking through how to determine if your policies and procedures need updating, but also practical steps on how to tackle the problem. If it has been more than five years since the last update, you should begin the process now. It is far better to review and update, if appropriate, than wait for a massive Foreign Corruption Practices Act (FCPA) investigation to go through the process.
What is the bottom line? Set a timeline; stay on target, budget and set realistic expectations to deliver to your deadline. Finally, document your process of revision to demonstrate more complete operationalization of your compliance program as set out in the 2019 Guidance.