How can you work to operationalize the Code of Conduct as articulated in the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs? The Evaluation focuses not on whether a company has a paper compliance program but whether a company is actually doing compliance. A company does compliance by moving it into the functional business units as a part of an overall business process. That is what makes a compliance program effective at the business level. There are several different parts of the Evaluation that touch upon your Code of Conduct.

Prong 2, Senior Leadership and Middle Manage states the following:

Shared Commitment What specific actions have senior leaders and other stakeholders (e.g., business and operational managers, Finance, Procurement, Legal, Human Resources) taken to demonstrate their commitment to compliance, including their remediation efforts? How is information shared among different components of the company? 

The Code of Conduct process should involve these corporate disciplines. Your Code of Conduct should enshrine your company’s values. Those are set by senior management and their input and support for any Code of Conduct project, whether initial draft or update, is critical.

Prong 4, Policies and Procedures states the following:

Designing Compliance Policies and Procedures What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out? 

This question gets to the heart of operationalization and demonstrates how a Code of Conduct can work to meet the DOJ requirements. As an early part of your design and drafting process, you should assemble a cross-functional team. This is important for several reasons. First diversity in your team will help produce a more well-rounded final product. But having such team diversity will also assist in your benchmarking effort, coupled with those who are going to help you out looking at designs and maybe helping forge the design of the Code. Finally, you can use a group to help in the drafting, redrafting and editing process. This diversity will help you to answer all of the three DOJ questions from the Evaluation in a manner consistent to support operationalization.

This project team diversity will also help to operationalize your Code of Conduct after implementation. You will have various business unit members invested in your new or revised Code of Conduct. This ownership will help not only in your internal marketing but demonstrate to employees the commitment to doing business ethically and in compliance to your entire workforce.

Prong 6, Training and Communication, states:

Form/Content/Effectiveness of Training Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training?  

There are several different types of training, including live, interactive and online training. But in addition to training, your Code of Conduct can form the basis of ongoing communications throughout the organization. Through a Code of Conduct, a company has acknowledged certain risks and it can communicate those risks through effective use of a Code of Conduct. It can also serve as a jumping off point for training and communications about more focused topics and discussions led by employees outside the compliance department.

You can measure the effectiveness of your training through a variety of mechanisms including knowledge assessments, culture surveys, focus groups, tracking your internal intranet training, reporting of trends and even hotline calls. These techniques can help to drive compliance into the very fabric of your company by operationalizing compliance. Another important consideration around effectiveness for training, and the text of the Code of Conduct, is translations, or as the DOJ stated, “Has the training been offered in the form and language appropriate for the intended audience?”

Three Key Takeaways

  1. What has been the role of senior management in the creation or update of your Code of Conduct?
  2. How have you worked with employees outside the compliance function to lay the groundwork for fully operationalizing your compliance program?
  3. How have your measured the effectiveness of your Code of Conduct training?


This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

In this episode, I visit with Don Fischer, a San Francisco and Washington, based lawyer who is one of the country’s leading practices dedicated to assisting corporations, universities and research institutions with the development of comprehensive Export Control compliance and FCPA programs. He has extensive strategic and practical experience in helping implement cost-effective, risk proportionate compliance programs. Fischer has specific export control services include risk assessments, export process development, export licenses (EAR, ITAR and OFAC), Technology Control Plans, Requests for advisory opinions, Voluntary Disclosure investigations, Data security analyses, training and web content development.

In this episode we discuss, the following issues: -What are export controls?

-Which government agencies regulate exports?

-What’s a deemed export?

-Do these requirements only affect defense contractors?

-How do these requirements impact corporations?

-What are the consequences for getting this wrong?

-What are some of the challenges that companies face in becoming compliant?

-What is the best way for a company to implement necessary oversight of an export compliance program, in a cost-effective manner?

It is a fascinating exploring a type of compliance which converges with anti-corruption compliance more and more in the commercial corporation setting.

Don Fischer can be reached at

You can check out his law firm by clicking here.

 In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this episode, we provide an introduction to the new revenue recognition standard.

On our podcast, Compliance into the Weeds, Matt Kelly and I have put together a five-part podcast series where we explore implications of the new revenue recognition standard. Each podcast is short, 11-13 minutes, and deals with one topic from the new revenue recognition standard. It will go live at noon on each day this week. The schedule for this week is:

Monday, Part 1: Introduction

The prior revenue recognition standard was rules-based, while this new revenue recognition standard is principles-based. This was done deliberately as FASB is coordinating this rollout with how revenue is recognized in other parts of the world, specifically International Financial Reporting Standards (IFRS) which are put forth by the International Accounting Standards Board (IASB). This was a joint effort to have a one global approach to how companies recognize revenue and the process involves a lot more judgment. Kelly noted, “The good news is that you can exercise a lot more judgment and if you have good judgment you can finesse things to be much more reflective of what’s the economics of the deal.”

Tuesday, Part 2: What’s the logic of your transaction price?

In this episode, Matt and I discuss how to make a contract determination and then how to come up with a logical transaction price to base your revenue recognition on. In the grand scheme of this new revenue recognition standard, what FASB wants to achieve with this new rule is to bring more transparency to what is the logic of the economic action being reviewed. There is a five-step process for making this determination and judgments play a role at each step. This requirement will mandate many more internal company discussions to make the determination, including groups who have not traditionally been a part of such discussions. Lawyers and compliance practitioners will need to go far beyond simply the art of reading a spreadsheet to add value, they must be able to articulate the contractual obligations (written or oral), opine if they have changed from the pattern of a business practice and if the obligations have been completed or are ongoing.

Wednesday, Part 3: Shaking up software revenue recognition

In this episode, Matt and I take a deep dive into how the new revenue recognition standard will impact the software business. We consider how the new revenue recognition rule will ultimately allow some portion of the software sector, and possibly quite a lot of firms, to recognize more of their long-term contract revenue immediately. Yet, this brings about bigger strategic questions on how a software company might need to think about revenue patterns as such calculations may be much more volatile going forward. For investors, it also has serious implications around volatility, especially if you are trying to figure out what is the value of the company you are considering an investment in or purchase of going forward. It even has implications for business development representatives as it can impact the timing of bonuses based upon revenue recognition.

Thursday, Part 4: Auditors need to pay attention

In this episode, we focus on corporate disclosures, IFCR, audits and the Public Company Accounting Oversight Board (PCAOB). The PCAOB has made clear that audit firms are going to respond to this revenue recognition standard and everybody should be under no illusions. As we note throughout this series, there will be much more judgment by companies in making definitions or defining what the transactions and the values are for them. This means more documentation on the logic of the transaction price. Additionally, auditors have their own new inspection standards and they are required to pay more attention to judgment across the board. And now there is going to be more judgment in some of the most important revenue or financial lines that auditors look at in companies. Finally, auditors will be looking more closely at fraud risk because as there will be some circumstances where sales commissions could be higher because of the new revenue standard that would let some firms recognize more of a transaction more quickly.

Friday, Part 5: What does it all mean for compliance (and everyone else)?

In this final episode, we discuss what it means going forward. As you might expect from the Compliance Evangelist, I tend to see things through the prism of the compliance profession. This new revenue recognition standard intertwines two concepts. This first is the convergence and overlap between the compliance profession, compliance programs, compliance practitioners and internal controls. While largely seen as financial in nature, compliance internal controls are in place to both detect and prevent. Now compliance internal controls can also be used to gather the information which will be presented to auditors under the new revenue recognition standard. Many professionals are focused on the new revenue recognition from the auditing and implementation perspective. However, if you are a Chief Compliance Officer (CCO), you might want to go down the hall and have a cup of coffee with your Chief Financial Officer (CFO) and find out what internal controls might be changing or that they might be adding and consider how that will impact compliance in your organization.

Matt tends to see things through his journalist’s vision, with a bigger picture in front of him. He believes it is about coming up with the numbers, what goes into the calculation and how you can justify it going forward. A company is not losing or gaining money. However, when, and how, you recognize it will change. If your business falls into a category, where significant volatility will erupt, such as the software industry, you need to think through what the consequences of this change are for your organization.

I hope every compliance professional and many listeners beyond, will take in the entire podcast series. Our exploration of this topic drives home once again the broad base that a compliance practitioner needs, not only in their academic training, but in their professional experience.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017

What about the training on your finalized Code of Conduct? While there have been criticisms of Code of Conduct training, if you consider training as one source of your 360-degrees of compliance communications, the rollout of a new or updated Code of Conduct can be an opportunity. This rollout fits directly into the concept of 360-degrees of compliance as rollout is part of both communications and engagement. The delivery of a Code of Conduct is a key element of its effectiveness. By allowing your employees and other stakeholders to engage and interact with the Code of Conduct, through live or interactive training, the effectiveness can be better monitored and measured.

In a white paper, entitled “Top 5 Tips for Effective Code of Conduct Revisions, Eric Morehead noted that often companies have a formal launch of the Code of Conduct where senior management and the corporate compliance function “conduct on-site activities across the organization to promote the launch of the new Code, or launch interactive activities such as video competitions that ask stakeholders to such submit short videos on Code topics.” However, this is not the sole manner to have such a rollout as other companies “keep the message more informal but use frequent touchpoints, for example, through email or cascading messages through line managers, to keep up the drumbeat on compliance topics and reinforce the role of compliance.” The key is to exploit on the opportunity a new or revised Code of Conduct gives you to communicate in a 360-degree manner on your compliance program.

One of area in 2017 Department of Justice’s Evaluation of Corporate Compliance Programs that articulated a new emphasis was in the effectiveness of training. I think everyone would understand you do need to train but now the government’s talking to us about effective training. Begin with live training that can be held at the corporate headquarters with senior management and even executive involvement. Many companies will videotape a message from the CEO to help celebrate the rollout. Then there is the opportunity for localized training that gives employees an opportunity to see, meet, and speak directly with a compliance officer, not an insignificant dynamic in the corporate environment. Such personal training also sends a strong message of commitment to the Code of Conduct. It gives employees the opportunity to interact with the compliance officer by asking questions which are relevant to markets and locations outside the United States, which can often provide employees with the opportunity to have confidential in-person discussions.

An important part of in-person training is the opportunity to interact with the audience through Q&A. There are a couple different approaches to Q&A. The first is to solicit questions from the audience. However, many employees are reluctant, for a variety of different reasons, to raise their hands and ask questions in front of others. This can be overcome by soliciting written questions on cards or note pads. A second technique is to lead the audience through hypothetical examples in which the audience is broken down into small discussion groups (up to five people) to discuss a situation and propose a response. However, with a worldwide, multi thousand-person workforce with multiple languages, an entire Code of Conduct roll-out based on live training may not be feasible.

Not surprisingly, and one of the key themes in compliance, is to understand your company and tailor your compliance program, including your Code of Conduct training, for your audience. Companies have to consider their audience when considering drafting the Code of Conduct, the kind of tone it is going to have, how long it is going to be and topics you are going to cover in the Code of Conduct; the same analysis is true for your training.

Most organizations put together custom training for their Code of Conduct rollout. Live training is generally viewed to be the most effective with online training next in effectiveness. One technique which as gained traction is a modular approach where you might identify 10 key risk areas and train on each in 10 minute segments throughout the year, one per month. This drives engagement and lessons complaints that employees have to take an entire hour for such training.

Another mechanism is more interactive training. When audience members are required to answer questions on an ongoing basis it can foster more engagement. It can also help to meet the DOJ requirement to demonstrate the effectiveness of training. Of course, gamification which is another form of interactivity and it has become more popular over the last few years. It also has the advantage of more favor with millennial members of the workforce.

However, your Code of Conduct training should be an extension of the way you communicate compliance in your organization. If it is divorced from your 360-degrees of compliance communications style, you may well be missing an opportunity to drive better understanding of the Code of Conduct and denigrate the effectiveness of the training. Whatever approach is used, one of the critical factors is the length of time of the training session. Although lawyers and ethics and compliance professionals can (sometimes) sit through a multi-hour Code of Conduct, it is almost impossible to keep the attention of business and operations employees for such a length of time. The presentation and number of PowerPoint slides must be kept to a manageable length before the attendee’s eyes start to glaze over.

Three Key Takeaways

  1. Consider a video message from your CEO to help roll out your Code of Conduct initiation or update.
  2. Tailor your Code of Conduct training to your workforce.
  3. Consider interactive and modular approaches to Code of Conduct training.


This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

Next is the design of your Code of Conduct. Through attention to detail in the design process, you should be able to come out at the end with a Code of Conduct which will help you to more fully operationalize your compliance program.

You must begin with a determination of what you are trying to accomplish. It does not serve you to try and list every compliance risk you might think your company may encounter. You should determine the values you want to communicate, what the expectations are for employees and how to call the hotline. Under such an approach, a Code of Conduct can be the jumping off point for training on the issues stated in it. The Code of Conduct can also form the hub of the wheel for other policies and procedures and written standards you want to communicate to relevant stakeholders.

You should also consider how you are going to distribute your Code to your employees and stakeholders. If it is through an Adobe .pdf document, which is accessible for most stakeholders across an organization or via another method. If a significant part of your workforce does not have access to computers, online production only will not work as the primary distribution platform.


One conundrum is whether and how to incorporate your ethical values into your Code of Conduct. You can integrate values by incorporating them into your discussion of the risk topics in your Code of Conduct. This aids in your roll out as a topic of interest in discussing your new or revised Code of Conduct. Integrity can be discussed in the context of a non-retaliation policy.


Another tool is to benchmark other Codes of Conduct. You should consider other companies in your industry, organizations that operate in the same geographic jurisdictions as your organization does and companies with a similar employee size. Consider what they are doing, determine what appeals to you and think about what might work for your organization.

If you have not updated your Code of Conduct for some time, there will probably be new areas that you need to incorporate into the updated version. Two obvious new areas of risk involve social media and cybersecurity. Such an exercise will help with your goal setting at the beginning of the project and allow you to move directly to the drafting of the text.

Drafting and Redrafting

If you are starting from scratch an outline is a good way to go. If you are working from a current version, you may want to go through a few drafts with redlining the text to eliminate confusing language and unnecessary legalization which is meaningless to anyone other than lawyers. An example here is the move from a US-centric focus on the FCPA due to the proliferation of other countries enacting anti-corruption legislation such as the UK Bribery Act and the Brazil Clean Companies Act, Chinese domestic anti-bribery laws and other standards as well.


Although the Code of Conduct was not specifically mentioned in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs, the over-riding concept of operationalization applies equally to your Code of Conduct drafting or updating exercise. This means you need to consider how are you going to involve the operational areas of your organization in that process, as there is a clear DOJ expectation around your Code of Conduct.

You should engage a focused group tasked with doing redlines of the text. A key is to involve employees from different parts of your company. It is just important to involve people from outside the compliance and legal functions in the process so that you get that buy-in from a wide variety of the corporate business units. This certainly can aid when the time for rollout comes.

Using your business folks to help develop Q&As, examples or scenarios, can help to address common questions from the field and can also be useful in making your Code of Conduct training more effective. Having somebody in operations suggest to you what would be a good example or Q&A because if there are issues the business unit deals with on a daily basis can be most useful. Further there are many different parts of this process where you can include employees into your Code development. This involvement will not only make your Code of Conduct more robust but it will help to further operationalize it by making it more applicable to the business folks. Indeed, the government will probably ask you who, outside the compliance/legal function, was involved and their contributions. (Insert-Document Document Document here!) Getting different perspectives is important but you need to include non-compliance teams early in the process by helping you from the planning phase through drafting and rewriting up to implementation and rollout.

Three Key Takeaways

  1. Get your business folks involved in your Code of Conduct from the outset.
  2. Your ethical values should be integrated into and integral to your Code of Conduct.
  3. How have you operationalized your Code of Conduct?


This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.