What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to wave in regulator’s face during an enforcement action by using it to claim we are an ethical company. Is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What should be the goal in the creation of your company’s Code of Conduct?

In the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission stated, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In the Society for Corporate Compliance and Ethics (SCCE) 2017 Complete Compliance and Ethics Manual, article, entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “First and foremost, the standards of conduct demonstrate the organization’s overarching ethical attitude and its “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” They go on to state, “The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.”

There are several purposes which should be communicated in your Code of Conduct. The overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating those requirements, to providing a process for proper decision-making and then requiring that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your compliance program are ‘Document, Document and Document’. The same is true in communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands it. The DOJ expects each company to begin its compliance program with a very public announced, very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, which turned on violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be a FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United Airlines to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United Airlines operations at the company’s huge east coast hub at Newark, NJ.

The actions of United’s former Chief Executive Officer, Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials by failing to not only follow the United Code of Conduct but also violating it. The $2.4 million civil penalty levied on United was in addition to the Non-Prosecution Agreement settlement with the Department of Justice, which resulted in a penalty of $2.25 million. The scandal also cost the resignation of Smisek and two high-level executives from United.

Three Key Takeaways

  1. Every formulation of a best practices compliance program starts with a written Code of Conduct.
  2. The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity.
  3. Document Document Documents your training and communication efforts.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com

There has been an interesting evolution of the structure and format of a best practices Code of Conduct over the past 10 years or so. Initially, my experience with Codes of Conduct was that they were written by lawyers, largely for lawyers. This included ‘thou shalts’ and ‘thou shalt nots’ liberally sprinkled throughout a lengthy written document. This was what is now referred to as Code 1.0. The compliance community then evolved Code 2.0, where the writing was less turgid, we moved to more employee friendly language and then somewhere along the line we started putting in hyperlinks and pictures.

There are two factors which a company should consider on the structure of Code of Conduct. The first is to consider how your organization generally communicates, overlaid with the most effective way to communicate with the various stakeholders who will read and use the Code of Conduct. These stakeholders can include such diverse groups as employees, shareholders and third parties on both the sales and supply side of your business. This may require multiple approaches.

The second point involves considering the thinly veiled land of the future of compliance by considering how will your Code of Conduct be viewed and used going forward. A simple example is the switch to mobile devices as a mainstay of corporate communications. Think about how laptops were viewed as the primary vehicle through which most employees and stakeholders interacted with training and resources for many organizations. Now many companies are going to mobile devices. Will you’re the format of your Code of Conduct work on those various platforms and perhaps some you have not yet considered?

With a current Adobe .pdf platform for instance, you can have a .pdf document because it is the easiest thing to provide to people who are looking at it on a phone on a PC on a tablet or want to print it out and hold the pieces of paper as it is the most compatible format out there. Also, you can embed some interactivity into a .pdf document. Such technology allows you to add functionality as it becomes available to you.

If your organization is one where communication is more free flowing and there is more free-wheeling internal communications, that should be reflected in your Code of Conduct form. This means if your organization is a startup in Silicon Valley or in a well-known fun-loving organization such as Southwest Airlines; there may well be more playful attitude and a more playful way to communicate Code of Conduct topics. Conversely if you work for a hierarchical energy services company, which communicates in a top down strategy, such playfulness is not appropriate. What you should strive for is a consistent communications strategy. If your employees and other stakeholders are accustomed to receiving communications in a certain style it would appropriate to maintain that style in your Code of Conduct. The key is to consider not just how the internal communication at your company occurs. Consider how does HR ops and marketing and other other corporate disciplines communicate. You should strive for a consistent communication strategy in your Code of Conduct.

Think about the evolution of the Code of Conduct from the type of document that was akin to an annual report to one that now addresses corporate culture. A Code of Conduct must speak to the typical important concepts such as values that define the ethical culture or should define the ethical culture of the company. Some Code of Conducts have been as long as 12,000 to 14,000 words but others can be quite short, only four to five thousand words. It all means there is no set length and the style of writing can vary. But it must ring true with your employees, stakeholder and shareholders.

Be sure to make your Code of Conduct readable. This is beyond simply eliminating legalese. It is writing English at a grade level that is sufficient for your employee population. It may be that an eighth-grade language level is appropriate for your work force. However, if you have a population consisting primarily of professionals, translating it into the appropriate languages it might be appropriate to aim for a higher level of language. Finally, you do not have to say the same thing, in multiple different ways.

Three Key Takeaways

  1. Companies have moved past having a Code of Conduct in by lawyers for lawyers to a fully interactive Code for all employees.
  2. Consider how information is distributed at your organization as a basis for communication in your Code of Conduct.
  3. Your Code of Conduct must be readable, in both in English and native language for non-English speaking employees.

This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to wave in regulator’s face during an enforcement action by using it to claim we are an ethical company. Is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

In the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission stated, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In the Society for Corporate Compliance and Ethics (SCCE) 2017 Complete Compliance and Ethics Manual, article, entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “First and foremost, the standards of conduct demonstrate the organization’s overarching ethical attitude and its “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” They go on to state, “The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.”

There are several purposes which should be communicated in your Code of Conduct. The overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating those requirements, to providing a process for proper decision-making and then requiring that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands it. The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, which turned on violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be a FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United Airlines to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United Airlines operations at the company’s huge east coast hub at Newark, NJ.

The actions of United’s former Chief Executive Officer, Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials by failing to not only follow the United Code of Conduct but also violating it. The $2.4 million civil penalty levied on United was in addition to the Non-Prosecution Agreement settlement with the Department of Justice, which resulted in a penalty of $2.25 million. The scandal also cost the resignation of Smisek and two high-level executives from United.

Three Key Takeaways

  1. Every formulation of a best practices compliance program starts with a written Code of Conduct.
  2. The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity
  3. Document Document Documents your training and communication efforts.

This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

The cornerstone of a best practices compliance program is its written standards. These include a Code of Conduct, policies and procedures. These requirements have long been memorialized in the US Federal Sentencing Guidelines (FSG), which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements, the DOJ has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement and Non-Prosecution Agreement. These requirements were incorporated into the 2012 FCPA Guidance. The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws. 

In the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission stated, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In each DPA and NPA since that time, the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.

Your Code of Conduct, policies and procedures should be grouped under the general classification of written standards, comprising three levels of written standards. First, every company should have a Code of Conduct, which should, most generally express its ethical principles. But simply having a Code of Conduct is not enough. A second step mandates that every company should have policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

Best practices now require companies to have additional written standards, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective written standards is to demonstrate that your compliance program is more than just words on a piece of paper.

Policies and Procedures

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the 2012 FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and procedures are the documents that implement these standards of conduct.

The role of compliance policies is to provide guidance and to protect companies, despite an occasional hick-up. Policies provide a basic set of guidelines for employees to follow. They can include general dos and don’ts, work process flows, specific issue guidelines. By establishing what is and is not acceptable compliance behavior, a company cans mitigate the compliance risks posed by employees who might make foolish decisions or otherwise engage in unethical behavior.

While policies are not a guarantee that things will not go sideways, they are a line of defense if they do. The effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating ethically and proactively for the benefit of its stakeholders, its employees and the community it serves. If it is a company subject to the FCPA, it is an international company so that can be quite a wide community.

The 2012 FCPA Guidance ended its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that policies are applied fairly and consistently across your company for if compliance policies are applied inconsistently, there is a greater chance for employee dissatisfaction. This point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedure. They are certainly a first line of defense when the government comes knocking. This means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Written policies, signed by employees provide a vital layer of communication. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.

Three Key Takeaways

  1. A Code of Conduct, together with policies and procedures have long been recognized as cornerstones of a best practices compliance policy.
  2. Each level of written standards builds upon one and other so you need to consider this integration step.
  3. The Fair Process Doctrine applies to your written standards.

Written standards are your first line of defense in the event of a FCPA violation.

This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

Today focus in the Code of Conduct series is on the aspect of training on your finalized Code of Conduct. Eric Morehead, Principal of Morehead Compliance Consulting, joins me in this series. While there have been criticisms of Code of Conduct training, if you consider training as one source of your communication, the rollout of a new or updated Code of Conduct can be an opportunity. Morehead has noted that a Code of Conduct can be the “centerpiece of a broad communications and engagement plan.” The delivery of a Code of Conduct is a key element of its effectiveness. By allowing your employees and other stakeholders to engage and interact with the Code of Conduct, through live or interactive training, the effectiveness can be better monitored and measured. This can also be used as an

In a white paper, entitled “Top 5 Tips for Effective Code of Conduct Revisions, Morehead noted that often companies have a formal launch of the Code of Conduct where senior management and the corporate compliance function “conduct on-site activities across the organization to promote the launch of the new Code, or launch interactive activities such as video competitions that ask stakeholders to such submit short videos on Code topics.” However, this is not the sole manner to have such a rollout as other companies “keep the message more informal but use frequent touchpoints, for example, through email or cascading messages through line managers, to keep up the drumbeat on compliance topics and reinforce the role of compliance.” The key is to “capitalize on the opportunity a new Code gives you.”

One of area in the recently release Department of Justice’s (DOJ’s) Evaluation of Corporate Compliance Programs (Evaluation) that had a new emphasis was in the effectiveness of training. I think everyone would understand you do need to train but now the government’s talking to us about effective training. I asked Morehead what he has observed on what makes Code of Conduct training effective. Fortunately, from his professional background with Corpedia and the NYSC Governance Services, he is quite familiar with various types of training.

You can start with live training that can be held at the corporate headquarters with senior management and even executive involvement. Many companies will videotape a message from the Chief Executive Officer (CEO) to help celebrate the rollout. Then there is the opportunity for localized training that gives employees an opportunity to see, meet, and speak directly with a compliance officer, not an insignificant dynamic in the corporate environment. Such personal training also sends a strong message of commitment to the Code of Conduct. It gives employees the opportunity to interact with the compliance officer by asking questions which are relevant to markets and locations outside the United States, which can often provide employees with the opportunity to have confidential in-person discussions.

An important part of in-person training is the opportunity to interact with the audience through Q&A. There are a couple different approaches to Q&A. The first is to solicit questions from the audience. However, many employees are reluctant, for a variety of different reasons, to raise their hands and ask questions in front of others. This can be overcome by soliciting written questions on cards or note pads. A second technique is to lead the audience through hypothetical examples in which the audience is broken down into small discussion groups (up to five people) to discuss a situation and propose a response. However, with a worldwide, multi-thousand person workforce with multiple languages, an entire Code of Conduct roll-out based on live training may not be feasible.

Not surprisingly, and one of the key themes in compliance, is to understand your company and tailor your compliance program, including your Code of Conduct training, for your audience. Companies have to consider their audience when considering drafting the Code of Conduct, the kind of tone it is going to have, how long it is going to be and topics you are going to cover in the Code of Conduct; the same analysis is true for your training.

Morehead believes most organizations put together custom training for their Code of Conduct rollout. It is typically online “and if it makes sense for them for their code of conduct training, and I think the same rules apply here, you want your training to really resonate with the audience that you’re trying to reach and I think the trends we see here, generally speaking, are that the code training is a lot shorter than it used to be in the past.”

He also suggested that your Code of Conduct training could be more modular in presentation. “For instance, if your company identified 12 key risk areas in the Code of Conduct, you could   train on six risk areas each year, instead of the full dozen. You could keep important topics like reporting and non-retaliation and similar aspects that always have to be talked about on an annual basis but maybe you split up the topics and try to shorten the length that way.”

Another mechanism Morehead has observed over the past few years is more interactive training. When audience members are required to answer questions on an ongoing basis it can foster more engagement. It can also help to meet the DOJ requirement to demonstrate the effectiveness of training. He also noted that “gamification which kind of goes hand in hand with interactivity has been talked about a lot over the last few years.” His understanding is that gamification and interactivity make “it a little bit more effective for millennial members of the workforce.”

At the end of the day, the reality is that just as with different types of codes making sense for different types of organizations the same is true for interactive training. As Morehead noted, “It may make sense for your population. It may not.” But it does mean you should consider your population, “take a look at the offerings that are out there to consider how does it fit into your organization.”

Morehead ended by noting that your “training really ought to bear some resemblance to the way you communicate in the Code and the topics that you communicate in the Code of Conduct.” It really does your organization no good, “If it’s completely divorced from that then you’re missing an opportunity to drive people from training to the Code and from the Code to you know better understanding the training. So you kind of missed, to use an overused term you’ve missed some synergy there if they are divorced from each other and they don’t really speak to the same topics or speak in the same way about those topics. So I would try to keep them similar and I guess that’s another call for considering a custom implementation rather than an off the shelf implementation”.

Whatever approach is used, one of the critical factors is the length of time of the training session. Although lawyers and ethics and compliance professionals can (sometimes) sit through a multi-hour Code of Conduct, it is almost impossible to keep the attention of business and operations employees for such a length of time. The presentation and number of PowerPoint slides must be kept to a manageable length before the attendee’s eyes start to glaze over.

Tomorrow I will conclude this week’s series by looking at a Code of Conduct update as a way to operationalize your compliance regime.

For more information on Eric Morehead, Morehead Compliance Consulting or to contact Eric Morehead, go to Morehead Compliance Consulting.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017