What about the training on your finalized Code of Conduct? While there have been criticisms of Code of Conduct training, if you consider training as one source of your 360-degrees of compliance communications, the rollout of a new or updated Code of Conduct can be an opportunity. This rollout fits directly into the concept of 360-degrees of compliance as rollout is part of both communications and engagement. The delivery of a Code of Conduct is a key element of its effectiveness. By allowing your employees and other stakeholders to engage and interact with the Code of Conduct, through live or interactive training, the effectiveness can be better monitored and measured.

In a white paper, entitled “Top 5 Tips for Effective Code of Conduct Revisions, Eric Morehead noted that often companies have a formal launch of the Code of Conduct where senior management and the corporate compliance function “conduct on-site activities across the organization to promote the launch of the new Code, or launch interactive activities such as video competitions that ask stakeholders to such submit short videos on Code topics.” However, this is not the sole manner to have such a rollout as other companies “keep the message more informal but use frequent touchpoints, for example, through email or cascading messages through line managers, to keep up the drumbeat on compliance topics and reinforce the role of compliance.” The key is to exploit on the opportunity a new or revised Code of Conduct gives you to communicate in a 360-degree manner on your compliance program.

One of area in 2017 Department of Justice’s Evaluation of Corporate Compliance Programs that articulated a new emphasis was in the effectiveness of training. I think everyone would understand you do need to train but now the government’s talking to us about effective training. Begin with live training that can be held at the corporate headquarters with senior management and even executive involvement. Many companies will videotape a message from the CEO to help celebrate the rollout. Then there is the opportunity for localized training that gives employees an opportunity to see, meet, and speak directly with a compliance officer, not an insignificant dynamic in the corporate environment. Such personal training also sends a strong message of commitment to the Code of Conduct. It gives employees the opportunity to interact with the compliance officer by asking questions which are relevant to markets and locations outside the United States, which can often provide employees with the opportunity to have confidential in-person discussions.

An important part of in-person training is the opportunity to interact with the audience through Q&A. There are a couple different approaches to Q&A. The first is to solicit questions from the audience. However, many employees are reluctant, for a variety of different reasons, to raise their hands and ask questions in front of others. This can be overcome by soliciting written questions on cards or note pads. A second technique is to lead the audience through hypothetical examples in which the audience is broken down into small discussion groups (up to five people) to discuss a situation and propose a response. However, with a worldwide, multi thousand-person workforce with multiple languages, an entire Code of Conduct roll-out based on live training may not be feasible.

Not surprisingly, and one of the key themes in compliance, is to understand your company and tailor your compliance program, including your Code of Conduct training, for your audience. Companies have to consider their audience when considering drafting the Code of Conduct, the kind of tone it is going to have, how long it is going to be and topics you are going to cover in the Code of Conduct; the same analysis is true for your training.

Most organizations put together custom training for their Code of Conduct rollout. Live training is generally viewed to be the most effective with online training next in effectiveness. One technique which as gained traction is a modular approach where you might identify 10 key risk areas and train on each in 10 minute segments throughout the year, one per month. This drives engagement and lessons complaints that employees have to take an entire hour for such training.

Another mechanism is more interactive training. When audience members are required to answer questions on an ongoing basis it can foster more engagement. It can also help to meet the DOJ requirement to demonstrate the effectiveness of training. Of course, gamification which is another form of interactivity and it has become more popular over the last few years. It also has the advantage of more favor with millennial members of the workforce.

However, your Code of Conduct training should be an extension of the way you communicate compliance in your organization. If it is divorced from your 360-degrees of compliance communications style, you may well be missing an opportunity to drive better understanding of the Code of Conduct and denigrate the effectiveness of the training. Whatever approach is used, one of the critical factors is the length of time of the training session. Although lawyers and ethics and compliance professionals can (sometimes) sit through a multi-hour Code of Conduct, it is almost impossible to keep the attention of business and operations employees for such a length of time. The presentation and number of PowerPoint slides must be kept to a manageable length before the attendee’s eyes start to glaze over.

Three Key Takeaways

  1. Consider a video message from your CEO to help roll out your Code of Conduct initiation or update.
  2. Tailor your Code of Conduct training to your workforce.
  3. Consider interactive and modular approaches to Code of Conduct training.


This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

Next is the design of your Code of Conduct. Through attention to detail in the design process, you should be able to come out at the end with a Code of Conduct which will help you to more fully operationalize your compliance program.

You must begin with a determination of what you are trying to accomplish. It does not serve you to try and list every compliance risk you might think your company may encounter. You should determine the values you want to communicate, what the expectations are for employees and how to call the hotline. Under such an approach, a Code of Conduct can be the jumping off point for training on the issues stated in it. The Code of Conduct can also form the hub of the wheel for other policies and procedures and written standards you want to communicate to relevant stakeholders.

You should also consider how you are going to distribute your Code to your employees and stakeholders. If it is through an Adobe .pdf document, which is accessible for most stakeholders across an organization or via another method. If a significant part of your workforce does not have access to computers, online production only will not work as the primary distribution platform.


One conundrum is whether and how to incorporate your ethical values into your Code of Conduct. You can integrate values by incorporating them into your discussion of the risk topics in your Code of Conduct. This aids in your roll out as a topic of interest in discussing your new or revised Code of Conduct. Integrity can be discussed in the context of a non-retaliation policy.


Another tool is to benchmark other Codes of Conduct. You should consider other companies in your industry, organizations that operate in the same geographic jurisdictions as your organization does and companies with a similar employee size. Consider what they are doing, determine what appeals to you and think about what might work for your organization.

If you have not updated your Code of Conduct for some time, there will probably be new areas that you need to incorporate into the updated version. Two obvious new areas of risk involve social media and cybersecurity. Such an exercise will help with your goal setting at the beginning of the project and allow you to move directly to the drafting of the text.

Drafting and Redrafting

If you are starting from scratch an outline is a good way to go. If you are working from a current version, you may want to go through a few drafts with redlining the text to eliminate confusing language and unnecessary legalization which is meaningless to anyone other than lawyers. An example here is the move from a US-centric focus on the FCPA due to the proliferation of other countries enacting anti-corruption legislation such as the UK Bribery Act and the Brazil Clean Companies Act, Chinese domestic anti-bribery laws and other standards as well.


Although the Code of Conduct was not specifically mentioned in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs, the over-riding concept of operationalization applies equally to your Code of Conduct drafting or updating exercise. This means you need to consider how are you going to involve the operational areas of your organization in that process, as there is a clear DOJ expectation around your Code of Conduct.

You should engage a focused group tasked with doing redlines of the text. A key is to involve employees from different parts of your company. It is just important to involve people from outside the compliance and legal functions in the process so that you get that buy-in from a wide variety of the corporate business units. This certainly can aid when the time for rollout comes.

Using your business folks to help develop Q&As, examples or scenarios, can help to address common questions from the field and can also be useful in making your Code of Conduct training more effective. Having somebody in operations suggest to you what would be a good example or Q&A because if there are issues the business unit deals with on a daily basis can be most useful. Further there are many different parts of this process where you can include employees into your Code development. This involvement will not only make your Code of Conduct more robust but it will help to further operationalize it by making it more applicable to the business folks. Indeed, the government will probably ask you who, outside the compliance/legal function, was involved and their contributions. (Insert-Document Document Document here!) Getting different perspectives is important but you need to include non-compliance teams early in the process by helping you from the planning phase through drafting and rewriting up to implementation and rollout.

Three Key Takeaways

  1. Get your business folks involved in your Code of Conduct from the outset.
  2. Your ethical values should be integrated into and integral to your Code of Conduct.
  3. How have you operationalized your Code of Conduct?


This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

There has been an interesting evolution of the structure and format of a best practices Code of Conduct over the past 10 years or so. Initially, my experience with Codes of Conduct was that they were written by lawyers, largely for lawyers. This included ‘thou shalts’ and ‘thou shalt nots’ liberally sprinkled throughout a lengthy written document. This was what is now referred to as Code 1.0. The compliance community then evolved Code 2.0, where the writing was less turgid, we moved to more employee friendly language and then somewhere along the line we started putting in hyperlinks and pictures.

There are two factors which a company should consider on the structure of Code of Conduct. The first is to consider how your organization generally communicates, overlaid with the most effective way to communicate with the various stakeholders who will read and use the Code of Conduct. These stakeholders can include such diverse groups as employees, shareholders and third parties on both the sales and supply side of your business. This may require multiple approaches.

The second point involves considering the thinly veiled land of the future of compliance by considering how will your Code of Conduct be viewed and used going forward. A simple example is the switch to mobile devices as a mainstay of corporate communications. Think about how laptops were viewed as the primary vehicle through which most employees and stakeholders interacted with training and resources for many organizations. Now many companies are going to mobile devices. Will you’re the format of your Code of Conduct work on those various platforms and perhaps some you have not yet considered?

With a current Adobe .pdf platform for instance, you can have a .pdf document because it is the easiest thing to provide to people who are looking at it on a phone on a PC on a tablet or want to print it out and hold the pieces of paper as it is the most compatible format out there. Also, you can embed some interactivity into a .pdf document. Such technology allows you to add functionality as it becomes available to you.

If your organization is one where communication is more free flowing and there is more free-wheeling internal communications, that should be reflected in your Code of Conduct form. This means if your organization is a startup in Silicon Valley or in a well-known fun-loving organization such as Southwest Airlines; there may well be more playful attitude and a more playful way to communicate Code of Conduct topics. Conversely if you work for a hierarchical energy services company, which communicates in a top down strategy, such playfulness is not appropriate. What you should strive for is a consistent communications strategy. If your employees and other stakeholders are accustomed to receiving communications in a certain style it would appropriate to maintain that style in your Code of Conduct. The key is to consider not just how the internal communication at your company occurs. Consider how does HR ops and marketing and other other corporate disciplines communicate. You should strive for a consistent communication strategy in your Code of Conduct.

Think about the evolution of the Code of Conduct from the type of document that was akin to an annual report to one that now addresses corporate culture. A Code of Conduct must speak to the typical important concepts such as values that define the ethical culture or should define the ethical culture of the company. Some Code of Conducts have been as long as 12,000 to 14,000 words but others can be quite short, only four to five thousand words. It all means there is no set length and the style of writing can vary. But it must ring true with your employees, stakeholder and shareholders.

Be sure to make your Code of Conduct readable. This is beyond simply eliminating legalese. It is writing English at a grade level that is sufficient for your employee population. It may be that an eighth-grade language level is appropriate for your work force. However, if you have a population consisting primarily of professionals, translating it into the appropriate languages it might be appropriate to aim for a higher level of language. Finally, you do not have to say the same thing, in multiple different ways.

Three Key Takeaways

  1. Companies have moved past having a Code of Conduct in by lawyers for lawyers to a fully interactive Code for all employees.
  2. Consider how information is distributed at your organization as a basis for communication in your Code of Conduct.
  3. Your Code of Conduct must be readable, in both in English and native language for non-English speaking employees.

This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to wave in regulator’s face during an enforcement action by using it to claim we are an ethical company. Is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

In the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission stated, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In the Society for Corporate Compliance and Ethics (SCCE) 2017 Complete Compliance and Ethics Manual, article, entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “First and foremost, the standards of conduct demonstrate the organization’s overarching ethical attitude and its “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” They go on to state, “The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.”

There are several purposes which should be communicated in your Code of Conduct. The overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating those requirements, to providing a process for proper decision-making and then requiring that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands it. The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, which turned on violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be a FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United Airlines to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United Airlines operations at the company’s huge east coast hub at Newark, NJ.

The actions of United’s former Chief Executive Officer, Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials by failing to not only follow the United Code of Conduct but also violating it. The $2.4 million civil penalty levied on United was in addition to the Non-Prosecution Agreement settlement with the Department of Justice, which resulted in a penalty of $2.25 million. The scandal also cost the resignation of Smisek and two high-level executives from United.

Three Key Takeaways

  1. Every formulation of a best practices compliance program starts with a written Code of Conduct.
  2. The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity
  3. Document Document Documents your training and communication efforts.

This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

The cornerstone of a best practices compliance program is its written standards. These include a Code of Conduct, policies and procedures. These requirements have long been memorialized in the US Federal Sentencing Guidelines (FSG), which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements, the DOJ has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement and Non-Prosecution Agreement. These requirements were incorporated into the 2012 FCPA Guidance. The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws. 

In the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission stated, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In each DPA and NPA since that time, the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.

Your Code of Conduct, policies and procedures should be grouped under the general classification of written standards, comprising three levels of written standards. First, every company should have a Code of Conduct, which should, most generally express its ethical principles. But simply having a Code of Conduct is not enough. A second step mandates that every company should have policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

Best practices now require companies to have additional written standards, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective written standards is to demonstrate that your compliance program is more than just words on a piece of paper.

Policies and Procedures

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the 2012 FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and procedures are the documents that implement these standards of conduct.

The role of compliance policies is to provide guidance and to protect companies, despite an occasional hick-up. Policies provide a basic set of guidelines for employees to follow. They can include general dos and don’ts, work process flows, specific issue guidelines. By establishing what is and is not acceptable compliance behavior, a company cans mitigate the compliance risks posed by employees who might make foolish decisions or otherwise engage in unethical behavior.

While policies are not a guarantee that things will not go sideways, they are a line of defense if they do. The effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating ethically and proactively for the benefit of its stakeholders, its employees and the community it serves. If it is a company subject to the FCPA, it is an international company so that can be quite a wide community.

The 2012 FCPA Guidance ended its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that policies are applied fairly and consistently across your company for if compliance policies are applied inconsistently, there is a greater chance for employee dissatisfaction. This point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedure. They are certainly a first line of defense when the government comes knocking. This means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Written policies, signed by employees provide a vital layer of communication. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.

Three Key Takeaways

  1. A Code of Conduct, together with policies and procedures have long been recognized as cornerstones of a best practices compliance policy.
  2. Each level of written standards builds upon one and other so you need to consider this integration step.
  3. The Fair Process Doctrine applies to your written standards.

Written standards are your first line of defense in the event of a FCPA violation.

This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.