Codes of conduct are often described as the most important document in a compliance program. Codes help set the right tone for compliance and ethics (“C&E”) programs. They are educational tools that should serve to raise awareness and understanding of important company policies and legal requirements. They are also used at many organizations as the basis for periodic compliance training, and they should serve as a useful resource for employees. In addition, codes are used to promote reporting and to conduct investigations. When assessing a code, it’s important to do so in light of the code’s several purposes: awareness of the program and important policies; training and education; promotion of reporting and use in investigations; and promotion of an ethical culture.
Accessibility
In order for a code to be a successful vehicle for increasing employee awareness of relevant laws and policies, it must be accessible to employees. Government standards have emphasized the importance of code accessibility. For example, in the Resource Guide to the US Foreign Corrupt Practices Act¸ the Department of Justice and Securities and Exchange Commission note that “the most effective codes are clear, concise, and accessible to all employees.” When reviewing accessibility of codes, C&E professionals should consider accessibility both of the language of the code (including that the language is reasonably easy to understand and that translations are provided, as appropriate) and the more prosaic question of the ability of employees to “get their hands on” on the code so that it can serve as a resource where needed.
It is also important to consider the extent to which organizations measure both employees’ understanding of the concepts articulated in the code (is the code understandable to employees?) and their ability physically to access the code. As the Department of Justice noted in its recent revisions to the Evaluation of Corporate Compliance Programs Guidance Document, two important questions to ask when assessing a program are whether the code (and other policies and procedures) have been published in a searchable format for easy reference, and whether the company tracks access to various policies and procedures to understand what policies are attracting more attention from relevant employees. In addition, those assessing a code should consider how frequently employees are reminded of the code; are provided with copies of or links to the code; and are asked to certify their understanding and compliance with the code. All of these communication tools are important to ensuring employee awareness of a code of conduct.
Promoting a Culture of Compliance
Of course, a code of conduct cannot by itself create a culture of compliance and ethics. However, it can support such a culture, and it can help communicate an organization’s commitment to maintaining such a culture. In assessing a code’s ability to support an ethical corporate culture, one should consider the way in which the organization’s values are highlighted in and weaved into the code; the messaging by senior leadership both within the code and regarding the code; and the extent to which the code encourages employees and others to raise questions and concerns. The code should also make very clear that it is applicable to all employees (and, where appropriate, to directors and third parties) and that the company requires compliance with applicable law and company policy by all employees.
Discussion of the Most Important Elements of the C&E Program
Given that they are often considered the foundational document of a compliance program, codes should also discuss those aspects of a program that are most relevant to employees. This typically includes information about program structure; management support of the program; the company’s commitment to building a culture of compliance; the importance of asking questions and raising concerns and how to do so, including options for anonymous reporting; the company’s commitment to non-retaliation and appropriate investigations of concerns reported; and the potential penalties for non-compliance. Codes should typically also contain information regarding the heightened responsibilities of supervisors and managers with respect to the program.
Codes should be reviewed not only for inclusion of the above, but should also seek to ensure that the above information is communicated in strong and comprehensible language appropriate to the gravity of the topics. One should thus seek to understand not only if the above topics are contained in the code (which is, of course, the easy part), but also the extent to which communication of those topics is effective.
Discussion of the Most Important Policies and Laws
Unlike the long, “legal-ese” codes of the 1980s and 1990s, modern codes are expected to be concise – meaning reasonably short. That requires close attention to which company policies and laws are discussed in the code and how they are discussed. Here, an assessor should certainly be looking to ensure that the “bread and butter” legal topics are addressed (conflicts of interest, harassment and discrimination, insider trading (for public companies), anti-fraud, antitrust/competition law, etc.), and also should consider the extent to which organizations periodically review their codes in relation to their C&E risk assessment to ensure that higher-risk topics are addressed in an appropriate fashion. This requires assessment of not only the contents of the code, but also the way in which the organization determines the code’s contents and revises the code as the organization’s risks change.
A Training Vehicle
Many organizations utilize their codes of conduct as the basis for annual compliance training. Assessments should therefore also consider the value of a code as a training tool. This requires review of the training itself and the extent to which the code is the basis of effective training. Assessors should also consider the efficacy of any periodic code certification and disclosure exercise.
Investigations
While a well-written code can have significant value in raising awareness of the company’s commitment to compliance and ethics and of important legal and compliance policies, codes are also sometimes used in the context of compliance investigations. That is, if there is an allegation that an employee has acted in a manner that is inconsistent with or in violation of the code, the C&E team (or others) may need to investigate potential violations. That aspect of a code’s purpose highlights the critical importance of a code’s mandates being written clearly, of a code’s being accessible and of the code’s discussion of pertinent topics being complete. If an organization’s policies and prohibitions are not easily understood by and well communicated to employees, it may be unfair to hold those employees accountable for violations.
Important Additional Language
There are a few items that should be included in codes of public companies to ensure compliance with certain laws and regulations. Indeed, codes of conduct (for certain companies) are one of the few elements of a compliance program that are required by laws and regulations, such as the Sarbanes-Oxley Act and the New York Stock Exchange Corporate Governance Rules. This includes, for example, language regarding seeking guidance and raising concerns; the availability of confidential and anonymous reporting mechanisms; non-retaliation; and that certain waivers must be made by the board or a board committee and will be disclosed as required by law. Companies may also wish to include language disclaiming the creation by the code of rights in employees and third parties. Codes should be reviewed to ensure inclusion of required topics.
Approval by the Board and Senior Leaders
Because a code of conduct is a foundational document of the compliance program, it is important that the code have the imprimatur of both the board of directors and senior leaders of an organization. Someone tasked with assessing a code should confirm that both bodies have reviewed and approved the code and are asked to review and approve significant revisions to the code.
Periodic Review and Revision
Lastly, a code – and other C&E policies – should never be allowed to get stale. Codes should be reviewed and revised reasonably frequently in light of both the company’s changing risk profile (as addressed above) and changing best practices. When assessing an organization’s code, one should consider not only whether the code has been reviewed and revised on a periodic basis, but also whether there is a policy governance mechanism that requires and triggers periodic review and revision.