Industry guidance recommends that the first basic compliance element for an organization is to establish standards, policies, and procedures that prevent and detect criminal conduct. The standards/code of conduct and policies and procedures become the foundational tools with which you can build your compliance program.
Code of Conduct
First and foremost, the standards/code of conduct demonstrate the organization’s overarching ethical attitude and its organization-wide emphasis on compliance with all applicable laws and regulations. The code is meant for all employees and all representatives of the organization. This includes management, as well as vendors, suppliers, and those who are working on behalf of an organization (which are frequently overlooked groups). From the board of directors to volunteers, everyone must receive, read, understand, and agree to abide by the standards within the code of conduct. For this reason, the code should be written plainly and concisely in an accessible style that is easy to understand. Using legalese in a code of conduct targets it toward a certain audience rather than toward the general population of employees.
Plain and concise language does not mean it should be generic, however. The contents of the code of conduct need to be tailored to the organization’s culture, business, and corporate identity. Also, institutions with a diverse constituency should consider providing the code of conduct in languages besides English and making it accessible for those with disabilities (e.g., using Braille or large print for anyone with visual impairments) as appropriate. When providing the code in different languages, the organization should test whether the translation is accurate with another translator and a test group of individuals who primarily speak the language in which the code was written.
Establishing an organization-wide code of conduct is a key recommendation of the Organisation for Economic Co-operation and Development (OECD), which in 2010 established the “Good Practice Guidance on Internal Controls, Ethics, and Compliance.” The OECD’s Working Group on Bribery, which authored the guidance, urges companies to establish:
1. Strong, explicit, and visible support and commitment from senior management to the company’s internal controls, ethics and compliance programs, or measures for preventing and detecting foreign bribery.
2. A clearly articulated and visible corporate policy prohibiting foreign bribery.
The OECD’s guidance is contained in its 2009 Anti-Bribery Convention, an internationally recognized document that has been ratified by its 38 member countries and 6 nonmember countries. While its primary focus is on preventing bribery, the Convention supports compliance programs with a larger focus, stating that its recommendations “should be interconnected with a company’s overall compliance framework.”
The code of conduct also provides a process for proper decision-making and for doing the right thing. It elevates corporate performance in basic business relationships and confirms that the organization upholds and supports proper compliance conduct. Managers should be encouraged to refer to the code of conduct whenever possible, incorporating elements or standards into performance reviews. Compliance with the code must be enforced through appropriate discipline when necessary. Disciplinary procedures should be clearly stated in the code, and the penalty—up to and including dismissal—for serious violations of the code of conduct must be mentioned and consistently imposed to emphasize the organization’s commitment. Remember, the code of conduct is one of the most important and foundational pieces of infrastructure for your compliance program.
Code of Conduct—Purpose
To present overarching guidelines for employees to follow
To confirm that all employees comprehend what is required of them
To provide a process for proper reporting of potential noncompliance
To provide employees with a rationale for putting standards into everyday practice
To elevate corporate performance in basic business relationships
To confirm that the organization upholds and supports proper compliance conduct
Writing a Code of Conduct
How the code of conduct is written can vary. In some organizations, it is prepared at the board of directors’ level. In others it is the responsibility of a compliance officer or compliance committee. If you are in the position of drafting your organization’s code of conduct, there are many sources of sample materials to reference. Look for books with sample codes of conduct, or search for company websites that post their code of conduct online. Try tapping into your network to solicit codes of conduct from other organizations. However, it is inadvisable to take a code of conduct from another source, make minor tweaks, and try to make it fit your organization. Your code of conduct should reflect your organization’s spirit, tone, and culture. If the code does not fit your culture, securing employees’ participation and cooperation in the compliance program will be much more difficult.
There may not be a one-size-fits-all code of conduct, but there are certain elements that every code should include. Most codes begin with the official board of directors’ resolution approving the compliance program or the memo announcing the launch of the program. The code should begin with this strong endorsement from the highest levels of management. An endorsement signed by the board chairperson or the CEO makes the message personal and sends the message, “You have my word on it.” This executive message is the place to state unequivocally that everyone in the organization and all affiliates are expected to act in an ethical manner and abide by all applicable laws and regulations affecting the organization. A strong message in support of staff is also in order. The code of conduct provides guidelines and tools developed to help employees in situations created by today’s confusing and complex environment. Staff honesty is not the issue. When a situation poses uncertainty, the code of conduct provides guidance for appropriate conduct or, in more challenging situations, offers the way to get answers within the organization.
The code of conduct might be seen as an elaboration on the organization’s mission or vision, both of which deserve a highly visible place in the code of conduct. Many organizations have identified specific values that help accomplish the mission. If your organization has values in addition to the mission, these too should be prominently featured in the code of conduct.
As a resource for all staff and affiliates, the code of conduct also should include a detailed outline of procedures for handling questions about compliance or ethical issues, beginning with a description of the organization’s chain of command. The best reporting mechanism is an open door. When a question arises, the goal is for an employee to feel comfortable approaching his or her supervisor, the first link in the chain of command. In the event the employee and the supervisor cannot resolve the issue, usually the department manager is the next step. If discussions with the supervisor and department head are not satisfactory, in some organizations the corporate human resources representative is called in. Ultimately, if a compliance-related matter cannot be resolved at the department head or human resources level, the corporate compliance officer (who represents executive management) gets involved. These steps should be delineated in the code of conduct along with a clearly stated promise of nonretaliation.
Not every employee will be comfortable talking to management, however, so alternate methods of reporting potential problems or posing questions should be covered. The code of conduct should provide a clear, concise explanation of how those alternate reporting methods work. For instance, some organizations list a hotline (or helpline) telephone number along with hours of operation. In this context, emphasize that all reports will be anonymous to the extent the law allows and held in complete confidence. To the extent possible, it will help to outline the procedures for how the organization will respond to reports or questions. Can you promise that the compliance department will investigate all reports? Can you promise that all compliance-related questions or allegations—whether received through chain of command, the hotline, or other reporting mechanism—will be investigated within 48 hours? Such specifics are important to include but will be reassuring to staff only if they are achievable.
As a key element of an effective compliance program, every code of conduct should include a description of the resources available to employees if they want to raise an issue. Add phone numbers and email addresses for contact personnel as well as the compliance officer’s contact information.
The narrative section of the code of conduct can deal with a wide variety of issues. For instance, it can include summarized policies on sexual harassment, data privacy and security, and controlled substances. Every code needs to cover expectations regarding conflicts of interest and the acceptance of gifts and gratuities. See Appendix 5, Nonprofit Organization FAQS: Giving and Receiving Gifts. Areas of specific weakness or risk should be addressed in the code depending on the organization setting. Most importantly, the code must emphasize zero tolerance for fraud or abuse, a commitment to submitting accurate and timely accounting materials, and compliance with all laws and regulations. Consequences of malicious or uncorrected wrongdoing should be noted with a description of the progressive discipline procedures, if appropriate. Also, clearly state that everyone has a personal obligation to report any possible wrongdoing; not reporting makes an employee subject to discipline, too.
Code of Conduct: Content Checklist
[ ] Demonstrates an organizational emphasis on compliance with all applicable laws and regulations
[ ] Is written plainly and concisely so all employees can understand the standards
[ ] Is translated into several languages and accommodates disabilities as appropriate
[ ] Includes frequently asked questions or scenarios based on high-risk areas
[ ] Includes expectations for employees on interactions with other employees, vendors, and clients
[ ] Includes notice of individual accountability toward reporting potential areas of noncompliant conduct
[ ] Mentions organizational policies without completely restating them
[ ] Is consistent with company policies and procedures
[ ] Includes management’s responsibility to explain and enforce the code
The code of conduct holds the potential to be an abstract document, one that might not seem relevant to the daily work of individuals. Therefore, many organizations include a section with frequent scenarios or “examples of compliance violations” to help make the information more relevant to the general employee population. A mixture of general and specific scenarios is suggested. Sample general scenarios and questions might be:
I think I saw a violation of industry regulations. Whom should I contact?
Should I report a possible problem even if I’m not sure? Will I get in trouble?
What if my supervisor asks me to do something I think is wrong?
How can I be sure that my report will be kept confidential?
Finally, most codes of conduct come with an acknowledgement or attestation form. As a best practice, organizations should obtain a signed attestation on an annual basis. The attestation form requires employee signatures, emphasizes the importance of the code, and could provide certain legal advantages should there ever be a government inquiry. To encourage employees to return their attestation forms promptly, some organizations require signed attestations before new employees can be assigned perquisites, such as a parking space. Attestation forms should be filed in the employee’s official human resources file. The compliance department may also want to maintain copies. For an example form, see Appendix 6, Sample Attestation/Acknowledgement Form.
Communicating the Code
How to communicate the code is one of the most important considerations that a compliance professional makes. The code should be discussed during new employee orientation and each year in general compliance training. It should be available on the organization’s intranet and also made available in print, if requested. Remember, the code lays the foundation for the compliance program and its expectations for all employees.
When communicating the code of conduct to employees, understand that:
All employees must receive, read, and understand the standards on an annual basis.
Onboarding of new employees should include a discussion on the code.
A supervisor or qualified trainer should explain the standards and answer any questions.
Employees should attest in writing that they have received, read, and understood the standards.
Employee compliance with the standards must be enforced through appropriate discipline when necessary.
Discipline for noncompliance should be stated in the standards.
Don’t forget to communicate the code to vendors as well. For an example of how to communicate the code to vendors, see Appendix 7, Sample Letter to Vendors Regarding the Standards of Conduct.