Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 12 – Your Code of Conduct

What is the value of having a Code of Conduct? In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to wave in a regulator’s face during an enforcement action as proof of ethical overall behavior. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s internal law? What should be the goal of the creation of your company’s Code of Conduct?

How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, Inc., which turned on a violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be an FCPA internal control violation. It involved a clear quid pro quo benefit paid out by United to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity that has authority over, among other things, United’s operations at the company’s huge east coast hub in Newark, NJ.

Three key takeaways:

1. A Code of Conduct is a foundational document in any compliance regime.

2. The substance of your Code of Conduct should be tailored to the company’s culture, to its industry, and to its corporate identity.

3. “Document, Document, and Document” your training and communication efforts regarding your Code of Conduct.

Categories
Blog

Your Code of Conduct

What is the value of having a Code of Conduct? In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to wave in regulator’s face during an enforcement action as proof of ethical overall behavior. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s internal law? What should be the goal in the creation of your company’s Code of Conduct?

How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, Inc., which turned on violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be a FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United’s operations at the company’s huge east coast hub at Newark, NJ.

The actions of United’s former CEO, Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials by failing to not only follow the United Code of Conduct but also violating it. The $2.4 million civil penalty levied on United was in addition to its 2016 Non-Prosecution Agreement (NPA) settlement with the DOJ, which resulted in a penalty of $2.25 million. The scandal also cost the resignation of Smisek and two high-level executives from United.

In the 2020 FCPA Resource Guide, 2nd edition, the DOJ and SEC stated:

A company’s Code of Conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.

The 2023 ECCP specified “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.” The Antitrust Guidance also specified “If the company has a Code of Conduct, are antitrust policies and principles included in the document?”

The 2020 FCPA Resource Guide, 2nd edition, the 2023 ECCP and Antitrust Guidance go on to make it clear that it is difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the Code of Conduct remains current and effective and whether a company has periodically reviewed and updated its code.

There are several purposes which should be communicated in your Code of Conduct. The overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating those requirements, to providing a process for proper decision-making and then requiring that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company upholds and supports proper compliance.

The substance of your Code of Conduct should be tailored to your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s disciplinary procedures must be stated in the Code. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code. Further, your company’s Code should emphasize it will comply with all applicable laws and regulations, wherever it does business. The code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

The three most important things about your compliance program are “Document, Document, and Document.” The same is true in communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands it. The DOJ expects each company to begin its compliance program with a very publicly announced, very robust Code of Conduct. If your company does not have one, you need to implement one forthwith.

However, your Code of Conduct is not a static document to be put on a shelf and never reviewed again. For just as your compliance program is a living entity; it should be constantly evolving, the same is true for your Code of Conduct. If your company has not reviewed or assessed your Code of Conduct for five years, do so in short order, as much has changed in the compliance world. Some of the questions you should begin with include:

• When was the last time your Code of Conduct was revised?

• Have there been changes to your company’s business model since the last revision to the Code of Conduct?

• Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?

• Are any provisions of the Code of Conduct outdated?

• What is the budget to revise your Code of Conduct?

After revision of your Code of Conduct, you should develop a plan to communicate the revised document. A rollout is always critical because it is important that revisions are communicated in a manner that encourages employees to review and use the Code of Conduct on an ongoing basis. Your company should use the full panoply of tools available to it to publicize the revised Code of Conduct. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide compliance Code of Conduct roll out meeting where the revised Code is announced with great fanfare out across the company all in one day. Also remember, with all things compliance; the three most important aspects are “Document, Document, and Document”. However, for each delivery of revised Code of Conduct, you must document that each employee received it.

These points are a useful guide to not only thinking through how to determine if your Code of Conduct need updating, but also practical steps on how to tackle the problem. It is far better to review and update your Code of Conduct, than wait for a massive FCPA investigation to go through the process.

Categories
FCPA Compliance Report

FCPA Compliance Report – Jim Walton on LRN’s 2023 Code of Conduct Report

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Jim Walton to discuss LRN’s always great annual Code of Conduct Report.

Jim Walton is a well-known compliance professional with a background in engineering and a passion for assessing and improving corporate codes of conduct effectiveness. His perspective on this topic is shaped by his extensive experience, including his current role as a Director on LRN’s Advisory Services team, where he leads their code of conduct practice. Jim believes a company’s code of conduct should reflect its character, culture, and values, serving as a foundation for its ethical culture. He emphasizes the importance of the code being a useful resource for employees, providing guidance on ethical decision-making and access to detailed information and resources. Jim also acknowledges that there is always room for improvement in corporate codes of conduct, even among some of the largest companies in the world. Join Tom Fox and Jim Walton on this FCPA Compliance Report podcast episode to dive deeply into Codes of Conduct.

Key Highlights:

  • Evaluating the Effectiveness of Company Codes of Conduct
  • Codes of Conduct Evaluation and Best Practices
  • Comprehensive and User-Friendly Code of Conduct
  • Eight Dimensions for an Effective Code of Conduct

Resources:

Jim Walton on LinkedIn

LRN

LRN 2023 Code of Conduct Report

Tom Fox

Thread

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 6 – Operationalization of your Code of Conduct

How can you work to operationalize your Code of Conduct as articulated in the DOJ 2023 Evaluation of Corporate Compliance Programs (ECCP)? The 2023 ECCP focuses not on whether a company has a paper compliance program but whether a company is actually doing compliance. A company does compliance by moving it into the functional business units as a part of an overall business process. That is what makes a compliance program effective at the business level. There are several different parts of the 2023 ECCP that touch upon your Code of Conduct.
The Code of Conduct design and implementation process enshrine your company’s values. Those are set by senior management and their input and support for any code project, whether initial draft or update, is critical. This gets to the heart of operationalization and demonstrates how a Code of Conduct can work to meet the DOJ requirements. As an early part of your design and drafting process, you should assemble a cross-functional team. This is important for several reasons. First, diversity in your team will help produce a more well-rounded final product. But having such team diversity will also assist in your benchmarking effort, coupled with those who are going to help you out looking at designs and maybe helping forge the design of the code. Finally, you can use a group to help in the drafting, redrafting and editing process. This diversity will help you to answer all of the DOJ questions from the 2019 Guidance in a manner consistent to support operationalization.
All of these requirements point to getting out and making your Code of Conduct a part of the very fabric of your organization. By using some or all of these strategies, you will have a good starting point. But it is more than simply rollout and training. There must be ongoing communications as well.

Three key takeaways:

  1. What has been the role of senior management in the creation or update of your Code of Conduct?
  2. How have you worked with employees outside the compliance function to lay the groundwork for fully operationalizing your Code of Conduct?
  3. How have you measured the effectiveness of your Code of Conduct training?

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 5 – Training on your Code of Conduct

What about the training on your finalized Code of Conduct? While there have been criticisms of code training, if you consider training as one source of your 360-degrees of compliance communications, the rollout of a new or updated code can be an opportunity. This rollout fits directly into the concept of 360-degrees of compliance communications as rollout is part of both communications and engagement. The delivery of a Code of Conduct is a key element of its effectiveness. By allowing your employees and other stakeholders to engage and interact with the code, through live or interactive training, the effectiveness can be better monitored and measured.
Beginning with the DOJ’s 2017 Evaluation and continuing into the 2023 ECCP, is the DOJ’s emphasis in the effectiveness of training. I think everyone would understand you do need to train but now the government’s talking to us about effective training. Begin with live training that can be held at the corporate headquarters with senior management and executive involvement. Many companies will videotape a message from the CEO to help celebrate the rollout. Then there is the opportunity for localized training that gives employees an opportunity to see, meet, and speak directly with a compliance officer, not an insignificant dynamic in the corporate environment. Such personal training also sends a strong message of commitment to the Code of Conduct. It gives employees the opportunity to interact with the compliance officer by asking questions which are relevant to markets and locations outside the corporate office, which can often provide employees with the opportunity to have confidential in-person discussions.
However, your Code of Conduct training should be an extension of the way you communicate compliance in your organization. If it is divorced from your 360-degrees of compliance communications style, you may well be missing an opportunity to drive better understanding of the code and denigrate the effectiveness of the training. Whatever approach is used, one of the critical factors is the length of time of the training session. Although lawyers and ethics and compliance professionals can (sometimes) sit through a multi-hour Code of Conduct lesson, it is almost impossible to keep the attention of business and operations employees for such a length of time. The presentation and number of PowerPoint slides must be kept to a manageable length before the attendee’s eyes start to glaze over.

 Three key takeaways:

  1. Consider a video message from your CEO to help roll out your Code of Conduct initiation or update.
  2. Tailor your Code of Conduct training to your workforce.
  3. Consider interactive and modular approaches to Code of Conduct training.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 4 – Code of Conduct: Structure and Format

Next comes the evolution of the structure and format of a best practices Code of Conduct. Initially, my experience with this is that they were written by lawyers, largely for lawyers. This included ‘thou shalts’ and ‘thou shalt nots’ liberally sprinkled throughout a lengthy written document. This was what is now referred to as Code 1.0. The compliance community then evolved to Code 2.0, where the writing was less turgid, moved to more employee-friendly language, and then somewhere along the line we started putting in hyperlinks, pictures, and videos.
There are two factors that a company should consider in the structure of a Code of Conduct. The first is to consider how your organization generally communicates, overlaid with the most effective way to communicate with the various stakeholders who will read and use it. These stakeholders can include such diverse groups as employees, shareholders and third parties on both the sales and supply side of your business. This may require multiple approaches.
Be sure to make your code readable. This is beyond simply eliminating legalese. It is writing English at a grade level that is sufficient for your employee population. It may be that an eighth-grade language level is appropriate for your workforce. However, if you have a population consisting primarily of professionals, translating it into the appropriate languages it might be appropriate to aim for a higher level of language. Finally, you do not have to say the same thing, in multiple different ways.

Three key takeaways:

  1. Companies have moved past having a Code of Conduct written by lawyers for lawyers to a fully interactive code for all employees.
  2. Consider how information is distributed at your organization as a basis for communication in your Code of Conduct.
  3. Your Code of Conduct must be readable, in both in English and native language for non-English speaking employees.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 3 – The Code of Conduct

What is the value of having a Code of Conduct? In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to wave in the regulator’s face during an enforcement action as proof of overall ethical behavior. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s internal law? What should be the goal in creating your company’s Code of Conduct?

Indeed violation of your Code of Conduct can form the basis of a domestic FCPA enforcement action. In an enforcement action involving United Airlines, Inc., a breach of the Code of Conduct by the Company CEO was determined to be an FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey. This public government entity has authority over, among other things, United’s operations at the company’s huge east coast hub in Newark, NJ.
Your Code of Conduct should be tailored to your company’s culture, industry, and corporate identity. It should provide a mechanism by which employees trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s disciplinary procedures must be stated in the Code. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code. Further, your company’s Code should emphasize it will comply with all applicable laws and regulations wherever it does business. The code must be written in plain English and translated into other languages so all applicable persons can understand it.

Three key takeaways:

1  A Code of Conduct is a foundational document in any compliance regime.
2  The substance of your Code of Conduct should be tailored to the company’s culture, industry, and corporate identity.
3  “Document, Document, and Document” your training and communication efforts regarding your Code of Conduct.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 2 – Clearly Articulated Written Standards

The written standard requirements have long been memorialized in the U.S. Sentencing Guidelines, which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements, the DOJ has crafted its minimum best practices compliance program, which is now attached to every DPA and NPA issued. These requirements were incorporated into the 2012 FCPA Guidance and brought forward in the 2023 ECCP and FCPA Corporate Enforcement Policy. The U.S. Sentencing Guidelines assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e., a Code of Conduct.

Following your Code of Conduct is written policies and procedures required for a best practices compliance program are well- known and long established. The role of compliance policies is to provide guidance and to protect companies, despite an occasional hick-up. Policies provide a basic set of guidelines for employees to follow. They can include general do’s and don’ts, work process flows, specific issue guidelines. By establishing what is and is not acceptable compliance behavior, a company can mitigate the compliance risks posed by employees who might make foolish decisions or otherwise engage in unethical behavior.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedures. They are certainly a first line of defense when the government comes knocking. This means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Written policies, signed by employees provide a vital layer of communication. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, Document” mantra applies just as strongly to this area of anti-corruption compliance.

Three key takeaways:

  1. A Code of Conduct, together with policies and procedures, have long been recognized as cornerstones of a best practices compliance policy.
  2. Each level of written standards builds upon one another, so consider this integration step.
  3. The Fair Process Doctrine applies to your written standards.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 1 – Introduction to Written Standards

The cornerstone of any best practices compliance program is written protocols. This includes a Code of Conduct, policies and procedures. These elements have long been memorialized in the US Sentencing Guidelines; the Department Of Justice’s (DOJs) Opinion Releases regarding compliance programs, the 2012 FCPA Guidance, both DOJ and Securities and Exchange Commission (SEC) enforcement actions, the 2019 Guidance and FCPA Corporate Enforcement Policy.
There are three levels of standards and controls, Code of Conduct standards and policies and procedures. Every company should have a Code of Conduct that expresses its ethical principles. But a Code of Conduct is not enough. The Code of Conduct is implemented through your compliance policies. It is further operationalized through your compliance procedures. The DOJ spoke to their importance in the 2019 Guidance when it stated, “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.” As a corollary, prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.

At the end of the 31 Days you will have a very detailed grounding on better written standards for your compliance program. You will be able to utilize the information presented to implement a more effective compliance program for your organization. 

Three key takeaways: 

  1. The cornerstone of any best practices compliance program is its written protocols.
  2. Written standards work to prevent, detect and remediate.
  3. What are the specific written protocols you should have in your compliance program?

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Code of Conduct as an Internal Control

In 2016, the SEC announced one of the most interesting non-international-focused FCPA enforcement actions. It involved a clear quid pro quo benefit paid out by United Airlines, Inc. to David Samson, the former chairman of the Board of Directors of the Port Authority of New York and New Jersey. This public government entity has authority over, among other things, United’s operations at the company’s huge east coast hub in Newark, New Jersey.

At the time, United’s Code of Conduct prohibited “United employees from directly or indirectly making bribes, kickbacks or other improper payments to government officials, civil servants or anyone else to influence their acts or decisions” and that “[n]o gift may be offered or accepted if it will create a feeling of obligation, compromise judgment or appear to influence the recipient improperly.” Only the United Board of Directors could grant a waiver to the code, and none was sought or obtained by Smisek. The Order concluded, “The [Chairman’s] Route was initiated in violation of United’s policies.”

The company was also sanctioned for not having internal controls to prevent such actions as those taken by Smisek. The SEC also found this was a violation of Section 13. This was in the face of detailing the protocol for the United instituting or reinstituting a route. The Order stated, “United had insufficient internal accounting controls to prevent approval of the South Carolina Route in derogation of United’s Policies.” All the underlying facts, enforcement theories, and remediation point towards the failure of internal controls when domestic bribery corruption occurs.

 Three key takeaways:

1. It is very unusual for the FCPA to form the basis of a domestic bribery violation.

2. A Code of Conduct can be an internal control.

3. Even a CEO must follow internal controls.

For more information on building a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.