In today’s edition of Daily Compliance News:
Tag: Code of Conduct
Welcome to the Greetings and Felicitations, a podcast where I explore topics which might not seem to be directly related to compliance but clearly influence our profession. In this special series, I consider many structural engineering concepts are apt descriptors for an anti-corruption compliance program. In this episode 2, I consider the great structures of ancient Egypt and Greece and how they inform the building blocks of a compliance program: Code of Conduct, Policies and Procedures. Highlights include:
- Greek Column and Egyptian pyramid.
- What should go into your Code of Conduct.
- How should your policies be structured.
- How do implement policies through procedures.
- Training and communications of Code of Conduct/policies and procedures are mandatory yet complimentary strategies.
Resources
“Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler from The Teaching Company.
I continue my Great Structures Week with a focus on great structures from the earliest times, ancient Egypt and Greece. I am drawing these posts from The Teaching Company course, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. From Egypt there are of course the Pyramids, of which Ressler says, “They’re important, not just because they’re great structures, but also because they represent some of the earliest human achievements that can legitimately be called engineering. The Great Pyramid of Giza stands today as a testament to the strength and durability of Egyptian structural engineering skills.”
From Greece we derive what Vitruvius called the “Empirical Rules for Temple Design” which define a “single dimensional module equal to the radius of a column in the temple portico, then specify all other dimensions of the building in terms of that module.” These rules are best seen in Greek temples, largely consisting of columns, which are defined as “a structural element that carries load primarily in compression” and beams, which are “structural elements subject to transverse loading and carry load in bending.” My favorite example of the use of columns is seen in the Parthenon; the most famous of all Greek temples still standing.
In many ways these two very different structures stand as the basis of all structural engineering and Great Structures that come later throughout history. For any anti-corruption compliance regime based on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery statutes, the same is true for a Code of Conduct and written policies and procedures. They are both the building blocks of everything that comes thereafter.
In an article Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, stated a company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”
There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”
The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.
The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Resource Guide 2nd edition, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.
Another way to think of policies, procedures and controls was stated by Aaron Murphy, in his book “Foreign Corrupt Practices Act”, when he said that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”
Borrowing from an article in the Houston Business Journal, entitled “Company policies are source and structure of stability”, I found some interesting and important insights into the role of policies in any anti-corruption compliance program. Allen says that the role of policies is “to protect companies, their employees and consumers, and despite an occasional opposite outcome, that is typically what they do. A company’s policies provide a basic set of guidelines for their employees to follow. They can include general dos and don’ts or more specific safety procedures, work process flows, communication guidelines or dress codes. By establishing what is and isn’t acceptable workplace behavior, a company helps mitigate the risks posed by employees who, if left unchecked, might behave badly or make foolhardy decisions.”
Allen notes that policies “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.
Allen believes that there are five key elements to any “well-constructed policy”. They are:
- identify to whom the policy applies;
- establish the objective of the policy;
- explain why the policy is necessary;
- outline examples of acceptable and unacceptable behavior under the policy; and
- warn of the consequences if an employee fails to comply with the policy.
Allen notes that for polices to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, the logistics alone of such training can appear daunting. Consider gathering small groups of employees, where detailed questions about policies can be raised and discussed, as a powerful teaching tool. Allen even suggests posting Frequently Asked Questions (FAQ’s) in common areas as another technique.
The FCPA Resource Guide 2nd edition ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” Allen puts a bit differently in that “it is important that policies are applied fairly and consistently across the organization.” He notes that the issue can be that “If policies are applied inconsistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.
Join us tomorrow where we look at the Roman Arch and resourcing your compliance program.
Welcome to a special five-part podcast series on compliance insights, sponsored by Traliant. Over this series, we will discuss key issues that Traliant is helping to lead and define the online training industry going forward. Over this five-part series, I will visit with John Arendes, Chief Executive Officer (CEO) at the company, on what is new at New Traliant and what the Department of Justice (DOJ) has communicated to the compliance community regarding its expectations around online training and communications; Maggie Smith, Vice President of Human Resources at Traliant on the role of DEI in your corporate ESG program; and Scott Schneider, Head of Content Development at Traliant on your Code of Conduct and anti-corruption training. In this Episode 4, I visit with Scott Schneider, VP of Innovation at Traliant, on the evolution and importance of the corporate Code of Conduct. Highlights include:
- Culture is the key driver, and your Code of Conduct is the foundation for a broader discussion of what regulators look for in a compliance program.
- How has the Code of Conduct evolved?
- Your Code of Conduct should be more than simply aspirational, and your Code of Conduct training helps drive home values, ethics & culture.
Welcome to a special five-part blog post series on the New Traliant, sponsored by Traliant, LLC. Over this series, we will discuss key issues that Traliant is helping to lead and define the online training industry in going forward. I will visit with John Arendes, Chief Executive Officer (CEO), on what is new at Traliant and what the Department of Justice (DOJ) has communicated to the compliance community regarding its expectations around online training and communications; Maggie Smith, Vice President of Human Resources, on the role of diversity, equity and inclusion (DEI) in your corporate environmental, social and governance (ESG) program; and Scott Schneider, Head of Content Development, on your Code of Conduct and anti-corruption training. In Episode 4, I visit with Scott Schneider on the evolution and importance of the corporate Code of Conduct.
The corporate Code of Conduct has evolved as much as any part of a best practices compliance program. Early codes were often sold as statements about who we are and, as resources, that employees could use to make better decisions. Unfortunately, they tended to be written by lawyers, for lawyers with both formalistic and legalistic language. This created, as Schneider noted, “a clear disconnect that didn’t help employees a lot.” However, as Codes have evolved, he believes “companies have done a much better job and they began to phrase codes of conduct in terms of values and what a company stands for.” This has, in Schneider’s words “restored that connection between the code and the company.” Codes of Conduct also began to include features, language and content that was geared towards employees. This allowed employees who were trying to do the right thing, to use the Code “to figure out what decision should be made either because it provided guidance or because it at least put that guidance in the context of values that you could apply to your situation in making a decision.”
Once the language issue was overcome, the next step was around Code implementation for the devil is in the details. When a code said things like “our company does not discriminate”, it was, as Schneider expressed, “putting a stake in the ground.” If you understand the values in the Code that are motivating, an employee can look at a situation and say, at the very least, I need some help on this. A Code then begins to become something employees can begin to apply because the situation before a particular employee may not be exactly covered in the code. Additionally, companies began to develop resources around their Codes such as FAQs which presented information in a question-answer format in a manner that an employee could obtain an answer.
We next considered Code of Conduct training. Here, Schneider believes companies have room for improvement as the development of the Code itself, “took an arc towards something that is more meaningful, more relatable, more helpful. I do not think code training is quite there yet.” Oftentimes Code training is too formalistic. Many companies have “coalesced around this idea that the training should be modular so that you can train on various topics within your Code.” This includes one training module on what the Code says and then several others which are essentially summaries of law. “We’re kind of stuck that way. I think it leaves employees in the same place they were before with the bad codes, what you remembered as an employee was that I have to sign something that says I read it, even though I did not.” Schneider believes that too often, “employees take Code training because they have to,” and then say, “that’s done”. This loses the connection between the training and the company and the training and the employee. “So, there’s room for improvement for sure.”
One of these responses has been more focused, engaged training for the Code. There is an obvious tension for shorter and more in-depth training and sometimes it is difficult to make that trade off. The key is to understand what is important, what is the core message that you are trying to communicate? The details are often important in providing context and guidance. Schneider concluded, “I think that the key to having shorter training is to understand what’s important and what you want the takeaway to be. Moreover with longer modules, it means you cover fewer topics and the more likely the learner will tune out.”
Start with what is important, what is the takeaway, and then fill in the things that will bring that to life. It does not mean that you must cover every legal detail. Always try to remember who you are training. For the most part, “we are not training lawyers, we are not training judges, we are training employees. You want to help them understand the context of the issue, what they can do, with a focus on what they can do. With the idea that if they get out in the real world, they’ll be able to at least spot the danger and ask for questions.”
Join us for our next episode where we look at the evolution of anti-bribery/anti-corruption training.
Check out Scott Schneider podcast on the evolution of the Code of Conduct and Code training here.
In this episode of the FCPA Compliance Report I visit with Scott Schneider, Head of Content Development at Traliant. Scott has been in the compliance space for over 15 years and is passionate about the building blocks of a best practices compliance program, including Codes of Conduct. This week we take a deep dive into the foundational backbone of every compliance program, the Code of Conduct. Some of the highlights include:
· Importance of Code of Conduct training.
· Types of Code training.
· Why have a Code of Conduct?
· How does a Code of Conduct help establish culture?
· Key areas the Code should cover?
· How should a company develop its Code of Conduct?
· When should a Code be revisited or reassessed?
· The roles of Codes of Conduct and training down the road into 2025 and beyond?
Resources
Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.
In 2021, Snap Inc. released a new code of conduct with a theme of kindness evangelism. Hear Nicole Diaz, Global Head of Integrity & Compliance Legal talk about how the team worked on putting it together and why they considered it important to have a focus on kindness in a company code of conduct.
Nicole also shares some of the compliance considerations when working in a social media/tech company, as well as what’s on the agenda for the Snap Compliance program in 2022. We hear about her commitment to DEI also and how this has impacted Nicole’s approach to ethics and compliance.
The Great Women in Compliance Podcast is on the Compliance Podcast Network with a selection of other Compliance related offerings to listen in to. If you are enjoying this episode, please rate it on your preferred podcast player to help other likeminded Ethics and Compliance professionals find it. You can also find the GWIC podcast on Corporate Compliance Insights where Lisa and Mary have a landing page with additional information about them and the story of the podcast. Corporate Compliance Insights is a much appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book; “Sending the Elevator Back Down, What We’ve Learned from Great Women in Compliance” (CCI Press, 2020).
You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.
Join the Great Women in Compliance community on LinkedIn here.
One afternoon at 4 PM, you get a call from the local Securities and Exchange Commission office, and they say they want to come by in two days to review your company’s Code of Conduct. You ask them why they want to review your Code. They tell you that it is a foundational document of your compliance program and view it as an internal control and, therefore, enforce it under the FCPA. They want to review all aspects of your Code design, implantation, training, and rollout.
What steps do you need to take to demonstrate the robustness of your Code but also your training and ongoing communications on it?
How do you dig deeper and review the Code of Conduct design, implementation, and review process?
How do you make sure facts on the ground have not changed and that your Code is still relevant?
IN THIS NEW EPISODE, Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation, break down the steps you need to take to survive (and ace) the Code of Conduct investigation review by the SEC.
Major takeaways discussed in the episode:
✔️ Dig deeper and review the Code of Conduct design, implementation, and review process. Show any changes or amendments, what was the process for these actions. Finally, how do you make specific facts on the ground that have not changed and that your Code is still relevant?
✔️ Build a focus group and pull in people from teams in audit, finance, I.T., business folks, and procurement to assess the current Code to identify what works, what doesn’t, and what’s missing.
✔️ Another vital step is benchmarking. Search and see examples of codes, whether a private or public company, big or small, to benchmark against and identify where you think you should be and where others are in your industry.
✔️ Develop a code that you’re proud of and that you want to display to the world. It should reflect and be tailored to fit your organization and not any other.
✔️ Approval and buy-in from the Board and top management are necessary to lend credibility and authenticity to the Code’s core message. This serves as the organization’s Bible for how to operate.
✔️ Identify your Code of Conduct training protocol and require annual attestation that the Code of Conduct is read and understood by all employees and directors.
✔️ Checklist of evidence to present to the SEC
■ Creation/Design
● Focus group minutes
● Drafts and updates to prior code language
● Benchmarking data and session information
● Translations
● Code launch plan – detailing Communications, emails, mgr meetings, printouts, CEO video
■ Training
● Training records & attestations
● Transcript of Code of Conduct training
■ Operationalization
● Culture and compliance surveys
● The open rate on emails/click rate on Code on the intranet
● How often employees reach out with questions
● Hotline calls and investigations
● Are people making good choices? Root cause analysis of non-compliance
—————————————————————————-
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. Hosted by the Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear and give you some lessons learned going forward.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
What is the value of having a Code of Conduct? In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to wave in regulator’s face during an enforcement action as proof of ethical overall behavior. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s internal law? What should be the goal in the creation of your company’s Code of Conduct?
The three most important things about your compliance program are “Document, Document, and Document.” The same is true in communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands it. The DOJ expects each company to begin its compliance program with a very publicly announced, very robust Code of Conduct. If your company does not have one, you need to implement one forthwith.
However, your Code of Conduct is not a static document to be put on a shelf and never reviewed again. For just as your compliance program is a living entity; it should be constantly evolving, the same is true for your Code of Conduct. If your company has not reviewed or assessed your Code of Conduct for five years, do so in short order, as much has changed in the compliance world. All of this has become much more clear in the age of Coronavirus. Some of the questions you should begin with include:
- When was the last time your Code of Conduct was revised?
- Have there been changes to your company’s business model since the last revision to the Code of Conduct?
- Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
- Are any provisions of the Code of Conduct outdated?
- What is the budget to revise your Code of Conduct?
Three key takeaways:
- Every formulation of a best practices compliance program starts with a written Code of Conduct.
- The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity.
- “Document, Document, and Document” your training and communication efforts.
In 2016, one of the most interesting non-international focused FCPA enforcement actions was announced by the SEC. It involved a clear quid pro quo benefit paid out by United Airlines, Inc. to David Samson, the former chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United’s operations at the company’s huge east coast hub at Newark, New Jersey.
The reason that it is so interesting from an enforcement prospective is that it is not foreign corruption but domestic corruption, therefore not subject to the foreign government official requirement of the FCPA. However, the actions of United’s former CEO, Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials. That sounds suspiciously like a books and records violation of the FCPA. The $2.4 million civil penalty levied on United was in addition to its NPA settlement with the DOJ, which resulted in a penalty of $2.25 million. Former Chairman Samson also pled guilty for putting pressure on United to reinstitute a flight service which was near his weekend residence.
At the time, United’s Code of Conduct prohibited “United employees from directly or indirectly making bribes, kickbacks or other improper payments to government officials, civil servants or anyone else to influence their acts or decisions” and that “[n]o gift may be offered or accepted if it will create a feeling of obligation, compromise judgment or appear to improperly influence the recipient.” Only the United Board of Director’s could grant a waiver to the code and none was sought or obtained by Smisek. The Order concluded, “The [Chairman’s] Route was initiated in violation of United’s policies.”
Three key takeaways:
- It is very unusual for the FCPA to form the basis of a domestic bribery violation.
- A Code of Conduct can be an internal control.
- Even a CEO must follow internal controls.
