Together with the code of conduct, ethics and compliance policies are the foundation of an ethics and compliance program. Careful consideration must be taken when developing and implementing them to ensure their effectiveness.
What Do the Guidelines Say?
It is always best to begin with what is required. In the case of the company’s ethics and compliance program, the U.S. Federal Sentencing Guidelines are generally considered the standard. The guidelines say that an organization must “establish standards and procedures to prevent and detect criminal conduct” and “take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program,” to all people in the company (employees, senior management, and the board) and potentially outside agents or third parties who act on behalf of the company.[2]
Standards and procedures referred to here are the code of conduct and other written policies and procedures a company has to mitigate compliance risks, educate employees, and provide guidance to enable them to do the right thing. Together, these written standards provide a framework for consistent business practice across an organization and are the foundation of the ethics and compliance program. They may consist of both principles-based policies, such as the code or corporate social responsibility policies, and rules-based policies such as anti-corruption, antitrust/competition, gift and entertainment, or information security policies. Principles-based policies set up a framework within which employees may make decisions that are consistent with the company’s principles and/or values. Rules-based policies provide very specific dos and don’ts for employees and do not allow for much interpretation. A good program includes a combination of these.
We Have a Code of Conduct: What Other Policies Do We Need?
The code of conduct likely covers all of the significant ethics and compliance risks a company/industry faces, but it may not be enough to guide employee behavior. Experience has shown that the most effective codes of conduct are principles-based, rather than outlining specific rules. They are often written at a high level to accommodate a broad, often global, audience. Because of this, they may not provide enough detail on each risk area to ensure employees are adequately informed and prepared to handle any applicable situation that may arise in their work. For risk areas requiring very specific guidelines for employees, rules-based policies are often required to supplement the code. A specific function (e.g., human resources, legal, IT) may adopt additional or complementary policies that are consistent with global policies for use within those functions or specific locations. An example of this would be a finance-specific or regional policy based on local laws. Also, a global policy may include region-specific information to avoid having multiple policies with the same content.
To better understand what policies may be needed, start by reviewing your company’s risk assessment to identify the areas of significant compliance and ethics risk for your company/industry. Next, take an inventory of existing policies and procedures. Are there any gaps? If so, consider whether a new policy is needed. Some things to consider before drafting a new policy are:
- Is this risk area adequately covered by our code of conduct?
- Will an employee know how to comply with the principles outlined in the code of conduct?
- Is this policy specifically required by a law or other commitment?
- Who will this guidance apply to?
- What has been done in the past to provide guidance to employees or resolve issues related to this risk area?
- Will we be able to monitor and enforce this policy, and is its enforcement necessary to achieve company goals?
- Is the investment required to properly develop, communicate, and enforce this policy reasonable in relation to the benefits/risk mitigation obtained?
- Are there other options, i.e., might you be able to amend an existing policy to include this risk area?
- Is the creation of this policy consistent with the company’s culture?
(See Appendix 3-H for Sample Policy Prioritization Matrix.)
Who Is Responsible for Developing New Policies?
Companies may take different approaches to policy development and management. It may be centralized or decentralized, but it is important to establish ownership and a clear and consistent process so people understand their roles and responsibilities.
In a centralized approach, policy development typically begins at the corporate headquarters with the ethics and compliance team or a cross-functional committee. The central team or committee identifies the need for the policy and prepares a draft that may be circulated to designated people with subject matter expertise in the business units for review. The business units may submit feedback, including possible revisions to address differences in local law or practice. The central team or committee has final approval authority. This approach has the advantages of avoiding duplicate or conflicting policies and ensuring that the company’s overall values and culture are represented across the organization. A disadvantage may be that, in order to achieve a common approach, you are unable to provide very specific local guidance to employees who may need it.
In a decentralized approach, policy development is at the local or business unit level. Local subject matter experts identify a need for a policy and draft the guidance. This enables them to more fully adapt the policy to local law and practices. Ownership at the business unit level typically allows for easier business unit buy-in and distribution to employees. A possible disadvantage is that there is a tendency to create more policies than may be necessary, and without proper corporate oversight, business unit policies may not take on the desired cultural tone or may even conflict with one another. Because of this, policies are often sent for review by a central team or committee before final approval, even when the decentralized approach to development is taken.
In either approach, there should be a clear owner of the process. That may be the ethics and compliance department, the legal department, or a cross-functional committee. The owner is responsible for ensuring that there is an established process and that it is consistently followed. The process should include steps, such as:
- Establishing policy criteria and determining what is worthy of a policy vs. procedures or other form of employee guidance;
- Identification of the subject matter expert or content owner;
- Defining the process for development, review, and approval;
- Planning for policy communication and/or training;
- Identifying and maintaining a central policy storage location that is easily accessible by employees and ensures one “source of truth”;
- Establishing policy compliance criteria; and
- Defining a process for ongoing maintenance, such as periodic review and revision.
This process may be manual or automated using an internal platform, such as SharePoint or a third-party provider’s policy management tool. These tools often include document tracking, workflow, and storage capabilities, along with automated alerts for revision and ongoing maintenance.
(See Appendix 3-I for Sample Policy Development Workflow.)
What Makes a Policy Different from Procedures or Other Employee Guidance?
You may find that your company uses the term “policy” fairly loosely. Sometimes when you read a “policy,” it may actually be more of a list of procedures an employee must follow to accomplish something, rather than a position statement about the company’s view on a particular topic. Companies may create a “policy on policies” or meta policy to be clear on the criteria for what constitutes a policy versus a procedure or work instruction. This meta policy defines terms such as policy, procedure, work instructions, policy owner, subject matter expert, approver, etc. Sample definitions may include:
- Policy: A written document or statement reflecting standards or rules that regulate or guide organizational action and employee conduct. Corporate (or global) policies generally apply to the entire organization and will outline who has specific authority or assigned accountability and what actions are required in specific situations.
- Procedure: The process followed to comply with a policy. A procedural document describes the specific steps necessary to complete a particular process intended to implement and/or support a policy. Procedures include rule-based information and can vary between functions and business units.
- Work instructions: The step-by-step instructions, including information and equipment needed to complete a specific task.
- Approver: The person or department whose approval is required to implement the policy.
- Owner: The individual or department responsible for the content and administration of the policy.
The meta policy also typically explains the process that must be followed for developing, approving, implementing, and maintaining the company’s policies and procedures. Defining the governance process is an important step toward ensuring a consistent approach to company policies.
What Should I Consider When Drafting Policy Content?
When drafting the content of the policy, you should keep in mind the organization’s culture to ensure that the tone of the policy is consistent with other company communications. Policies should be comprehensive, consistent, and easily accessible and applicable to the target audience. Some other considerations are:
- Keep in mind your intended audience and use language that is clear and concise (appropriate for the reading level).
- Ask yourself this question: After employees read the policy, do they know what they are supposed to do or not do?
- Avoid legalese and absolute terms, such as “must” or “zero tolerance.”
- Avoid gender-specific language.
- Fully spell out or define acronyms and unfamiliar terms.
- Include illustrative examples.
- Use graphics or tables to organize content and make it easier to read or locate important details.
- Don’t include detailed procedures as part of the policy document.
- Avoid overly long documents or attachments.
Policies typically include the following elements:
- Title: A short, descriptive title that is meaningful to the employee. The employee should be able to quickly identify the policy they are looking for by the title.
- Scope: Describe who the policy applies to (all employees or a subset). Is it an enterprise-wide policy or applicable to only a specific business unit?
- Owner: State who is responsible for the policy content and administration.
- Approver: State the individual or group who approved the policy (for example, the chief legal officer or the board of directors).
- Effective date: Date the policy becomes effective.
- Purpose: A short statement that explains the objective for the policy. What is the company trying to achieve with this policy? For example, the purpose of a policy on intellectual property may be, “this policy is intended to help employees safeguard the intellectual property assets of ABC Company and its subsidiaries.”
- Policy statement: The policy should set out the company’s position and the standard of behavior it expects of its employees. It should also include a statement as to the consequences for noncompliance.
- Definitions: Explain the meaning of special terms and acronyms used in the policy.
- References: Include written references or links to other related documents or policies.
- Amendments: Include the date and purpose of any revisions.
Once the policy is drafted, it should be circulated to business units and other stakeholders for input. Once agreed, it should be submitted for approval by the relevant executive or committee. (See Appendix 3-J for Sample Policy Template.)
How Should the Policy Be Implemented?
There are many considerations when preparing for implementation. It is important to define the appropriate target audience to understand the scope of the implementation and any challenges that may exist.
- Will you be rolling out to all employees or a subset who will be affected by the new policy? Do you need to communicate it to any group outside the company?
- Are there any local requirements, such as vetting with unions or works councils, prior to implementation?
- Will it be an online or printed/live delivery process (or combination)?
- What languages do the people in the target audience speak, and how do they best receive communication?
- Will there be required affirmation or training that accompanies the rollout of the policy?
- Are there systems or procedures in place to monitor compliance with the policy?
- What are the consequences of noncompliance? Will exceptions be granted, and if so, how will they be handled?
The answers to these questions and more will help you define your implementation and communication plan. (See Appendix 3-K for Sample Policy Implementation Master Tracker.)
The communication plan should include:
- The objective of the communication;
- The various vehicles used to communicate the message to employees (e.g., email, intranet story, newsletters, FAQs);
- The different audience groups and required languages;
- Key messages for leaders, supervisors, and any others who will be supporting the communication effort;
- People responsible for either creating or delivering messages; and
- A timeline for planned communication and/or training.
In a multinational organization, it is critical to translate the policy and all related communication and training into the local languages of the employees in the target audience. As with any translation, it will be necessary to have a local review to ensure a quality cultural translation prior to the rollout of any policy. (See Appendix 3-L for Sample Communication Plan.)
How Will We Keep the Policies Current and Ensure Their Effectiveness?
It is important to establish a process for ongoing maintenance of company policies. Identify triggers that indicate a need to add, modify, or remove a policy. Things like new or amended legislation or regulatory requirements, a change in business strategy, or a merger or acquisition may result in the need to add or revise a policy. Risk assessments and regular periodic reviews of existing policy content with owners or subject matter experts may help to identify necessary additions or revisions.
Policies may require revision if it is determined that they are not effective in driving the right behavior. Internal audits or other methods of monitoring compliance (such as helpline calls) may indicate that employees are not consistently following the policy. Digging in to understand the reasons for noncompliance may indicate that the policy is not clear in a certain area or that employees do not understand the policy or didn’t know it existed. In this case, gathering feedback from employees in the target audience may help to improve the policy. You may also determine, based on feedback, that a business process or practice has changed, and the policy no longer achieves the objective originally intended.
In these instances, when a policy revision is needed, the revision and the reason for it should be documented as part of the amendment history.
A centralized policy team that manages the policy program can be an effective and efficient way to ensure policies are properly maintained. Their responsibilities may include:
- Working with policy owners, approvers, and committee members to assist with the review/revision of current policies within their respective department;
- Formatting policies into a standard template and posting updates to the centralized policy library;
- Conducting an annual review of policies and sending alerts to policy owners regarding outdated policies needing to be reviewed/updated;
- Maintaining a consistent naming convention for all policies in the global policy library;
- Ensuring that the requirements of policy management are being met and there is one source of truth for corporate policies;
- Encouraging cross-functional involvement in the policy management program; and
- Following up on communication effectiveness when new or revised policies are established and distributed.
(See Appendix 3-I for Sample Policy Development Workflow and Appendix 3-K for a Sample Policy Implementation Master Tracker.)
How Will I Know If the Program Is Effective?
In 2020, the U.S. Department of Justice updated its guidance on evaluating the effectiveness of a compliance program. The guidance seeks to answer three fundamental questions about every aspect of the program:
- Is the program well-designed?
- Is the program being applied earnestly and in good faith?
- Does the program work in practice?[3]
When evaluating the policy aspect of your program, you may ask yourself the following questions:
- Are policies easily accessible to employees, and do they know where to find them?
- Are policies easy to read and available in all necessary languages to ensure understanding?
- Are new or revised policies communicated to all employees in the target audience, and is training provided if needed to ensure understanding?
- Are policies periodically reviewed and kept current?
- Are new policies developed to address new or evolving risks?
- Are there methods in place to monitor understanding of, and compliance with, policies?
If you cannot answer yes to these questions, you may have some gaps in your program that need to be addressed.
Conclusion
Remember that the company’s policies are intended to “establish standards and procedures to prevent and detect criminal conduct” and you must “take reasonable steps to communicate” them.[4] An effective policy management program not only helps reduce risk in an organization but also enables employees to work in a much more effective and efficient manner to help the business achieve its goals.