Together with the code of conduct, ethics and compliance policies are the foundation of an ethics and compliance program. Careful consideration must be taken when developing and implementing them to ensure their effectiveness.
What Does the Guidance Say?
It is always best to begin with what is required. In the case of the company’s ethics and compliance program, the guidance put out by the U.S. Department of Justice (DOJ) is generally considered the standard. The U.S. Federal Sentencing Guidelines say that an organization must “establish standards and procedures to prevent and detect criminal conduct” and “take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program,” to all people in the company (employees, senior management, and the board) and potentially outside agents or third parties who act on behalf of the company.[2]
Standards and procedures referred to here are the code of conduct and other written policies and procedures that a company has to mitigate compliance risks, educate employees, and provide guidance to enable them to do the right thing. Together, these written standards provide a framework for consistent business practice across an organization and are the foundation of the ethics and compliance program.
In the March 2023 update to the "Principles of Federal Prosecution of Business Organizations," the DOJ expands upon what is expected of an effective ethics and compliance program, including an organization's policies and procedures. Prosecutors are expected to "examine whether the company has a code of conduct that sets forth, among other things, the company's commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees." Additionally, "prosecutors should assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations." To determine whether a company has achieved this, the guidance states that prosecutors should evaluate the company's policies, procedures, and their process for managing them in the following areas:
Design: What is the company's process for designing and implementing new policies and procedures, and has that process changed over time? Who has been involved in the design of policies and procedures? Have business units been consulted prior to rolling them out?
Comprehensiveness: What efforts have the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?
Accessibility: How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees' access? Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?
Responsibility for Operational Integration: Who has been responsible for integrating policies and procedures? Have they been rolled out in a way that ensures employees understand the policies? In what specific ways are compliance policies and procedures reinforced through the company's internal control systems?
Gatekeepers: What, if any, guidance and training have been provided to key gatekeepers in the control processes (e.g., those with approval authority or certification responsibilities)? Do they know what misconduct to look for? Do they know when and how to escalate concerns?
Policies should cover all ethics and compliance risk areas faced by the company, as identified in their compliance risk assessment. They may consist of both principles-based policies, such as the code of conduct or ESG policies, and rules-based policies such as anti-corruption, antitrust/competition, gift and entertainment, or cyber security policies. Principles-based policies set up a framework within which employees may make decisions that are consistent with the company’s principles and/or values. Rules-based policies provide very specific dos and don’ts for employees and do not allow for much interpretation. A good program includes a combination of these.