Every compliance program begins with a code of conduct. The code of conduct expresses a company’s fundamental values and its commitment to living by them. Although a code of conduct is usually a very high-level document, it expresses values in very specific areas of interest to a company, from which more detailed policies and procedures follow. Those values may vary from industry to industry because the business activities of an industry may necessitate more emphasis on particular values. Those values may also vary because corporate leadership may have different priorities as well.
Through the U.S. Sentencing Guidelines and public guidance, the U.S. Department of Justice (DOJ) has expressed its view about important elements of a compliance program. The DOJ expects a compliance program to be “well-designed . . . adequately resourced . . . [and] work in practice.”[1] Recent guidance has directed companies to ensure their compensation schemes reward compliance functions and successes and impose significant financial penalties on those who engage in misconduct.[2]
A code can exceed “minimum requirements”
DOJ’s expectations and a company’s individual values are not mutually exclusive. For a compliance program to be well designed, it must address the most serious risks a company faces that are, in part, a product of its industry. Financial institutions need strong accounting controls to protect against sanctions violations and money laundering. Manufacturing companies need strong health, safety, and environmental programs to keep workers from being exposed to hazardous materials and dangerous workplaces and prevent pollution.
A compliance program may also be used to address other risks that reflect corporate priorities that are not necessarily the most severe but that senior leadership believes are nevertheless significant. For example, while compliance with anti-discrimination laws and regulations is a minimum requirement, a company may establish standards of conduct and processes to exceed the minimum requirements. Similarly, a company may also seek to meet higher environmental standards than law or regulation requires. The code of conduct can express these values and, at the same time, stand as a commitment to address DOJ’s concerns.
Common words in a code of conduct
The code of conduct must start with a commitment by senior leadership to creating a culture of compliance. Words often used to express that commitment include:
- Honesty
- Integrity
- Ethical
- Nonretaliation
- Doing the right thing
- Accountable
- Fairness
These values apply across the board to all activity within the company, whether to meet DOJ standards or the company’s expectations.
At the same time, the code of conduct may express a commitment to other values. Words used to express that commitment may include the following:
- Innovative
- Diverse
- Socially responsible
- Sustainable
- Environmentally sound
- Community involvement
While some of these values are reflected in legal obligations, some also go beyond mere compliance with laws and rules. They attempt to create a higher ethos for a company. The code of conduct can express both a culture of compliance and a higher-level ethos.
A code of conduct will address different concerns for different industries while also addressing DOJ’s concerns. Words used in codes of conduct for different industries might include the examples listed in Table 1.
Manufacturing | Professional Services | Technology | Education | Financial Institutions |
---|---|---|---|---|
Safety | Honesty | Innovative | Safe | Honesty |
Quality | Integrity | Sustainable | Diverse | Integrity |
Environmentally sound | Ethical | Respectful | Socially responsible | Responsible |
Fairness | Collegial | Ethical | Ethical | Accountable |
Doing the right thing | Professional | Doing the right thing | Socially responsible | |
While not all these words address legal compliance, they are compatible and can be treated by the company in the same way it treats legal compliance. For example, failure to follow policies and procedures designed to ensure collegiality or innovation can be met with discipline.
Codes must tackle high-risk areas
A code of conduct must address these areas and, simultaneously, express a commitment to compliance in high-risk areas of interest to DOJ. To ensure that a code of conduct covers those areas, a company should look to its risk registers to see what risks have been evaluated and what higher risks have been identified. These include conflicts of interest, anti-bribery and corruption, financial reporting, financial accounting, safety, third-party relationships, and national security.
The most serious compliance risks are likely to be anti-bribery and corruption, third-party relationships, financial accounting and reporting, national security, and anti-trust. These areas provide the highest financial incentives for misconduct and corruption in the honest market for goods and services. DOJ will expect the code of conduct to address these kinds of risks.
Having a compliance program that focuses on major risks, however, is not enough without compliance personnel and processes to monitor and report on compliance and without being able to demonstrate that the program works in practice through appropriate remediation and discipline. The code of conduct can also make clear that it is not just a piece of paper; it can warn employees that misconduct will be dealt with effectively through a well-resourced compliance department staffed by respected company leaders with the full support of senior leadership.
Address incentives and reporting
Recent guidance from DOJ emphasized that compliance functions and successes should be incentivized through compensation and rewards.[3] Noncompliance must be met with full investigation and discipline, including termination, if appropriate. Financial misconduct may also result in the clawback of ill-gotten gains.[4] The code of conduct should include a commitment to these principles and how company systems and processes are used to support them.
Finally, but importantly, the code of conduct must make clear that reporting of misconduct is not optional. It should explain the multiple avenues of reporting misconduct—to a supervisor, human resources, senior management, or a third-party anonymous hotline. It should include a strong expression of a nonretaliation policy—that retaliation against a good faith reporter of misconduct will not be tolerated.
Conclusion
Organizations can successfully blend code of conduct elements critical to them with elements critical to DOJ. Some elements are necessary for an organization to establish a culture of compliance and satisfy DOJ that it is doing so. Other elements can express broader cultural themes within an organization without detracting from meeting DOJ’s requirements. In fact, aspirations higher than mere compliance with rules and laws can also inspire employees to be more compliant at all levels.
Takeaways
- A code of conduct can be used as an expression of a company’s values beyond minimum legal compliance.
- Expressing values in the code of conduct beyond legal compliance can help to establish a company’s higher cultural ethos.
- While these higher values can be included in the code of conduct, the code must also address the U.S. Department of Justice (DOJ) priorities in preventing corporate crime.
- Tools of compliance, such as a well-resourced and respected compliance department, the use of discipline and incentives, and an effective speak-up culture, can support both the company’s goals and DOJ’s priorities.
- Using compliance tools to support higher company aspirations can enhance legal compliance throughout a company.