FCPA Compliance and Ethics Blog

July 25, 2014

Code of Conduct, Compliance Policies and Procedures-Part IV

This is the fourth and final installment of my series on the importance of a Code of Conduct and anti-corruption compliance policies and procedures in your compliance program and how you should go about drafting or updating your Code of Conduct and anti-corruption compliance policies and procedures. On Tuesday, I reviewed the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I looked at how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures. Today, I will end the series on how to keep all of the above vibrant and dynamic through a discussion of how to assess, review and revise them and your Code of Conduct on a timely basis.

Simply having a Code of Conduct, together with policies and procedures is not enough. As articulated by former Assistant Attorney General, for the Criminal Division of the US Department of Justice, Lanny Breuer, “Your compliance program is a living entity; it should be constantly evolving.” In an article in the SCCE Magazine, entitled “Six steps for revising your company’s Code of Conduct”, authors Anne Marie Logarta and Ruth Ward suggest considering the following issues before you take on an update of your Code of Conduct.

  • When was the last time your Code of Conduct was released or revised?
  • Have there been changes to your company’s internal policies since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
  • Are any of the guidelines outdated?
  • Is there a budget to create/revise a Code?

After considering these issues, the authors suggest that you should benchmark your current Code of Conduct against other companies in your industry. I would also add that your standards, policies and procedures should be reviewed and updated in the same manner. If you decide to move forward, the authors have a six-point guide which they believe will assist you in making your revision process successful, which I have used as a basis to include revisions to your compliance policies and procedures.

  1. Get buy-in from decision makers at the highest level of the company 

The authors believe that your company’s highest level must give the mandate for a revision to a Code of Conduct and compliance policies and procedures. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

  2. Establish a core revision committee

A cross-functional working group would be ideal to head up your effort to revise your Code of Conduct and compliance policies and procedures. This group should include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, the topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. The authors emphasize that creation of a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”

  3. Conduct a thorough technology assessment

The cornerstone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” They believe that technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct and compliance policies and procedures revisions, you should determine if they will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code and compliance policies and procedures will only be available in hard copy.

  4. Determine translations and localizations

The authors emphasize, “If your company does business internationally, then this step is vital to ensure you have one Code, no matter the language.” They do note that if you decide to translate your Code of Conduct be sure and hire someone who is an “approved company translation subject matter expert.” Here I would simply say to contact Jay Rosen at Merrill Brink, as those guys are one of the top Language Service Providers and know what they are doing when it comes to translations. The key is that “your employees have the same understanding of the company’s Code-no matter the language.”

  5. Develop a plan to communicate the Code of Conduct

A rollout is always critical because it “is important that the new or revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” Your company should use the full panoply of tools available to it to publicize your new or revised Code of Conduct and compliance policies and procedures. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide Code of Conduct and compliance policies and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all things compliance, the three most important aspects are ‘Document, Document and Document’. However you deliver the new or revised Code of Conduct, you must document that each employee receives it.

  6. Stay on Target

The authors end by noting that if you set realistic expectations you should be able to stay on deadline and stay within your budget. They state that “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that you should keep a close watch on your budget so that you do not exceed it.

These points are a useful guide not only to thinking through whether your Code of Conduct and compliance policies and procedures need updating, but also to the practical steps for tackling the problem. If it has been more than five years since it was last updated, you should begin the process that the authors have laid out. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedures. They are certainly a first line of defense when the government comes knocking. The FCPA Guidance makes clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” And by considered, I think it is clear that this means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Moreover, as Allen emphasized, “having policies written out and signed by employees provides what some consider the most vital layer of communication.” Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 23, 2014

Code of Conduct, Compliance Policies and Procedures-Part II

This week, I am reviewing the importance of a Code of Conduct and anti-corruption compliance policies and procedures in your compliance program and how you should go about drafting or updating your Code of Conduct and anti-corruption compliance policies and procedures. Yesterday, I reviewed the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. Today, I want to look at how to go about drafting your Code of Conduct. In subsequent posts, I will consider both anti-corruption compliance policies and procedures and how to assess, review and revise them and your Code of Conduct on a timely basis.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), explored some of these questions in an article in Compliance Week, entitled “The Code of Conduct Conundrum”. As a part of her article, Switzer interviewed Jimmy Lin, Vice President (VP) of Product Management and Corporate Development at The Network, and Kendall Tieck, VP of Internal Audit at Workday, for their thoughts on what makes an effective Code of Conduct.

Tieck views a Code of Conduct as not simply a static piece of paper or document “but as a set of expected behaviors that are integral to the fabric of the business and an organization’s value system. A Code of Conduct is not a compliance activity, but how an entity demonstrates integrity and acquires trust from markets, shareholders, customers, partners, and governments. To achieve these outcomes, a careful plan, aligned with a policy lifecycle management framework, should articulate how the Code is integrated in the core of the company’s activities and culture.”

Switzer believes that one of the key components of a best practices Code of Conduct is to integrate the connection between a business’ objectives, its risk and compliance management. There are numerous factors, which can move a company towards having such an effective integration. Switzer wrote that some of these include, “external stakeholder expectations and pressures, internal culture and context, objectives for the code, process of development and implementation, content of the code, consequences for non-conforming conduct, strength of sub-codes (e.g. policies), and employee character.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving.

A GRC Illustrated series, provided with Switzer’s article, entitled “The Next Generation Code of Conduct”, lays out six steps for the compliance practitioner to think through and implement during a Code of Conduct upgrade or rewrite. These six steps are (1) design; (2) deliver; (3) interact; (4) measure; (5) maintain; and (6) improve.

Design

Under this step, a company needs to define the behavior that it desires to inspire and allow employees to collaborate at all levels. Lin said that a key aspect was relevancy, “But times change—business environments change, cultures change, risk appetites change. We all need to keep in mind that the Code, the ultimate policy, should not be a stale document on the shelf. It needs to inspire, engage, and change with the organization.” Tieck said that your Code of Conduct should be “considered a part of the entity’s overall policy landscape. Leveraging an effective policy lifecycle management framework will promote integration and alignment across the policy governance landscape.”

Deliver

Switzer also identified the delivery of a Code of Conduct as a key element of its effectiveness. She said, “modern communication methods that allow the user to engage, interact, and research further behind the Code into related policies, procedures, and helplines for additional guidance can be better monitored and measured. Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.” This should also include relevant third parties such as suppliers and sales agents. “And failure to comply with the Code can be better identified and tracked, indicating possible need for clarification, additional training, or better screening of employees.”

Interact

Lin pointed out that a Code of Conduct is both a corporate governance document and a marketing document. As such you will need to create a marketing campaign to get the message of your Code of Conduct out to not only your employee base but also relevant third parties. If you have a large number of non-English speaking personnel or employees without access to online training, these factors need to be considered when determining the delivery method.

Measure

Initially, you should prioritize qualitative results with positive feedback by including such metrics as speed of completion, the reminders that must be sent to facilitate completion of Code of Conduct training, and the percent of employees and third parties who attest to the review of your Code of Conduct. You should also measure the effectiveness of your communication campaign. Tieck suggests drilling down further because each component of your Code of Conduct sets “an expected behavior. Selecting a few critical behaviors to measure and monitor may be adequate for most organizations. These selected measures might represent an aggregate measure of the overall conformance to the code. Large organizations may be able to mine HR data to capture statistics associated with the identified behaviors. For instance, termination reason codes may be one source.”

Maintain

All commentators note that it is important to keep your Code of Conduct design and content fresh. One of the ways to do so is by employee feedback, which can assist you in identifying if your Code of Conduct is not only effective, but also truly reflective of your company’s culture. Lin points out that to gain these insights you need to incorporate both formal and informal techniques for gauging the relevant employee and third party populations. He states, “Questionnaires, surveys, forms and hotlines can be good anonymous sources, but engaging employees in conversation is just as, if not more, important. Make sure executives and managers alike spend time in small-group and one-on-one conversations. Have these conversations throughout the year and across your employee base to get the “real” story. This helps engage the employees and ensure they know you value their input.”

Improve

OCEG advocates that your Code of Conduct should be evaluated for revision at least every two years. This should be done to keep abreast of the changes in laws and regulations and your own business operations and risk tolerances. Switzer said, “Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.”



June 7, 2013

Codes of Conduct: what are they good for?

Ed. Note-today we have a guest post from Catherine Choe, a well known Code of Conduct maven. 

I had an interesting and frustrating conversation with a relative about the work that I do, which includes working with companies on refreshing their Codes of Business Conduct.  Despite working at a large, publicly traded, multinational corporation, I had to describe the Code twice before he recalled having certified reading the one at his company.  It got me thinking about why we have Codes and whether they’re doing an adequate job serving their purposes.

Two of the primary goals of any Code are first, to document and clarify minimum expectations of acceptable behavior at a company, and second, to encourage employees to speak up when they have questions or witness misconduct.  There have been some very compelling articles discussing how important it is to teach employees that even actions that seem like minor misconduct should be reported.  I agree with this, of course, but I think that those of us in compliance & ethics should not lose sight of how difficult the decision to report major misconduct can be for many employees.

I recently heard a story about this that drove home how much anxiety the decision to report can cause.  I was having drinks with Sara, a friend I hadn’t seen in over a year.  Sara and I used to work together, and as we were catching up (i.e., gossiping) about former colleagues and mutual friends, she told me about something that happened to her a couple of weeks earlier.

Sara was attending a happy hour and chatting with Tracy.  Sara and Tracy started at the company on the same day and were in the same orientation group, where they bonded over their shared love of celebrity tabloids and became fast friends.  Over the years, Tracy worked her way up in the sales department to become a senior manager.  At the happy hour, Tracy shared details from the latest bonus trip that she had been selected to attend along with other top sales employees as a reward for outstanding performance.

It seems that in addition to her reputation for exceeding nearly every sales goal put in front of her, Tracy had also developed a habit of dating her colleagues.  In some instances, her partners were at her level, but most of the time, they were junior to her, although not in her reporting line.  All of her relationships were consensual, and she never exerted influence, positive or negative, over their careers.  Tracy simply found that it was more convenient, given the number of hours she worked and the days that she traveled, to find romance at work.  Management turned a blind eye to these activities, despite them being in contravention of company policy.  This was in part because of her performance and in part because nobody ever complained.

Tracy became involved with a junior colleague on the bonus trip and, as friends often do, was starting to share juicy details.  Tracy, wanting to show Sara what the junior colleague looked like, pulled out her phone to show Sara a picture.  Sara expected to see a head shot.  What she saw instead was a picture of the gentleman in question in the shower, with no idea that Tracy was snapping a photograph.

Sara shared the story with her boyfriend as an example of Tracy’s continuing refusal to grow up and a reason for the growing distance between the two friends.  Sara expressed discomfort at having been shown the picture and some sympathy for the gentleman who’d had his picture taken in an intimate moment without his consent.  Her plan for the future was to minimize contact and avoid spending time with Tracy.

Sara’s boyfriend, a lawyer, told her she had a responsibility to report Tracy’s behavior.  Sara disagreed, saying that the relationship was a consensual one between two adults.  In addition, Sara was concerned that Tracy might lose her job at a time when jobs were hard to find; Sara didn’t think it was right to interfere with Tracy’s livelihood.

Sara’s boyfriend insisted that Sara report the incident, going so far as to say that if she didn’t tell someone in authority at the company, that he would call the company’s General Counsel to report the behavior himself.  He also noted that she might not have been as reluctant to raise her hand if the genders of the parties involved had been reversed.

Sara felt trapped.  Despite the egregious nature of Tracy’s behavior, Sara was torn between loyalty to her friend and doing what she knew in her heart was the right thing.  After several sleepless nights, she asked her boyfriend to consider calling the helpline rather than calling the GC, which she hoped would make it harder to trace the report back to her.  Out of sympathy for her distress, he agreed but told her she should check to see what her responsibilities were in the company’s Code of Conduct.

Sara downloaded the Code of Business Conduct from the company’s website and checked the Table of Contents and the index.  Both places directed her to the first section of the Code, which stated that employees, officers, and directors had a duty to report misconduct.  Defeated, Sara called the HR business partner for her department the next day.

Two things stood out to me when Sara told me this story:  (1) Sara’s reluctance to report the misconduct despite its egregiousness and (2) the role of the Code of Business Conduct in the resolution.  It’s true that if someone had reported Tracy when she first started dating her colleagues, she might not have reached the point of nonconsensual pictures in the shower, and then Sara would not have faced the dilemma she did.  Despite the existence of HR policies either forbidding romantic relationships at work or requiring their disclosure, workplace romances continue to occur.  As adults, we spend most of our time at the office with our coworkers.  Personal relationships are inevitable.

In addition, we often feel more loyalty to our coworkers than we do to the companies that employ us.  Our colleagues are people.  We work on projects together, we celebrate successes with each other, and we console each other when there are failures.  The collegiality that we build can improve productivity for the company.

Companies employ us.  They provide us with the money we need to shelter and feed ourselves and our families, but companies are not people.  The relationships we have with them are not personal.  What this means for C&E practitioners is that when we tell employees to report misconduct, no matter how small, the choice we are presenting is to be loyal to our coworkers or be loyal to the company.  Respect the teamwork and collegiality we’ve built, or “tattle” on our teammates for minor infractions of a Code that most employees skim once a year.  The decision to report, even in the face of serious misconduct, is gut-wrenching, especially if the bad actor is a friend or simply likeable.

Luckily for Sara’s company, the Code specifically cited a duty to report.  Companies often struggle with the decision as to whether to make reporting a duty or something more voluntary.  Making reporting a duty puts a burden on the company to ensure there are consequences for those who do not report misconduct.  Some decide that the administrative burden is too great or that they are uncomfortable with the potential impact it will have on the company culture.  After the conversation I had with Sara, I believe that the benefits outweigh those potential drawbacks.

We all know that our companies need Codes, so that our expectations around appropriate behavior are written down for employees.  We all know the general topics that should be covered in our Codes.  The level of sophistication in interactivity often depends on the level of technology sophistication of the employee base.  Many of us have gotten savvier about adding specific examples in our Codes to provide additional guidance.  We seem to take it for granted that employees will read the Code with the same attention and focus that we do.

The reality is that employees read the Code when forced to, either because of an annual certification campaign or because they face a dilemma.  In the former situation, employees skim, then sign; in the latter situation, employees look for an answer to a specific question.  Everyone in C&E has a checklist in mind of things that the Code should have and do.  At the top of my checklist is how quickly people like Sara can find the topic of her question and how clearly the Code answers it.  If employees are unable to find clear answers to their dilemmas quickly, the Code is not serving its purpose.

———————————————————————————————————————————————————————-

Catherine Choe  is Managing Member at TFL Compass (www.tflcompass.com), a compliance and ethics consultancy.  She is an authority on the business impact of C&E programs and has lectured widely on harmonizing C&E practices with business processes. Catherine is also an experienced and talented speaker with exceptional communication and presentation skills. She tweets regularly as the Code Maven (@CodeMavencc). She can be reached by phone at  408-337-2463  or email at cchoe@tflcompass.com. 

———————————————————————————————————————————————————————-


September 4, 2012

Revising Your Code of Conduct – Don’t Wait for Another Great Fire of London

In 1666 the dates of September 4 and 5 are generally recognized as the worst days of the Great Fire of London. The Great Fire started at the bakery of Thomas Farriner on Pudding Lane, shortly after midnight on Sunday, 2 September, and spread rapidly west across the City of London. The fire gutted the medieval City of London inside the old Roman City Walls. It is estimated to have destroyed the homes of 70,000 of the City’s 80,000 inhabitants. The City was rebuilt, with much of the old street plan being recreated in the new City, with improvements in hygiene and fire safety: wider streets, open and accessible wharves along the length of the Thames, with no houses obstructing access to the river, and, most importantly, buildings constructed of brick and stone, not wood. New public buildings were created on their predecessors’ sites; the most famous is St. Paul’s Cathedral and its smaller cousins, Christopher Wren’s 50 new churches.

Not all rebuilding requires such drastic destruction however. In a recent article in the Society for Corporate Compliance and Ethics (SCCE) Magazine, entitled, “Six steps for revising your company’s Code of Conduct” authors Anne Marie Logarta and Ruth Ward suggest considering the following issues before you take on an update of your Code of Conduct.

  • When was the last time your Code of Conduct was released or revised?
  • Have there been changes to your company’s internal policies since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
  • Are any of the guidelines outdated?
  • Is there a budget to create/revise a Code?

After considering these issues, the authors suggest that you should benchmark your current Code of Conduct against other companies in your industry. If you decide to move forward, the authors have a six-point guide which they believe will assist you in making your revision process successful.

1.      Get buy-in from decision makers at the highest level of the company

The authors believe that your company’s highest level must give the mandate for a revision to a Code of Conduct. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

2.      Establish a core revision committee

The authors believe that a cross-functional working group should head up your effort to revise your Code of Conduct. They suggest that this group include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, the authors believe that Code of Conduct topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. The authors emphasize that creation of a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”

3.      Conduct a thorough technology assessment

The authors argue that the backbone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” They believe that technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct revision, you should determine if your Code of Conduct will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code will only be available in hard copy.

4.      Determine translations and localizations

The authors emphasize that “If your company does business internationally, then this step is vital to ensure you have one Code, no matter the language.” They do note that if you decide to translate your Code of Conduct, be sure to hire someone who is an “approved company translation subject matter expert.” Here I would simply say to contact Jay Rosen at Merrill Brink, as those guys are the SMEs and know what they are doing when it comes to translations. The key is that “your employees have the same understanding of the company’s Code-no matter the language.”

5.      Develop a plan to communicate the Code of Conduct

A roll-out is always critical because it “is important that the new or revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” The authors believe that your company should use the full panoply of tools available to it to publicize your new or revised Code of Conduct. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide Code of Conduct meeting where the new or revised Code is rolled out across the company all in one day. But remember, with all things compliance, the three most important aspects are Document, Document and Document. However you deliver the new or revised Code of Conduct, you must document that each employee receives it.

6.      Stay on Target

The authors end by noting that if you set realistic expectations you should be able to stay on deadline and stay within your budget. They state that “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that you should keep a close watch on your budget so that you do not exceed it.

Logarta and Ward’s article provides a useful guide to not only thinking through how to determine if your Code of Conduct needs updating, but also practical steps on how to tackle the problem. If you are a compliance practitioner, I would urge you to take a look at your company’s Code of Conduct. If it has been more than five years since it was last updated, you should begin the process that the authors have laid out. Do not wait for a catastrophe like the City of London did with the Great Fire of London to rebuild. It is far better to review and update if appropriate than wait for a massive Foreign Corrupt Practices Act (FCPA) investigation to go through the process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

May 21, 2012

The Homestead Act and Doing Compliance

What was the single greatest transfer of property from the US government to its citizens? It was public lands that were given to persons willing to farm the land. Today we celebrate the 150th anniversary of the Homestead Act, passed on May 20, 1862, which facilitated this donation. Under this law, any person, over 21, could stake a claim of up to 160 (later increased to 640) acres if they were a citizen or declared the intention to become a US citizen and agreed to farm the land for five years. In an article in the Saturday Wall Street Journal (WSJ), entitled “How the West Was Really Won”, author Fergus Bordewich quoted President John F. Kennedy who stated in celebrating the Centenary of the Homestead Act, “more than 1.1 billion acres of the original public [domain] have been transferred to private and non-federal public ownership.”

Bordewich goes on to write that it was farming that tamed and then settled the West. But more than simply planting, it led to technical innovations in agriculture, animal-feeding and water management. Land-grant colleges followed to provide educations to children of these homesteaders, which led to further growth and innovation. Bordewich quotes Bonnie Lynn-Sherow, “If you measure the achievement of homesteading by the value of today’s GDP alone, it was an enormous success.” From the article I gleaned that it was the day-to-day work of farmers, innovators, educators and a host of others that created the great breadbasket that is the United States.

This drove home to me that what a company really needs to accomplish regarding compliance is to do the day-to-day work in its company to help create and foster a culture of compliance. Recently, May 7-11 was designated as “Compliance and Ethics Week”. One of the panelists I saw last week at the IQPC Upstream Contract Risk Management conference spoke about how his company celebrated this event and used it as a springboard to internally publicize its compliance program. Their efforts included three separate prongs: hosting inter-company events to highlight the company’s compliance program; providing employees with a Brochure highlighting the company’s compliance philosophy; and circulating a Booklet which provided information on the company’s compliance hotline and Compliance Department personnel.

Inter-Company Events

These were ‘Lunch-N-Learn’ events hosted throughout the week. Topics included:

  • Monday: Navigate and Learn the Corporate Compliance Website;
  • Tuesday: How to Determine if You Have a Conflict of Interest;
  • Wednesday: Review of the company’s pre-approval procedures for gifts, travel and entertainment of non-US officials and employees of State Owned Enterprises;
  • Thursday: Understanding the purpose and importance of the Company’s Alertline; and
  • Friday: Ethical Behavior that Wins Business and Attracts Top Talent.

Participation in these events allowed the Compliance Department to meet informally with the business unit folks. Even in a corporate headquarters, most conferences are more formalized training but the ‘Lunch-N-Learn’ concept provides a more casual atmosphere and, therefore, better opportunities for interaction.

Cost: Sandwiches for lunch

Brochure

The Company regularly distributes a short Compliance Brochure. The Brochure, which announced the company’s celebration of Compliance Week, included the following phraseology, which I quote in its entirety as I thought it was so eye-catching. The Brochure had spelled out ‘Compliance’ vertically and assigned phrases to each letter so that it reads as follows:

Commit to ‘Doing the Right Thing’

Observe the policies that apply to your job

Make compliance awareness a part of your job

Put Code of Conduct in assessable place

Lead by example

If in doubt, check it out

Attend educational and mandatory training sessions

Notify your supervisor of possible wrongdoings

Communicate openly and honestly

Ethics is a part of all activities

In addition to the above phrasing the Brochure included information on the Company hotline; contact information for the Compliance Department and a listing of some of the information available on the Company’s internal intranet site.

Cost: Regular printer paper

Compliance Booklet

The final piece of information provided during the company’s Compliance Week celebration was a four-page Booklet provided to each employee, specifically tailored to the Compliance Week celebration. It listed out several elements from the company’s compliance program and the company’s Vision and Core Values. It also provided the contact information on the company hotline and contact information on the Compliance Department personnel. One of the most interesting things it listed was the company’s Compliance Department philosophy about what it believed it owed the company’s employees. This included the following:

  • Guidance on the policies and procedures that apply to your duties
  • Training to enable your compliance with all applicable policies and procedures
  • Monitoring to ensure compliance with policies, procedures and laws
  • An environment that will not tolerate retaliation against those who report compliance concerns in good faith

Cost: Thick printer paper

I have set out all of the above in some detail to demonstrate some of the lessons learned from the Morgan Stanley declination/Garth Peterson enforcement action. You can take steps right now, as in this minute, to help foster a culture of compliance in your organization. The Department of Justice (DOJ), in its Press Release regarding the declination, listed persuasive events such as training and something as simple as email notices sent to Peterson. What is the cost of sending out an email notice? Not too high.

The Compliance Week celebration demonstrates, once again, that it is doing compliance which drives home not only the message of compliance within a company but also demonstrates to any regulatory body reviewing a company that compliance is a living part of the organization. So just as the Homestead Act created the opportunity for the taming and settling of the American West, it was the homesteaders, doing the work of farming which the Homestead Act was designed to foster, who made it a reality.

============================================================================================

We send out a big congratulations to Chelsea and all their fans for winning the UEFA Cup on Saturday evening.

============================================================================================


February 23, 2012

Code of Conduct – The Cornerstone of Your FCPA Compliance Program

The cornerstone of a Foreign Corrupt Practices Act (FCPA) compliance program is the US Federal Sentencing Guidelines (FSG). They contain seven (7) basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct”? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.

In each DPA and NPA over the past 18 months the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.

In an article in the SCCE Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this in a Code by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, your company’s disciplinary procedures should be stated in the Code of Conduct. These would include all forms of discipline, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize that it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are document, document and then document. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do so in short order, as much has changed in the compliance world.
