As many organizations already understand, a formal, written code of conduct is critical in order to transform ethical behavior into something more tangible for employees. Such a code is now a requirement for public companies, as mandated by the Sarbanes-Oxley Act and by the listing requirements of the major stock exchanges.
Executing a successful code of conduct depends on three key elements: proper definition, effective communication and appropriate warning signals as monitoring tools. For years, companies have implemented corporate compliance programs that generally are based on a published code of conduct and follow the infrastructure outlined under the Federal Sentencing Guidelines for Organizations. To be effective, each program's underlying elements should reflect the unique aspects of the organization's culture and management's operating style.
Typically, a code of conduct includes:
- A statement by the CEO that the organization is committed to conducting business with integrity, in accordance with the highest ethical standards and in compliance with all applicable laws, rules and regulations. This establishes the required "tone from the top."
- Practical examples of situations an individual might encounter, and guidance to help clarify how the code should be applied in each case.
- A discussion of the roles the organization's policies, structure, risk management and internal controls play in ensuring compliance with the company's ethical standards, including the role of personal accountability for adhering to the code.
- Recognition of the company's responsibilities to shareholders, employees, customers and other stakeholders.
- Prohibitions on and/or required disclosures related to conflicts of interest and restrictions on the use of confidential/proprietary information.
- Corporate guidelines, including policies on expenses, asset usage, vacations, insider trading, etc.
Communication, Disclosure and Enforcement
Disclosure of the code of conduct has not been consistent among companies. These are suggestions based on today's best practices:
- Write the code in a way that all employees can understand.
- Circulate the code internally to all employees on a regular basis (annually, at a minimum). Require everyone to acknowledge that he or she has read it, understands his or her responsibility to comply with it, and will report through appropriate channels any observed violations.
- Circulate the code externally to institutional investors and other constituents.
- Publish the code in the company's annual report and on its Web site.
- Conduct periodic employee training on the code and "audits" of the staff's understanding of it.
- Require periodic compliance self-assessments of selected employees using appropriate code provisions.
A code without discipline lacks substance. Management must take disciplinary action for violations on a timely basis, and lessons learned from violations should be communicated to employees and reinforced through training. An internal reporting mechanism should be put in place for employees to ask questions about ethics issues and report violations or breaches of company policy without fear of retribution.
Often, these reporting mechanisms take the form of an "integrity hotline," although some companies are establishing Web sites to receive reports and give reporting employees or outside parties the option of remaining anonymous. Management should have protocols in place to handle reported violations consistently, including use of legal counsel, coordination with law enforcement and timely reporting to senior management and the board, consistent with the Sarbanes-Oxley requirements for reporting fraud.
Watching for Ethics Warning Signs
A company's board of directors has three responsibilities with respect to the code of conduct. First, it must determine that the code is consistent with values that most stakeholders hold in the highest esteem. Second, it must comply with the code. Third, it must provide appropriate oversight to ensure management is operating the business in a manner consistent with the code.
Directors should watch for the following key warning signs. If these and other "red flags" are noted, the board should investigate to determine whether there are integrity issues requiring attention at the highest levels of the organization. Where there is smoke, there may be fire.
- The extent to which the code of conduct is emphasized and reinforced by management in operating the company. There is little value to a code that is published but not consistently reinforced by management.
- The manner in which management engages the board. Management's relationship with the board could be a sign of how it engages its people. For example:
  - Management brings only good news and highly structured presentations to board meetings, and the board rarely hears bad news until it is too late.
  - Management only presents the board with plans for approval and rarely seeks input as plans are being developed. Insufficient time is devoted to forward-looking issues.
  - The CEO controls the board's agenda, board meetings are highly regimented, and directors have little opportunity to discuss issues and concerns.
- Circumstances within the organization or aspects of its culture that could lead to unethical or dysfunctional behavior. Unless effectively managed and checked, past successes and growth -- along with sustained pressures to perform -- can breed a "warrior culture." This can lead to a cavalier attitude that spawns reckless initiatives, unhealthy internal competition, institutional resistance to bad news, a general lack of change readiness, unrealistic stretch sales and profit goals, variable compensation plans linked to those goals and insufficient attention to protecting the company's brand image.
- Direct or anecdotal evidence that the CEO and senior management lack credibility with employees. Such evidence might surface in employee surveys conducted by an independent consultant, or in other ways. Management may consistently make excuses for poor results and be unwilling to acknowledge its own errors. If the board notes that the CEO and executive management are unable to discern or are unwilling to admit when a strategy or its execution is not working, it can safely bet that employees have noted it as well.
- Direct or anecdotal evidence that certain business activities might be on the verge of running out of control. For example, is there evidence of a pattern of high-pressure sales practices, bullying negotiation tactics, disregard of regulatory authority or similar activities? If these conditions persist, could they lead to problems, even illegal acts or brand erosion?
- Identification of problem areas or process failures that may be a symptom of potential ethics issues. When a significant problem or process failure occurs, is it a symptom of an ethical breakdown? If not, does it indicate a lack of clarity that, if addressed, might have helped mitigate the problem or even have avoided it?
- Requests to waive conflicts of interest or other significant ethics requirements. The board should pay close attention to requests from management to waive significant code provisions, including the immediate and long-term effects if a waiver is granted.
- The effectiveness of management's follow-up on instances of code violations and noncompliance issues reported by "whistleblowers" and third parties. The board should be informed of financial reporting issues raised by whistleblowers, as well as any lack of adherence to policies and procedures demanded by regulators and auditors. Any subsequent investigation, findings and the remedies taken should be disclosed to the board.
Ultimately, the best test of a code of conduct's effectiveness is whether it is practiced. When management's preferences, value judgments and operating styles are consistent with the highest standards of ethical behavior, the organization is better positioned to sustain a quality reputation that attracts and retains the customers, talent and capital required to grow the business and create enterprise value. In every industry, strong corporate ethics breed positive business results.
EVERETT GIBBS is managing director for Protiviti (www.protiviti.com), an internal audit and risk consulting firm with over 30 offices in the U.S., Europe and Asia. For the nearest office, call 888.556.7420.