An effective code of conduct is essential to creating well understood behavioral norms and influencing employees’ decisions and actions. An effective code of conduct can minimize the chances for conflicts of interest and other wrongdoing that hurts the organization and its stakeholders. Here are seven essential steps to implementing a code of conduct.
1. Engage Stakeholders
A code of conduct lays out the values, principles and rules that guide peoples’ decisions and actions. It’s kind of like drafting a constitution for the organization – and that takes getting input from all the relevant stakeholders. The team drafting the code should engage all stakeholders, including employees, labor or worker representatives or employee resource groups, board members, investors and shareholders, community members, suppliers and partners and/or any other stakeholder who is impacted by the organization.
Stakeholder engagement surfaces different ideas and it also promotes buy-in across the organization. If the code drafters engage all stakeholders, then the resulting code of conduct will be a bottoms up agreement between everyone in the organization regarding their shared values and accepted norms of behavior.
2. Assess Risks and Impacts
In addition to core values such as integrity, respect, inclusion, etc., the code of conduct should also address relevant business topics. This requires an evaluation of the business processes and work-flows that could generate compliance risk for the business. Start with the product or service sold by the business and evaluate how the product or service is created.
Are there any social concerns or social impact from the nature of the product or service? Is there a negative impact on the community due to the product or service? What about the supply chain or third parties who contribute to the product or service? Are governing norms required for third party suppliers or partners?
Evaluate the relevant market and competitors and evaluate the go-to-market methods. Is the product or service sold and distributed internationally and is there a risk of bribery and corruption? Do industry competitors collude on pricing? These are all important questions to consider when implementing a code of conduct.
The idea here is to follow each step of how the company’s product or service gets created, marketed, sold and distributed and identify the relevant and largest compliance risks. Not all risks are the same and you don’t want to overwhelm people with every possible risk. So identify the top, most relevant risks and create procedures and norms of behavior to navigate and minimize those risks.
3. Draft the Code of Conduct
Your code of conduct is a document that sets out the standards, policies and norms of behavior that all employees and everyone affiliated with the company needs to comply with. As referenced above, it should outline all of the core values for how people are expected to treat each other and how people should make business decisions. Beyond these core social values, the code also needs to include those topics that are most relevant to the business and which pose the highest risk of negative impact.
The code should be written simply, for an employee audience and in a manner that makes it easy for employees to apply policies to their every day experience. In addition to simple, engaging writing, the code should be published and accessible to all stakeholders at all times.
4. Code Training and Communications
A code of conduct cannot stand on its own; it needs to be promoted and amplified by employee training and communications. Code of conduct training should be sponsored annually to the whole workforce and it should cover the core social values as well as the relevant topics that pose the highest risk to the organization.
Ideally the training should be highly relatable and engaging and take less than an hour for employees to complete. Code training is also an executive messaging opportunity to employees, and as such, it should be accompanied by an introductory video and/or messaging from one or more executives.
The content for the code training should be refreshed and/or reproduced each year so that it continues to engage employees with new video scenes, graphics, animation, etc. Sponsoring fresh content each year also shows the importance and priority of the code of conduct to employees.
In addition to training, it’s ideal to promote the code, or portions of the code, in posters, flyers, newsletters, micro lessons and other messaging tools so that employees experience the code several times a year and in multiple ways to maximize their awareness and retention.
Publishing a code of conduct will not enable or influence employees. Publishing and implementing a code of conduct and sponsoring an annual training will slightly influence employees. But publishing a code of conduct, sponsoring an annual training, conveying an executive video or written message and promoting the code throughout the year via posters, newsletters and micro lessons will definitely influence and guide employees’ behavior.
5. Monitor Risky Employee Behavior
A code of conduct is a published set of standards for employee and other stakeholder behavior in the business. While it’s great to communicate the code to the workforce, it’s equally important to have a two way communication with employees and have visibility into what’s really happening in the trenches. The only way to really do that is to survey employees about behaviors they witness or experience that are relevant to compliance issues.
This isn’t an annual climate or engagement survey. Climate surveys are designed to show employee productivity and retention. A risk survey should be able to determine and measure risk based on employee behaviors.
For example, do employees click on links or attachments from unknown senders? If so, there’s a pretty high risk for a cybersecurity incident.
Does the business interact with foreign officials or executives in state owned enterprises for business? If so, then there’s a risk for a violation of the foreign corrupt practices act (FCPA) and other global anti-bribery laws, and so on.
In addition to surveying employees, compliance professionals should also monitor the corporate hotline to see which behaviors are the subject of employee reports. If the business has done a good job in creating a speak up culture, employees may report concerning employee behavior, even if the behavior doesn’t directly affect the reporting employee.
In short, implementing a successful code of conduct involved monitoring for risky employee behavior will revolve around data generated by risk surveys and reported issues from the corporate hotline.
6. Address and Remediate Problem Behaviors
Clearly compliance teams are tasked with identifying and remedying compliance violations; it’s a basic minimum requirement. But just like talent management proactively anticipates employee engagement and retention trends, compliance professionals can do the same.
In order to proactively manage compliance risk, compliance professionals need to anticipate risk based on survey responses about behaviors that increase risk on compliance topics such as behaviors that increase risk for insider trading; cybersecurity; data privacy; bribery and corruption; antitrust; global trade; anti money laundering; protecting intellectual property and conflicts of interest.
The only way to do that is to create a set of investigation questions that probe for risky actions and embed those questions into a risk survey. At Emtrain, we actually embed those questions right into our online compliance training.
After successfully implementing Emtrain’s code of conduct training, compliance professionals can benchmark the employee sentiment data received from the risk survey. They can then assign a risk score to different departments or business units based on their ranking in the benchmark. The risk score becomes the proactive measure and tool for compliance staff to focus on the departments or business units engaging in the riskiest behaviors and change/remedy those behaviors to reduce risk.
7. Report Risks, Strengths and Behavior Changes
Certainly, compliance officers have a duty to report to their Board about compliance risks and strengths, as well as improved behavior based on remedial efforts. Historically, compliance officers will report lagging statistics such as the number of compliance violations, investigations or government prosecutions.
With risk surveys, compliance professionals can now provide leading indicators such as quantifying risk as low, medium and high and generating a risk “score” as benchmarked against similar organizations in the same industry. This proactive risk analysis provides the perfect opportunity for compliance officers to also share their remedial actions for the parts of the business engaging in more risky behaviors.
Lastly, the Department of Justice (DOJ) is increasingly expecting to see compliance programs that record and prove actual changes to employee behavior and a decrease in compliance risk. Unlike the past, the DOJ is no longer tolerant or accepting of one dimensional codes of conduct. This DOJ wants to see a bi-directional code of conduct where compliance officers are able to measure employee behaviors that cause risk and demonstrate that their program changed those behaviors.
Conclusion
To be effective, the code of conduct is far more than a published set of policies and practices that employees acknowledge once a year. Follow the 7 steps outlined above to guide your code implementation, and create an operational tool that measures and reduces compliance risk throughout the organization.
