How does your Code of Conduct inform your risk assessment and how in turn does a risk assessment inform your Code of Conduct training? I recently visited with Charlie Voelker, Director, Compliance Products at Skillsoft and Toby Ralston, Managing Director at StoneTurn on these topics and I was surprised the interconnected nature of these two seemingly disparate components of a best practices compliance program.
A. Code of Conduct
Obviously, your Code of Conduct is viewed as a foundational document by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC), as they laid out in the FCPA Resource Guide, 2nd edition. Yet many compliance practitioners struggle with how to benchmark a Code of Conduct. Toby Ralston, Managing Director at StoneTurn believes there are a number of ways that a compliance professional could potentially benchmark a Code of Conduct, including an internal scorecard, industry peer or similar comparison.
We next considered some of the top risk areas that should be covered in a Code. Ralston believes that while “the notion of taking a risk-based lens to any organization’s Code may seem somewhat foreign, but it’s actually one of the easiest ways to keep your code relevant.” It helps you to continually monitor your organization’s overall risk profiles. For instance, what does your code currently say about social media and its use? Does it contain a section on social responsibility in the wake of black lives matter? The point is there are a number of reputational risks which you may need to consider.
Another area which many companies are moving towards is not simply having a static Code, literally set in stone, which has not been changed in many years. The DOJ has clearly moved towards Code as a dynamic document. A company must look at its risks and if those risks have changed or they are different, you may need to consider a Code revision.
Another area is “the notion of an organizational voice. It is important to have organizational input, continued organizational discussion, and that the Code be a living, breathing document where employees feel like they are invested in the document,” not just a senior management coming down from Mount Sinai with the Code of Conduct etched in stone tablets. Ralston believes that over the past five years or so, organizations have gotten better about this, particularly in stripping out the legal phrasing throughout a Code.
All of this reinforces the idea that your Code is a living breathing document. You can use it to reinforce your organization’s founding values and mission. Ralston tied it together in following manner, “I would estimate that nearly 80% of corporations include integrity is one of their values. What does that mean? Acting with integrity is a personal construct and without clear connections to your organization’s purpose employees may not be clear on what’s expected of them.” The bottom line is that a Code establishes the foundational level of what is expected of employees at any organization. The Code of Conduct is a great starting point.
B. How Your Code of Conduct Informs a Risk Assessment
It is axiomatic that your Code of Conduct is foundational to a compliance program. Charlie Voelker, Director Compliance Products at Skillsoft said, the “Code of Conduct is a way of capturing the risks and the issues that the organization faces. These are the major concerns that, that the organization has in terms of the type of business it is in, where it is operating and other factors of that nature.” Moreover, “by capturing those major issues within a training experience that is delivered across the organization and to all employees, it helps to level set everybody within the company in terms of what are those issues that are sort of top of mind for the company, what are the areas that as an employee needs to be focused on. Also, for employees, the Code of Conduct is a source of that information and also about where to go for more help. In many cases, a Code of Conduct will point to other policies or procedures or other resources that serve to provide that support that employees might need as they go about their day-to-day business.”
One of the key themes of the 2020 Update to the Evaluation of Corporate Compliance Programs (2020 Update) was of the importance of a risk assessment to all aspects of your compliance program. Additionally, the 2020 Update made clear the relationship between risk assessment and Code of Conduct training going forward. A risk assessment informs the content of the company’s Code of Conduct itself by identifying the topics and the issues that relate to the risks the organization faces.
When you consider Code of Conduct training as the foundation of all of the compliance training to be delivered within the organization; it becomes clear that everybody in the company needs to be familiar, even if only at a high level with the risks that the company faces on a day-to-day basis. Through aligning Code of Conduct training with the results of the risk assessment, you can ensure that the right content, the right messaging is being presented as part of that foundational Code of Conduct training. Moreover, by using your risk assessment to pinpoint key areas for training, you can have both a more focused and more effective Code of Conduct training.
Voelker noted that are several critical elements about a Code of Conduct. It is obviously foundational and equally importantly your Code of Conduct is something that needs to be known across the organization. While the Code of Conduct itself is foundational, Code of Conduct training should be used as a base to move into other areas significant to compliance and ethics. Voelker mentioned communicating to employees how to raise concerns, how to speak up, how to advocate is a key area for exploration in Code of Conduct training.
We concluded by considering the mandate from the 2020 Update that the corporate compliance function, compliance professional or Chief Compliance Officer (CCO) to utilize data. But more than even data, it was using all available information to inform the ongoing improvement of their compliance program. Voelker sees this as a logical follow up on the clear DOJ message around tailoring your compliance program to manage your organization’s risks. Your compliance program is not static but dynamic. This means one of the benefits of Code of Conduct training can help to provide a feedback mechanism that can be used in conjunction with the risk assessment. One area is around emerging risks which the home office may not have been aware of but arise in other geographic areas. Another is making modifications to the program, to adapt it to what is actually occurring in the regions. It also helps to evaluate whether the training is having an effect by reducing violations or in other areas such as additional reports to a hotline.
C. Conclusion
Most compliance practitioners do not set see the inter-relationships between each Hallmark of an Effective Compliance Program. They certainly do not seem self-evident. Yet by considering how you can use your Code of Conduct development to help your risk assessment and how your risk assessment can then inform your Code of Conduct and equally importantly, your training on it; you can begin to move towards continuous monitoring and continuous improvement in your overall compliance program. I hope you will join me as I continue to explore this insight.
[View source.]
