The Code of Conduct – A Cornerstone for Effective Governance

In today’s rapidly changing environment, two things are needed to achieve sustainable success. First, adaptive and agile organizations and cultures are most likely to sustain superior performance over time because they are best prepared to anticipate and adjust effectively to change. Organizations with adaptive cultures are proactive, entrepreneurial, creative and willing to take prudent risks. Second, if there is one other constant for success in a dynamic global marketplace, it is the immutable bedrock of an unwavering commitment to ethical and responsible business behavior. These two attributes position companies to face change with confidence.

Business ethics reach beyond the moral code most are taught from childhood that enables us to differentiate between what is good and what is bad. Business ethics are the principles of conduct governing an organization and the individuals within it. These principles are defined through the day-to-day behaviors of managers and employees, creating a culture in which everyone is able to observe management’s actions and reactions in response to events.

The focus here is on observable actions, as they speak much louder than anything an organization’s leaders say. These observations lead, in turn, to an understanding of how individuals throughout the organization are expected to behave in various situations. In essence, business ethics help shape the tone at the top, as well as the tone in the middle. Both must be aligned to ensure principled behavior.

A formal, written code of conduct transforms ethical behavior into something more tangible and real in an organization. While a code has been considered a leading practice for a long time among many companies, it is now a requirement of the U.S. Securities and Exchange Commission (SEC) and by the listing standards of major stock exchanges. Companies are required to disclose their code on their websites.

That all said, even Enron had a world-class code of conduct. Words mean little by themselves. Below, we discuss a few steps for boards and management to consider in designing and implementing a code of conduct that is more than a montage of words.

Set the Tone

Governance is not just about rules and regulations. It is about corporate culture and the way a company conducts its business in an ethical, responsible way. “Tone at the top” is an often-used term because it captures the essence of where a commitment to responsible business behavior begins: with the CEO. From the top, the executive team follows the chief executive’s lead in fostering a strong ethical environment in their various dealings with employees, customers, suppliers, investors, creditors, insurers, regulators, competitors, auditors and other stakeholders – behavior observed by their direct reports and, either directly or indirectly, by many other individuals both within and outside the organization.

Simply stated, the process by which C-suite executives make decisions and the manner in which they communicate and implement those decisions can have just as significant an impact on the organization and its culture as the decisions themselves.

An open and empowering culture in which responsible business behavior is expected, as well as practiced at all levels of the organization, is fundamental to preserving reputation and brand image in the marketplace. An organization’s policies may specify what the board of directors and management want to happen, but the company’s culture influences what actually happens, as well as which rules are obeyed, sidestepped or ignored. That is why an effective tone at the top is so essential to provide employees a framework for decision-making as they deal with the inevitable ambiguities associated with complex business situations.

Put It in Writing – But Don’t Stop There

Codes of conduct are written for two reasons:

• To establish the organization’s expectations regarding ethical behavior and regulatory compliance.
• To provide employees with core values and other guidance in the event they find themselves in situations where the “right” answer may not be obvious.

While a written code is certainly preferable, there is no evidence that the investor community or the public at large have inferred that companies that have had a code for many years are more ethically managed than companies that only recently published a code. The absence of a written code does not necessarily mean the absence of a commitment to ethical behavior. Conversely, the existence of a written code without a supporting infrastructure for enforcement does not fully define an organization’s commitment to responsible business behavior, nor does it ensure the organization will actually behave responsibly when the crucial moment presents itself.

The operating style of supervisors, the frequency and substance of executive management’s communications, the openness and transparency of decision-making processes, the emphasis on compliance with laws and regulations, the manner in which management responds to ethical violations, the existence of effective monitoring processes and the organization’s day-to-day practices and rituals say much more to employees about what a company stands for and its leaders’ values than the publication of a written code. While a written code formalizes certain aspects of the organization’s commitment to ethical behavior and is an integral part of the governance process, it is neither a panacea, nor a substitute for a commitment at all levels of the organization to align personal interests with the organization’s interest.

Make the Code Robust

Most organizations find there is no single off-the-shelf approach to implementing a business ethics program. To be effective in making the program a part of an employee’s day-to-day decision making, its underlying elements should reflect the unique aspects of the organization’s culture, operating style and business model.

Typically, a code of conduct includes the following:

• A statement by the CEO that the organization is committed to conducting its business with integrity in accordance with the highest ethical standards and in compliance with applicable laws, regulations, internal policies and contractual obligations. Additional language may emphasize the proper handling of conflicts of interest between personal and professional relationships. A statement may also be included about avoiding specific illegal acts, e.g., deceptive advertising, illegal pricing practices, discrimination, harassment, etc.
• Practical examples of situations that an individual might encounter and that provide guidance to help clarify how the code should be applied in such situations.
• A discussion of the role the organization’s policies, structure, risk management and internal controls play in ensuring the organization’s business objectives are met, including the role of personal accountability. For multinational organizations, this discussion may address relevant international considerations.
• Recognition of the company’s responsibilities to shareholders, employees, customers and other stakeholders, e.g., management and the board have a responsibility to recognize the importance of sustainability issues to their stakeholders before taking on huge risky bets.
• Prohibitions on conflicts of interest, e.g., borrowing from the organization, accepting gifts from customers or vendors, entering into transactions with unapproved related parties, making political contributions, entering into relationships with unvetted third parties, etc. Material transactions or relationships that could reasonably be expected to create a conflict of interest should be reported to a designated person (or persons) for approval.
• Prohibitions of and restrictions on the use of confidential and proprietary information, as well as respect for the intellectual property rights of others.
• Various corporate guidelines, including expense policies, asset usage policies, third-party relationship due diligence, vacation policies (where the absence from a job is viewed as a control mechanism), insider trading, filing of personal tax returns, etc.
• Accountability for adherence to the code, with requirements for prompt internal reporting of violations to a designated person (or persons). The code should specify the consequences for breach of policy and unethical conduct and include provisions for reporting a summary of code violations to a designated committee of the board of directors.

A written code of conduct applies to everyone in a “boundaryless” organization. In a global marketplace, the code should extend to outsiders as a condition for doing business. There may also be more detailed code provisions required for executives in certain positions, such as job qualifications and specific responsibilities. For example, the SEC stipulates certain code provisions directed to senior executives involved with public reporting.

In writing their codes, companies should differentiate areas warranting one-up approvals (e.g., vacation policy) from areas requiring a waiver approved by the board (e.g., conflicts of interest).

Communicate and Disclose the Code

The following are suggestions for communicating and disclosing the code:

• Write the code in a way that all employees can read and understand. This includes publishing the code in several languages, if necessary, and considering the education and experience level of line employees.
• Circulate the code internally to all employees on a regular basis (annually at a minimum), and require everyone to acknowledge that he or she has read the code, understands his or her responsibility to comply with it and has reported through appropriate channels any violations he or she has observed.
• Circulate the code externally to institutional investors and other constituents. Publish the code on the company’s website (e.g., within the investor relations pages) and in the company’s annual report or, alternatively, refer readers to the company website where the code is posted.
• Post the code in break rooms, in employee manuals, etc. Conduct regular employee training on the code, e.g., annual reinforcement, orientation for new hires and experienced staff, etc.
• Conduct periodic “audits” of the workforce’s understanding of key elements of the code, e.g., scenario-based “ethical dilemma” tests. Use the results of these audits to evaluate the effectiveness of internal communications and training. Require periodic compliance assessments of selected employees using appropriate code provisions.

Reinforce the Code

A written code of conduct articulates both expected and unacceptable standards of behavior. However, a code without discipline lacks substance. Ethical behavior results from articulating standards clearly in both management communications and employee training, ensuring employees comprehend the standards through written acknowledgements and reinforcing the standards in practice every day.

In the event of violations, management must undertake timely disciplinary action. Experience has shown, and the U.S. Federal Sentencing Guidelines clearly specify, that organizations that do not respond strongly to violations of basic values invite further violations and risk fostering an environment where business ethics exist in writing only. That’s not good enough. Lessons learned from such violations should be communicated to employees and reinforced through training. An internal reporting mechanism should be in place for employees to ask questions concerning ethics issues and report ethical violations or breaches of company policy without fear of retribution.

Often, these reporting mechanisms take the form of an “integrity hotline,” although some companies are creating websites to receive issues and provide reporting employees or outside parties the option of remaining anonymous. When using these mechanisms, management should have protocols in place to handle reported violations consistently, including use of legal counsel, coordination with law enforcement, and prompt reporting to senior management and the board of directors.

Management and the board should be cautious about waiving provisions of the code. A waiver can be either a formal board approval obtained in advance or a de facto, post hoc approval granted after a violation is reported. The same result occurs – a provision in the code of conduct has been waived instead of enforced. In both cases, the waiver should be disclosed to investors. If significant changes are made to the code of conduct, such changes should also be disclosed.

Summary

Ethical expectations of business have been on a steady rise for some time, and organizations must meet these expectations. Executive management and the board need assurance that, no matter how demanding the performance expectations, employees will focus on doing the right thing. It is one way these demanding organizations can face the future with confidence. To that end, we’ve discussed the importance of setting the proper tone for responsible business behavior, writing the code of conduct, making the code robust and communicating, disclosing and enforcing the code.