Executives often talk of change being the one constant of today’s business environment. Adaptive cultures are most likely to sustain superior performance over time because they are best prepared to anticipate and adjust effectively to change. Organizations with adaptive cultures are proactive, entrepreneurial, creative and willing to take prudent risks. However, if there is one other constant for success in a rapidly changing global marketplace, it is the immutable bedrock of an unwavering commitment to ethical and responsible business behavior.
Business ethics go beyond the moral code most are taught from childhood that differentiates between what is good and what is bad. Business ethics are the principles of conduct governing an organization and the individuals within it. These principles are defined through the day-to-day behaviors of managers and employees, creating a culture in which everyone is able to observe management’s actions and reactions in response to events. These observations lead, in turn, to an understanding of how individuals throughout the organization are expected to behave in similar situations.
1. The extent to which the code of conduct is emphasized and reinforced by management in operating the company
2. The manner in which management engages the board
3. The existence of circumstances within the organization or aspects of its culture that could lead to unethical behavior
4. The existence of direct or anecdotal evidence that the CEO and senior management lack credibility with employees
5. The existence of direct or anecdotal evidence that certain business activities might be on the verge of running out of control
6. The identification of problem areas or process failures that may be a symptom of a potential ethics issue
7. Requests to waive conflicts of interests or other significant ethics requirements
8. The effectiveness of management’s follow-up on instances of code violations and noncompliance issues reported by “whistleblowers” and third parties
NOTE: For an expanded discussion of these warning signs, visit www.protiviti.com and go to the section highlighting Issue 5 of The Bulletin.
A formal, written code of conduct transforms ethical behavior into something more tangible and real in an organization. Such a code, while a best practice among many companies, is now a requirement mandated by the Sarbanes-Oxley Act, as interpreted by rules proposed by the U.S. Securities and Exchange Commission (SEC), and by the listing requirements of major stock exchanges.
Following are important steps for boards and management to consider in designing and implementing an effective code of conduct.
Set the tone
Corporate governance is not just about rules and regulations. Fundamentally, it is about corporate culture and the way a company conducts its business in an ethical, responsible way. “Tone at the top” is an often-used term because it captures the essence of where a commitment to responsible business behavior begins. It also refers to the manner in which the executive management team behaves with respect to employees, customers, suppliers, investors, creditors, insurers, regulators, competitors, auditors and other stakeholders – behavior observed by many individuals both within and outside the organization. The process by which C-level executives make decisions and the manner in which they communicate and implement those decisions can have just as significant an impact on the organization’s behavior as the decisions themselves.
Without question, the CEO sets the tone in every company. From the top, all levels of management within the organization often follow the CEO’s lead in fostering a strong ethical environment. The CEO’s commitment increases the effectiveness of company policies, processes, risk management capabilities and control systems. Perhaps most importantly, it helps to influence behavior that is not subject to even the most elaborate controls and reporting systems.
An open, fact-based and trusting culture in which responsible business behavior is expected as well as practiced at all levels of the organization is fundamental to preserving reputation and image in the marketplace. An organization’s policies may specify what management wants to happen, but the company’s culture determines what actually happens, as well as which rules are obeyed, sidestepped or outright ignored. A demonstrated commitment to an ethical business environment by executive management, starting with the CEO, is essential to provide all employees with a basis for decision making as they deal with ambiguities associated with complex business situations.
Put it in writing
Codes of conduct are written to (a) establish an organization’s expectations relative to business ethics and regulatory compliance, and (b) provide employees with assistance in the event they find themselves in situations where the “right” answer is not obvious. While a written code is a best practice and particularly important in today’s corporate governance environment, investors or the public should not infer that companies that have had one for many years are more ethically managed than companies that only recently published a code. The absence of a written code does not necessarily mean the absence of a commitment to ethical behavior. Conversely, the existence of a written code without a supporting infrastructure for enforcement does not fully define an organization’s commitment to responsible business behavior, nor does it ensure the organization will actually behave responsibly.
There are companies that have operated in the past without a written code but nevertheless have very strong cultures in which a commitment to ethical and responsible business behavior has been consistently demonstrated for many years. The operating style of supervisors, frequency and substance of senior management’s communications, openness of decision-making processes, emphasis on compliance with laws and regulations, manner in which management responds to ethical violations, existence of effective monitoring processes, and the organization’s day-to-day practices and “rituals” say more to employees about what a company stands for and its leaders’ values than the publication of a written code. While a written code formalizes certain aspects of the organization’s commitment to ethics and is an important part of the total fabric, it is neither a panacea nor a substitute for a commitment by managers at all levels of the organization to strong ethical practices.
Define a good code of conduct
For years, corporations in industries such as health care, government contracting, regulated utilities and financial services have implemented programs of corporate compliance. These programs are generally based upon a published code of conduct and follow the infrastructure outlined under Federal Sentencing Guidelines for Organizations. Most organizations have found there is no single “off the shelf” approach to implementing a business ethics program. To be effective, the program’s underlying elements should reflect the unique aspects of the organization’s culture and management’s operating style. Organizations implementing these programs to comply with recent regulatory requirements should consider the tone, style and level of authority necessary to make them part of any employee’s daily decision making.
Typically, a code of conduct includes the following:
- A statement by the CEO that the organization is committed to conducting its business with integrity in accordance with the highest ethical standards and in compliance with all applicable laws, rules and regulations. Additional wording may emphasize the proper handling of conflicts of interest between personal and professional relationships. This may include the principles that define the organization’s values when doing business – for example, an engineering services firm may state it will only accept those contracts for which it has the requisite experience and competence to service. A statement may also be included about avoiding specific illegal acts, e.g., deceptive advertising, illegal pricing practices, discrimination, etc.
- Practical examples of situations that an individual might encounter and that provide guidance to help clarify how the code should be applied in such situations.
- A discussion of the role the organization’s policies, structure, risk management and internal controls play in ensuring the above objectives are met, including the role of personal accountability. For multinational organizations, this discussion may address relevant international considerations.
- Recognition of the company's responsibilities to shareholders, employees, customers and other stakeholders, e.g., management and the board have a responsibility to recognize the importance of sustainability to its stakeholders before taking on huge risks that could take the company down if they make the wrong bet.
- Prohibitions on and/or required disclosures related to conflicts of interest, e.g., borrowing from the organization, accepting gifts from customers or vendors, related party transactions, political contributions, etc. Material transactions or relationships that could reasonably be expected to create a conflict should be reported to a designated person (or persons) for approval.
- Prohibitions of and restrictions on the use of confidential and proprietary information as well as respect for the intellectual property rights of others.
- Various corporate guidelines, including expense policies, asset usage policies, vacation policies (where the absence from a job is viewed as a control mechanism), insider trading, filing of personal tax returns, etc.
- Accountability for adherence to the code, with requirements for prompt internal reporting of violations to a designated person (or persons). The code should specify the consequences for breach of policy and unethical conduct and include provisions for reporting a summary of code violations to the board.
A written code of conduct ordinarily applies to everyone. Some organizations even extend the applicability of their code to outsiders as a condition for doing business. There may also be more detailed codes required for executives in certain positions, such as job qualifications and specific responsibilities. For example, the following points would almost certainly apply to senior executives involved with public reports:
- Responsiveness and accessibility to internal and external auditors, including prohibiting actions to limit the scope of the auditors’ work or restrict their access.
- Responsibility for the design and implementation of policies and processes to promote, as articulated by the SEC, “full, fair, accurate, timely and understandable disclosure” in public reports, including effective disclosure controls and procedures.
- Responsibility to report to management and the audit committee any disagreements between the senior financial officer and the auditors with respect to accounting principles or estimates, whether or not subsequently resolved.
- Employment prohibitions, e.g., the senior financial officer should be barred from resigning to join the external auditor until after an appropriate “cooling off” period. Similarly, the company should not recruit a senior financial officer directly from the external auditor.
- Receipt, retention and treatment of accounting-related issues reported by “whistleblowers” consistent with procedures approved by the audit committee.
In writing their codes of conduct, companies should differentiate areas warranting one-up approvals (e.g., vacation policy) from areas requiring a waiver approved by the board (e.g., conflicts of interest).
Communicate and disclose the code
Disclosure of the code of conduct has not been a consistent practice by all companies. Following are suggestions based on today’s leading best practices:
- Write the code in a way that all employees can read and understand. This includes publishing it in several languages, if necessary, and considering the education and experience level of line employees.
- Circulate the code internally to all employees on a regular basis (annually at a minimum), and require everyone to acknowledge that he or she has read the code, understands his or her responsibility to comply with it, and has reported through appropriate channels any violations he or she has observed.
- Circulate the code externally to institutional investors and other constituents.
- Publish the code on the company’s website – many companies elect to place the code within their investor relations pages.
- Publish the code in the company’s annual report (or refer readers to the company website where the code is posted).
- Post the code in break rooms, in employee manuals, etc.
- Conduct regular employee training on the code (e.g., annual reinforcement, new employee orientation, etc.).
- Conduct periodic “audits” of the workforce’s understanding of key elements of the code, including scenario-based “ethical dilemma” tests. Use the results of these audits to evaluate the effectiveness of internal communications and training.
- Require periodic compliance self-assessments of selected employees using appropriate code provisions.
Broaden the focus of the code
A code of conduct may be expanded into a broader code of corporate governance. Alternatively, the code of conduct and the code of corporate governance may be two separate documents. The broader code would include the topics reviewed above but would also address areas such as the board mission, the roles and responsibilities of the board and its committees, the rights of shareholders, the company's philosophy regarding executive compensation, and the roles and responsibilities of senior executives, including the role of and interaction with auditors. (For more information on these topics, please see our addendum to this issue of The Bulletin – “Broaden the Focus of the Code” – located at www.protiviti.com.)
Reinforce the code
A written code of conduct articulates both expected and unacceptable standards of behavior. However, a code without discipline lacks substance. Ethical behavior results from articulating standards clearly in both management communications and employee training, ensuring employees comprehend the standards through written acknowledgements, and reinforcing the standards in practice every day.
Management must take timely disciplinary action for violations. Experience has shown and the U.S. Federal Sentencing Guidelines clearly specify that organizations that do not respond strongly to violations of basic values invite further violations and foster an environment where business ethics exist in writing only. Lessons learned from such violations should be communicated to employees and reinforced through training. An internal reporting mechanism should be put in place for employees to ask questions concerning ethics issues and report ethical violations or breaches of company policy without fear of retribution.
Often these reporting mechanisms take the form of an “integrity hotline,” although some companies are creating websites to receive issues and provide reporting employees or outside parties the option of remaining anonymous.
When using these mechanisms, management should have protocols in place to handle reported violations consistently, including use of legal counsel, coordination with law enforcement, and timely reporting to senior management and the board, consistent with the Sarbanes-Oxley requirements for reporting fraud.
Management and the board should be cautious about waiving provisions of the code. A waiver can be either a formal board approval obtained in advance or a “de facto, post hoc” approval granted after a violation is reported. The same result occurs – a provision in the code of conduct has been waived rather than enforced. In both cases, the waiver should be disclosed to investors. If significant changes are made to the code of conduct, such events should also be disclosed.
The board’s role: Watch the warning signs
Over the long term, the credibility of the organization and the integrity of its people ultimately define its success or failure. The board has three responsibilities with respect to the code. First, determine that the code is consistent with values that most stakeholders will hold in the highest esteem. Second, comply with the code. Third, provide the appropriate oversight to ensure management is operating the business in a manner consistent with the code.
With respect to oversight, directors should keep an eye on key vital signs (see sidebar on cover). If a combination of these and other “red flags” is noted, the board should investigate them to determine whether there are integrity issues requiring attention at the highest levels of the organization.
Ultimately, the best test of the effectiveness of a code of conduct is whether it is practiced. When management’s preferences, value judgments and operating styles are consistent with the highest standards of ethical behavior, the organization is better positioned to sustain a quality reputation that attracts and retains the customers, talent and capital required to grow the business and create enterprise value. In every industry, strong corporate ethics breed positive business results.
Key Questions to Ask
Key questions for board members:
- Are you satisfied that the CEO and management team emulate and practice the company’s code of conduct?
- Does the board oversee management’s communication, monitoring, reinforcement and enforcement of the company’s code of conduct? Does the board have its eye on the warning signs?
- Is there a corporate governance code for the board setting forth its mission, roles and responsibilities, charter, committees, rights of shareholders, and other relevant matters?
- Has the board considered its policies and procedures for evaluating requests by management for waivers of the code of conduct?
- Does the company operate in environments that might increase the exposure to ethical violations and issues, e.g., foreign operations or an industry that is struggling?
Key questions for management:
- Are you satisfied with the tone at the top? Are the right messages being sent? Do employees see clear evidence that management “walks the talk” with respect to the company’s code of conduct? How do you know?
- Does the company have a written code of conduct? Has it been updated recently? If there is no written code, does management intend to write up a code to address applicable Sarbanes-Oxley and exchange listing requirements?
- If the code has not been updated recently, has management considered the requirements of the proposed rules relating to Section 406 of Sarbanes-Oxley that were recently released by the SEC?
- Is there an effective compliance infrastructure in place to reinforce and enforce the code of conduct as well as ensure satisfactory follow-up on code violations?
Bulletin (Volume 1, Issue 5)