Infotech and the law: Step-by-step guide to creating a corporate ethics program
- By Devon Hewitt
- Nov 06, 2003
In response to Enron and other corporate debacles, and to increased federal regulation, such as the Sarbanes-Oxley Act of 2002, companies are again examining their in-house compliance and ethics programs.
Here are a number of best practices that companies are employing in their compliance programs, ensuring that an internal program actually identifies and deters corporate criminal conduct.
Senior management endorsement of ethics. Senior management has to stand behind a corporate compliance program for it to be effective. It must be supported either by the board of directors as evidenced by a resolution or similar directive, or by a written policy executed by the chief executive officer, chief operating officer or chief financial officer. And it must be distributed throughout the company.
Written code of conduct for employees. The code should be written in simple, direct language and should address the company's expectations regarding employee conduct, applicable federal and state laws and any penalties for violating the company's expectations or the law.
Training. Ongoing employee education and training is essential to avoiding criminal conduct. Training should be tailored to an employee's specific responsibilities and risks. It should be repeated or updated throughout an employee's career with the company.
Ethics or compliance officer. To convey its commitment to a compliance program, a company must place responsibility for the program's implementation and enforcement with a senior manager. The manager, moreover, should not have other responsibilities that could distract him or her from this task.
Hotline for reporting suspected violations. A company should offer a toll-free hotline by which an employee can report suspected violations of law, corporate noncompliance or wrongdoing. The company should publicize the number and reassure employees that their calls will remain anonymous. The employees should also be assured that they will be treated with dignity and respect and, to the extent that they disclose their identities, they will not suffer retribution.
Monitoring and auditing. Supervisors should record the behavior of the employees they supervise to ensure their compliance with the code of conduct. Employees should observe the conduct of their fellow employees to ensure that noncompliance is reported. The company should periodically audit cost reports and time sheets and interview personnel onsite, if appropriate.
Investigation, discipline and reward. A company must require and provide resources for the investigation of reported violations. Once a violation is substantiated, the company must take disciplinary action. The company should also revisit its internal procedures if warranted. Companies should also reward employees and managers who have complied with the company's code of ethics, such as with positive performance reviews, salary increases or promotion.
Awareness. Repetition is the key to understanding. The company should repeat its ethics message at every opportunity in order to raise awareness among its employees -- on posters in the elevators, at company functions or on table tents on the cafeteria.
Document due diligence. A company should keep a record of the actions it takes to implement a corporate compliance program, such as employee training and the substance of investigations in response to reports of misconduct.
Obviously, a corporate compliance program needs to fit the business and the risks of the firm. A program that has each of these characteristics, however, is a good place to start.
Devon Hewitt is a partner of Government Practices at ShawPittman in McLean, Va. She can be reached at firstname.lastname@example.org.