Ask an Expert

This section is dedicated to answering member questions—from the actual experts populating the site with content. When you really think about it, how cool is that?!

There is no fear of embarrassment or announcing sensitive company information, as all public posts are cleansed of personal information. Get practical advice specific to your own challenges without the need to sift through more generic lessons.

Access to industry expertise, personalized to your needs, right at your fingertips.

  • We're about to launch our first Code of Conduct. We're looking at multiple channels to get the word out, but could use more. Any success stories/strategies on rolling out a Code of Conduct?

    Answered by: Elizabeth Lewis, Content Director at NAVEX Global

    First of all, congratulations! Completing a Code of Conduct project is a significant accomplishment. It not only represents a commitment to an ethical culture, but also the shared efforts of many stakeholders. It deserves a well-planned launch, and leveraging multiple channels to get the word out is a great strategy.

    Consider starting early. We’ve seen companies tee up the launch with a set of rotating images from the Code and inspirational quotes from those who worked on it loaded onto company monitors. A video or series of podcasts from your CEO, your compliance officer, your HR director and other leaders can also help to set the stage and send a powerful advance message about your Code.

    “Coming soon” posters in common areas, a banner in your lobby or announcements on your company intranet – all are ways we’ve seen companies generate conversation around their Codes in the weeks leading up to the launch.

    On launch day, in addition to an announcement at a company meeting or town hall, why not throw a launch party to usher it in? We’ve heard of companies hosting games and contests that require employees to navigate their way through the Code and rewarding them with water bottles or other incentive items branded with the Code name or theme.

    Don’t forget those outside of your company like customers, business partners, shareholders and prospective employees. An announcement about the release of your new Code on your corporate website can help reinforce the emphasis you place on high ethical standards.

    Keep the Code alive post-launch through training bursts or quarterly awareness campaigns focused on Code topics. Distribute Code-at-a-Glance brochures to new hires. Post “What If” ethical dilemmas on your intranet and let employees weigh in – keep the conversation going. These kinds of strategies help companies keep their Codes top-of-mind and relevant.

  • We have just finished bench-marking our hotline data for FY 2017 and while our data tracks very close to other companies in the major categories, we want to reduce the number of HR complaints that are not suited for the hotline and where employees should really contact their local HR resources with those issues. We also want to encourage employees to come forward as anonymous reports can be difficult to investigate. Does anyone have any strategies that have been successful in this area?

    Answered by: Matt Kelly, Editor and CEO at Radical Compliance

    When in doubt, offer guidance: examples, tips, and other information, all to help employees place their concerns in the context you provide.

    The trick is in offering enough guidance to be useful, but not so much that the employee feels disempowered or confused. For example, you don’t want to offer so many examples, in so much detail, that the employee thinks, “Hmmm. My concern isn’t listed here, so I guess the hotline isn’t designed for it.” That’s the mistake of over-guidance, where you emphasize the importance of procedure (how to use the hotline) so much that it eclipses the overriding objective (alert management to potential misconduct).

    Remember, the hotline is a tool for employees. So you want to give enough guidance that they understand how to wield the tool properly, and also understand that they’re permitted to use it in any situation that arises where the tool might help.

    On a practical basis, you can “nudge” employees into certain behaviors with the hotline, via well-placed and well-phrased guidance. For example, you know those forms you fill out, and at the end you encounter a question, “Are all the statements you made today truthful?” Research shows that people are likely to be even more truthful if you place that question at the beginning of a form: “Do you promise to answer all questions today truthfully?” (Consider the book Nudge, by Cass Sunstein, if you want to geek out on this research; there’s lots of it.)

    Now apply that concept to hotline use and the concerns you cited above. Perhaps you can ask a question at the start: “Do you want to tell us your name, so that we can contact you with further questions?” And perhaps to be thoughtful, at the end of their submission, ask again, “We want to be able to follow up with you. Will you still include your name so we can reach out?”

    You can also give examples of common HR issues, and pathways to steer employees to HR with those concerns. For a telephone-only hotline, you could include those materials in training, or some visual examples on posters hung in the breakroom listing the hotline phone number. For web-based, interactive hotline reporting mechanisms, you can give those examples early in the intake process (“Does your concern seem similar? If so, you can always approach your local HR manager. He or she will be able to help.”)

    Indeed, with web-based technology, you can even design questions to help you, the compliance function, understand that this is an HR concern, and then route the issue to the HR department. (Ideally, you’ve also become best friends with the HR department, so that on the off-chance they do receive a serious compliance concern by mistake, they route the issue back to you.)

    And of course, you should be performing analytics on your hotline activity to understand the types of HR concerns you commonly receive. (Sounds like you’re already doing some of that, if you’re benchmarking to NAVEX hotline data.) Those analytics can inform the guidance you might incorporate into hotline training or other “pre-submission” materials — so employees will still use the hotline, but in ways that help you, too.


  • I have been working with my sister in the same department for the last 24 years in day shift. Recently I applied for a supervisory position for night shift. Is this a compliance and ethics issue?

    Answered by: Matt Kelly, Editor and CEO at Radical Compliance

    As with so much else in life, this situation could raise ethics and compliance issues, depending on the circumstances.

    Assuming you get the job, the question is whether you could then use your supervisory role to benefit or harm your sister’s position at the company. Notice we didn’t phrase the previous sentence as whether you would — because if you would, that’s an ethics problem right there. The correct question is whether you could: whether the supervisory job would give you that power at all.

    For example, even if you supervise the night shift, presumably you’ll sometimes talk with the supervisor of the day shift — your sister’s boss. In theory, you could use that newfound relationship to exert undue influence over your sister’s position. You could also feed information back to her, perhaps giving her advance notice of job cuts or passing along rumors about that vice president who’s about to be fired.

    Again, we’re not saying that you personally would commit these types of misconduct. But from the company’s perspective, some manager with a sibling on the other shift could do these things. So the company needs to implement proper policies and procedures to assure that those abuses don’t happen.

    At the least, that means you should have no power to review your sister’s job performance and decide questions of pay. Ideally it should mean you don’t discuss any work matters regarding your sister with the day-shift supervisor, or even HR or other parts of the company. Also remember that this confidentiality goes the other way, too: you can’t discuss sensitive work matters with her, either.  

    The challenge here is that the company can create all the policies it wants; enforcing them will still largely depend on your own self-discipline, because you’ll always know how to communicate with your sister. What’s more, in the grand scheme of life, loyalty to your sibling is (almost always) more important than loyalty to your employer. If you deal with extremely sensitive information that could have significant impact on your sister’s life, or work in a fast-changing business where your sister might find herself out of a job quickly, or you work with another manager who wants to make a sexual come-on to her — can you always be sure that you’ll know what the right thing to do is?

    My point is that it’s possible the company will decide that the necessary safeguards to give you the night-shift job aren’t worth the disruption. That’s tough to hear, but the company’s foremost interest is to keep the business working as efficiently as possible. That requires them to balance competing interests, and the equation may not work out in your favor. It’s nothing personal, but it’s possible. Good luck.


  • Any ideas on how to incorporate ethics into a performance review?

    Answered by: Mary Bennett, VP Advisory Services at NAVEX Global

    We have seen several ways to do this, but the most verifiable are probably adding the employee and/or manager responsibilities from your code of conduct to your review tool. For example, “Read and understand the Code” can be evaluated by ensuring the employee completed an attestation affirming s/he read it and understood it.  During the review, the manager can ask a couple of code-based questions to ensure true understanding of the code. “Use good judgment and avoid even the appearance of misconduct” may be somewhat more subjective; however, a good manager will be able to evaluate this behavior in his/her staff. The manager can also ask the employee to provide examples that support good performance of this responsibility. For managers, the responsibility to “set a good example” is a common inclusion in codes. The reviewing manager should be able to evaluate this, hopefully based on notes s/he has made and filed throughout the year. This also is a good criterion to invite examples from the employee being evaluated. Of course, “Comply with the Code and the law” should be one of the criteria, since behavioral standards are an important tool in defining the ethics you want to measure.

  • I've been researching what hotline/helpline information other companies share with their employees. Some provide specific information only to their own employees (via intrasite, etc.) while different information is available to the public. For benchmarking purposes, how can I determine what hotline/helpline information should be disclosed internally to our own employees in order to increase hotline use?

    Answered by: Carrie Penman

    There really is no such thing as providing that type of information internally only. Every organization should assume that what they put on the intranet site about their HL reports will be shared by employees outside their organization. With that assumption, we recommend that at least annually organizations publish overall statistics on the numbers and types of issues received and resolved. Care should be taken on discussing specific discipline data but instead note that as a result of issues raised, a range of disciplinary actions have been taken. It is also important to use this opportunity to highlight that these reports were taken seriously and appreciated. Finally, we also recommend publishing sanitized cases as part of an ongoing communications plan.

  • I have a 'best practice' question: A chief compliance officer at a global company asked me if web-only reporting might be on the horizon. In other words, he inquired whether hotline reporting by phone might be phased out (eliminating expense, overhead, etc.). Thoughts?

    Answered by: Matt Kelly, Editor & CEO at Radical Compliance

    The short answer is that in the purest, technical interpretation of corporate governance law and SEC rules, a company isn’t required to provide a telephone hotline as one reporting option. But you would need ironclad arguments demonstrating why your organization no longer needs a telephone hotline, and never will in the future.

    Let’s start with the letter of the law and the rules. Section 301 of the Sarbanes-Oxley Act says that companies (specifically, the audit committee) must establish procedures for “confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.” To implement that section of SOX, the Securities and Exchange Commission then adopted Exchange Act Rule 10A(m) for publicly traded companies—which just took Section 301 word for word, and turned it into an SEC requirement.

    You’ll notice the words “telephone” and “hotline” aren’t in the above paragraph. As the SEC said in its adopting release back in 2003, that’s by design:

    “We are not mandating specific procedures that the audit committee must establish… Given the variety of listed issuers in the U.S. capital markets, we believe audit committees should be provided with flexibility to develop and utilize procedures appropriate for their circumstances… We expect each audit committee to develop procedures that work best consistent with its company's individual circumstances to meet the requirements in the final rule.”

    So by the letter of the law, you don’t need to offer a telephone hotline. The real question is whether you can fulfill the spirit of Section 301 without offering a telephone hotline.

    That’s a difficult argument to make. I would even say that global companies with thousands of employees and diverse operations have a more difficult time making it, because your organization is more complex. Do all your employees have easy access to the Internet at all times? Will all of them, in every country where you operate, feel confident that online channels still protect anonymity?

    Perhaps a company could make that argument. For example, if you get a constant flow of online reports but nothing over the phone, and no reports of retaliation from someone who rooted out an online identity; then, maybe, you could argue that the telephone line should be retired. But you won’t just need to make a convincing argument to your board or CFO—if the worst happens, you’ll also need to make that convincing argument to the SEC or other regulators, wondering why you retired the phone line.

    The crucial issue is whether retiring a telephone hotline might impede someone’s ability to submit an anonymous report of misconduct—and lots of people get very skittish about protecting their anonymity when speaking up. Some day in the future, when we all have strong anonymizing software running on microchips implanted directly in our brains, then a telephone hotline will be obsolete. Is that day on the horizon? For most large companies, I wouldn’t risk it just yet.

  • What should I tell my employees about the purpose of ethics and compliance training? They say they don’t need to take the training because they already know right from wrong and took it last year.

    Answered by: NAVEX Global

    You should tell them that, in the business world, as in life, decisions are not always black and white. Training is provided to help guide their decisions and actions, especially in gray zones. Training is one of the controls we have in place to lessen organizational risks by explaining what is right to do. Also it reinforces awareness of the tools and resources available to help employees make the best decisions. Training supports the compliance program goal to prevent, detect and correct potential misconduct before it causes damage to our colleagues, our stakeholders and our organization. That helps to keep the organization healthy and our stakeholders happy.

    There are a few reasons why training needs to be repeated. First, there may be changes in our organization’s risk profile that require additions or changes to our standards. Employees need to know about them. Second, information must be repeated several times before people can remember it when they need it. This is why you will see periodic communications throughout the year from ethics and compliance to reinforce the training. Third, there may be industry or organizational events that warrant highlighting different topics. And finally, annual training shows an organizational commitment to doing the right thing and to making sure the work force understands what that means.

  • A member of my team is under investigation for harassment. It’s supposed to be confidential, but a lot of people seem to know about it. What steps should I take now?

    Answered by: NAVEX Global

    If it seems that the investigation has become a common topic of discussion (or gossip), consider holding a brief meeting with your team. Point out that investigations are part of a healthy process, but that the details of an investigation should be confidential. Employees should not be sharing sensitive information while the investigation is taking place. That said, keep in mind that employees may, depending on their status and which country they work in, have the legal right to discuss things that would affect their terms and conditions of employment. Therefore, before outright prohibiting discussions about the investigation, check in with your legal team for guidance.

  • We are revising our gifting policy and want to establish maximum values above which officer approval would be required. What are the levels other companies have set?

    Answered by: Randy Stephens, VP of Advisory Services at NAVEX Global

    While I have not conducted a scientific study or survey, I have reviewed numerous gift and entertainment policies for clients. I have seen various levels depending on the policy of the organization. The most liberal gift, entertainment and travel (GET) limits are “reasonable” but no dollar amount. The most stringent levels are “zero tolerance” or no gift allowed. The bulk of policies tend to have limits in between these two extremes and they use some level of dollar amounts. I regularly see $75, $100 or $250 as a limit on acceptable GET without the need for officer approval. Nevertheless, even in cases where the GET is below a dollar limit, there may be other requirements associated with approval. For example:

    • Most prohibit cash or cash equivalents.
    • Must be reasonable and customary in the industry and geography.
    • Must have a demonstrable business purpose. Some require the giver and the recipient to be present at the entertainment or travel.
    • Must not be offensive or exclusive (for example, a gentleman’s club or an otherwise exclusive club which might refuse membership based on race, gender, etc.).
    • Some policies have a cumulative annual limit from the same firm or giver. This would prevent a law firm from giving seven $50 dinners to evade a $250 GET limit.
    • Most prevent GET to or from foreign government officials without approval.

  • We are increasing our focus on anti-retaliation efforts and are an organization of approximately 45,000 employees. What best practices are recommended?

    Answered by: Matt Kelly, Editor and CEO at Radical Compliance & Mary Bennett, VP Advisory Services at NAVEX Global

    You don’t specify exactly what anti-retaliation efforts you want to increase, so I’ll answer your question in broad terms. Anyone wanting to improve anti-retaliation programs should look at how your organization handles two subjects: training, and reporting.

    Successful training is really about how you communicate the importance of two points: (1) misconduct is frowned upon at the company; and (2) we want people to speak up about misconduct when they see it. What’s more, you need to think about how those messages reach two different groups: employees who might experience retaliation, and managers who might be tempted to do it.

    The good news is that most people like those two messages above; people generally want to be ethical, and want to help their organizations succeed. So start by framing retaliation as one type of misconduct among many that the company doesn’t want to see, and that employees should feel comfortable calling out when they see it.

    Managers need a bit more thought. Some might not understand what retaliation is from a legal standpoint (especially possible for overseas managers). Others might not know where the line exists between matters they can handle themselves, and matters that require a more formal investigation from your office. Some might believe they are trying to help the company, by stifling “troublemakers” who could embarrass the company by airing dirty laundry.

    All those behaviors need training more nuanced than saying, “Retaliation is bad and we will punish managers who do it”—which can come across as intimidating, and may even drive some managers to cover up retaliation rather than report or admit it. You may even want to survey your managers somehow to assess their familiarity with retaliation, investigations, reporting, and employee discipline.


    Reporting, in contrast, is more about how you configure your internal reporting mechanisms to help you understand where anti-retaliation risk exists. You want to catalog as much information about the reports as possible: the number of retaliation complaints you get in absolute terms, the percentage relative to total complaints, the year over year change, the number of managers against whom retaliation complaints are filed, and so forth.

    Metrics like those get you closer to answering the questions, “How is our culture? Does it respect ethics & compliance? Is our training working?”

    That can get tricky because most complaints about misconduct don’t come through hotlines; they come through managers. So you need to look at your whole system for reporting incidents of any kind, and how you can gather all your incident reporting data in a way that lets you find the telling details that suggest problems with anti-retaliation.


    A best practice approach to anti-retaliation includes five familiar elements:

    1. Policy. Ensure that you have a clearly written policy statement against retaliation for reporting concerns or participating in an investigation. This may be a free-standing policy or standard that is included in your code of conduct and potentially repeated in other policy documents, such as your anti-harassment policy and employee handbook.
    2. Reporting. The 2016 NAVEX Global annual hotline benchmark report revealed a much lower rate of reporting for allegations of retaliation (0.91%) than for all other types. At the same time, data released by the EEOC for FY 2015 showed retaliation to be the most frequently filed charge of discrimination, making up 45% of all private sector charges. It appears that employees report their concerns of retaliation externally much more often than internally. Therefore, it is critical to ensure employees know the internal resources available for reporting and are encouraged to use them.
    3. Training and reinforcement communications. All employees must be trained on the anti-retaliation policy and what to do if they experience retaliation or see it going on. The policy should be reinforced in periodic communications to drive home the organization’s commitment and to ensure that all staff knows that retaliation can come from a peer as readily as from a manager. All management should be trained to avoid retaliating themselves and to recognize and address it appropriately in the workplace.
    4. Monitoring. Many organizations require management to implement ongoing monitoring for any identified employee who has reported a compliance concern or participated in an investigation. In this situation, the employee’s manager is required to check in with the staff member monthly for 3-6 months, then periodically for up to a year, after the report/investigation event to inquire whether the employee has experienced anything believed to be retaliatory.  If the staff member confirms they have had such an experience, the manager must report it to the compliance office promptly for next steps. Performance of this monitoring is evaluated in the manager’s annual review.
    5. Investigation and discipline. The NAVEX hotline benchmark report revealed a lower rate of substantiation (26%) than the overall median substantiation rate for all allegations (41%). It is best practice to ensure the quality of investigations is consistently good and that investigators are properly trained so that substantiation rates are optimal. Disciplinary action taken against retaliators should be shared in some de-identified form with the employee population. This may consist of sanitized case studies or annual communication of organizational reporting statistics. However it is released, employees need to know that retaliation is taken seriously and retaliators do suffer negative consequences for their actions. 