Ethics: Why Have Codes of Ethics?
The Enron situation has caused all of us to look closely at business structures and at the ethics of business. Consumers have high expectations for the ethical standards and practices of financial institutions. We recently interviewed Sue Walters of Kraemer and Walters, LLC to get her views on ethics. Kraemer and Walters, LLC, is a firm that specializes in providing compliance and risk management support to mid-size and large institutions. They have dealt frequently with questions of business ethics and the policies and procedures businesses should have in place.
What can we learn from Enron?
While the saga of Enron continues to unfold, a report issued by a special committee of Enron's board makes it clear that an "across-the-board failure of controls and ethics at almost every level of the company" contributed to the organization's failure. The report cites: "a flawed idea, self-enrichment by employees, inadequately designed controls, poor implementation, inattentive oversight, simple (and not so simple) accounting mistakes, and overreaching in a culture that appears to have encouraged "pushing the limits" as causal factors. The report states, "Our review indicates many of these consequences could and should have been avoided."
To protect yourself, and your institution from these pitfalls, a review of your Code of Ethics and its administration is timely.
Why is a Code of Ethics important?
A Code of Ethics is important on many levels. It sets the "tone from the top" of the company's culture. An effective Code of Ethics establishes the ethical expectations for employees and management alike, and sets forth the mechanisms for enforcement and consequences of noncompliance. When the Code is perceived as an integral component of the organization's culture, is understood, followed and enforced, it can provide protection for the organization from the actions of a "rogue employee" under the Federal Sentencing Guidelines.
What should a Code of Ethics contain?
First of all, your institution's Code of Ethics must reflect your organization's policies, controls and processes. While it may be tempting to short-cut the process by "borrowing" policies from other institutions under the guise of following "best practices", unless those policies, controls, and processes adequately reflect your institution's unique organization and business practices, the Code will not be effective in providing guidance or offering protection.
Depending on your regulator, there may be specific requirements for contents in a Code of Ethics. In general, at a minimum, the Code should contain policies on: conflicts of interest, insider trading, gifts and hospitality, information security and privacy, recordkeeping, cooperation with investigations and audits, and, of course, a "whistleblower" provision. The whistleblower provision establishes procedures whereby employees can report, without fear of reprisal, suspected illegal or unethical activities by others within the organization. And, in light of current events, it would be wise to include in the Code the company's policies regarding political activities, particularly those concerning lobbying and political contributions.
The Code should set forth the process for its administration, including mechanisms to disclose and document any potential conflicts of interest or to obtain waivers from any particular policy or provision. It should also provide guidance to assist employees and ethics program management in evaluating specific circumstances, with the standard for behavior being: if all the facts and circumstances regarding the matter were made public, would the employee involved and the organization be proud to be associated with the activity? Additionally, the Code should provide referrals to resources on where to go for further information or guidance. You may want to consider having a separate Code of Ethics for your board of directors. There are many transactional components within an organization's Code that may not have applicability to outside directors, and conversely, there may be additional requirements that pertain only to board activities. Similarly, it may be appropriate to extend certain provisions of the Code beyond employees, to vendors, contract workers, service providers, counter-parties or related organizations.
How should a Code of Ethics be administered?
Here again, there is no "one size fits all" solution. In some companies the general counsel has oversight and administrative responsibility. In others, the responsibility rests with Human Resources, Risk Management, Audit, or Compliance. In other organizations, a special Ethics Committee is empowered specifically for purposes of oversight and enforcement. Regardless, of where the accountability lies organizationally, the important considerations in choosing an administrator are that: (1) accountability is clearly assigned, (2) the designated administrator has the organizational stature necessary to facilitate enforcement, and (3) it is assigned to someone who does not have a propensity to engage in illegal or unethical activities.
Important components of the administration of the Code include initial and on-going training and awareness efforts, with visible executive management participation and support; employee acknowledgment of receipt, understanding, and compliance with the Code; standards for documentation of exceptions; standards for investigation of suspected or reported wrongdoing; consistent enforcement; and, finally, periodic review of the Code to ensure that it is comprehensive and reflects the current organizational structure and business practices.
Issues to consider for a Code of Ethics:
- Employment conflicts and whether employees may work for other companies.
- Relationships of employees with other businesses in the market area. Laws, such as RESPA and Regulation O, give a framework for issues to consider.
- Acceptable types and value of gifts to give and receive.
- Reward and compensation systems.
- Work quality and productivity expectations.
- Representation of the institution (loyalty) outside of work.
ACTION STEPS
- Review your Code of Ethics. If you don't have one, take steps immediately to develop a Code of Ethics.
- Work from the top down and the bottom up. Find out what the Board of Directors and Senior Management expect from staff. Also find out what staff thinks the prevailing ethics standards are in your institution. If there is a gap, you need to take steps to close it.
- This is an excellent time to brief the Board on ethics and gain their support for a strong Code of Ethics. Schedule time for a Board briefing, attach this article to the Board materials. Try to leave time for discussion so that you can find out what the Directors expect.
- Review and compare your institution's marketing materials and sales programs with the stated Code of Ethics. Look for stress points. Then find out whether these stress points are managed or result in problems of an ethical nature.
- There is more to ethics than ethics. Consumer protection laws set a standard for customer treatment. Look at your most recent compliance audits and examination reports for issues relating to ethics.
- Review and revise your Code of Ethics. Use a team whenever possible. Make sure that the management of the Code is ongoing and active.
- Ask the ultimate question: if all the facts and circumstances regarding the matter were made public, would the employee involved and the organization be proud to be associated with the activity? If the answer is yes, you've done a good job.
Copyright © 2002 Compliance Action. Originally appeared in Compliance Action, Vol. 7, No. 6, 5/02