An effective ethics and compliance program starts with a well-written policy. Every policy will be unique, as each company must address the different circumstances that impact day-to-day operations. Many companies start with the basics by looking to the laws and regulations that impact businesses in a particular industry, region, country, etc. But in order to truly benefit from your investment in ethics and compliance, it’s the “above and beyond” actions that contribute to success. This post focuses on the “bare bones” structure of an ethics and compliance policy to make sure you have the basics covered. Once you have addressed each of the topics discussed below, then you can add in the extras that make your policy your own.
Start by identifying the ethical risks your company faces. An effective ethics and compliance policy provides solutions and guidance to help employees handle these situations properly. Evaluate the different industry-based or competitive pressures your company faces. You’ll also want to break your company down into different segments and address the ethical threats employees face based on their role in the company.
Here are 6 key elements that must be present in every ethics and compliance policy:
1. Complying with the law
Compliance with local and industry law is the essential part of compliance. I feel that companies need to challenge themselves by going above and beyond the law and focusing on doing the right thing, but for the sake of the policy writing, laws need to be included and referenced. You need to list the laws that apply; this way, if an employee asks where it states that something is illegal, you can direct them to the specific law in the policy.
2. Defining unethical behaviour
Provide definitions and examples of unethical activities, such as harassment, discrimination, theft, fraud, retaliation, etc. Real life examples from situations employees could encounter in the workplace are great tools for communicating what isn’t allowed at work. If your company operates under a zero tolerance attitude, make that clear.
3. A statement of integrity
Every company should promote honest business. Many companies include their mission, vision and goals for employee conduct in this section of the ethics and compliance policy. According to the Canadian Centre for Ethics & Corporate Policy,
“A code of ethics usually proposes specific principles and rules of conduct. A key objective of a code is to provide guidance on expected behavior as well as rationale for that behaviour. A code also provides a way for a company to measure and monitor performance designed to achieve objectives and to instill values.”
4. Anti-bribery, gifts and entertainment
Establish a company policy regarding gifts and entertainment. Some companies allow gifts to be sent or received if the gift is under a given value. Others eliminate them altogether to reduce confusion and the risk of being accused of bribery. This is an issue with a lot of grey area, so know the laws.
5. How to report unethical behaviour
Employees are likely to uncover unethical practices in the workplace before senior executives. To catch violators sooner, let employees know how to report misconduct. Include hotline phone numbers, Ombudsman information, website addresses and other information needed to file a complaint. This information is usually found at the beginning or end of the policy, or sometimes even both.
During some investigations, confidentiality cannot be maintained because of the discovery of a crime or the presence of a court case. With this in mind, you still want to encourage employees to report incidents internally, so let them know that confidentiality will be maintained to the highest degree possible.
Creating a Template
One of my co-workers passed along this ethics and compliance policy template to me. The template was developed by the SANS Technology Institute, and has been made available for use within organizations. The sections outlined in this template cover the majority of the issues that should be outlined in an ethics and compliance policy, but I would recommend using this as guidance only. As I mentioned at the outset of this post, make your policy specific to your company.
Don’t forget – make your policy public. Place the document on your company website to increase accountability and transparency.