The Society of Corporate Compliance and Ethics’ Code of Professional Ethics for Compliance and Ethics Professionals[2] sets a standard for all of us working in this field. To offer perspective, the following primer answers: what is the code about and what guidance does it offer us?
Background of the Code
The objective of the code was to set a standard for compliance and ethics professionals (CEPs) who promote ethics and compliance in companies and other organizations. This is a growing, global profession, and one that plays an increasingly important role in our society.[3] The standards are drawn from reviews of ethical standards in other fields, including the Health Care Compliance Association’s Code, which was written by Jan Heller, Mark Meaney, Jeffrey Oak, and myself. The original draft of the SCCE code was written by a committee of six members of the SCCE advisory board: Joe Murphy and Rebecca Walker, co-chairs, Urton Anderson, Michael Horowitz, Shelly Milano, and Marjorie Doyle. The draft was reviewed by the SCCE board and circulated to all SCCE members for comment. Valuable input from the membership was incorporated into the final version.
The code reflects the experience of other professions, in that the existence of ethical standards can strengthen those who work in a specific field by giving them external support for doing the right thing. It is a hallmark of a profession to set standards that address what is distinct about that field and the obligations that are part of that profession. It should be noted, however, that these rules are not a matter of law and are not binding on the companies who employ us. Rather, they are adopted by those of us in the profession as a mark of our commitment. However, companies may well want to adopt these standards for their CEPs as a sign of their commitment to having a vigorous compliance and ethics program.
Presented here is a brief overview of the code. For guidance on any questions, you should always refer to the actual code language; the full text of the code appears in the article immediately following this article. It is also available in a number of different languages on the SCCE website.
The code consists of four elements:
Preamble: This introduces the code and makes the important point that those in the compliance and ethics profession serve a critical role in helping to prevent and detect misconduct in organizations, and in promoting ethical conduct.
Principles: These are broad standards that set the framework for the detail provided in the specific rules.
Rules: These are specific standards and set the minimum level of conduct for CEPs.
Commentary: These are very important explanations and examples, designed to deal with specific questions. The drafters of the code did not want to create a document that simply sounds nice but does not provide practical answers to real-world questions. Instead, the objective was to address dilemmas we know practitioners face and provide specific guidance. Thus, the commentary is an essential part of the code.
The preamble sets the tone of the code and spells out some key definitions. One particularly important term that appears throughout the code is misconduct. This term includes both illegal and unethical conduct; it is not limited to violations of legal rules. This highlights that the work of CEPs is not just about complying with the minimum the law requires; we also seek an ethical culture in our organizations. This perspective can also be seen in the Sentencing Guidelines standards, as amended in 2004 to include as an aspect of a compliance and ethics program that the program “otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”
The code also defines “highest governing body” to make clear that when escalation is necessary, the CEP needs to reach the highest point in an organization, where the ultimate power resides. In a complex organization this can be the parent company’s board, not just the board of a subsidiary.
After the preamble, the code is then divided into three sections, each based on a principle. The principles reflect our duties to three groups: the public, our clients, and the profession. As a profession, there is necessarily a duty to the public, which is the first obligation. While we certainly have a duty to those who pay us for our work, we also have a duty that transcends the paycheck. The second is to our clients—those who have hired or retained us to assist in their compliance programs. As the code makes clear, this duty is to the organization, not to management or any individual managers. The third is to the profession of compliance and ethics, including advancing the effectiveness of programs and promoting professionalism in this field. The following is a review of the code’s provisions, organized by principle.
Principle I: Obligations to the Public
Rule 1.1: This rule sets out what most would consider an obvious point: we may not help or be part of any misconduct.
Rule 1.2: CEPs must take the steps necessary to prevent misconduct—this is not a passive standard. CEPs cannot simply sit back and wait for others to seek advice. They must reach out to ensure the organization is acting properly and do what is necessary to head off misconduct. This also reflects the approach of the standards for compliance and ethics programs, such as those found in the Federal Sentencing Guidelines and the OECD Good Practice Guidance. If a program is passive, it does not meet the standards. Logically, the same is true for a CEP. The commentary adds that while the CEP must be active, the actions must be legal and ethical. If improper actions of a client cannot be stopped, the commentary takes the CEP to rule 1.4.
Rule 1.3: In a government investigation, the CEP needs to exercise sound judgment. It should be noted, however, that this reference is qualified by referring to legitimate government investigations. This recognizes that governments are composed of human beings and not all government actions may be legitimate. The standard thus leaves room to challenge government actions where there is a good faith basis to do so. However, as the commentary makes clear, it is never permissible to lie or obstruct investigations.
Rule 1.4: If a CEP becomes aware of proposed misconduct, rule 1.4 provides guidance. A CEP cannot consent to, or passively appear to go along with, misconduct. The CEP needs to object clearly. If this does not work, the next step is to escalate, including to the board where appropriate. Since this provision was drafted, revisions to the Sentencing Guidelines have added important perspective to this provision. The Guidelines now provide that companies may receive credit for their programs, even if high-level personnel are involved in a violation, if they meet certain standards. One of these is that the person responsible for the day-to-day operations of the program has direct reporting responsibility to the highest governing authority of the organization. Specifically, this means:
the individual has express authority to communicate personally to the governing authority or appropriate subgroup thereof (A) promptly on any matter involving criminal conduct or potential criminal conduct, and (B) no less than annually on the implementation and effectiveness of the compliance and ethics program.[4]
The OECD standards, while less specific, call for the person responsible for the program to have the authority to report matters directly to the board.[5] Thus, the provisions of the code dovetail well with the developing legal environment.
If these steps fail, the CEP may consider resignation—but not too soon, since the CEP is in a position to fight misconduct and removing the CEP as an obstacle may make the misconduct more likely to occur. Lastly, if there is a legal obligation to report it, then the CEP must report. This provision of the code states a fundamental point—if there is a legal obligation to report something, the code supports compliance with the law. It does not add any external reporting obligations to those that already exist in the legal system.
When is escalation to the board of directors necessary? The Code’s commentary provides guidance on this determination. Specifically, escalation is called for when the CEP is directed to escalate matters by the board (e.g., by a prior board resolution, such as one adopting the Sentencing Guidelines’ language), when escalation to management has not worked, or when the CEP believes escalation to management is futile. Note, however, that these are examples, and escalation may be appropriate at other times as well.
If the CEP does resign in light of misconduct, they may not go quietly. Rather, the CEP must set forth in a letter to senior management and the board the reason for the resignation in full detail and complete candor. This is essential and part of the CEP’s duty to do what is necessary to prevent misconduct. If the rationale is spelled out in stark detail, management and/or the board may realize what they are doing is wrong and reconsider.
Principle II: Obligations to the Employing Organization
Rule 2.1: CEPs must be timely, competent, and professional. A professional needs sufficient education to do the job effectively and needs to stay current. The commentary reminds CEPs that they cannot be expected to know everything related to compliance and ethics, but they must be modest enough to admit this fact and seek out expertise as they approach new areas. They can do this by obtaining the education themselves or by working with others who already have this expertise.
This advice relates to a risk of working in a multidisciplinary field like compliance and ethics. Often CEPs enter the field with expertise related to one or more of the relevant disciplines. Lawyers, auditors, and human resources managers, for example, are frequent participants in the compliance and ethics field. There is a risk that, because they know one of the disciplines, they believe they are experts in the entire field of compliance and ethics. But each needs to recognize that there are areas of relevant expertise, such as adult education, motivation and incentives, communications, auditing, etc., where there is much more to be learned. Thus, an unspoken mark of a CEP is the humility to recognize how much they may not know about the many sides of this field.
Rule 2.2: CEPs should ensure, to the best of their abilities, that their employer complies with the law. But, as the commentary makes clear, this is just a leadership role—all employees have a responsibility to ensure compliance.
A similar message appears in the Sentencing Guidelines. In the Commentary to the Guidelines, item 2, it is noted:
High-level personnel and substantial authority personnel of the organization shall be knowledgeable about the content and operation of the compliance and ethics program, shall perform their assigned duties consistent with the exercise of due diligence, and shall promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.[6]
In other words, CEPs implement the program, but the managers are responsible for making it work and ensuring compliance.
On this point, OECD Guidance, item 3 is more succinct but very direct:
3. compliance with this prohibition and the related internal controls, ethics, and compliance programmes or measures is the duty of individuals at all levels of the company; [7]
No one can dodge responsibility by pointing to the CEPs. Compliance is everyone’s responsibility.
Rule 2.3: CEPs are to investigate indications of misconduct with appropriate due diligence. Of particular note is that this duty applies to any suspected misconduct whether “past, current or prospective.” Whereas a lawyer might advise not to bother with matters beyond a particular statute of limitations, a CEP knows that any misconduct may color the attitudes and culture of an organization, no matter how far back. If employees believe that wrongdoing was condoned in the past, this will certainly color their view of the company and affect the culture. Moreover, an effective compliance program must be diligent and avoid promoting those who have shown an inclination in the past to engage in misconduct and disregard the compliance program. In addition, even past violations may reveal weaknesses in the control structure that remain in the present. So even conduct in the past beyond a statute of limitations is relevant for the compliance and ethics program.
The Commentary clarifies that while all issues require appropriate investigation, it is not necessary that the CEP personally conduct such investigations if others are positioned to do so. The CEP may report the matter to others following “established reporting procedures.”
Rule 2.4: CEPs have a duty to keep senior management and the highest governing body informed of the status of the compliance and ethics program, both as to implementation and areas of risk. The importance of this communication between the compliance professional and the board has been emphasized by the 2010 revisions to the Sentencing Guidelines and the OECD standards referenced in Rule 1.4 above.
This duty, in turn, reflects the duty of management and the board to monitor compliance, following the standards first articulated by the Delaware Chancery Court in the case of In re Caremark Int’l Derivative Litigation.[8] In Caremark the Delaware court (a highly influential court with respect to corporate law throughout the US) warned corporate boards that they face potential personal liability if their failure to assure there was a compliance program results in losses to their company.
Rule 2.5: If those who report misconduct are retaliated against, an organization’s compliance program will be severely undermined, and the organization may find itself subject to severe treatment by the legal system. Thus this rule requires CEPs not to aid or abet retaliation, and to pursue procedures designed to protect whistleblowers. Note that this calls for more than a simple policy statement; the CEP must “strive” to have procedures that ensure protection. This is an activist standard that requires concrete steps.
The commentary states that to the best of CEPs’ abilities, they should preserve the anonymity of those reporting employees who request this treatment and should conduct investigations with discretion to protect all those being investigated.
Rule 2.6: Treatment of confidential information is a sensitive issue for organizations and one that is addressed here by instructing CEPs to carefully guard such information against disclosure. However, protecting information is just one value, and other values such as health and safety must be considered also. For example, it may be impossible to conduct an investigation without those being interviewed coming to an educated guess about what is at issue and who raised the concern. Nevertheless, the investigation must still be conducted. Similarly, there could be circumstances where rapid action might risk disclosure of confidential information, but protection of human health and safety would take precedence. Even when action increases the risk of disclosure, appropriate steps should still be taken to minimize such disclosure risks.
Disclosure of confidential information may also be required through legal processes, such as a search warrant or discovery in litigation. However, the commentary reminds CEPs that there are privilege protections that may protect information and these can be used when appropriate.
Rule 2.7: As CEPs, we should avoid conflicts of interest and report anything that might constitute a conflict. But, involvement in a matter subject to such a report will not necessarily eliminate the CEP’s ability to participate in any given situation. The CEP’s experience may give valuable insight into the issue at hand, and the CEP may be the one best positioned to prevent or detect misconduct. The key is disclosure, so everyone knows of the CEP’s involvement. It is not in the public interest or the organization’s interest to invoke a zero tolerance rule to remove the CEP from any involvement in a matter simply because the CEP has had some involvement or interest. An active CEP will meet many people in an organization and become familiar with much that happens in that organization. A zero tolerance approach would penalize CEPs for doing their jobs well. It would also remove the very CEPs who may have the most insight and experience with important compliance and ethics issues. Rather, this rule and the commentary call for detailed written disclosure but not removal from the process.
For those professionals who work for corporations and other organizations, one of the most difficult challenges is recognizing that the professional represents the organization, not the individual officers and managers. It is certainly wise practice, of course, to develop good relations with these key individuals, but all concerned should understand that the organization must come first. Thus, if the general counsel, for example, tells the compliance professional not to “bother” the board with issues the CEO does not want them “meddling” in, the professional may not follow this suggestion. The board, as the highest representative of the client, has the first call on the professional’s loyalties. What may or may not make management comfortable is exactly the type of “duty of loyalty” issue this rule is intended to address. Similarly, the CEP may develop friendships with those managers with whom the CEP deals on a regular basis. But that friendship must come second if there is an issue between the interests of the managers and the best interests of the organization.
Rule 2.8: CEPs should be realistic when explaining what they and compliance and ethics programs can and cannot achieve. Most obviously, this means that a CEP should not promise an employer or client that a program can or will prevent all violations, or even that a program will meet governmental standards. A CEP could certainly discuss the preventative impact of a diligent program and its potential for convincing government to treat the company in a more positive way, but this should always be qualified and not categorical.
Principle III: Obligations to the Profession
Rule 3.1: We pursue our work with honesty, fairness, and diligence. We cannot agree to unreasonable limits on our professional work. For example, as the commentary makes clear, if a CEP is asked to conduct an investigation, but not to talk to certain employees or officers, this is not acceptable. If the limits placed on the CEP’s conduct are unreasonable, then the CEP must decline to participate in the activity and explain to the board why. Of course, the CEP has to accept that an organization may not have all the resources the CEP would like in an ideal situation. But this is very different from arbitrary restrictions placed on the CEP to protect specific individuals or keep the CEP away from sensitive issues. These types of restrictions are unacceptable.
Rule 3.2: Protecting the confidentiality of client information is essential for CEPs to function effectively in organizations. If the information clients provide us is exploited in litigation, it can seriously erode the effectiveness of compliance and ethics programs. If CEPs become litigation and discovery targets merely to advance the convenience of litigators, this can undermine clients’ willingness to allow CEPs to conduct such functions as audits, deep dives, helplines, and investigations. CEPs are encouraged to work with legal counsel to minimize litigation risks.
The commentary also reminds CEPs that they may not use the employer’s confidential information in ways that violate their legal duties, such as to commit insider trading.
Rule 3.3: Addressing the need for professional conduct, this rule tells CEPs not to make misleading, deceptive, or false claims about their qualifications, experience, or performance. For example, a CEP who does not have CCEP status should not imply that they do.
Rule 3.4: CEPs should not defame other CEPs. Thus, while the free market should be in play among CEPs, and they may compete vigorously among themselves for clients and employment, the legal limits of defamation should be observed in this competition.
Rule 3.5: CEPs need to keep up to date with the field and participate in professional dialogues and exchanges. We all benefit from learning about the experiences of others. The Sentencing Guidelines’ incorporation of “industry practice” as part of the standards for programs, and the many references in the field to industry and best practices, signal that sharing information and experience is a hallmark of the profession. The exchange of information and experience works best when it is open and mutual, meaning that this is more than the need to pursue continuing professional education; each CEP should also contribute to the exchange. Use of social media in the profession is one simple means to pursue this objective.
SCCE has adopted this code to help strengthen the field of compliance and ethics, to bring increased recognition to the professional status of compliance and ethics work, and to aid each of us in making difficult professional decisions. Ours is an important profession, and this code stands as a guide and resource in our daily work.