One of the core elements of a compliance program is having policies and procedures that promote the organization’s commitment to compliance and address specific areas of risk. Compliance guidance documents from the Office of Inspector General (OIG) state that organizations should develop and distribute written standards of conduct, as well as written policies and procedures, that address specific risk areas of potential misconduct.[9] In developing such standards, policies, and procedures, the compliance officer should seek input from the business departments and individuals affected by the policy, in addition to any internal compliance committees, senior leaders, and the board of directors as appropriate.
Policy vs. Procedure
Organizations often use the term “policy” fairly loosely. Sometimes a “policy” may actually be more of a list of procedures an employee must follow to accomplish something, rather than a position statement about the company’s view on a particular topic. Organizations may create a meta-policy to define the criteria for what constitutes a policy vs. a procedure or work instruction. This meta-policy defines terms such as policy, procedure, work instructions, policy owner, subject matter expert, and approver. Sample term definitions may include:
- Policy: A written document or statement reflecting standards or rules that regulate or guide organizational action and employee conduct. Global policies generally apply to the entire organization and will outline who has specific authority or assigned accountability and what actions are required in specific situations.
- Procedure: The process followed to comply with a policy. A procedural document describes the specific steps necessary to complete a particular process intended to implement and/or support a policy. Procedures include rule-based information and can vary between functions and business units.
- Work Instructions: These are step-by-step instructions, including information and equipment needed to complete a specific task.
- Approver: The person or department whose approval is required to implement the policy.
- Policy Owner: The individual or department responsible for the content and administration of the policy.
- Subject Matter Expert: A person who has a deep understanding of the topic or process.
The meta-policy also typically explains the process that must be followed for developing, approving, implementing, and maintaining the company’s policies and procedures. Depending upon applicable regulatory requirements, an organization will want to set up a time period to periodically review its policies and procedures, such as every year or two. Defining the governance process is an important step toward ensuring a consistent approach to company policies.
In some cases, an organization may want to bring awareness to a regulatory area and provide guidance to its workforce. While organizations may differ in their approach, a policy typically includes rules that should be enforced. If an organization wants to provide guidelines that are not mandatory, it may prefer to issue a guidance document such as a “Question and Answer,” an email guidance notification, or some other communication document to bring awareness to recommendations in addressing a regulatory situation. Organizations should avoid implementing policies they cannot adhere to or are not willing to enforce.
Code of Conduct
After a risk assessment is conducted, and before any other activity or pillar is put in place, the next step is usually drafting policies and procedures. The code of conduct is the first document created. It is an industry standard for an organization to have a code of conduct that sets forth the organization’s commitment to compliance. The code of conduct will also focus on the organization’s commitment to comply with applicable federal and state laws, including laws related to fraud and abuse. A code of conduct gives the organization a central overview or summary document that guides all other efforts in the design and operationalization of the compliance program. It does not require detailed treatment of each relevant topic, which allows the organization to set out the most relevant principles employees must follow before trying to detail every single policy and procedure that makes up the compliance program.
Why have a code of conduct? A good code of conduct can be a powerful tool for an organization. It is a way for a company to tell employees about the company’s requirements and expectations. The code can also be the employees’ primary resource concerning:
- Conduct that is or is not acceptable
- How to decide what to do when there is not a rule that applies
- What to do if they have a question
- Who to tell if they suspect misconduct
The code can also encourage and empower employees. Employees may be more loyal to employers they believe are ethical. Such employees may also be less likely to engage in misconduct that can get the company into trouble or conduct that hurts the company, such as employee theft. Finally, employees who have been given guidance and tools that help them make compliant and ethical business decisions may feel more empowered to do so—and they may be more likely to do what is right.
Writing a Code of Conduct
An organization’s code of conduct should be drafted based on the organization’s needs, culture, and current times; it also should be unique to the organization. Otherwise, the code of conduct will not serve its purpose of being a useful guiding document for the organization’s employees.
Drafting an adequate code of conduct from scratch is not an easy task, but neither is it too complex. It should be approached as a multipart and finite task. Here are things to consider when writing a code of conduct.
Include a statement of values: In a rules-and-values-based program, the code should contain a statement of the values that employees can use to interpret how the rules should apply and determine what to do in the absence of a rule. Explicitly address management’s position that, although it is important for the company to be vigorously competitive and successful, it must do so using compliant and ethical business practices. Consequently, the “sale at any cost” approach is not acceptable. This can be a difficult message for employees to believe, so they need to see it backed up by management’s conduct.
Additional tips include:
- Do not include a statement of values if it is not an honest reflection of the company’s culture and management. A statement of values that is broadly perceived as untruthful may be worse than no statement at all.
- Align the statement of values with any other values and mission statements the organization has adopted. Explain how to handle situations that are not addressed by a rule.
- Identify ways that employees can figure out the right thing to do, e.g., the newspaper test—would employees want to read about their conduct in the newspaper?
Choose media type and layout: There is no rule or legal requirement stating that a code of conduct needs to be in text or video format. No rules exist about having the code as a document hosted in a network folder or as an interactive, three-dimensional shape that can be rotated, zoomed in and out, clicked on, and moved around. Therefore, feel free to decide which format and media type will have the most impact, will be most useful, and will best engage the organization’s employees. More organizations have begun to modify their codes of conduct to make them interactive and include video content to further educate and train applicable individuals. Of course, there is always the matter of resources, which may limit options.
Make the format user-friendly and attractive, with a well-organized layout that has plenty of white space. Employees are turned off by codes that look and read like legal documents. The code will not have the desired impact if employees do not read it because of its format. Ask a graphic designer to help with the layout and format. If a graphic designer is not available, use the word art and graphic features available in Microsoft Word. Even if only the spacing, font type, and font size change, the result will look better than a long narrative in a regular font.
Design Tips
- Use the talent you have in the organization. Your marketing and communications departments are experts at taking complicated information and communicating it in an easy-to-understand and appealing manner.
- Use the compliance program’s brand to help “sell” the code to employees.
- Try different formats within the document to move the reader’s eye.
- Have plenty of white space, even if it adds a couple of pages to the length.
- Use headers and titles for new topics.
- Change font size, colors, and formatting.
- Do not use the usual business document font.
- Use bulleted and numbered lists.
- Periodically change the format, so that some information is in full-width narrative and some in columns or tables.
- Call out important information in some way to get readers’ attention. For example, use sidebars to provide illustrations or other information.
- Incorporate graphics—even if it is just clipart.
Determine length: Again, there are no rules related to the length of a code of conduct. Think about what you want to achieve with the document. Do you want it to be a quick guide about your organization’s principles (short document) or do you want it to be comprehensive guidance on each relevant topic (long document)? Shorter codes tend to be easier to remember, are cheaper to print, allow for more flexibility in terms of format and platform, and will probably be more useful to colleagues.
Think about readability: The code of conduct should be written at an appropriate reading level and translated into other languages as appropriate. Aim for a readability level of 7th to 8th grade. Many codes have a post-graduate reading level. This can happen when codes are written by lawyers and are very legalistic in their tone and language. Use plain, direct language and uncomplicated syntax.
Readability Tips
- Use an active voice rather than passive voice. Turn on “check grammar” in Word to help you. Go to Tools/Spelling and Grammar/.
- Avoid repeated long references. Instead of using “Directors, officers, employees and contractors” repeatedly, use “you” or “staff” or “everyone.” This will make it a more personal and friendly document and lower your readability score.
- Keep sentences to 14 words or less and paragraphs to no more than five lines. Use one- and two-syllable words.
- Use the right word rather than the long word.
- Be concise, using as few words as possible.
- Avoid assumptions—define acronyms—and avoid jargon.
- Check the readability statistics in Word. Choose the option to “show readability statistics” by going to Tools/Spelling and Grammar/Options. With this feature on, you can check the grade level of the text.
Think about tone: Use a consultative and helpful tone—not a series of threatening phrases, such as “thou shalt” and “thou shalt not.” Convey that the company wants to be successful, while also being compliant and ethical. Make the employee feel guided, not threatened. Additional tips include:
- Use pronouns and other “friendlier” terms when referring to employees.
- Use “us,” “we,” “our,” instead of “the company”—this promotes a sense of being in it together, rather than an “us vs. them” mentality.
- Talk about how everyone can be successful and feel good about working for the company, not just how to avoid problems and legal violations.
Involve others: Involve a variety of people from different departments when writing the code. Select them from as many locations as possible and be mindful of including people from different cultural backgrounds. The compliance officer will still remain accountable for the final product but should not be the sole person responsible for its content. Involving more people will result in a code that is useful to all colleagues in your organization. It will also be seen as a group achievement and not just something that was created by the compliance folks.
Get feedback and revise: Keep in mind that this is an iterative process. Plan to review and discuss drafts of the code as frequently as possible with the organization’s top management. A useful code takes time to be completed. Don’t expect to have a code of conduct ready in a month. Plan to complete the code according to the size and complexity of the organization. The more complex the organization, the longer it will take to ensure that enough people, departments, and locations are involved and that adjustments are discussed and agreed upon. Host workshops, do online voting, run a competition, or use other creative ideas to both engage the organization and ensure the final content is relevant.
Content to Include
Don’t copy another organization’s code but do try reading various existing codes from different companies to understand the interesting and useful components of a code of conduct. A number of standard components are usually included in codes of conduct. Choose ones to include in your organization’s code. The most common and basic components are:
Letter from the CEO (or top executive): This should emphasize the organization’s commitment to its compliance program, urge all employees to be active agents in the organization’s journey to be compliant, include a call to action, and have a good example of what the company expects from its employees.
Organization’s values: Consider adding the organization’s mission and vision statement here, including how they relate to the code of conduct.
Definition of the code, including its purposes and objectives: This section will outline that the code of conduct serves as a reference document, where employees will get an overview of the organization’s compliance program and how to approach relevant risks. It should not provide all the answers to every question employees might have, but it should tell them how to find answers.
Questions and answers and/or scenario-based examples of relevant situations: Try to include tangible examples of good compliance practices or cases that may have occurred in the past, either from one of the founders or one of the employees of the organization. These could be spread throughout the document or concentrated in a separate section of the code.
Details on reporting misconduct: Given the relevance of this pillar of compliance programs, one section in codes of conduct is usually dedicated to providing details about how to report misconduct. Employees need to know that they are expected to notify the company if they think there is misconduct. They also need to know how to ask questions and report any concerns they have. Include answers to the following questions:
- Whom do they contact?
- Can they go to someone other than their boss?
- Can they report a concern anonymously?
- What will happen when they report a concern—what is the process?
- Will anyone else know they reported a concern?
- What if it is an employment issue?
You also want employees to believe the company takes their reports of possible misconduct seriously and that it will stop any misconduct. Placing this information after the statement of values and before the description of risks tells employees that the company wants to know about problems and fix them.
Information about Reporting—Tips
- Employees are nervous about reporting problems—make them feel comfortable and secure in doing so.
- Explain what an employee can expect when he or she reports a concern. Answer all of the questions listed, as well as any others your employees may have.
- Tell employees what they can expect to be told or not be told about investigation results. For example, tell them they will not be told about employment action that resulted from a report because of the other employee’s right of confidentiality.
- Tell employees that there can be instances in which there is additional information they are not aware of that can result in a decision that something is not misconduct—and that you may not be able to share that other information with them.
- Provide multiple alternatives for reporting a concern so that if they are uncomfortable with one option, they have others.
- Explain how they can anonymously report concerns.
- Let employees know that there are times when an anonymous caller’s identity may be known. For example, if an employee who has been working with Human Resources also makes an anonymous call to the hotline, the company may be able to identify the anonymous caller. Explain how the company will deal with that type of situation.
- Tell employees that if they report something anonymously, additional information is sometimes required to complete an investigation, and if the anonymous reporter does not provide the requested information, the case may have to be closed.
- Let them know that there are some types of issues, such as many employee relations issues, that may not be able to be handled anonymously.
Non-retaliation promise: Because employees are afraid of retaliation if they report a problem, the code must assure them that the company has, and strictly enforces, a non-retaliation policy. Employees are very concerned and sensitive about what can happen to them if they report a problem—especially about something management is doing. They are even more concerned if their boss is involved. The promise should include a commitment to discipline anyone who retaliates against another employee. The non-retaliation promise is not very meaningful if there are no real consequences to the retaliator. For example, include in your disciplinary policy a provision for disciplinary action for anyone who retaliates against another employee. The code should also instruct employees what to do if they think they are a retaliation victim. Tell employees to immediately contact Human Resources and/or call the hotline. Remind them that this type of issue cannot be addressed on an anonymous basis.
Other resources: Usually this section links to several other resources, such as the policies repository or a directory of compliance personnel, to which colleagues may refer when the information they are seeking can’t be found in the code.
Risk area topics: This should include the requirements and guidance around each risk area. From this point forward, we will be talking about how to develop the risk content of the code.
Sample Codes of Conduct
If a company posts its code on its website, it is often, but not always, available on the “Corporate Governance” page. Codes of conduct from other organizations, even if they are from different industries, can be helpful to decide on the type of code your organization wants to develop. The following companies’ codes of conduct are available online. They tend to be for larger companies. Even if you are a small organization, these codes can still provide ideas about what may or may not work for your organization.
- Baxter Pharmaceutical: baxter.com/our-story/our-governance/code-conduct
- Cleveland Clinic: my.clevelandclinic.org/-/scassets/files/org/about/for-employees/code-of-conduct.ashx?la=en
- CVS: cvshealth.com/sites/default/files/cvs-health-code-of-conduct.pdf
- Mayo Clinic: mayoclinic.org/about-mayo-clinic/governance/policies
- Northwell Health: northwell.edu/sites/northwell.edu/files/2019-10/code-of-ethical-conduct.pdf
- UnitedHealth Group: unitedhealthgroup.com/content/dam/UHG/PDF/About/UNH-Code-of-Conduct.pdf
Developing Risk Content
The code of conduct is expected to address key risk topics applicable to an organization.
Remember—do not make the code the sole source of information about the company’s policies. Complete policies should be available elsewhere—typically a company intranet site. Include summaries of the most important policies in the code. Organize and write the policy summaries so they are intuitive and easy for the reader to follow and understand. Do not summarize all of the company’s policies—only those that are highest-risk issues or applicable to most employees. Either omit or include only a very brief discussion about any policies that are low risk or applicable to only a limited number of employees.
Here’s how you can begin writing those summaries. Make a list of the highest risk topics/areas and use them as a starting point. This list should be in the form of very direct/short statements and put in a sequential order based on the risk rating identified during the risk assessment phase. The next step is to create one direct summary statement for each of the risks listed. This statement summarizes what the organization wants to achieve or believes is the correct way to approach the topic. With the summary statement ready and agreed to by the group in charge of the code’s creation, it is time to further develop the message. For each of the summary statements, you will create one introductory paragraph detailing what your organization wants to ensure or achieve.
Try to avoid the impulse to turn the code into a procedural document. Keep the code as an organization’s guiding principles to mitigating key compliance risk areas. Here are some additional policy content tips:
- If length is an issue, refer to the location of the other policies and focus attention on the highest risk issues for your business.
- Organize the policies so that the flow is logical and intuitive to the reader.
- Provide examples of appropriate and inappropriate conduct that the employees can recognize.
- If possible, explain why the policy is good for them.
Possible Risk Areas/Topics to Include
Business Practices
- Accurate Coding and Billing Practices
- Accreditation and Surveys
- Preventing Anti-Kickback/Bribes
- Credentialing
- Cost Reports
- Business Courtesies (Receiving and Giving Gifts, Gratuities, and Entertainment)
- Charitable Contributions
- Deficit Reduction Act of 2005—False Claims Acts
- Emergency Treatment (EMTALA)
- Environmental Protection
- Fraud, Abuse, and Theft
- Government Contracting
- Government Interviews of Company Employees
- Information Practices, Including Health Information Privacy (Confidentiality)
- Protecting Shareholder Rights or Nonprofit Tax Exempt Status
- Regulatory Compliance
- Research
- Sales Agents, Consultants, or Other Professional Services
- Truth in Advertising, Marketing, and Sales
- Using Agents, Representatives, Contractors, and Consultants
Company Property, Records, and Procurement
- Accurate Books and Records
- Procurement Practices
- Protecting Company Information, Ideas, and Intellectual Property
- Records Retention
- Software Protection, Acquisition, and Distribution
- Trademarks, Service Marks, Use of Company Names, and Endorsements
Competition
- Antitrust
- Competitor Relations and Disparagement
Compliance Program
- Compliance Hotline and Resources
- Reporting Possible Misconduct
- Investigations and Corrective Actions
- Responding to Potential Compliance Issues
- Making Ethical Decisions
- Response to Governmental Inquiries
- List of Compliance-related Policies
Conflicts of Interest
- Avoiding Conflicts of Interest
- Honoraria
- Insider Trading
- Outside Directorships
Employment Practices and Employee Conduct (focused only on compliance-related issues)
- Child Labor
- Community Activity
- Discrimination and Harassment
- Drug-Free Workplace
- Employee Privacy
- Labor Relations
- Non-retaliation and Non-intimidation
Global Business
- Accounting
- Anti-Boycott
- Export/Import Control
- Foreign Corrupt Practices Act
- General Data Protection Regulation (GDPR)
- International Boycotts
Health, Safety, and Security
- Contagious Diseases, Including Bloodborne Pathogens
- Emergency Action
- Fire Safety
- First Aid
- Hazard Communication Program
- Injury Records
- Safety Committee
- Severe Weather Information Services
Systems Computer Information Security
- Computer Equipment and Resource Use
- Electronic Mail Security
- Employee Termination
- Encryption
- Equipment Change Control
- Firewall Management
- Individual Accountability
- Information Security Awareness
- New Employee Security Awareness
- Password Control
- Portable Computer Security
- Remote Access
- Unauthorized Software
- Virus Detection
- Wireless Technology
Political and Community Activities
- Community Support
- Lobbying
- Personal Community Activities
- Political Activities
Property Rights of Others
- Competitive Information
- Patient Privacy
Public Communications and Relations
- Crisis Communications
- Disclosure of Information to the Public, the Media, and Analysts
- Responsible Use of Social Media
Distribution and Certification
Once the code of conduct is finished, the compliance officer needs to make sure that employees have access to it, either by distributing a paper copy and/or by posting it on the organization’s intranet. If the organization has an intranet, consider posting the code there and including links to other related documents available on the intranet (e.g., the employee manual).
Regularly and repeatedly remind employees about the code. Do not do so just once a year during annual training. Consistently speak or write about the issues addressed in the code in newsletters, meetings, emails, and any other employee communication avenues available. It keeps the code a priority in employees’ minds and informs new employees who did not receive previous messages.
Decide whether or not to require employees to acknowledge or certify that they received, read, and understood the code. If requiring acknowledgments or certifications, consider alternatives to the typical paper chase. For example, consider a web-based acknowledgment or making certification part of the annual review processes. Whatever methodology you adopt, make sure it is manageable.
Also decide whether to post the code on the organization’s website. An increasing number of companies do so, probably because they believe it reflects a significant commitment by the organization.
Code Document Maintenance
Codes of Conduct should be periodically reviewed to update areas impacted by modified federal and state laws and regulations. Maintain versions of the code as it is revised and updated. Note when new versions are created and archive older versions. This information may be important if an organization is investigated or subject to an enforcement action. Fines and penalties can be reduced under the organizational sentencing guidelines if an effective compliance program was in place at the time of the misconduct. To prove an effective compliance program, a compliance officer needs to know what was in effect when the misconduct happened. Clearly identify the version of the code on the document. Although there should be some type of reference within the code that identifies the version, track more detailed information (such as when it became effective) in a separate log. If not maintaining a separate log, include the effective date in the document.