This article originally appeared in the Wall Street Lawyer (July 2003).

Overview

In 2002, the passage of Sarbanes-Oxley heralded sweeping reforms affecting the content and preparation of disclosure documents by public companies. As part of the reforms, the legislation requires companies to disclose the fundamental business values by which the senior management of companies operate. More recently, the Securities and Exchange Commission approved listing standards of the New York Stock Exchange and the Nasdaq Stock Market that now require companies to have codes of ethics governing the conduct of all their directors, officers, and employees, and to disclose any waivers granted to directors and executive officers. This article explores the significant issues related to compliance with these new standards, and their effect on the operation of public companies.

Introduction

Outrage over ethical and financial misconduct by the senior management of public companies led to the passage of historic legislation redefining the roles and responsibilities of corporations and those who serve them. Greed (manifest in personal enrichment of officers at the expense of shareholders) and manipulation of accounting standards raised many questions about the values of those at the helm of organizations that rely on the public markets, as well as the system of checks and balances that exists in corporate America.

Congress and the Securities and Exchange Commission have since made significant changes in the oversight of public companies. They also have asked public companies to disclose the fundamental values by which they operate, and by which the conduct of executives may be measured. Senior management and directors are challenged to examine the "tone at the top" of their organizations, and to emphasize ethics and integrity in business decisions.

Many are aware that the collapse of Enron was preceded by the ill-advised decision of the company's directors to specifically waive provisions of the company's code of ethics. That decision allowed Enron's chief financial officer to benefit from transactions involving the company. [1] The precise facts of the directors' decision, reported extensively in the media (but only after the fact), led to proposed reforms by the New York Stock Exchange that were modified and incorporated in Section 406 of Sarbanes-Oxley.

Section 406 requires public companies to disclose whether they have codes of ethics and also to disclose any waivers of those codes for certain members of senior management. The Commission adopted specific rules implementing these requirements in January 2003. [2] More recently, the Commission approved significant reforms by the NYSE and Nasdaq that, among other things, specifically require companies listed on these markets to have codes of ethics applicable to all employees, senior management, and directors. [3] This article gives an overview of codes of ethics and the issues to consider in implementing the spirit and the letter of the new ethics requirements.

Commission Rules and Related Initiatives

New Item 406(a) of Regulation S-K requires companies to disclose:

• whether they have a written code of ethics that applies to their principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions;
• any waivers of the code of ethics for these individuals; and
• any changes to the code of ethics.

If companies do not have a code of ethics, they must explain why they have not adopted one.

A company may either file its code as an exhibit to the annual report, post the code on the company's Web site, or agree to provide a copy of the code upon request and without charge. Item 406 incorporates some, but not all, of the recommendations regarding a code of ethics offered by the NYSE Corporate Accountability and Listing Standards Committee. [4] These recommendations are reflected in the recently amended NYSE listing standards and are similar to changes to the listing standards for the Nasdaq Stock Market. As discussed below, the amended listing standards now affirmatively require all companies listed on these markets to have codes of ethics that encompass employees, officers, and directors.

What is a Code of Ethics?

A code of ethics outlines a set of fundamental principles. These principles can be used both as the basis for operational requirements (things one must do) and operational prohibitions (things one must not do). Typically, a code of ethics is founded on a set of core principles or values and is not designed for expedience. [5] These principles are illustrated with behavioral examples. Those subject to the code are expected to understand, internalize, and apply the examples in situations the code does not specifically address. Organizations expect that the principles, once communicated and illustrated, will apply in every case, and that failure to apply the principles can be a cause for disciplinary action.

How is a Code of Ethics Created?

To create a code of ethics, an organization must define its most important guiding values, formulate behavioral standards to illustrate the application of those values to the roles and responsibilities of the persons affected, review the existing procedures for guidance and direction as to how those values and standards are typically applied, and establish the systems and processes to ensure that the code is implemented and effective. Codes of ethics are not easily created from boilerplate. Ideally, the development of a code will be a process in which Boards and senior management actively debate and decide core values, roles, responsibilities, expectations, and behavioral standards. [6]

Typically, codes of ethics are divided into five sections:

1. The introductory section, in which the organization introduces the code and explains why is it is being promulgated, to whom it applies, and how it is to be used. The introduction also typically contains a personal statement by the CEO of his or her commitment to the values contained in the code, and a promise to act consistently with those values.
2. A statement of core values and principles with each defined in simple business language. Principles may be "moral" principles, such as honesty, respect, and fairness; they also may be "pragmatic/business" principles, such as excellence, profitability, quality, or customer satisfaction. Similarly, some values might be characterized as "ethical" (e.g., honesty and fairness) while others are more aptly described as "organizational" (e.g., excellence and sustainable development).
3. Behavioral examples illustrating each value/principle, with a clear statement that such illustrations are not intended to be inclusive or limiting. Often these examples involve the very types of dilemmas and ambiguities that an individual might encounter in his or her job and are supplemented with references to specific company policies.
4. A discussion of the organization's supporting systems–the infrastructure that supports the code. Typically, this includes such items as where to go for interpretation, how to report suspected misconduct, where to find answers to frequently asked questions, and whether these systems may be used anonymously. An organization generally will state its commitment to confidentiality and non-retaliation for the use of any of the supporting systems.
5. A statement regarding personal responsibility, indicating that it is each individual's responsibility to know and understand the expectations and requirements set forth in the code and to meet those standards. This can, and often does, include a statement that employees must report suspected misconduct and that failure to do so is itself a code violation. It will also typically affirm the potential for disciplinary consequences up to and including dismissal for code violations.

What Specific Provisions Are Required in the Commission's Code of Ethics?

While many companies have codes of ethics, the Commission's code pertains only to employees of public companies who have financial disclosure-related responsibilities. Item 406 defines a code of ethics as "written standards that are reasonably designed to deter wrongdoing and to promote:

1. Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;
2. Full, fair, accurate, timely, and understandable disclosure in reports and documents that a company files with, or submits to, the Commission and in other public communications made by the [company];
3. Compliance with applicable governmental laws, rules and regulations;
4. The prompt internal reporting of violations of the code to an appropriate person or persons identified in the code; and,
5. Accountability for adherence to the code."

Each of these five elements is examined below.

Honest and ethical conduct, including ethical handling of actual or apparent conflicts of interest

Because the Enron tragedy resulted (at least in part) from a waiver of provisions of that company's code of ethics relating to conflicts of interest, the concept of avoiding or ethically resolving conflicts of interest is the subject of a good deal of attention, especially as it applies to executive leadership and Boards of Directors. Potential conflicts of interest are present at all levels of an organization. For this reason, it is important to emphasize in a code the values underlying the prohibition of conflicted interests, including fairness, integrity, and loyalty. For example, in a discussion of loyalty, a code of ethics may discuss the need to separate personal interests from those of the organization. Additional reference points may offer direction to the employees, the Board, or senior management. For example, the NYSE standards require that a code discuss corporate opportunities, conflicts of interest, insider trading, confidentiality, fair dealing, and the protection and proper use of company assets.

Often, the remedy for a conflict of interest is to avoid the conflict. However, when conflicts are unavoidably present, disclosure and recusal may be required. We note that the Commission's definition of a code of ethics stops short of prohibiting conflicts of interest, in favor of assuring that those which arise are "handled" appropriately.

Many codes of ethics require executives and Board members to disclose any relationships that could create the appearance of conflicted interests–family or financial, past, present, or anticipated. Once disclosed, the conflict can be examined to determine if the conflicted party should participate in related decisions, or if it would be better for the conflicted party to recuse him or herself.

Full, fair, accurate, timely, and understandable disclosure

Of the five elements of the Commission's code, the only one that is specific to public companies relates to accuracy and timeliness of disclosure in public filings and other public communications. A more general statement of the requirement may be expressed as the value of "honesty." Honesty, for example, includes being candid, open, truthful, and free from deception and deceit–telling the truth, even when doing so may be difficult, and being forthcoming with all relevant facts and information. The core principle of telling the truth and coming forward with information in internal discussions is important.

In the Commission's code, the requirement for full disclosure, or honesty, is perhaps the most complex. The ultimate decision about whether or not to disclose information to the public may be difficult, since information may mislead as well as enlighten. Disclosure also involves consideration of accounting principles that are subject to multiple interpretations and could be manipulated to produce a desired outcome. The wish to meet the expectations of securities analysts with respect to specific performance measurements, in many instances, has taken precedence over an honest depiction of a company's results. Conversely, many well-intended companies may have favored conservatism over candor out of concern over legal liability.

In recent years, not only the precise substance (the literal accuracy), but also the means and manner of conveying the message has been the source of much discussion. Understandable disclosure has been a topic of specific attention in recent years. The Commission's Plain English Handbook, for example, encourages companies to "communicate successfully with their investors. . . . rather than sending them impenetrable documents." [7]

Moreover, recognizing the complexity and subjectivity of United States accounting standards, the Commission also has encouraged companies to state their assumptions with respect to the accounting principles that most critically affect their financial status and involve the most complex, subjective, or ambiguous decisions. Commissioner Glassman, among others, has encouraged companies to avoid taking a defensive approach to disclosure, through the use of boilerplate or mountainous information, and to ensure that the MD&A, particularly, provides "management's understandable and honest story of [the company's] finances and operations." [8]

Since the adoption of Item 406, many companies have distributed separate codes of conduct for their financial professionals that simply address disclosure requirements with language that parrots the rule. In other words, "you agree to provide full, fair, accurate, timely, and understandable disclosure in reports and documents that the company files with, or submits to, the Commission and in other public communications made by the company." [9] (Some companies use "complete and objective" rather than "full and fair.")

Beyond what is formally expressed, the measure of the success of any code of ethics will be the informal, private dialogue, truly representing the culture of an organization with respect to its disclosure policies. In these frequent conversations, individuals involved in the disclosure process sense the operational values of the organization, or "how things really work around here." In this environment, the "tone at the top" is critical in shaping the culture of fair and honest disclosure. The tone of senior management is reflected not only in the formal process a company uses to gather information, but also in the degree of trust that it creates in terms of encouraging discussion and debate on complex disclosure issues. In particular, it is important to note the extent to which the values of honesty and fairness are a legitimate topic of conversation in the disclosure process.

Compliance with applicable governmental laws, rules and regulations

Even prior to the adoption of Item 406, most codes addressed compliance with the law and regulations. All employees covered by a code of ethics should understand that they are personally responsible for knowing that laws and regulations apply to their position and for adhering to those legal and regulatory standards. Codes will also often direct individuals to resources for obtaining expert guidance, such as their immediate supervisors, an ethics office, or legal counsel.

Although this requirement might appear less complex or subject to interpretation than the demand for honesty, often codes go further. Many organizations recognize that being legal is not the same as being right, and urge their employees and others covered by their code to seek the higher standard–the spirit or intent of the law rather than simply the letter. These codes reflect the notion that legality is a necessary but insufficient standard of ethical conduct. Decision makers are expected to apply law, regulation, policy, procedure, company values, personal values, and societal expectations as the criteria for determining what is "right" or appropriate for the company.

The prompt internal reporting of violations of the code

Encouraging reporting

Internal reporting presents particular challenges for all organizations. Companies must communicate the employee's responsibility to protect the interests of the organization, including the reporting of observed or suspected misconduct. Our society is ambivalent about such an obligation and communicates conflicting messages. There are no "positive" names for the act of reporting (think "whistleblowing" or even "tattling").

Both the NYSE and Nasdaq listing standards require that companies encourage reporting of violations of their codes. Two organizational actions are necessary to encourage an employee to share sensitive information–particularly where the employee may not have all of the facts, but only suspicions. First, there must be assurance that the process is safe. A company must have an absolute commitment to the promise that there will be no retribution or retaliation for reporting observed or suspected wrongdoing. Second, the employee must have confidence that his or her report will be given serious attention. The company must be committed to conducting a thorough and effective investigation of any alleged misconduct, and it must communicate the value of such reporting in ways that reinforce both the safety and effectiveness of the process. [10]

To whom should the report be made?

Under the Commission's code, companies must identify an "appropriate person or persons" to receive information relating to violations. The Commission suggests that this person should be someone who is not likely to be involved in the matter giving rise to the violation. In addition, the person (or persons) to whom reports are made should have sufficient status within the company to engender respect for the code and sufficient authority to adequately deal with those subject to the code, regardless of their stature within the company.

The other challenge is impressing a reporting obligation on executives and members of a Board of Directors. This is more about leadership than policy. It is the responsibility of the CEO and the Chairman of the Board to be crystal clear about their expectation that misconduct will not be tolerated and that suspicion or knowledge of misconduct carries an affirmative obligation to report. The code of conduct and by-laws of the company must support the code provision, but it is unreasonable to presume that policy, in the absence of leadership, will yield the desired behavior.

Related to the issue of reporting ethics violations is the provision of Sarbanes-Oxley requiring a company's audit committee to establish procedures for the receipt, treatment, and retention of complaints regarding the company with respect to any accounting, internal accounting controls, or auditing matters. In effect, there must be an employee "hot line" to the audit committee. [11]

Accountability for adherence to the code

Generally, companies state that "violations of the code may result in disciplinary action, up to and including dismissal." But, predetermined consequences are not required by Item 406, and they undermine the company's ability to make decisions based on the unique circumstances in each case. [12]

A company's stated commitment to "appropriate disciplinary action" is credible only if employees believe disciplinary action will actually be taken. A "best practice" in this area is to regularly publicize the nature of employee misconduct and the resultant disciplinary response(s). Often this takes the form of quarterly reports provided to all management personnel for use in discussions with their employees. Without this formal communication, the organization must trust the "grapevine" to make the case that the organization consistently and predictably applies appropriate disciplinary action for employee misconduct.

Discipline summaries should not just be communicated internally, but should also be part of the regular reporting to the Audit/Ethics Committee of the Board. Part of management oversight is ensuring that senior leadership is taking all appropriate actions to ensure the effectiveness of all components of "an effective program to prevent and detect violations"; that includes encouraging reporting and punishing misconduct.

Who Must be Covered by the Code of Ethics?

The Commission's code of ethics only applies to a company's "principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions." Thus, for purposes of the Commission's disclosure requirement and waiver reporting provisions, the application of the code is very narrow and may be viewed as a minimum standard.

If a company has a code of ethics, many experts believe it should apply to all employees. Both the NYSE and Nasdaq listing standards, for example, require a much broader application of the code, extending the scope to encompass employees, officers, and directors. When there is one code for employees, another for senior financial officers or principal executive officers, and potentially one more for Board members and committees, the waters are muddied and too complex. The resulting confusion can lead to complications and perceived double standards within an organization that may undermine the integrity of the codes. Practical differences between Board and employee activities can be addressed by policy statements accompanying a single company-wide code.

How Should Waivers and Amendments be Addressed?

The Commission adopted rules requiring a company to make "immediate disclosure" on Form 8-K or via Internet of any change to, or waiver of, the company's code of ethics for senior officers. Form 8-K now requires disclosure of:

• The nature of any amendment to the company's code of ethics that applies to its principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions; and
• The nature of any waiver, including an implicit waiver, from a provision of the code of ethics granted by the company to one of these specified officers, the name of the person to whom the company granted the waiver, and the date of the waiver. [13]

Under these guidelines, only amendments or waivers affecting a narrow class must be disclosed. A similar standard is imposed by the NYSE and Nasdaq in their listing requirements. The two notable exceptions are that disclosure required under the listing standards must be made with respect to waivers granted to directors as well as "executive officers," and further that any waivers for these persons may only be granted by the board of directors of the company.

Under the Commission's rules, disclosure on Form 8-K must be made within five business days after the company amends its ethics code or grants a waiver in a way that affects the principal executive officer or senior financial officers. Alternatively, a company may use its Web site to disseminate this information, but only if it explained in its most recently filed annual report that it would disclose these events online, giving its Web site address.

Waivers

A "waiver" is the approval by the company of a "material departure" from a provision of the code of ethics. An "implicit waiver" is the company's failure to take action within a reasonable period of time regarding a "material departure" from a provision of the code of ethics that "has been made known to an executive officer." [14]

Because a code of ethics expresses the company's fundamental values, few waivers of its provisions are likely to be justified. However, matters get murky when it comes to the company's provisions concerning the "ethical handling of actual or apparent conflicts of interest," particularly when those provisions contemplate delegated approvals and decision-making for different types of actions. Consider, for example, a company with a legitimate business reason to select a vendor in which an officer or director (or a relative) has an ownership interest. Where independent approval of such a transaction (following full disclosure of the conflict) is required by a code, it is not clear that a "waiver" has occurred. Nevertheless, companies should be careful that they do not create the perception of a "double standard," which suggests that there is one set of ethical values that applies to senior management and a different one for rank and file employees. Moreover, in instances in which there is a process for reporting and resolving apparent conflicts, it may only be possible to define a "material departure" from the company's values by examining their application at all levels.

Amendments

As noted above, companies must disclose any amendments to their codes of ethics as they relate to the principal executive officer or senior financial officers. Presumably, this measure was designed to ensure that changes in a company's policies are not made for improper purposes and that an accurate code is available to the investing public at all times.

Once created, a code of ethics, much like a strategic plan, will not stand forever. Although the Commission, the NYSE, and the Nasdaq have not required any regular review of codes of ethics, we believe that companies should review their codes regularly to assess their utility given the changing demands of the organization, as well as the scale and scope of its operations. [15] It also is important to determine the degree to which the code is "integrated" into the company's formal and informal processes. Whether by surveys, interviews, factor analysis of decisions and discussions captured in minutes, or some other method, senior management and the Board should hold the code to a standard of relevance and utility to ensure that the agreed-upon core principles and values are not being perverted. Indeed, we believe that Board s should review information regarding the effectiveness of the company's ethics program on a periodic basis, even if specific revisions are not required.

The Importance of an Effective Ethics Program

In addition to the actual code of ethics, there typically are numerous support mechanisms that will determine the effectiveness of the company's overall ethics program. Central among these is a formal program to communicate the company's core values to company personnel. These programs, as well as the conduct and involvement of senior management, are far more important than the words of the code.

The creation and enforcement of an effective ethics program may offer substantial benefits to companies in terms of both legal and performance measurements. Clearly expressed values are important because they provide a touchstone that reduces the likelihood that any individual's personal values will exist in conflict with those of the company. The absence of an ethical tone also may negatively affect the company's reputation and present legal difficulties. Generally, it is assumed that whatever the nature of the organization's culture, it is the product of attention or neglect–both of which are attributed to senior management. As one commenter noted:

Rarely do character flaws of a lone actor fully explain corporate misconduct. More typically, unethical business practice involves the tacit, if not explicit, cooperation of others and reflects the values, attitudes, beliefs, language, and behavioral patterns that define an organizational operating culture. . . . Managers who fail to provide leadership and to institute systems that facilitate ethical conduct share responsibility with those who conceive, execute, and knowingly benefit from corporate misdeeds. [16]

Stakeholder value

Apart from legal requirements, at least two academic studies have suggested that a commitment by corporate management to follow an ethical code of conduct confers a variety of benefits. One study of the largest public companies found that companies that were publicly committed to following a code of ethical corporate conduct as part of their internal control strategy had higher performance in both financial and non-financial terms. [17] However, this study also concluded that the superior performance was not due to the mere existence of a legalistic code of ethics, but to the "tone at the top." In instances in which companies demonstrated superior performance, ethics codes reflected the values upon which the corporate culture was based. [18]

Enforcement guidelines

Ethics programs do more than foster business success. Organizations that emphasize ethical business conduct often are given greater deference by regulators and law enforcement authorities. In many cases, ethically-oriented organizations have positive reputations with law enforcement and regulators and enjoy the "benefit of the doubt." For example, having an effective ethics program may mitigate any sanctions imposed in legal actions. [19]

Under the Federal Sentencing Guidelines for Organizations of the U.S. Sentencing Commission,[20] an effective ethics and compliance program includes:

1. Establishing ethics and compliance standards and procedures;
2. Assigning specific, high level person(s) to oversee ethics and compliance;
3. Taking due care in delegation of substantial discretionary authority to individuals;
4. Effectively communicating standards and procedures to all employees and agents through training and also through printed and electronic materials;
5. Monitoring and auditing the operation of the ethics and compliance program and establishing a retribution-free means (e.g., a helpline) for employees to obtain information about standards and procedures and to report possible wrongdoing;
6. Consistently enforcing discipline of employee violations; and
7. Responding promptly to any wrongdoing and remedying any program deficiencies.

Similarly, the Commission published a report in 2002 identifying mitigating factors that it would consider in determining whether to initiate enforcement actions against companies and how to assess penalties. [21] The report, which referenced the Federal Sentencing Guidelines, stated that the Commission would take into account a number of factors, many of which relate to the ethical environment of a company and its internal controls. [22]

The Role of Directors

A code of ethics and ethical values are important elements of the internal control process of public companies.[23] The failure of a company (and its employees) to observe the values published in its code of ethics is not, in itself, a violation of the federal securities laws. However, the recent Commission actions may trigger disclosure requirements. More importantly, failure to observe the values set forth in the code may lead to violations of the law.

For reasons already discussed, the effectiveness of an ethics program and the culture of an organization should be a matter of concern to the Board of Directors. In a widely-cited decision, the Delaware Chancery Court has suggested that directors who fail to assure that their companies have effective compliance programs may have violated their fiduciary duties. [24] SEC Chairman Donaldson recently stated that "the most important thing that a Board of Directors should do is determine the elements that must be embedded in the company's moral DNA . . . . It should be the foundation on which the Board builds a corporate culture based on a philosophy of high ethical standards and accountability." [25] A recent report by the Conference Board Commission on Public Trust and Private Enterprise [26] also suggested the following areas of oversight by a Board:

• Designation of a Board committee to oversee ethics issues;
• Designation of an officer to oversee ethics and compliance with the code of ethics;
• Inclusion of ethics-related criteria in employees' annual performance reviews and in the evaluation and compensation of management;
• Representation by senior management that all known ethics breaches have been reported, investigated, and resolved; and
• Disclosure of practices and processes the company has adopted to promote ethical behavior.

Apart from any formal processes designed to meet the Commission's requirements, Boards should inquire about the effectiveness of the company's ethics program. Among other things, they should examine the extent to which values defined in codes of ethics are communicated and meet the requirements of the Sentencing Guidelines. [27] Ethics and culture are a legitimate topic of conversation in the Boardroom. [Editor's Note: The appendix to this article is a Guide to Assessing the Ethical Culture of a Company, which is presented as a starting point for discussion. [28]]

Conclusion

Having a code of ethics is not a guarantee against corporate misconduct. As recent events illustrate, people are capable of finding ways to pervert the code's intentions, in ways as subtle as subconscious rationalization, or as blatant as fraud or other criminal conduct. An effective ethics program requires continual reinforcement of strong values. A code of ethics or detailed procedures designed to encourage full disclosure alone is not a substitute for good and honorable management, employees, and directors working to the best of their ability for the benefit of shareholders and others who have entrusted them with responsibility.

---

[1] See Report of Investigation by the Special Investigation Committee of the Board of Directors of Enron Corp (Feb. 1, 2002).
[2] Release No. 33-8177 (Jan. 23, 2003), available at www.sec.gov/rules/final/33-8177.htm>. Separate provisions were adopted relating to investment companies. See Release No. 34-47262 (Jan. 27, 2003), available at www.sec.gov/rules/final/34-47262.htm>.
[3] Release No. 34-48745 (Nov. 4, 2003) (approving code of ethics requirements for NYSE and Nasdaq listed companies), available at < www.sec.gov/rules/sro/34-48745.htm >.
[4] The Committee's report, dated June 6, 2002, is available through links at www.nyse.com>.
[5] In contrast to a code of ethics, a code of conduct usually lists required behaviors, the violation of which would result in disciplinary action.
[6] Many successful codes have been developed with the assistance of an experienced facilitator, schooled in the roles and responsibilities of senior management and Boards, but more importantly, familiar with the subtleties of guiding a group of sophisticated and successful leaders through a process that causes them to confront their own sense of what is right, fair, just, and good.
[7] The handbook is available at www.sec.gov/pdf/handbook.pdf>. The quoted material is from the Introduction by then Chairman Arthur Levitt.
[8] "Improving Corporate Disclosure–Improving Shareholder Value," Speech by Cynthia A. Glassman (April 10, 2003), available at www.sec.gov/news/speech/spch041003cag.htm>.
[9] Relevant portions of the Model Code of Ethical Conduct for Financial Managers, published by the Financial Executives International, state that members must: "Provide constituents with information that is accurate, complete, objective, relevant, timely and understandable... Act in good faith, responsibly, with due care, competence and diligence, without misrepresenting material facts or allowing ones independent judgment to be subordinated." Available through links at www.fei.org>.
[10] At the same time, however, there may be a need to ensure that no employee can use the reporting provisions maliciously without fear of consequences. Many organizations may have chosen to tolerate possible abuse of the system rather than introduce any practice that would punish someone for raising an issue, if an investigation of the allegation was "unsuccessful."
[11] Section 806 of Sarbanes-Oxley also provides an express cause of action to an employee who is discharged, demoted, suspended, threatened, or harassed for providing information about violations of the federal securities laws or fraud to any law enforcement body, supervisor, or any person who has authority to investigate misconduct. In addition, Section 1107 of Sarbanes-Oxley makes it a crime for any person, with intent to retaliate, to knowingly take any actions harmful to any person (including interference with lawful employment or his/her livelihood) just because that person provided truthful information to a law enforcement officer relating to the commission or possible commission of a federal offense.
[12] Under the Nasdaq standards, a code must have an enforcement mechanism that ensures prompt and consistent enforcement of the code, protection for persons reporting questionable behavior, clear and objective standards for compliance, and a fair process by which to determine violations.
[13] Nasdaq also requires disclosure of the reason for the waiver.
[14] See Instructions to Item 10 of Form 8-K. An "executive officer is defined in Rule 3b-7 of the Exchange Act. To avoid implicit waivers, Board members may consider surveying executive officers to determine whether they are aware of any material departures from the code by senior management.
[15] Some companies set expiration dates for their codes, which forces the Board to reapprove the code periodically. This process has the benefit of focusing attention on changes that may have occurred in the organization and its values and on laws affecting the code, and has the additional benefit of reinforcing the values underlying the code.
[16] Lynne Sharpe Paine, "Managing for Organizational Integrity," HARVARD BUS. REV. (March–April 1994).
[17] Curtis Verschoor, "A Study of the Link Between a Corporation's Financial Performance and Its Commitment to Ethics," JOURNAL OF BUS. ETHICS (Oct. 1998).
[18] Dr. Verschoor's work was repeated recently with similar conclusions by the London-based Institute of Business Ethics, which focused on publicly traded companies in the United Kingdom. See Webley and Moore, "Does Business Ethics Pay? Ethics and Financial Performance," Institute of Business Ethics (April 2003).
[19] See, e.g., Burlington Industries, Inc. v. Ellerth, 524 U.S. 742 (1998).
[20] The Sentencing Guidelines are available through links at www.ussc.gov>.
[21] Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions, Release No. 34-44969 (Oct. 23, 2001), available at www.sec.gov/litigation/investreport/34-44969.htm>.
[22] Factors the Commission will consider include: Was the misconduct the result of pressure placed on employees to achieve specific results, or a tone of lawlessness set by those in control of the company? How high up in the chain of command was knowledge of, or participation in, the misconduct? How systemic was the behavior? Is it symptomatic of the way the entity does business, or was it isolated? How was the misconduct detected and who uncovered it? How long after discovery of the misconduct did it take to implement an effective response? Are persons responsible for any misconduct still with the company? If so, are they still in the same positions? Did the company promptly, completely and effectively disclose the existence of the misconduct to the public, to regulators and to self-regulators? Did the company cooperate completely with appropriate regulatory and law enforcement bodies? Did the company take steps to identify the extent of damage to investors and other corporate constituencies? Did the company appropriately recompense those adversely affected by the conduct? Were the Audit Committee and the Board of Directors fully informed? If so, when? What assurances are there that the conduct is unlikely to recur? Did the company adopt and ensure enforcement of new and more effective internal controls and procedures designed to prevent a recurrence of the misconduct?
[23] Statement of Auditing Standards (SAS) No. 78, issued by the AICPA Auditing Standards Board, requires external auditors to perform procedures to understand a company's internal control environment, including integrity and ethical values. SAS 78 notes that the culture of an organization, including its ethical values, can affect the strength of all other internal controls.
[24] See In re: Caremark Int'l Inc. Derivative Litigation, 698 A2d 959 (Del. Ch. 1996).
[25] Remarks before the Economic Club of New York by SEC Chairman William H. Donaldson (May 8, 2003), available at www.sec.gov/news/speech/spch050803whd.htm>.
[26] Report dated January 9, 2003, available at www.conference-board.org/pdf_free/758.pdf>. The report also contains recommendations regarding the evaluation of the tone at the top and tools and processes for implementing an ethical climate.
[27] See Trevino, Weaver, Gibson, and Toffler, "Managing Corporate Ethics and Corporate Compliance: What Works and What Hurts," 41 CAL. MNGMT. REV. (Winter 1999) ("a firm's approach to ethics and compliance management has an enormous impact on employees' attitudes and behaviors ... we found that specific characteristics of the formal ethics or compliance programs matter less than the broader perception of the program's orientation toward values and ethical considerations.")
[28] There are many other useful resources. Among these, the Ethics Resource Center, www.ethics.org, and the Defense Industry Initiative on Ethics and Business Conduct, www.dii.org, provide guidance on creating codes of ethics and other ethics-related information.

Edward L. Pittman (epittman@thelenreid.com) practices law with Thelen Reid & Priest LLP in Washington, D.C. Frank J. Navran (frank@ethics.org) is Principal Consultant with the Ethics Resource Center in Washington, D.C. The ERC is a non-profit, non-partisan educational organization. The authors wish to thank Ira H. Jolles of Thelen Reid & Priest LLP's New York office and Lois Yurow of the Wall Street Lawyer for their valuable comments on this article. A more extensive version of this article may be found at www.thelenreid.com and www.ethics.org.

---

Guide to Assessing an Ethical Culture

Organizational Culture

For each of these suggested items of inquiry, the process that the organization uses to come up with the answer is almost as important as the answer itself.

• What are the operational values–the values that define "how things really work around here"–as differentiated from those articulated in a values statement or code of conduct?
• Are the operational values sufficiently close to the articulated values to be essentially congruent?
• To what extent do employees and other key stakeholders believe they are being pressured from within the organization to commit ethical misconduct?
• How common is it for employees to observe others (peers, supervisors, senior management, external agents/stakeholders) engage in ethical misconduct in pursuit of organizational goals? In pursuit of personal goals?
• How satisfied are employees with their jobs?
• How satisfied are employees with their employers?
• Do employees trust that seeking guidance with regard to an ethical question will not result in retaliation and retribution?
• Do employees trust that reporting observed unethical conduct to the designated organizational authorities will not result in retaliation and retribution?
• Do employees believe that the same ethical standards apply to all employees regardless of level, position, or connections?
• To what extent do employees believe that ethics is a legitimate topic of business conversation?
• How often are ethics or values a topic written communication within the company or discussions at Board meetings or among senior mangers and staff? Are ethics and values part of performance appraisals/reviews or employee training (including new employee orientation), or otherwise a topic in critical business conversations?
• To what extent do employees trust that management is telling them the truth, will support them if they are in the right, will appropriately allot credit for significant successes, will recognize extra effort, and otherwise will keep their promises?
• Is there a common language used throughout the organization to facilitate discussion of core values/principles, ethical issues, and how ethical decisions are to be made?
• How confident are employees that senior leadership is committed to ethical standards as fundamental to the business (versus belief that it is a current fad, easily ignored)?

Organizational Process

The Federal Sentencing Guidelines set forth seven characteristics of an effective ethics program for public companies. These characteristics have spawned a set of questions that have come to be viewed as a standard means of assessing compliance with the Sentencing Guidelines. One interpretation of these criteria is set forth below.

Does the Company Have Clear Standards and Procedures?

• Has the organization clearly articulated ethical standards and the procedures to follow in order to meet those standards?
• Have those standards been committed to writing as a code of conduct or code of ethics?

Are Appropriate High-level Personnel Responsible?

• Has someone sufficiently high in the organizational structure been assigned overall responsibility for overseeing compliance with those standards and procedures?
• What specific roles and responsibilities have been assigned that person (or those persons)?
• Are those roles and responsibilities appropriate and adequate?

Is Due Care Observed in Assignments?

• Does the organization have systems for due care in the delegation of significant discretionary authority such that management can be reasonably confident that those given discretionary authority will meet the standards and procedures?
• Who makes those determinations of "fitness"?
• Are there adequate safeguards so those decisions are not compromised by possible conflicts of interest?

What are the Communication Standards and Procedures?

• Has the organization taken appropriate steps to ensure the effective communication of the standards and procedures to all employees, agents, and other appropriate stakeholders?
• Are those communications sufficiently relevant and dynamic so that employees and others are not likely to perceive them as "checking off a box"?

Are There Effective Monitoring, Auditing, and Reporting Systems?

• Has the organization implemented effective systems for monitoring and overseeing the actions of the organization, its employees, agents, and other critical stakeholders, reasonably designed to detect and prevent unethical and/or illegal activities?
• Has the organization developed means of gathering relevant data and reporting it on a regular basis to those charged with ethical oversight?
• Has the organization created safe and effective processes whereby employees, agents, and other key stakeholders can either seek guidance on the application of the standards and procedures and/or report suspected violations of those standards and procedures?

Are Standards Enforced Through Appropriate Mechanisms?

• Are the standards consistently enforced and has that enforcement included the consistent application of reasonable discipline?
• Is that discipline consistently based on the nature of the offense rather than the level/function/position of the offender? In other words, has the organization created disciplinary systems with no double standard?

Are there Appropriate Responses to Any Offenses?

• After an offense has been detected, has the organization taken all the appropriate steps to respond to the event and to prevent similar offenses, including necessary modifications to the standards and procedures?
• Has the organization created systems that enable it to identify patterns and trends to prevent recurrences of unacceptable actions and decisions?

Is There Appropriate Self-Disclosure?

• While not always articulated as one of the official components of an effective ethics program, there is an underlying assumption that the ethical organization, upon discovering an instance of unethical or illegal activity, will voluntarily disclose that activity in a timely manner to the appropriate authorities. This assumption is buttressed by statements of the SEC (among others) that failing self-disclosure will undo much of the mitigating benefits derived from having an effective ethics or compliance program in place.

---

*Frank J. Navran is Principal Consultant with the Ethics Resource Center in Washington,D.C. The ERC is a non-profit, non-partisan educational organization.