Joel Kirsch - Society of Corporate Compliance and Ethics

Volume SixNumber TwoApril 2009BimonthlyMeetJoel KirschV. P. & Chief Compliance OfficerAssociate General CounselSiemens Corporationpage 16Earn CEU Creditvisit: w w w.corporatecompliance.org/quizor see page 38SCCE is going greenSCCE conference attendees will NOT automatically receive conferencebinders. If you would like to purchase conference binders,please choose that option on your conference registration form.Attendees will receive electronic access to course materials priorto the conference as well as a CD onsite with all the conferencematerials.Doing the right thingduring downsizing:The hows matterpage 4Also:Will the newAdministrationhave an impact onCompliance and Ethics?page 33This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 277-4977 or 888/277-4977 with all reprint requests.

Third-party Codesof Conduct: Abenchmarking surveyEditor’s Note: Rebecca Walker is a partnerat the law firm of Kaplan & WalkerLLP, located in Santa Monica, CA andPrinceton, NJ. She is a member of theAdvisory Board of the SCCE and is theauthor of Conflicts of Interest in Businessand the Professions: Law and Compliance,published by Thomson West. She may becontacted by e-mail atrwalker@kaplanwalker.com.For many organizations, the existenceof compliance and ethicsprograms – and the applicationof a company’s code of conduct andother policies to employees throughthose programs – has become the norm.Compliance programs seek to mitigatethe risk of misconduct by, in part, defininga company’s standards and requirementsvia policies and other documents,and educating employees about thosestandards and requirements via training,communications, and other compliance“tools” that have been developedover the years. Of course, it is not onlyemployees who create risks for organizations.Organizations are also subjectto risks of misconduct by virtue of theactions of agents and other third partieswho act on their behalf or partner withthe organization in some way. One needlook no further than recent prosecutionsunder the Foreign Corrupt Practices Actto understand the substantial risks thatcan be created by non-employees of anorganization.By Rebecca Walker, Esq.However, the extent to which organizationscan and should extend theircompliance and ethics programs (orvarious elements of them) to third partiescontinues to be the subject of somedebate. It is also the subject of this, thefirst in a series of benchmarking columnsthat will appear in Compliance and EthicsMagazine.By way of a side note, benchmarking isparticularly important for compliance andethics professionals, because the standardsin this field are, to a large extent, createdin-house by compliance and ethicspractitioners themselves. In other words,government standards tend to reflect complianceand ethics initiatives developedby corporations and other organizations,so that the standards to which organizationsare held are often a reflection ofcompliance and ethics practices withinother organizations. This is reflected inthe Federal Sentencing Guidelines, whichprovide that, in determining what specificactions are necessary to meet the Guidelines’requirements, the government willconsider (among other things) applicableindustry practice. The Guidelines furtherprovide that an organization’s failure toincorporate and follow applicable industrypractice will weigh against a finding of aneffective compliance and ethics program.This makes knowledge about what othersare doing particularly important, hencethe importance of compliance and ethicsbenchmarking.As mentioned above, this month’s benchmarkingquestions (on the extension ofcodes of conduct to third parties) arean important issue for many organizations.Companies continue to grow moredependent on relationships with thirdparties, from joint venture partners toagents to suppliers of goods and servicesto temporary employees to contractors.Third parties are necessary to do businessfor a variety of reasons, and they canalso help reduce costs for organizations,as well as surmounting barriers to entry.However, while third-party relationshipsare essential to businesses, theyalso expose organizations to legal andreputational risk.In recent years, the government has providedsome incentives for organizationsto extend compliance to third parties.For example, in the 2004 revisions to theU.S. Sentencing Guidelines for Organizations,commentary was added thatprovides that large organizations shouldencourage small organizations (especiallythose that have, or seek to have, a businessrelationship with the large organization)to implement effective complianceand ethics programs. 1 The Guidelinesalso discuss third-party compliance in itsdefinition of an effective compliance andethics program. In the area of trainingand communication, the Guidelines providethat organizations shall periodicallycommunicate their standards and proceduresto employees, directors and agents, 2as appropriate, by conducting effectivetraining programs and otherwise disseminatinginformation appropriate to theirroles and responsibilities. 3 Likewise, inthe area of auditing and monitoring, theGuidelines provide that an organizationmust take reasonable steps to have andpublicize a system, which may includemechanisms that allow for anonymityor confidentiality, whereby the organiza-April 200928Society of Corporate Compliance and Ethics • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgThis article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 277-4977 or 888/277-4977 with all reprint requests.

tion’s employees and agents may reportor seek guidance regarding potential oractual criminal conduct without fear ofretaliation. 4 In addition, recent federal acquisitionregulations create requirementsfor government contractors to, in turn,require certain compliance measures,such as codes of conduct, from certaintypes of third parties. 5Despite these government incentives andmandates and the risk mitigation thatcan occur through extension of compliancemeasures to third parties, companiesshould nonetheless be cautious in thisendeavor. In particular, companies shouldbe careful not to create compliance andethics standards that are difficult to monitoror enforce and that could potentiallycreate their own risks of “associative liability.”Extending compliance and ethicsobligations to third parties could lead toreputational harm when a company holdsitself out as requiring others’ compliance,when in fact the company’s ability toensure compliance by third parties maybe limited, a problem which could becompounded if the third-party compliancerequirements more closely link thecompany to the third party in the mindsof the public (and press). There is also arisk that unsatisfied standards could beused against a company in the context oflitigation or a government investigation. 6There are, of course, numerous ways inwhich to extend compliance and ethicsrequirements or expectations to thirdparties, including:n Due diligence regarding potentialbusiness partners’ compliance and ethicsprograms.n Incorporating language into contractswith third parties that require compliancewith laws generally and withspecific legal prohibitions, such as inthe areas of bribery, environmentalcompliance, and child labor.n Requiring third parties to report suspectedmisconduct and disseminatinginformation to third parties regardingreporting procedures, such as thehelpline.n Communicating company policies tothird parties, such as through letters tothird parties regarding the company’sgifts and entertainment policies.n Training third parties on the ethicsand compliance program or on particularcompany policies or procedures.n Auditing third parties.n Distributing the company’s internalcode or a third-party code to thirdparties.The SurveyIn January 2009, SCCE sent a randomsurvey to compliance professionals. Thebenchmarking survey focused on codes ofconduct. More than 400 people responded.The questions asked and responsesreceived include:Does your organization disseminate itsinternal, employee code of conduct tothird parties?47% of responding companies stated thattheir organization does disseminate itsinternal code to third parties, and 53%said that their organization does not.Does your organization requirethird parties to certify to its internal,employee code of conduct?26% of responding organizations requirethird parties to certify to their codes, and74% do not.If yes, what dollar threshold of businessbetween your company and a third partymust be reached before the third party isrequired to certify to your organization’sinternal, employee code of conduct?92% of respondents said they have nothreshold (See Figure 1 on page 30).Does your organization have athird-party code of conduct that isapplicable to third parties only (andnot to employees)?17% of respondents do; 83% do not.The number of companies that disseminatetheir own code to third parties isfewer than half. In addition, only 17%Continued on page 30Society of Corporate Compliance and Ethics • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgApril 200929This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 277-4977 or 888/277-4977 with all reprint requests.