An organization’s code of conduct often serves as the foundation upon which other elements of the compliance program—such as employee training and communications—are built. More than just a tool for establishing baseline compliance, a strong code can help shape behavior, clarify expectations, and reinforce ethical values across the organization. When well-crafted and regularly updated, and supported by strong operational policies, a code of conduct can help embed a culture of compliance across the workforce.
At the 2024 PLI Advanced Compliance & Ethics Workshop last October, attendees explored strategies for code and policy management in a dynamic panel led by the fabulous Kari McCulloch, former Compliance Director at Sempra, and Karen Moore, Principal of Sounding Board Compliance, LLC. Real-time polling of participants – seasoned compliance professionals from a range of industries – highlighted both encouraging trends and clear opportunities to enhance current practices.
The Conference Advantage: Real-Time Learning About Real Challenges
At every PLI Compliance & Ethics Workshop, the real-time benchmarking stands out – not just for the data itself, but for the conversations it sparks and the opportunity it provides to turn statistics into practical insights. For example, when the benchmarking reveals that more than 20% of participants involve 11 or more experts in code reviews, it prompts meaningful discussion about how such a process is structured and sustained within organizations.
This tradition of peer learning and connection will continue at the upcoming PLI C&E Essentials program, scheduled for June 26-27 in NYC and virtually. https://www.pli.edu/programs/compliance--ethics-essentials/412798.
In the meantime, we take a deeper look at the insights around codes and policy management gathered from the 2024 conference, below.
Revision Frequency: The Annual Approach Dominates
Polling from the 2024 conference revealed that, while nearly half of participants’ organizations maintain annual code revision cycles, a significant proportion (21%) have no set schedule for code updates:
• Every year (45%)
• Every two years (18%)
• Every three years (7%)
• Less frequently than every three years (8%)
• No set schedule, revise as needed (21%)
• What code of conduct? (1%)
The strong preference for annual and biannual revisions (two thirds of participants) indicates that most compliance professionals recognize the code of conduct as a living document requiring regular attention. As Karen Moore, one of the panel speakers and a wonderful compliance thought leader, noted, “Review does not necessarily mean a complete revamp, but rather an assessment of whether the code tone and content accurately reflect the company’s culture and risk profile. With so many changes in the compliance landscape these days, keeping it fresh and relevant is important to maintaining the code’s status as a key reflection of the company’s expectations of business conduct.”
While annual revisions aren’t appropriate for every organization, the prevalence of this approach is consistent with best practice. A regular review schedule, combined with ad hoc updates to address identified issues, helps ensure that the code can function as a compliance tool.
Using Subject Matter Experts: Balancing Scope and Depth
When it comes to involving subject matter experts in code review, the polling results showed a strong preference for expert input, indicating that the code is recognized as a cross-functional concern:
• None, I did it myself (2%) - The solo approach is rare
• 1-10 experts (74%) - The vast majority use some expert review
• 11-50 experts (22%)
• 50+ experts (2%)
As Karen Moore explained, “Expert input is critical to ensuring that the language covers the essentials. No compliance officer or team can be expected to act as subject matter experts for an increasing scope of risks covered by corporate compliance and ethics programs. And subject matter experts shouldn't be limited to risk areas, but should also include corporate communications and marketing experts as well. The risk, or course, is involving the right number of people for the right part of the work and not getting bogged down in too many opinions. Maintaining overall primary decision making is important to keeping the process efficient and on track.”
Data-Driven Improvements: A Missing Link
Polling on the use of insights to inform codes of conduct highlights an opportunity for organizations to do more. The panel asked whether companies use operational data from code training, investigations, and risk assessments to inform their codes and policies. One example of how this can work: a company identifies a recurring issue in investigation data involving confusion around gifts and hospitality thresholds. In response, the company revises the gifts policy to clarify guidance and adds targeted scenarios to its FAQs.
While 4 out of 5 organizations use data at least to some extent to validate their codes and policies, 1 in 5 don’t use this data at all:
• Not at all (20%) - Missing critical feedback loops
• Some data integration (71%) - Benefitting from some use of available insights
• Fully integrated approach (9%) - Comprehensive use of data
By more intentionally applying data insights, organizations have a significant opportunity to address compliance risks in their codes and policies.
Another helpful insight from Karen Moore: “Failing to use available data in code updates is a truly missed opportunity to making the code effective and relevant. Root cause analysis on misconduct for example, should be asking the question ‘did this occur because something in the code or related training is missing or misunderstood?’”
External Benchmarking: Infrequent but Important
Most organizations periodically benchmark their codes of conduct against external resources like other companies’ codes, industry standards (e.g., ECI’s High-Quality Programs (HQP) index), or government guidance (such as the DOJ’s ECCP). The results of polling regarding frequency of external benchmarking are not particularly surprising, but are important to note:
• Annually (26%)
• Every two years (17%)
• Between 2-5 years (38%)
• Rarely if ever (19%)
Policy Management: Static Solutions Dominate
Perhaps the most revealing polling question focused on use of policy management tools. Only 2 in 5 participants use some kind of tool to actively manage policies:
• External vendor’s policy management tool (19%) - Leveraging professional solutions
• Home-grown policy tool (23%) - Custom internal solutions
• Static policy repository (like SharePoint) (43%) - Most common approach
• No system to track policy version control (14%)
It’s particularly notable that almost half of participants rely on static repositories, limiting their ability to track changes, manage approvals, and optimize accessibility. These findings highlight both the challenge and an opportunity in policy management: maintaining a record of the decision-making process to show what changes were made, who made them, why and when.
Translating Insights into Action
The code of conduct and underlying policies fundamentally shape an organization’s compliance culture and risk exposure. Understanding how peers approach the challenge of ensuring codes stay current and meaningful was a key takeaway for participants attending the 2024 PLI Advanced C&E workshop.
Whether among the 9% who fully integrate operational data into their code reviews, or the 20% who don’t (yet) use such data at all, the insights shared during the panel on code and policy management provided a valuable learning opportunity.
PLI’s upcoming 2025 conference promises to build on these insights with more real-time peer benchmarking. I hope you can join us in the room to be part of the conversation.
[View source.]
