When former Morgan Stanley employee Garth Peterson pled guilty to violating the Federal Corrupt Practices Act by conspiring with a Chinese official to circumvent his company’s internal controls, the company avoided being penalized because it could provide substantial documentation of a robust compliance system. Had Morgan Stanley not been so committed to the implementation of transparent and thorough internal controls, things might have turned out very differently. All publicly traded companies are required under the Sarbanes-Oxley Act to have a code of conduct. While these codes are expected to convey clear guidelines to management and employees for ethical behavior, they also publicly convey a company’s culture and values—which can be important for investors, regulators, and other external stakeholders. Developing solid codes of conduct is a time-consuming and complicated process, but one that, as proven by the Morgan Stanley case, is well worth the effort. Erica Salmon Byrne is the senior vice president of compliance advisory services and assistant general counsel for Corpedia, an e-learning and consulting practice that focuses on compliance and has published some 2,700 codes of conducts for companies across a wide range of business sectors. In August 2011, Corpedia released a whitepaper entitled “The Best Practices in Code of Conduct Development,” in which the authors, including Salmon Byrne, outline guidelines and procedures for drafting or revising a code of conduct. Though codes of conduct vary from one industry to another, Salmon Byrne insists that any code of conduct should have two components. “At a very minimum, the code should tell people where to go with questions and concerns. If someone sees a red flag and doesn’t say something, then the code has failed,” says Salmon Byrne, a former corporate defense lawyer, who moved from DLA Piper to Corpedia five and a half years ago. “It should also enforce the company’s commitment to non-retaliation. Every survey indicates that the reason people don’t report things is because they’re afraid something will happen to them.” Since Sarbanes-Oxley first mandated them in 2002, codes of conduct have evolved drastically. In their earliest iterations, these documents, written by industry experts and lawyers, were jargon-laden and dense. Now, however, there is an emphasis on accessibility, and many companies are using interactive media to include hyperlinks to policies and relevant documents, graphics, photos, and videos. And more consideration is given to readability, to ensure the code is understood by everyone from the chief financial officer to line workers. “A good code will cap off at 10,000 words,” says Salmon Byrne. “The average person can read between 250-300 words per minute, and between a 9th and 10th grade reading level.” She notes that any company’s code of conduct should take no more than 45 minutes to read. Ryan McConnell, a partner in Baker & McKenzie’s Houston office and columnist for CorpCounsel.com, specializes in white-collar defense and advising clients on compliance related issues, and has spent a lot of time analyzing code of conduct. “I think the most important thing is that people read it,” he says. “The key for me is that the code represents the company’s culture. Every code is different because every company is different. The critical thing is to make sure you have buy-in from the company.” To do this, McConnell gathers input from all the necessary stakeholders before drafting a code of conduct. “To write a document that speaks to everyone, you have to pull people in,” he says. “It can’t be a conference call—it needs to be a workshop with the legal experts, sales and marketing people, the heads of departments.” Whether a company uses a vendor like Corpedia to write their code or taps in-house experts, challenges still abound. For one, writing a good code of conduct takes time; Corpedia allots approximately 13 weeks for the drafting and revision process. Even more vexing is the increasingly global nature of business, as legal guidelines and cultural values can vary from one country to another. For example, in European Union countries, getting the go-ahead from works councils can both complicate the process of garnering approval and lengthen the time required to roll out a code. Still, Salmon Byrne insists that even for multi-nationals, having one streamlined code of conduct is more effective—and in many ways, most fair. “One code will help employees around the world know they are being held to one single standard—which is good for compliance programs. Also, this eliminates any insider/outsider feeling and reinforces the idea that it’s all one company.” Many companies are in their second, third, or even fourth iterations of their codes of conduct, McConnell notes. While Corpedia suggests that codes be rewritten every two or three years, it’s also pertinent to review codes annually to discern what is missing and/or what might have changed in the business world. For example, many recent codes of conduct now address issues related to social media. Going forward, McConnell says he also expects issues related to data privacy protection and human rights to have a greater presence in company codes.