Understanding Where Codes of Conduct Fit In Your Supply Chain

[email protected] / www.assentcompliance.com / 1 866 964 6931 / © Assent Compliance 2016

Code of Conduct Assessments

mailto:[email protected]



http://www.assentcompliance.com



Today’s Presenter

Travis MillerAssent ComplianceGeneral Counsel

2







Agenda

What is a Code of Conduct?

Evaluating a Code of Conduct

Business and Legal Implications

Implementing a Code

Questions

12345

[email protected] / www.assentcompliance.com / 1 866 964 6931 / © Assent Compliance 2016 3












INTRODUCTION







Assent Product SuitesOur Market Leading Platform

Ethical Sourcing

Materials Management

Supplier Information Management

InspectionsConfigurable Surveys & Declarable

Substance Lists

5







Code of Conduct







What Is a Code of Conduct?A mandate to public companies

◆ A code of conduct is a set of rules outlining the social norms and responsibilities of, or proper practices for, an individual, party or organization.

◆ The Sarbanes-Oxley Act of 2002 (SOX) directed the Securities and Exchange Commission (SEC) to issue new rules requiring public companies to disclose whether they have adopted a code of ethics (or code of conduct) that applies to key officers. ⬦ The law requires companies that have not adopted

a code to explain why not ⬦ The SEC’s rules took effect in January 2003

7







◆ The Federal Sentencing Guidelines for Organizations of 1991 (FSGO) provides additional incentives for companies to adopt an effective code of conduct.

◆ On November 1, 2004, the guidelines were amended to provide for reduced penalties for companies that have “effective programs to prevent and detect violations of law.” To have an effective compliance and ethics program, an organization must “exercise due diligence to prevent and detect criminal conduct” and “otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

Federal Sentencing Guidelines

8

What Is a Code of Conduct?







Under the guidelines, an organization with an effective compliance and ethics program will:⬥ Establish standards and procedures to prevent and detect criminal conduct

Federal Sentencing Guidelines: Evaluation Criteria

9









⬥ Provide leadership and oversight of the compliance and ethics program at the highest levels of the company

10

Federal Sentencing Guidelines: Evaluation CriteriaWhat Is a Code of Conduct?









⬥ Communicate standards, procedures and other aspects of the compliance and ethics program by conducting effective training programs and otherwise disseminating information appropriate to an employee’s role within the organization

11











⬥ Exercise due care to not give substantial authority within the organization to individuals whom the organization knows, or should have known, have broken the law or engaged in other conduct that is inconsistent with an effective compliance and ethics program

12












⬥ Establish monitoring and auditing procedures to detect criminal conduct, periodically evaluate the effectiveness of the compliance and ethics program, and have and publicize a system for employees to report and seek guidance about potential criminal conduct without fear of retribution

13













⬥ Promote and enforce the compliance and ethics program consistently throughout the organization, including providing appropriate discipline for engaging in or failing to take reasonable steps to prevent or detect criminal

14













⬥ Promote and enforce the compliance and ethics program consistently throughout the organization, including providing appropriate discipline for engaging in or failing to take reasonable steps to prevent or detect criminal conduct

⬥ Respond appropriately to criminal conduct that’s detected, and take reasonable steps to prevent similar conduct in the future, including making any necessary modifications to the company’s compliance program

15








The NYSE requires listed companies to adopt a code of business conduct and ethics for directors, officers and employees, to include the code on their websites, and to disclose in their annual report the code’s availability, on the company’s website and in print, to any shareholder who requests it.

The NASDAQ requires listed companies to have, and make publicly available, a code of conduct that complies with the Sarbanes-Oxley code of ethics guidelines and provides clear and objective compliance standards, a fair process for determining if a violation has occurred, a mechanism for ensuring prompt, consistent enforcement of the code, and protection for those who report questionable conduct.

Requirement to participate in U.S. stock exchanges

16








The Federal Acquisition Regulation (FAR) requires most companies doing business with the federal government to adopt a code of conduct and provide periodic and effective training to principals and employees on the provisions of the code.

Contractors must disclose whenever they have reasonable grounds to believe that federal law has been violated in connection with a federal contract.

Requirement to do business with the U.S. government

17








A code of conduct is a long-form policy document that is put together by companies seeking to comply with a series of laws and to mitigate penalties should they be found to have violated behavioral rules and regulations.

The results of implementing the code of conduct are regularly reported in both financial (SEC filings) and non-financial (CSR reporting) formats.

Short Answer

18








Evaluation







Evaluating Codes of ConductCodes of conduct tend to be very industry specific. However, there are a few attributes that tend to appear in all codes of conduct. See the EICC example below:

ENVIRONMENT◆ Permits and reporting◆ Pollution prevention◆ Hazardous substance management◆ Wastewater◆ Solid waste◆ Air emissions◆ Product substance content

HEALTH & SAFETY◆ Emergency preparedness◆ Injury and illness prevention◆ Industrial hygiene◆ Machine operation safety◆ Operator training◆ Personal protective equipment◆ Dormitory and bathroom

ETHICS◆ Business integrity◆ Anti-Bribery, Anti-Corruption◆ Proper disclosure◆ Intellectual property◆ Fair competition/trade◆ Personal data protection/privacy◆ Responsible sourcing◆ Non-retaliation

LABOR◆ Free employment/slavery prevention◆ Prevention of child labor◆ Reasonable working hours◆ Fair wages and benefits◆ Humane treatment◆ Non-discrimination◆ Freedom of association

20







Comparative Analysis

The most effective way to assess whether a code of conduct aligns with your own business policies and practices is to:

Itemize the key points of the code into an Excel or word document

Identify your own policies and programs that relate to the elements of the code

If there are gaps, identify the relevant business organizations that would need to be involved to close the gaps

Take a business decision if the gap is worth closing

Close the gaps or respond to the customer that the code cannot be adopted by your organization

21

123

45







Case Study: Evaluating Codes of Conduct

There can be nuances to these codes of conduct that might not be viable for a business or that could conflict. As a result, you have to look closely at the language.

Example fact pattern:

⬥ A large electronics OEM has requested that you adopt their code of conduct, saying that it aligns closely to the EICC Code of Conduct Industry Standard.

⬥ At first glance, the standard appears to be closely aligned to the EICC. However, on closer inspection your team identifies a discrepancy.

22







Case Study: Evaluation Codes of Conduct (cont’d)

When itemizing the key points of the code of conduct and identifying internal procedures, your team identifies the following discrepancy in the labor practices section:

Internal Procedure EICC Code of Conduct Customer's Code of Conduct

Maximum of 50 hours a week (10 hours of OT allowed during peak hours)



◆ The internal procedure is clearly below the EICC code of conduct.◆ However, the internal procedure is just a little over the customer’s code of conduct (two hours

more, to be exact).

So, what do you do?

23







Case Study: Evaluation Codes of Conduct (cont’d)The discrepancy is small (only two hours difference). However, the issue leads to a binary question that must be addressed. How much impact would this change have?

◆ Stakeholders

⬦ Human resources will have to change all procedures and tracking systems to reflect the maximum OT

⬦ Manufacturing will have to shift to a more compressed workweek and consider if additional labor is required

⬦ Legal will have to review the change against local labor practices and any union

contracts to determine if it is legal to take away hours and change policies to reflect the change in labor practices

⬦ Management/operations will have to determine the amount of attrition that will result

from the change and if wage changes are necessary to compensate for the lost opportunity to earn overtime

24







LowCosts High

BenefitsLow/High

High Benefit, Low Cost

Low Benefit, High Cost High Benefit, High Cost

Low Benefit, Low Cost

Decision Reference Guide Slide

Key Takeaways◆ What constitutes a high or low benefit or

cost is subjective and based on the company’s perception and values

◆ Once those metrics are established, you can apply normalized logic and reasoning to your decision. For example:◇ HBLC is a no-brainer — do it◇ LBHC is also a no-brainer — do not do it◇ LBLC and HBHC are variable and based

on factors like:■ Risk appetite■ ROI needs■ Growth goals■ Austerity■ Importance of this client

25







Case Study: Evaluation Codes of Conduct (cont’d)Outcome

⬥ With all the analysis complete you are left with one of two action items you must carry out

⬦ Internalize the necessary changes and incur the cost of

implementing the change. It is ideal an agreement or other

mechanism is in place in advance of taking these actions to ensure the benefits are recognized

⬦ Communicate the reluctance to adopt the requested

changes to the customer. Recognize that this

communication may also result in costs in the form of lost business and a relationship with the customer

26







Business & Legal Implications







Business ImplicationsModern codes of conduct are very prescriptive and wide ranging in nature. They often cover such diverse topics as:

◆ Labor practices

◆ Health and safety practices

◆ Environmental concerns

◆ Ethical and behavioral practices

◆ Management and quality systems

◆ Sourcing and supply chain management

◆ Compensation

28







Business Implications

◆ The diversity of these formats often masks the fact that many of the requirements have a legal attribute to them

◆ These codes are often treated as a gatekeeper for large procurement departments

◆ Specifically, if a supplier cannot attest to the standardized labor and ethical norms, then the supplier is deemed to be too high risk to engage in robust business opportunities

29







Business ImplicationsThe consequence can be significant

Since 1995, Macy’s, Inc. has had a stringent Vendor & Supplier Code of Conduct (the “Vendor Code”) that sets out specific standards and requirements for any supplier doing business with Macy’s, Inc. This includes private brand goods produced through contracted vendors. The Vendor Code is designed to protect workers in this country and abroad. All of the company’s vendors agree to comply with the company’s Vendor Code and Statement of Corporate Policy on Child or Forced Labor and Unsafe Working Conditions. Among other things, the Vendor Code requires that suppliers of Macy’s private brand merchandise allow unannounced factory audits (within a 14-day audit window) for contractual compliance, as well as for compliance with laws and regulations dealing with child or forced labor, wages and hours, and unsafe working conditions. Noncompliance with the Vendor Code has resulted in termination of 96 factories in the 2011-2014 period.

30







Business ImplicationsHowever, parties flowing down codes must also be aware

31






[email protected] / www.assentcompliance.com / 1 866 964 6931 / © Assent Compliance 2016 32

The New Environmental MovementThe current legal changes are as big as those from the 1960s and 1970s◆ The population's awareness and attention to

environmental matters is practically at an all-time high

◆ The number of new rules and regulations are also surging. In fact, the environmental code is second only to the tax code in the sheer volume of text and law dedicated to the matters

◆ Most citizen animosity towards corporations is no longer focused on profits, it is focused on behavior and culture

◆ This regulatory climate requires an understanding of very complex rules and the ability to build programs that manage them







Legal ImplicationsEnvironmental, Health and Safety (EHS)Natural Resource Protection (Conservation)

◆ Rivers and Harbors Act - 1899

◆ Lacey Act - 1900

◆ National Monuments Act - 1930

Impact Assessments (Research)

◆ Air Pollution Control Act - 1955

◆ Solid Waste Control Act - 1965

◆ National Environmental Policy Act - 1970

Factory Output Regulation (Regulating the Source)

◆ Clean Air Act - 1963

◆ Clean Water Act - 1972

◆ Resource Conservation and Recovery Act (RCRA) - 1976

◆ Superfund (CERCLA) - 1980

33







Legal ImplicationsCase Study: Impact Assessments - Research Before Approval

First offshore oil wells to blow out contaminating 100+ miles of California coastline. No diligence prior to approval. Result – NEPA.

34







Legal ImplicationsFactory Output Regulation - Regulating the Source

River near industrial area catches fire. Result – Clean Water Act.

35







Legal ImplicationsRegulating Greenhouse Gases

Images of terrible smog, flooded countries and stranded polar bears.Result – Greenhouse gas regulations.

36







Legal ImplicationsThese Rules Have Serious Implications

37







Legal ImplicationsTransactional behavior regulationsImport/Export Control (Restricted Transactions)

◆ Trading with the Enemy Act - 1917

◆ The Export Control Act - 1940

◆ International Traffic in Arms Regulations - 1979

Financial Regulations (Financial Controls)

◆ Napoleon's Continental System - 1806-14

◆ Federal Corrupt Practices Act - 1977

◆ Sarbanes Oxley - 2002

Government Contracting (Behavioral Flowdowns)

◆ Defense Secrets Act - 1911

◆ Civil Rights Act - 1964

◆ Office of Federal Procurement Policy Act - 1974

38







Legal ImplicationsImport/export regulations

IP theft, war, and terrorism. Result – EAR.

39







Legal ImplicationsGovernment contracting laws

Bribery, theft, corruption. Result – FCPA.

40







Legal ImplicationsProduct Compliance RegulationsMaterial Regulations (Substance Controls)

◆ Packaging and Packaging Waste - 1994

◆ RoHS - 2002

◆ REACH - 2006

Supply Chain Transparency (Labor Practice Disclosures)

◆ Conflict Minerals - 2010

◆ CA Transparency in Supply Chains - 2010 (effective 2012)

◆ UK Modern Slavery - 2015

Data Privacy (Protecting the Disclosure)

◆ Data Privacy Act - 1998

◆ Law on the Protection of Consumer Rights and Interests - 2014

◆ Defend Trade Secrets Act - 2016

41







Legal ImplicationsSupply chain transparency

Slavery and human trafficking found to be used in the supply chain of products. Result – Mandatory disclosures.

42







Legal ImplicationsData privacy

Countries learn their allies are spying on them and their people. Result – Data privacy laws.

43







Implementing a Code







Implementing a Code

45

When implementing a code of conduct and updating the associated programs, there are three methodologies that can be leveraged:◆ Risk averse model◆ Speed to market model◆ Compliance model







Implementing a Code

When implementing a code of conduct and updating the associated programs, there are three methodologies that can be leveraged:◆ Risk averse model◆ Speed to market model◆ Compliance model

46

While there are other compliance models, we will discuss and focus on these three. From our experience, they tend to be the most effective mechanisms to manage supply chain code of conduct roll-outs.







Implementing a CodeRisk Averse Model The risk averse model is most commonly deployed by companies where safety is a large aspect of regulatory compliance and consequences of product-compliance failures can be catastrophic (examples include aircraft and healthcare companies).

47







Implementing a CodeRisk Averse Model The risk averse model is most commonly deployed by companies where safety is a large aspect of regulatory compliance and consequences of product-compliance failures can be catastrophic (examples include aircraft and healthcare companies).◆ A code of conduct is treated as a legal document that is audited to and

deemed a mandatory requirement for doing business◆ The regulatory group usually has a direct reporting structure into the CEO or

general manager of a business unit◆ Products tend to be designed to the most stringent regulatory standards that

ensure any deviation to approved goods or processes are communicated to the company

48







Implementing a CodeRisk Averse Model The risk averse model is most commonly deployed by companies where safety is a large aspect of regulatory compliance and consequences of product-compliance failures can be catastrophic (examples include aircraft and healthcare companies).◆ A code of conduct is treated as a legal document that is audited to and

deemed a mandatory requirement for doing business◆ The regulatory group usually has a direct reporting structure into the CEO or

general manager of a business unit◆ Products tend to be designed to the most stringent regulatory standards that

ensure any deviation to approved goods or processes are communicated to the company

To operate under a risk averse code of conduct, you must be prepared to be audited to all aspects of the code and be able to demonstrate with evidence that you are meeting the requirements. This is the most labor-intensive form structure from a supplier standpoint.

49







Implementing a CodeSpeed to market (a.k.a. compliant by design) model The speed to market model is best defined by instances where the regulatory group operates closely with the research and development organization (example: consumer electronics and goods).

50







Implementing a CodeSpeed to market (a.k.a. compliant by design) model The speed to market model is best defined by instances where the regulatory group operates closely with the research and development organization (example: consumer electronics and goods).◆ The core goal of the code of conduct is to facilitate getting a product approved

efficiently and quickly to allow fast product launches◆ The regulatory organization is typically integrated into the product-development or

engineering process from the early strategy and concept-development stages◆ This allows the regulatory function to identify and include regulatory requirements

for new markets into the product-development plan early. These models tend to be very engineering specification-driven and rely upon performance reviews for analysis of supplier capability.

51







Implementing a CodeSpeed to market (a.k.a. compliant by design) model The speed to market model is best defined by instances where the regulatory group operates closely with the research and development organization (example: consumer electronics and goods).◆ The core goal of the code of conduct is to facilitate getting a product approved

efficiently and quickly to allow fast product launches◆ The regulatory organization is typically integrated into the product-development or

engineering process from the early strategy and concept-development stages◆ This allows the regulatory function to identify and include regulatory requirements

for new markets into the product-development plan early. These models tend to be very engineering specification-driven and rely upon performance reviews for analysis of supplier capability.

To operate under a speed to market code of conduct model, you must develop a very detailed engineering specification and control that evaluates all of the regulatory requirements and markets you operate in. Your code of conduct will be highly prescriptive and mandate supplier adoption and flow-down. Anticipate annual quarterly business reviews and supply chain performance assessments to incorporate a CSR component that impacts purchasing behavior.

52







Implementing a CodeCompliance model The compliance model is more reactive than the previous two discussed models. This model is hallmarked by having a regulatory organization that functions within a business silo and that does not report directly to senior management (example: business to business manufacturing companies).

53







Implementing a CodeCompliance model The compliance model is more reactive than the previous two discussed models. This model is hallmarked by having a regulatory organization that functions within a business silo and that does not report directly to senior management (example: business to business manufacturing companies).◆ The main function of a code of conduct is to mitigate risk and to maintain an

evidentiary record that a level of supply chain communication has occurred◆ While the regulatory organization sits in one or more business silos, it tends

to be highly independent and has a focus on managing customer requests◆ This model places a great emphasis on understanding customer needs, and

adapting to and amalgamating various customer compliance requests into its own policies, even if legal requirements do not directly apply to the business.

54







Implementing a CodeCompliance model The compliance model is more reactive than the previous two discussed models. This model is hallmarked by having a regulatory organization that functions within a business silo and that does not report directly to senior management (example: business to business manufacturing companies).◆ The main function of a code of conduct is to mitigate risk and to maintain an

evidentiary record that a level of supply chain communication has occurred◆ While the regulatory organization sits in one or more business silos, it tends

to be highly independent and has a focus on managing customer requests◆ This model places a great emphasis on understanding customer needs, and

adapting to and amalgamating various customer compliance requests into its own policies, even if legal requirements do not directly apply to the business.

To operate under a compliance code of conduct model, you need to be highly attuned to customer inquiries and have a defined process for adapting and communicating your code of conduct updates to your supply base.

55







[Webinar] Compliance Essentials: Managing Conflict Mineral ProgramsThursday, November 10th | 1PM EST

[Webinar] RoHS Around the World - Part 2Tuesday, November 15th | 1PM EST

Upcoming Educational SummitsNovember 17, 2016 | BostonFebruary 8, 2017 | San Jose

Restricted Substances & Product Compliance ForumDecember 1, 2016 | Chicago

Upcoming Events: Webinars & Conferences

Learn more about Assent events:www.assentcompliance.com/events

56






http://www.assentcompliance.com/events




Q&A Discussion

Questions?

57






Understanding Where Codes of Conduct Fit In Your Supply Chain

Education

Transcript of Understanding Where Codes of Conduct Fit In Your Supply Chain