Monday, March 2, 2026

5 code of conduct red flags, how to avoid them and keep your code alive

Written by Iratxe Gurpegui
9 min read

A code of conduct can be one of your strongest controls, or one of your biggest liabilities. It is easy to publish a polished document that looks reassuring to leadership, auditors, and business partners. It is much harder to make it shape real decisions, especially under pressure.

This is the core idea in Muel Kaptein’s work on the “living code”: a code “says a lot” about the desired state, but “says nothing” about what happens in practice unless you embed it with discipline and evidence (Kaptein, The living code).

Code of conduct definition, in plain terms

A code of conduct is an independent, written, prescriptive document, developed by and for an organization, to guide the current and future conduct of its managers and employees.

That definition has implications that matter in audits and investigations:

  • It is prescriptive, not a description of “how we behave today”.
  • It is independent, not scattered clauses across an employee handbook or a contract.
  • It applies to everyone, including leadership.
  • It is about ethical conduct, not just operational instructions.
  • It covers multiple topics in a coherent way, with links to related sub-policies.

What a code of conduct is not

Many programs fail because they confuse the code with other documents. The distinction is useful when you structure your policy library and evidence.

Code of conduct
  • What it is for: Sets shared expectations and decision principles across topics
  • Typical owner: Board, CEO, compliance/legal
  • Why it is not enough on its own: Too high-level unless embedded in processes

Sub-policy (gifts, conflicts, antitrust, etc.)
  • What it is for: Provides specific rules, thresholds, workflows
  • Typical owner: Compliance with functional owners
  • Why it is not enough on its own: Can become fragmented, inconsistent, or ignored

Procedure or work instruction
  • What it is for: Describes how to execute a task
  • Typical owner: Business operations
  • Why it is not enough on its own: Often misses ethical judgment and escalation logic

Employee handbook
  • What it is for: Consolidates HR and workplace practices
  • Typical owner: HR
  • Why it is not enough on its own: Usually not designed as a compliance control framework

What a code of conduct is for (and why regulators care)

A code is not “compliance communications”. It is a governance instrument with two audiences.

Internally, it should:

  • Orient people (what the company is trying to be)
  • Clarify boundaries (what is acceptable and not)
  • Guide decisions (how to act in gray zones)
  • Enable accountability (a shared reference for challenge)

Externally, it helps:

  • Legitimize the organization’s conduct (stakeholders can test you against your own commitments)
  • Distinguish the company (especially in bids, partnerships, and hiring)

This internal-external duality is exactly why codes backfire when they are “dead letters”. If you publish commitments you cannot evidence, you create what Kaptein calls the risk of the code becoming “the sword the organization falls on”.

How to create a code of conduct that survives real life, in 7 steps

Most companies do not need an 80-page “carpet banger”. They need a code that is clear, defensible, and operationally connected.

Step 1: Set scope and governance (before drafting)

Decide, in writing:

  • What risks and topics the code must cover (anti-corruption, competition, conflicts, speak-up, data integrity, etc.)
  • Which entities and geographies it applies to (including joint ventures, controlled affiliates)
  • Who owns it (board sponsor, compliance owner, operational co-owners)
  • How exceptions are handled (if any) and who can approve them

If you skip this, your “code project” becomes a drafting exercise without operational authority.

Step 2: Start from dilemmas and operating reality

A code is most useful where people face repeated tension. Gather inputs from:

  • Recent incidents and near misses (investigations, audit findings)
  • Business dilemmas (sales, procurement, tenders, distributor management)
  • Third-party exposure (agents, subcontractors, intermediaries)
  • Cross-border mismatches (France-Spain differences in practices, thresholds, approval cultures)

You are building a decision tool, so you need decision data.

Step 3: Use the “code pyramid” to structure content

[Figure: the “code pyramid”, four stacked layers labeled from top to bottom: mission and vision, core values, responsibilities to stakeholders, norms and rules.]

Kaptein’s pyramid is a practical drafting scaffold:

  • Mission and vision: why we exist and what we aim for
  • Core values: what we expect in attitude and intent
  • Responsibilities to stakeholders: who we owe what to (customers, employees, suppliers, society)
  • Norms and rules: concrete “do and do not” guidance

A useful drafting template is to keep the top layers short, then make the bottom layer operational.

Step 4: Apply 4 quality tests before you circulate a draft

Kaptein proposes four qualities of a good code. In compliance terms, these are also your pre-embedding risk controls.

  • Comprehensive: does it cover the issues that actually arise in your business model?
  • Morally justifiable: can you defend it against law, standards, and stakeholder expectations?
  • Authentic: does it sound like your organization, or like a copy-paste?
  • Manageable: can teams realistically comply, given targets, tools, and resources?

A short “quality gate” checklist you can use in steering committees:

  • Does each section include at least one concrete example or boundary?
  • Is the code readable by non-lawyers?
  • Are key terms defined (public official, facilitation payment, competitor contact, conflict of interest)?
  • Are escalation routes clearly stated (manager, compliance, speak-up channel)?

Step 5: Align to your external obligations without turning it into legal commentary

For anti-corruption compliance programs, for example, you typically want:

  • Clear anti-corruption expectations (including gifts, facilitation payments, third parties)
  • Reference to reporting channels and non-retaliation principles
  • A link to disciplinary consequences

For competition compliance programs you typically want:

  • Clear rules on competitor contacts, trade association behavior, and information exchange
  • A practical “stop and escalate” rule for risky meetings or requests

Keep the code readable, and put legal detail in sub-policies and playbooks.

Step 6: Approve at the right level and translate where needed

A code that is not formally approved at senior level becomes “compliance’s document”. For multijurisdiction teams, translation is not a cosmetic step; it is a control.

Step 7: Connect the code to sub-policies, controls, and evidence

Your code should point to sub-policies (gifts, conflicts, antitrust, investigations) and those sub-policies should reference the code. This creates a coherent policy system and makes audits faster.

5 code of conduct red flags, and how to avoid them

These red flags are common and they signal the gap between paper and practice.

Red flag 1: The code is launched like a communications campaign

What it looks like: a PDF, a CEO email, maybe a one-off e-learning, then silence.

Why it is dangerous: it creates expectations without changing behavior. In a review, you can show distribution, but you cannot show effectiveness.

How to avoid it:

  • Build a 12-month embedding plan before publication
  • Assign owners for each major section (HR, procurement, sales, finance, compliance)
  • Run “dilemma sessions” in teams, not just general awareness

Evidence to keep: embedding plan, attendance records, discussion materials, examples of decisions influenced by the code.

Red flag 2: The code is either too vague, or only rules

What it looks like:

  • Vague: “we act with integrity” with no boundaries or examples
  • Only rules: long lists of prohibitions with no rationale or decision logic

Why it is dangerous: vagueness kills usability, and rule-only codes create loophole hunting and training fatigue.

How to avoid it:

  • Combine values with operational guidance
  • Use “rules of thumb” carefully, but do not outsource ethics to personal conscience alone
  • Add examples for your highest-risk roles (sales, procurement, tenders, distributors)

Evidence to keep: version history showing improvements driven by real dilemmas, role-based annexes or companion guides.

Red flag 3: Leadership behavior contradicts the code

What it looks like: senior exceptions, informal “do what it takes” pressure, visible tolerance of misconduct.

Why it is dangerous: it destroys role modeling, and regulators treat tone at the top as a core effectiveness factor.

How to avoid it:

  • Require leaders to document a small number of “code in action” decisions each quarter
  • Include code behaviors in leadership objectives and evaluation
  • Investigate and address leadership breaches with the same rigor as employee breaches

Evidence to keep: leadership communications, decision records, disciplinary consistency, board oversight minutes (as appropriate).

Red flag 4: The code is not feasible under your incentive and target system

What it looks like: aggressive growth targets, sales incentives, procurement pressure, or understaffing that make compliant behavior unrealistic.

Why it is dangerous: it pushes violations underground and turns controls into theater.

How to avoid it:

  • Run a feasibility review on high-risk processes (tenders, distributor onboarding, high-pressure quarter-end)
  • Adjust incentives that reward risky behavior (or add counter-metrics)
  • Provide escalation routes that do not punish the messenger

Evidence to keep: risk assessments linked to incentive design, remediation actions, documented resourcing decisions.

Red flag 5: There is no safe discussion, no transparency, and no enforcement

What it looks like: people do not ask questions, speak-up is distrusted, investigations are ad hoc, discipline is inconsistent.

Why it is dangerous: it removes your detection and response capacity. Auditors will ask how you know the code is followed.

How to avoid it:

  • Create a practical “ask and escalate” model (manager, compliance, speak-up channel)
  • Train managers on how to handle questions and reports
  • Track investigations, outcomes, and remediation with defined timelines

Evidence to keep: speak-up metrics, case management records, root-cause analysis, disciplinary actions, follow-up controls.

How to keep your code alive, using the 7 “living code” conditions

Kaptein’s “code star” is a practical operating model: if you strengthen these seven conditions, you increase the probability that the code will be followed in practice.

  • Clarity
  • Good role modeling
  • Commitment
  • Feasibility
  • Transparency
  • Discussability
  • Enforcement

Turn the 7 conditions into an audit-ready operating rhythm

A lightweight rhythm that works well in mid-size companies:

  • Monthly: one 30-minute dilemma clinic in each high-risk function (sales, procurement, bids)
  • Quarterly: leadership “code in action” review (2 decisions, 1 lesson learned, 1 improvement)
  • Quarterly: speak-up health metrics and investigation cycle-time review
  • Semiannual: targeted micro-training refreshers for the top 3 risks
  • Annual: code review and update cycle, aligned to risk assessment updates

Map each condition to evidence (what “good” looks like)

This table is a practical way to move from “we have a code” to “we can prove it works”, in the language auditors and reviewers use.

Clarity
  • What you do in practice: role-based explainers, short scenarios, onboarding emphasis
  • Evidence you can retain: training completion, scenario results, onboarding checklist

Good role modeling
  • What you do in practice: leadership decisions aligned to the code, documented
  • Evidence you can retain: decision records, communications, meeting minutes

Commitment
  • What you do in practice: employees can challenge and escalate without penalty
  • Evidence you can retain: survey results, participation rates, examples of escalations

Feasibility
  • What you do in practice: align incentives, provide tools and time
  • Evidence you can retain: incentive review notes, resourcing decisions, control design docs

Transparency
  • What you do in practice: monitoring, registers, sampling, data quality checks
  • Evidence you can retain: monitoring logs, gift registers, audit trails

Discussability
  • What you do in practice: structured spaces to raise questions, manager coaching
  • Evidence you can retain: dilemma clinic notes (anonymized), manager training records

Enforcement
  • What you do in practice: consistent investigations and discipline, plus recognition
  • Evidence you can retain: case records, disciplinary decisions, recognition examples

How Naltilia can help

Keeping a code alive is mostly operational work: chasing evidence, coordinating owners, tracking actions, and producing consistent reporting for leadership, internal audit, AFA-style reviews, or ISO and UNE audits. Naltilia can support that operational layer by automating regulatory risk assessments, structuring remediation actions, collecting evidence from control owners, and maintaining dashboards that show both control design and control effectiveness over time.

If you want to see what an audit-ready “living code” workflow looks like in practice, you can contact Naltilia.

This article is general information, not legal advice.

About the Author

Iratxe Gurpegui

I've spent 20 years as a compliance and competition lawyer across Europe and Latin America, and throughout my career, I've seen firsthand how complex and costly regulations can hold companies back. But I've also learned that compliance doesn't have to be a burden; it can be a strategic advantage. My mission is to help companies harness the power of AI, transforming compliance into something faster, simpler, and most importantly, a real driver of growth for businesses.