How to build an effective code of conduct


At the heart of every robust and effective GRC framework is a code of conduct. The cornerstone of a firm’s culture, a code of conduct establishes the basic expectations of an organisation’s members, the duties and responsibilities which they must fulfill and the behaviours they are expected to exhibit. This article will explore the research literature on codes of conduct, and what it reveals about the elements of a strong (and a weak) code.

In the Association of Certified Fraud Examiners 2020 survey of its members,[1] the fraud control that had the largest impact on reducing both losses and the duration of a fraud incident was the adoption of a corporate code of conduct. Firms that had a code of conduct in place (81% of those surveyed) experienced a 51% decrease in median loss ($205,000 reduced to $100,000) and a 50% decrease in median duration (24 months reduced to 12 months). Perhaps surprisingly, the survey found that the presence of a code of conduct was considerably more effective in reducing fraud than both anti-fraud training for managers and having a dedicated anti-fraud department.

Of course, codes of conduct alone do not guarantee a better culture. The Enron Code of Ethics, after all, ran to a weighty 64 pages. To be effective, and to be worth the paper they are written on, codes of conduct need enforcing. A 2020 survey of Nordic businesses[2] found that issues such as stealing items from work, expense manipulation and bullying were regular events, yet only 38% of the issues identified were ever acted upon by those who observed them. Indeed, the rates of reporting for workplace theft and managerial favouritism were so low as to indicate a general cultural acceptance of those practices.

A robust code of conduct

But what makes a code of conduct valuable and effective? First, a code needs to be very specific to the firm in question and express values rather than legal requirements. In a study of the codes of ethics from nearly 600 US companies,[3] researchers found a correlation of over 50% in the wordings of the codes; in other words, the codes said the same thing in the same way. For some firms, the codes were almost identical (only 64 of the 600 documents reviewed were completely unique).[4] Firms did not have to be in the same industry to show similarities. For example, a healthcare provider and an engineering group had near identical ethical codes. The primary driver of similarity was repetition of legal statements, with phrases used in legislation and regulatory guidelines simply repeated verbatim, with no attempt to translate those goals into locally relevant values and behaviours.

Codes of conduct also need to be embedded in a firm’s everyday operations. This does not mean staff training – it means the code needs to be immediate and proximate to decisions being taken. In an extensive series of experiments concerning cheating, Dan Ariely[5] found that most people tend to cheat, but only a little: for example, inflating their claimed scores on a self-marked test by about 20%. Hearteningly, even when there was no risk of being caught, people still only exaggerated by 20%. Only 20 out of the 40,000 people in the study were ‘big cheaters’, people who claimed to have solved all of the questions on the test. They cost the experiment $400 in rewards. However, there were more than 28,000 ‘little cheaters’: they cost the experiment $50,000.

What is interesting is what happened when Ariely introduced a code of conduct to the test. In one variant of the study, participants were asked to recall the Ten Commandments prior to taking the test. In a second variant, college students were asked to remember the school’s code of ethics. Revealingly, in neither of these cases was there any cheating. It did not matter if the individuals failed to remember the Commandments, nor did it matter if the school actually had a code of ethics (it didn’t). What mattered was the appeal to the ethical conscience of the participants.

Creating a code

Creating an effective code of ethics requires stating values that are specific to a firm. The wording should express the authentic ethics of the company and be explicit about the ways in which those can be lived by everyone working within it. Most importantly, the code must be placed at the forefront of people’s minds, especially when staff are set to make key decisions and declarations. Writing core elements of the code on the walls of boardrooms or placing calls to integrity on expense forms is one way this is achieved. But to reinforce the message, a code must be meaningful and ‘immediate’ in day-to-day processes, and not just read on an annual basis and then forgotten. Combined, these methods will help facilitate a healthy, ethical culture, reducing the likelihood of wrongdoing and increasing the prospect of good behaviour.  


[1] Association of Certified Fraud Examiners, ‘Report To The Nations: 2020 Global Study on Occupational Fraud And Abuse’: – accessed April 2020

[2] Nordic Business Ethics, ‘Nordic Business Ethics Survey’: – accessed January 2021.

[3] Margaret Forster, Tim Loughran and Bill McDonald, ‘Commonality in Codes of Ethics’, Journal of Business Ethics, 2009: – accessed April 2020

[4] As the researchers note, however, this may not mean that the 64 companies can pat themselves on the back; it may be that others felt that their codes simply weren’t worth copying.

[5] Ariely, D. (2013) The Honest Truth About Dishonesty. Harper


Written by Paul Eccleson


International Compliance Association