At the heart of every robust and effective GRC framework is a code of conduct. The cornerstone of a firm’s culture, a code of conduct establishes the basic expectations of an organization’s members, the duties and responsibilities they must fulfill, and the behaviors they are expected to exhibit.


The International Compliance Association (ICA) is a professional membership and awarding body. ICA is the leading global provider of professional, certificated qualifications in anti-money laundering; governance, risk, and compliance; and financial crime prevention. ICA members are recognized globally for their commitment to best compliance practice and an enhanced professional reputation.

In an Association of Certified Fraud Examiners 2020 survey of its members, the fraud control that had the largest impact on reducing both losses and the duration of a fraud incident was the adoption of a corporate code of conduct. Firms that had a code of conduct in place (81 percent of those surveyed) experienced a 51 percent decrease in median loss ($205,000 reduced to $100,000) and a 50 percent decrease in median duration (24 months to 12 months).

Perhaps surprisingly, the survey found the presence of a code of conduct was considerably more effective in reducing fraud than both anti-fraud training for managers and having a dedicated anti-fraud department.

Of course, codes of conduct alone do not guarantee a better culture. The Enron code of ethics, after all, ran a weighty 64 pages. To be effective, and to be worth the paper they are written on, codes of conduct need enforcing.

A 2020 survey of Nordic businesses found issues such as stealing items from work, expense manipulation, and bullying were regular events, yet only 38 percent of the issues identified were ever acted upon by those who observed them. Indeed, the rates of reporting for workplace theft and managerial favoritism were so low as to indicate a general cultural acceptance of those practices.

A robust code of conduct

What makes a code of conduct valuable and effective?

First, a code needs to be specific to the firm in question and express values rather than legal requirements. In a 2009 study of the codes of ethics from nearly 600 U.S. companies, researchers found a correlation of over 50 percent in the wordings of the codes; in other words, the codes said the same thing in the same way. For some firms, the codes were almost identical. Only 64 of the 600 documents reviewed were completely unique.

Firms did not have to be in the same industry to show similarities. For example, a healthcare provider and an engineering group had near identical ethical codes. The primary driver of similarity was repetition of legal statements, with phrases used in legislation and regulatory guidelines simply repeated verbatim instead of being translated into locally relevant values and behaviors.

Codes of conduct also need to be embedded in a firm’s everyday operations. This does not mean staff training—it means the code must be immediate and proximate to decisions being taken.

In an extensive series of experiments, Dan Ariely, author of “The Honest Truth About Dishonesty,” found most people tend to cheat—but only a little.

Only 20 of the 40,000 people in the study were “big cheaters,” people who claimed to have solved all the questions on the test. They cost the experiment $400 in rewards. However, there were more than 28,000 “little cheaters” who cost the experiment $50,000.

What was interesting was what happened when Ariely introduced a code of conduct to the test. In one variant of the study, participants were asked to recall the Ten Commandments prior to taking the test. In a second variant, college students were asked to remember the school’s code of ethics. Revealingly, in neither of these cases was there any cheating. It did not matter if the individuals failed to remember the commandments, nor did it matter if the school had a code of ethics (it didn’t). What mattered was the appeal to the ethical conscience of the participants.

Creating a code

Creating an effective code of ethics requires stating values specific to a firm. The wording should express the authentic ethics of the company and be explicit about the ways in which those can be lived by everyone working within it. Most importantly, the code must be placed at the forefront of people’s minds, especially when staff are set to make key decisions and declarations.

Writing core elements of the code on the walls of boardrooms or placing calls to integrity on expense forms is one way this is achieved. But to reinforce the message, a code must be meaningful and “immediate” in day-to-day processes and not just read on an annual basis and then forgotten. Combined, these methods will help facilitate a healthy, ethical culture, reducing the likelihood of wrongdoing and increasing the prospect of good behavior.

The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.