7 items to be included in your Business Code of Ethics
Whether your business has three, thirty, or three hundred employees, a Code of Ethics is one of the few documents that has to make sense to everyone in the company, from a new hire on day one to the chief executive on her way to a board meeting. It earns its keep when it communicates company values clearly, and when those values shape day-to-day decisions instead of decorating the careers page.
A modern code is also no longer a purely internal artefact. Under the EU Corporate Sustainability Reporting Directive, around 50,000 companies are now disclosing their business-conduct policies, including anti-bribery rules, whistleblower channels, and supplier ethics, in the same statutory reports as their financials. A weak code used to be embarrassing; today it is auditable. When you sit down to write or refresh yours, seven elements are worth getting right.
Key values
A useful code gives employees access to a company's culture and frames the values that culture is built on. The point is not a tablet of commandments. It is to give employees the language and the support they need when a workplace dilemma lands on their desk: a contract with a supplier whose ethics look shaky, an aggressive sales target that pushes against fair-dealing rules, a hiring decision that has to be justified beyond gut feel.
The standards bodies have caught up with this idea. ISO 37001 for anti-bribery management systems was refreshed in 2025 with stronger language on compliance culture and conflict-of-interest handling, and ISO 37301 covers compliance management more broadly. Aligning a code with one of those frameworks gives external auditors a reference point, and gives employees something more solid than a poster in the break room.
The soft side is real. As workplace experience research has shown for years, employees infer what is and is not acceptable from how the rules are written, and from how reliably they are applied. A code that sounds principled but is not enforced trains people to ignore it.
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."
Warren Buffett
Measures against discrimination
Anti-discrimination rules belong in the body of the code, not in an appendix. Spell out the conduct that is prohibited, including bias on the basis of race, gender, age, disability, religion, sexual orientation, and pregnancy, and spell out what happens when someone breaks the rule. Vague language about respect is what produces the cases that show up in court.
The numbers explain the urgency. The U.S. Equal Employment Opportunity Commission received 91,503 new charges of discrimination in fiscal year 2025, up 3.4 percent over the previous year, and recovered $660 million for affected workers. Retaliation against employees who reported issues remained one of the most common bases of complaint, which means the people who tried to surface problems were punished for it.
That last point separates a credible code from a decorative one. Spelling out the prohibited conduct is half the work; the other half is committing the company to acting on reports without retaliating against the person who filed them. Tackling toxicity among co-workers starts with a written promise that doing the right thing will not cost someone their job.
Wellbeing and workplace hygiene
Health and hygiene used to be the section everyone skimmed. After the disruptions of the early 2020s it now reads as one of the load-bearing parts of a modern code: clean shared spaces, sensible sick-leave practices, mental-health support, and a clear stance on what the company expects when an employee is unwell. None of that is fluff. It is how people decide whether the company actually cares about them or only says it does.
With roughly 67 percent of companies still offering some hybrid arrangement, and around a fifth of the U.S. workforce splitting time between home and office, this section now also has to cover digital hygiene: keeping work data off personal devices, locking screens before stepping away, using company-approved messaging tools rather than whatever app the team likes that week. Hygiene at the desk is the same idea as hygiene in the kitchen. It protects everyone else who shares the space.
A short paragraph here saves a lot of arguments later. Employees should not have to guess whether they can stay home with the flu, work from a cafe on a public Wi-Fi network, or take a screenshot of a confidential dashboard onto their phone.
Accountability
Calling this section accountability rather than penalties shifts the framing from punishment to ownership. The code should explain which behaviours are prohibited, but it should also explain how the company holds itself accountable: who reviews complaints, how investigations are run, what feedback the reporter receives, and what happens when the violation is committed by a senior leader rather than a junior employee.
Research from the LRN and ECI surveys is unflattering on this point. Only about half of corporate codes meet minimum expectations, only around 60 percent include strong anti-retaliation policies, roughly one in four codes has no speak-up section at all, and only 17 percent explain how a misconduct investigation is actually conducted. Those gaps are why a well-meaning code can still leave employees with no idea what would happen if they raised something serious.
"Management is doing things right; leadership is doing the right things."
Peter Drucker
The fix is procedural, not philosophical. Document the channels (internal, external, anonymous) and document what the reporter can expect at each step. If you want a template for that part of the code, the breakdown of what to do with a whistleblower report walks through the receipt-acknowledgement, triage, investigation, and feedback stages most regulators now expect to see.
Recognition matters too. Holding people accountable for breaking the code is necessary; recognising the team members who keep the culture honest day after day is what makes the code feel like the company's actual character rather than a binder on a shelf.
Commitment to environmental responsibility
Environmental commitments in a code of ethics used to be aspirational, a paragraph about recycling and a vague nod to sustainability. That is no longer adequate, because regulators have started reading the codes too.
The EU's Corporate Sustainability Reporting Directive, with its European Sustainability Reporting Standards, brought roughly 50,000 companies into a mandatory disclosure regime that covers climate, pollution, water, biodiversity, and circular-economy practice, alongside a separate strand (ESRS G1) on business-conduct policies. The directive uses a double-materiality test: companies disclose both how environmental factors hit their finances and how their operations hit the environment. The two questions cannot be answered with platitudes.
What does that mean for a code of ethics? It means writing the environmental section in language a stakeholder, a regulator, and a journalist could each take seriously. Specific commitments around supplier emissions audits, packaging targets, and energy procurement choices beat slogans every time. If the company offers hybrid working partly because it reduces commuting emissions, say so and put a number on it. Vague pledges signal that the rest of the code is decorative too.
Justice
Justice in this context is broader than legal compliance. It covers fairness in customer service, fairness in supplier relationships, and fairness inside the company across pay, promotion, and access to opportunity. Customers, regardless of their status or financial position, are entitled to the same level of service; employees, regardless of their seniority, are entitled to the same protection under the rules in the code.
The cost of getting this wrong is now financial as well as reputational. Regulators will act, courts will award damages, and journalists will write the story. Sherron Watkins's memos at Enron are a textbook case: the issues were knowable internally long before they became public, and the cost of treating them as a public-relations problem rather than a fairness problem was catastrophic.
"There should be a huge area between everything you should do and everything you can do without getting into legal trouble."
Charlie Munger
Practically, the justice section should set a higher bar than the legal minimum. Munger's point, that there ought to be a generous gap between what you should do and what you can get away with, is the operating principle. A code that only repeats the law adds nothing the law was already going to require.
Protecting sensitive data
Data protection used to be one of the shorter sections of a code. It now needs to be one of the more careful ones. Treat all employee, customer, and partner data as sensitive by default, name the categories you collect, name the people inside the company who are authorised to see them, and name the criteria you use to share or process them outside.
The numbers tell you why this matters. Cumulative GDPR fines crossed 5.65 billion euro by early 2025, and the first half of that year alone produced more than 3 billion euro in new penalties, more than any previous full year. Headline cases include Meta's 1.2 billion euro penalty for unlawful EU-to-US transfers, TikTok's 530 million euro fine over data flows to China, and LinkedIn's 310 million euro penalty over advertising-related profiling. The running list is published at the GDPR Enforcement Tracker; the names you recognise are not unusual cases, they are simply the cases that make the headlines.
For the code itself, the practical commitments are straightforward: name the lawful basis you rely on for each category of data, set retention windows and deletion procedures, define the breach-notification timeline you promise customers and regulators, and list the rules you apply when sensitive data passes through a third-party processor. None of those clauses is novel; what is novel is that omitting any of them now reads as a red flag rather than a tidy editorial choice.
A Code of Ethics is doing real work when it gives employees the confidence to act on what they already believe is right, and when it gives the company the discipline to follow through. Seven elements (values, anti-discrimination, wellbeing, accountability, environment, justice, and data) will not cover every dilemma a workplace can produce, but they cover the ground that matters most often, and they give whoever opens the document a fighting chance of finding the answer they came looking for.
Human Resources Coordinator, specializes in HR matters in the field of employment law. Corporate ethics expert. Active promoter of whistleblower protection.