Are corporate codes of conduct and codes of ethics a luxury or a necessity in today’s tough—and perhaps shrinking—global economy? Compliance may be costly and burdensome, but we feel strongly that it is crucial to success.

Employees at all levels face myriad ethical and behavioral challenges every day. Gray areas can often create an apparent conflict between building and growing the business and following the strictures of a code of conduct or code of ethics. In addition, employees sometimes grapple with real or perceived concerns that reporting possible code violations may have adverse business and career implications.

Yet for companies and employees alike, the investment in, presence of, and adherence to codes of conduct and codes of ethics provide important guidance and value. They enable employees to gain a much clearer understanding of permissible and measureable actions and behaviors, while allowing companies to demonstrate to regulators and other critical stakeholders that they are acting transparently and ethically—which in turn helps them to build a brand as an attractive employer and business partner.

As companies seek to enhance and clarify their compliance programs while reevaluating how best to allocate precious dollars, they may be tempted to wonder whether they need both a code of ethics and a code of conduct. We contend that they do—and that a combined code of business ethics and conduct is preferable.

Codes of Conduct and Codes of Ethics: What’s in a Name?

To develop an ethical corporate culture, compliance officers must engender an understanding of conduct that is against the rules and conduct that is ethically wrong. This means instilling a two-pronged organizational norm:

  1. Specific rules are followed.
  2. The corporate culture fosters compliance with fundamental organizational values.

A code of conduct provides black-and-white directions about what constitutes acceptable behavior. What is permissible? What is prohibited? What will cost an employee his or her job? It’s about rules.

A code of ethics is about values. What guiding principles underpin decision-making within the organization? What ethical standards should employees follow if a situation arises that falls outside the rules spelled out in the code of conduct? The code of ethics also extends beyond employees to third-party stakeholders, such as officers, independent contractors, and subsidiary employees.

Combining Codes of Business Ethics and Conduct

Combined codes bridge the gap between what’s legal and what’s ethical [see sidebar, “Cases in Point”]. Mere compliance with an organization’s written bylaws, or even a governmental regulation or law, doesn’t necessarily mean that one has acted ethically. Rules, ultimately, have limits. The rules in a code of conduct can be too specific, and thus fail to cover the full range of circumstances confronting an organization, thereby falling short of providing adequate direction. A code of ethics can fill that void and help confirm that employees abide by not only the entity’s rules, but also its values. By the same token, an organization’s ethical guidelines can be too general to provide an intelligible principle. Either extreme can undermine efforts to develop and maintain an ethical culture.

It also makes sense from a practical perspective to consolidate the codes for clarity, brevity, and ease of implementation. Business, like life, is not static. Amendments, adaptations, and adjustments can more easily and successfully be made to a combined code. When revising a code of conduct, general ethical principles should be used to address the omitted behavior. Such revision is made easier through a combined code, especially if an organization’s ethical standards also need to evolve.

While some organizations still have only codes of conduct, or separate codes of conduct and codes of ethics, we see growing recognition of the value of combined codes. The New York Stock Exchange, for example, now requires that listed companies use combined codes. Similarly, the federal government, which spends hundreds of billions of dollars a year on contracts, has required since 2009 that nearly all of its subcontractors and contractors adopt written combined codes.

Under U.S. Federal Sentencing Guidelines, the government also promotes ethics training programs for those who work for and on behalf of a company. It also sees an effective compliance and ethics program as a potentially mitigating factor that can trigger penalty reductions in the event an organization faces government sanctions or fines (U.S. Sentencing Guidelines, § 8B2.1(a)-(c) (2012); Manual, § 8C2.5(f)(1) (2010); and § 8B2.1(a)). Establishing procedures to help promote compliance with the Sentencing Guidelines is best done through a combined code, including a statement of the company’s fundamental principles, addressing what it views as right and wrong to guide decision-making and provide for compliance with the law through the specific delineation of required and prohibited behaviors.


Complicated ethical situations require more nuanced guidance than a stand-alone code of conduct can provide.

A combined code of business ethics and conduct should contain, in addition to explicit instructions concerning specific rules and conduct, a statement of the organization’s fundamental values and ethical principles that an employee should keep in mind when contemplating any decision. In addition, the combined code should instruct employees to report concerns about possible violations of the code to appropriate individuals beyond their supervisors, including, but not limited to, the company’s compliance/ethics office or officials.

The combined code should also inform employees that they will be protected from retaliation for good-faith reporting of alleged violations and that furthermore, the company has an anonymous ethics hotline for reporting suspected misconduct.

An ethical culture cannot be created merely through rules-based direction. A combined code of business ethics and conduct provides effective guideposts for behavior by tying specific rules to the company’s values and ethical commitments, to enhance the likelihood that employees will make ethical decisions consistent with the code and the employer’s values.

Suzanne R. Folsom is the executive vice president, general counsel, and chief compliance officer at ACADEMI LLC, a leading provider of defense, training, security, and logistics services. She previously served as the VP, chief regulatory and compliance officer, and deputy general counsel for American International Group, where she created AIG’s first global compliance framework during the financial crisis; and as counselor to the president of the World Bank and director of its Department of Institutional Integrity, where she led anticorruption efforts affecting all aspects of the bank’s lending activity.

Victoria McKenney is the director of regulatory and compliance and associate general counsel at ACADEMI LLC. Prior to joining ACADEMI, she was a senior associate at Hogan Lovells U.S., and during the financial crisis served on secondment in the Office of the Chief Regulatory and Compliance Officer at AIG, where she assisted in establishing an internationally recognized regulatory and compliance program.

Glenn T. Ware is a principal with PricewaterhouseCoopers International Limited and co-leader of its anticorruption and corporate intelligence practice group. An international lawyer by training, Mr. Ware holds an LL.M. from Harvard Law School and is a captain in the United States Navy. During his 24 years of active duty and reserve time, Mr. Ware focused his practice on international, national security, and criminal law matters, and has held numerous foreign and domestic postings, including, more recently, deputy legal counsel to the chairman of the Joint Chiefs of Staff.

Todd Garland, a former law clerk at ACADEMI LLC, assisted with this article.

Cases in Point

Example 1: John’s Judgment

Imagine a mid-level employee, John, at a marketing event for prospective clients. In an attempt to generate new business, John’s manager reveals the name of a high-profile celebrity client.

John believes that company policy, and perhaps the law, prohibits publicizing clients’ names. He vaguely recalls a training event in which employees were advised not to discuss customers outside the company.

His manager’s actions might skirt internal guidelines and the law. But how should John address this? He consults the company’s code of conduct, which includes a specific prohibition on disclosing customer information, including customer names, to the public. Worse, the code indicates this might violate privacy and information security laws and regulations.

Adding to John’s woes, the code further directs that, upon discovering such a violation, he should report the misconduct to his manager—who, of course, happens to be the one who violated the code—or to another unspecified supervisor.

If John goes to his manager, he runs the risk that nothing will be done to address the current violation and that his manager will retaliate. He’s also afraid that if he goes to his manager’s supervisor, his manager will find out, while no corrective action will be taken. After all, it’s been increasingly difficult to win new business in the current economy, and John has heard several times in recent months how the company’s top priority is to obtain new contracts.

John decides not to do anything, reasoning that although technically a rule has been violated, perhaps no real damage has been done.

Example 2: Katie’s Call

At a company across town, Katie, an IT company procurement supervisor, needs to order new computer accessories for a contract that her company just secured. Her best friend operates a company that produces such accessories.

Although her friend’s company doesn’t offer the lowest price, the friend assures her that the company produces the best products and has a great customer service team. Katie checks her company’s code of conduct to make sure that there is no conflict in doing business with her friend.

The code states that certain interactions and business relationships with immediate family are prohibited as conflicts of interest, but contains no restrictions against the type of transaction that Katie is contemplating.

Believing that no conflict of interest exists, Katie signs a contract with her friend.

In Example 1, John decided not to report his manager’s disclosure of a customer’s identity because it resulted in new business, which John believed was the most important factor to the company.

He might well have behaved differently given the benefit of a combined code of business ethics and conduct, which not only clearly proscribed such conduct, but also explained that the transgression was the antithesis of the company’s principles regarding its loyalty and responsibility to its customers and the importance of protecting customer information.

Similarly, in Example 2, ethical guidance would have improved Katie’s decision-making by arming her with an understanding of the company’s ethical principles, rather than restricting her to a narrowly drafted code of conduct that didn’t cover the decision she needed to make.

Thus equipped, Katie might have understood that conflicts of interest are broadly construed; that she should avoid, if at all possible, doing anything that suggested a conflict; and that, at the very least, such decisions should be reviewed by a manager before proceeding.

[Back to main article]