A complaint comes in. An employee says a colleague has been making comments that make them uncomfortable. You open your internal docs looking for the code of conduct policy to reference. Nothing. You have a values page, a Notion doc about company culture, and a Slack channel called #team-principles. But no policy.
That’s the moment most companies realise they should have written one earlier.
A code of conduct policy is a formal document that defines the professional and ethical standards expected from everyone in your organisation: employees, contractors, and leadership. It covers professional behaviour, conflicts of interest, confidentiality, use of company assets, harassment, how violations are reported, and what happens when the rules are broken.
It’s owned by HR or Legal, signed off by leadership, and applies from day one of someone joining your company through to the day they leave.
Unlike a values statement or culture deck, a code of conduct policy has enforcement teeth. It’s a binding document. That distinction matters enormously if you ever need to discipline someone or defend a decision.
By the end of this, you’ll know exactly what a code of conduct policy needs to include, how to write one that people will actually follow, and how to enforce it without making things worse.
Here’s what I’ll cover:
- What a code of conduct policy is and how it differs from a code of ethics
- Why every company needs one, regardless of size
- What it must include, section by section
- A free, customisable template you can use immediately
- How to write, roll out, and enforce it
- The mistakes I see companies make most often
Code of Conduct Policy Explained: Scope, Ownership, and Who It Applies To
Most companies have some version of this document sitting somewhere: a PDF from a few years ago, a section buried in the employee handbook, a template someone downloaded and never customised. That’s not a code of conduct policy. That’s a liability with a filename.
A proper code of conduct policy is a standalone, version-controlled document with a named owner, a current approval signature, and evidence that everyone bound by it has actually read it.
Here’s what it covers:
- Professional conduct: What respectful, appropriate workplace behaviour looks like
- Conflicts of interest: How to identify and disclose situations where personal interests could influence business decisions
- Confidentiality: How sensitive company and customer information must be handled
- Use of company assets: Devices, systems, data, and other company property
- Harassment and discrimination: What constitutes a violation, and where to report it
- Consequences: The range of disciplinary actions available for violations
The policy owner is typically HR or Legal. At earlier-stage companies, it’s often the founder or COO. Whoever owns it is responsible for keeping it current, distributing it, and running the annual review cycle.
Employee Code of Conduct Policy vs. Company-Wide Policy
There’s a common question here: should your policy cover just employees, or everyone?
Employee-focused policies govern individual behaviour and obligations. Company-wide policies extend those same standards to contractors, consultants, board members, and sometimes supply chain partners.
My recommendation: write one policy with a clearly defined scope section that names every group it applies to. One document with explicit scope beats two documents, one of which is always slightly out of date.
Most startups do best with a company-wide document from the start. Contractors and consultants often have more lateral access than junior employees. Including them explicitly isn’t bureaucracy. It’s just accurate.
Code of Conduct and Ethics Policy: Are They the Same Thing?
You’ll often see “code of conduct” and “code of ethics” used interchangeably. They’re related but not identical.
A code of ethics covers higher-level values and principles: integrity, fairness, transparency, honesty. It’s aspirational. A code of conduct policy translates those values into specific, enforceable rules: what you can and can’t do, and what happens if you do it anyway.
Many companies combine them into one document, and that’s fine. If you’re writing one from scratch and can only do one, write the conduct policy. It’s more operationally useful, it’s what HR needs when an incident happens, and it’s what a legal team can actually work with.
Why Your Code of Conduct Policy Is More Important Than You Think
People often treat this as a “nice to have” document: something to write when things are going well and file away. Then an incident happens and it becomes the most important document in the company.
Here’s why it matters before anything goes wrong.
Legal protection. Without documented conduct standards, consistent disciplinary action is nearly impossible. Employment disputes, harassment claims, and wrongful termination cases all go worse for companies that cannot produce a written policy their employees acknowledged. “Everyone knew the rules” is not a legal defence. A signed policy is. SHRM’s research on workplace conduct consistently shows that documented standards are the single most important factor in successful disciplinary outcomes.
Culture integrity. Unwritten norms are unenforceable. When the rules exist only in people’s heads, enforcement becomes inconsistent: strict with some, lenient with others, depending on who’s involved. That inconsistency is where culture actually breaks down, not the original incident.
Contractor and vendor risk. Most companies apply informal expectations to employees but forget that contractors and consultants operate with fewer implicit social norms. They haven’t been through your onboarding. They don’t absorb your culture over time. A written policy that explicitly includes them closes that gap.
Enterprise trust. Enterprise buyers and procurement teams ask vendors for evidence of internal conduct standards during security reviews and RFP processes. A signed, up-to-date company code of conduct policy is a fast, clean answer to that question.
Onboarding clarity. New hires, especially remote ones, don’t pick up conduct expectations by osmosis. A written policy distributed on day one removes ambiguity from the start. It also signals that leadership takes this seriously.
Does Your Company Need a Code of Conduct Policy?
Short answer: if you have employees or contractors, yes.
Longer answer: any company past the co-founder stage benefits from a written policy, even a lean one. The question isn’t really whether you need one. It’s whether you’ll write it before you need to use it.
Workplace Code of Conduct Policy: When It Becomes Non-Negotiable
There are certain moments where not having a policy stops being a risk and becomes an active problem:
- When you hire your first employee. The moment someone joins who isn’t a founder, you need documented expectations. What counts as acceptable? Who do they report a concern to? Don’t leave that to inference.
- When you onboard contractors or freelancers. Contractors don’t have the same implicit cultural context as employees. They need the same written standards.
- When you operate in a regulated industry. Healthcare, finance, legal, and education all have specific employment law requirements around workplace conduct. A policy isn’t optional.
- When enterprise customers start asking. Security questionnaires, vendor due diligence, and procurement reviews ask for evidence of internal conduct standards. If you don’t have a policy, you can’t answer the question.
- When a harassment or misconduct incident happens. If you don’t have a documented policy before this moment, you’ll be making decisions with no framework. That’s an expensive way to learn.
Company Code of Conduct Policy for Early-Stage Startups: What’s Actually Enough
A lean, signed document beats a comprehensive one that nobody has read.
The minimum viable version covers: purpose, scope, six to eight core conduct requirements, a reporting mechanism, enforcement language, and an acknowledgement requirement. Get it on a page, get leadership to sign it, and get every employee and contractor to acknowledge it.
You’ll expand it as you grow. But starting lean beats starting late.
What Should a Code of Conduct Policy Include?
The goal is a document specific enough to be enforced and broad enough to cover the situations that actually come up. Vague policies don’t protect you. Overly prescriptive ones that nobody reads don’t either.
Core Sections Every Code of Conduct Policy Needs
| Section | What to Cover |
|---|---|
| Purpose | Why the policy exists; what it is designed to protect |
| Scope | Who it applies to: employees, contractors, leadership, vendors, interns |
| Professional conduct | Expected workplace behaviour; respect, communication standards |
| Conflicts of interest | How to identify and disclose conflicts; outside employment rules |
| Confidentiality | Handling of sensitive company and customer data; NDA obligations |
| Use of company assets | Acceptable use of devices, systems, and data |
| Harassment and discrimination | Zero-tolerance statement; definitions; what constitutes a violation |
| Reporting violations | How to report a concern; named channel; whistleblower protection |
| Consequences | Disciplinary process; range of sanctions; who makes the decision |
| Acknowledgement | Requirement for every employee and contractor to sign |
| Review cadence | How often the policy is reviewed; who triggers it |
Every section should be filled in, not left as a placeholder. A policy that still says “insert company name” in three places tells employees it was never properly adopted.
Optional Sections Worth Adding
Depending on your company and industry, these are worth including:
- Social media conduct: Particularly relevant for customer-facing or marketing-heavy teams
- Gifts and hospitality rules: Often expected by enterprise customers and required in some regulated industries
- Third-party conduct alignment: Standards you expect from suppliers and partners (see also the HR Security Policy for third-party security controls)
- Anti-bribery and anti-corruption: Required in some jurisdictions and expected in many B2B enterprise contexts
- Environmental and sustainability conduct: More relevant for larger organisations, increasingly appearing in enterprise procurement questionnaires
Free Code of Conduct Policy Template
What a Good Sample Code of Conduct Policy Looks Like
Before you use the template below, it’s worth knowing what separates a useful policy from a generic one.
A good sample code of conduct policy has: a specific scope (not just “employees”), a named reporting channel (not “contact HR”), a version number and review date, and a signature from leadership. Those four things signal the policy was actually adopted, not just downloaded.
Red flags to watch for in any sample: vague enforcement language (anything that says “may result in disciplinary action” without specifying what), no acknowledgement requirement, no reporting mechanism, no review date. If the template you’re looking at is missing any of these, you’ll need to add them yourself.
Here’s a template you can use as a starting point. Customise every section for your company. Change every bracketed placeholder. Don’t leave any section blank.
[Company Name] Code of Conduct Policy
Version: 1.0
Effective Date: [Date]
Last Reviewed: [Date]
Policy Owner: [Name / Role]
Approved By: [CEO / Managing Director Name]
1. Purpose
This policy sets out the professional and ethical standards [Company Name] expects from all employees, contractors, consultants, and board members. It exists to protect employees, customers, and the company by establishing clear expectations for behaviour, a fair and consistent process for handling violations, and a safe mechanism for reporting concerns.
2. Scope
This policy applies to:
| Group | In Scope |
|---|---|
| Full-time employees | Yes |
| Part-time employees | Yes |
| Remote employees | Yes |
| Contractors and freelancers | Yes |
| Consultants | Yes |
| Board members | Yes |
| Interns and work experience | Yes |
| Third-party vendors with system access | Yes |
3. Professional Conduct
All individuals covered by this policy are expected to:
- Treat colleagues, customers, and partners with respect at all times
- Communicate professionally in all work-related settings, including messaging tools, email, and video calls
- Represent the company in a way that reflects its values in external interactions
- Raise concerns or disagreements through appropriate channels rather than in ways that damage team cohesion
4. Conflicts of Interest
A conflict of interest arises when personal interests could influence, or appear to influence, professional judgement. All employees and contractors must:
- Disclose any actual or potential conflict of interest to their manager and [HR / Legal]
- Recuse themselves from decisions where a conflict exists
- Not engage in outside employment or business activities that compete with or compromise [Company Name]
- Not use company relationships, information, or assets for personal benefit
5. Confidentiality
All individuals covered by this policy must:
- Protect confidential company and customer information and not disclose it to unauthorised parties
- Handle personal data in accordance with [Company Name]’s Privacy Policy and applicable data protection law
- Honour any non-disclosure agreements signed as a condition of their engagement
- Report any accidental or suspected data disclosure immediately to [Security / Privacy contact]
Confidentiality obligations apply during employment and after it ends.
6. Use of Company Assets
Company assets, including devices, systems, software, and data, must be used primarily for business purposes. Acceptable personal use is limited to incidental, reasonable use that does not interfere with work.
Prohibited uses include: accessing, storing, or transmitting illegal content; using company systems to conduct personal business; sharing login credentials; and installing unauthorised software on company devices.
Refer to [Company Name]’s Acceptable Use Policy for full requirements.
7. Harassment and Discrimination
[Company Name] is committed to a workplace free from harassment, discrimination, bullying, and intimidation.
Harassment includes: unwanted comments or conduct related to gender, race, ethnicity, religion, disability, sexual orientation, or any other protected characteristic; inappropriate physical contact; hostile or offensive communication; and conduct that creates an intimidating or degrading work environment. For US companies, the EEOC’s guidance on harassment provides the authoritative legal definitions. For UK companies, ACAS’s guidance on bullying and harassment is the standard reference.
This policy applies in all work settings: in the office, while travelling for work, at company events, and in digital communications.
8. Reporting Violations
If you witness or experience a violation of this policy, you are encouraged to report it. Reports can be made to:
| Channel | Contact |
|---|---|
| Direct report | Your manager |
| HR | [HR contact / email] |
| Anonymous channel | [Tool name / email alias] |
| Escalation (if manager is involved) | [Senior HR / Legal contact] |
All reports will be treated confidentially to the extent possible. Retaliation against anyone who makes a good-faith report is a serious violation of this policy and will itself result in disciplinary action.
9. Consequences
Violations of this policy will result in disciplinary action proportionate to the severity of the violation:
| Severity | Response |
|---|---|
| Minor violation (first occurrence) | Verbal warning and documented conversation |
| Repeated or moderate violation | Written warning |
| Serious violation | Suspension pending investigation |
| Severe or repeated serious violation | Termination of employment or engagement |
Certain violations, including harassment, discrimination, and confidentiality breaches, may warrant immediate termination without following the graduated steps above. Decisions on disciplinary action will be made by [HR / Legal] in consultation with the relevant manager or leadership.
10. Acknowledgement
All employees and contractors are required to read this policy and confirm their understanding by signing below. New employees and contractors must sign before or on their first day. Acknowledgement is required again whenever the policy is updated in a material way.
I confirm that I have read and understood [Company Name]’s Code of Conduct Policy and agree to comply with its requirements.
Name: __________________ Signature: ________________ Date: ________
11. Review Cadence
This policy will be reviewed at least annually. Out-of-cycle reviews will be triggered by:
- A significant conduct incident that exposes a gap in the policy
- Changes in employment law in jurisdictions where the company operates
- Major organisational changes: acquisitions, rapid headcount growth, new office locations
- Feedback from legal counsel following an employment dispute
Version History
| Version | Date | Changes | Approved By |
|---|---|---|---|
| 1.0 | [Date] | Initial version | [Name] |
How to Write and Roll Out a Code of Conduct Policy
Writing the policy is the easier half. Getting it properly adopted is where most companies fall short.
Here’s the process, in order:
1. Assign an owner. HR or Legal at most companies. At earlier-stage startups, it’s often the founder or COO. Whoever owns it is responsible for every step that follows.
2. Define your scope explicitly. Name every group covered by the policy. Don’t rely on implication. If contractors are in scope, say so. If board members are in scope, say so. “All employees” is not enough.
3. Draft using a template, then customise everything. Use the template in this article as a starting point. Customise every section for your company: your reporting channels, your specific prohibited behaviours, your governance structure. Remove all placeholder text before distributing.
4. Get leadership review and sign-off. The policy carries more weight when it’s visibly approved at the top. Have the CEO or MD sign it. That signal matters to employees.
5. Distribute to all personnel. Email, onboarding pack, and internal knowledge base. Make it easy to find, not just easy to forget.
6. Collect signed acknowledgements from everyone. Every employee and contractor must confirm they have read and understood the policy. This is the single most commonly skipped step, and it’s the one that matters most when a dispute arises.
7. Store acknowledgements properly. Keep a log: name, role, date signed, policy version. Not in someone’s inbox. In a central location that survives staff changes.
8. Re-distribute and re-collect when the policy changes. An updated policy that nobody has re-acknowledged is still the old policy, practically speaking.
9. Set an annual review reminder. Review at minimum once per year, and also after any significant incident, major team change, or legal development that affects employment in your jurisdiction.
How to Enforce a Code of Conduct Policy (Without Creating More Problems)
This is the section most policy guides skip. Writing the policy is the start. Enforcing it fairly is what actually makes it work.
A policy that is never enforced sends a worse message than having no policy at all. It tells people the rules are aspirational, not real.
Building a Consistent Enforcement Process
The time to establish your enforcement process is before any incident happens, not during one.
Set up a clear escalation path in advance: who a report goes to, who investigates, who makes the decision, and who communicates the outcome. That path should be documented, not improvised.
Apply consequences consistently. Different outcomes for similar violations by different people, based on seniority or relationships, is where companies create legal exposure and lose team trust simultaneously. The behaviour matters. The person’s role does not.
Document every step: the report, the investigation, the decision, and the outcome. If the decision is ever challenged, that record is what you’ll rely on.
Handling Violations Without Destroying Trust
Not every violation warrants termination. A proportional response ladder gives managers room to respond appropriately without forcing an all-or-nothing decision.
Verbal warning. Written warning. Suspension pending investigation. Termination. Each step should be documented and escalated appropriately. Some violations, including harassment, discrimination, and confidentiality breaches, skip straight to the serious end of the ladder. The policy should say which ones.
Protect the reporter. Retaliation against someone who raises a concern in good faith should itself be treated as a serious violation. If people don’t trust that reporting is safe, they won’t report.
One situation that catches companies off guard: violations involving leadership or founders. Have a pre-agreed process for this before you ever need it. Who investigates when the policy owner is the subject? Who communicates the outcome? Answering that question in advance prevents an already difficult situation from becoming chaotic.
When to Involve Legal Counsel
Some violations require legal involvement before any action is taken.
Harassment and discrimination allegations should always involve legal review before the company responds. Employment law in this area is complex and jurisdiction-specific. Getting it wrong is expensive. In the US, the EEOC sets the framework; in the UK, ACAS provides the code of practice that employment tribunals reference when assessing how employers handled complaints.
Violations that involve customer data, confidentiality breaches, or anything that might constitute criminal conduct require immediate legal involvement. Do not take informal action on these.
Document every conversation related to an investigation. Informal notes in someone’s head are not a record. Anything that might become relevant to a legal proceeding needs to be in writing.
What Records You Need to Keep for Your Code of Conduct Policy
Writing a policy and distributing it creates obligations. You also need to keep the evidence that shows you’ve met them.
| Record Type | What It Should Contain |
|---|---|
| Signed policy document | Leadership-approved version with signature, version number, and effective date |
| Acknowledgement log | Name, role, date signed, and policy version for every employee and contractor |
| Distribution records | Evidence of when and how the policy was communicated to all personnel |
| Onboarding records | Confirmation that new hires received and signed the policy on day one |
| Annual review log | Who reviewed, what changed, when the updated version was re-approved |
| Violation and investigation log | Report details, investigation steps, decision, outcome (kept strictly confidential) |
How long to retain these records varies by jurisdiction. In the US, the EEOC recommends retaining employment records for at least one year, but HR best practice is three to five years for conduct-related records. In the UK, the ICO’s employment practices guidance covers how long HR records should be kept under UK GDPR. Legal counsel can advise on the requirements for your specific location.
Where to store them: an HR system, a secure shared drive, or a compliance platform. Not individual email inboxes, which change with staff turnover and don’t survive departures reliably.
The Mistakes Startups Make With Workplace Conduct Standards
I’ve seen this play out enough times to know which mistakes happen most often.
Copying a template verbatim. If your code of conduct looks identical to ten others found with a quick search, it offers minimal legal protection and tells employees nothing specific about your company. Every section needs to be customised. “Insert company name here” should not appear anywhere in the version you distribute.
Writing it and never collecting acknowledgements. A policy nobody has signed is a suggestion. Acknowledgements are the difference between “we told everyone” and “everyone confirmed they understood.” That distinction matters in an employment dispute.
Leaving out contractors. Contractors are frequently the people with the most lateral access and the least cultural context. If your policy says “employees” and means “employees only,” you have a gap. Write “employees and contractors.” Say it explicitly.
No reporting mechanism. People will not report violations if they don’t have a clear, named, and safe way to do it. An anonymous option is strongly recommended, especially for anything involving harassment or senior leadership. A reporting mechanism that routes to the person being reported is not a reporting mechanism.
Vague enforcement language. “May result in disciplinary action” is not a policy. Name the range of consequences. Name who makes the decision. A graduated response table is better still.
Never reviewing it. A policy with a three-year-old date raises questions when it surfaces in a dispute. Review it annually. Update it when something changes. The date and version number signal that someone is actively maintaining it.
Burying it in the employee handbook. A standalone document is easier to version, easier to distribute, easier to produce as evidence, and easier for employees to find. When a conduct question comes up, you want to be able to point to a single, unambiguous document. The same logic applies to your Personnel Security Policy and your Acceptable Use Policy: each one earns its impact as a standalone document, not as a section in a larger file.
Scaling Your Code of Conduct Policy as Your Team Grows
The right policy for a five-person team is not the right policy for a 150-person company. Here’s how the requirements shift.
Startups (1–20 Employees)
Your priority at this stage is getting something signed and in place before you need to use it. Not perfect: signed.
Keep it short. Cover the essentials. Get every founder, employee, and contractor to acknowledge it. Founders signing it too isn’t optional. It sets the tone for everyone else.
A one-page policy that everyone has actually read and signed beats a twenty-page document that nobody has looked at. The acknowledgement is the point.
Growing Companies (20–100 Employees)
At this scale, the informal enforcement that worked at ten people starts to break down. You need structure.
Add an anonymous reporting channel. A dedicated email alias or a simple third-party tool is enough. The goal is giving people a safe way to report that doesn’t require them to confront someone senior.
Bring Legal into your annual review. As headcount grows, employment law exposure grows with it. What was fine at fifteen people may need more careful handling at fifty.
Use a system to track acknowledgements. Spreadsheets work up to about thirty people and then become unreliable. A compliance platform or HR system that flags who has and hasn’t acknowledged the policy is worth it at this stage.
If your policy is still embedded in the employee handbook, separate it now.
Larger Organisations (100+ Employees)
Department-specific addenda make sense when different teams have meaningfully different risk profiles: stricter social media rules for customer-facing teams, for example, or specific data handling obligations for engineering.
Integrate acknowledgement collection with your HR or onboarding system so it happens automatically for every new hire and at every policy renewal.
At this stage, annual conduct awareness training (a short session, not just a policy re-read) becomes expected. It adds reinforcement and creates a record that the conduct standards are actively maintained.
Managing Your Code of Conduct Policy with ComplyJet
Most companies write their code of conduct policy once and then lose track of it. Nobody knows who signed it, whether it’s been updated, or where the latest version lives. That’s not a policy programme. That’s a document sitting in a folder.
ComplyJet gives you a ready-to-use code of conduct policy template you can customise and get signed off in minutes.
You can distribute the policy to employees and contractors and track acknowledgements in one place, without chasing people via email. Every signature, distribution event, and review cycle is logged automatically, so you always have a complete record when you need it.
Annual review reminders are built in. You won’t need to remember to update it.
FAQs
What is a code of conduct policy?
A code of conduct policy is a formal document that defines the professional and ethical standards expected from everyone in an organisation: employees, contractors, and leadership. It sets out acceptable behaviour, how violations are reported, and what the consequences are for non-compliance. Unlike a values statement, it’s a binding document with enforcement procedures attached.
What is an employee code of conduct policy?
An employee code of conduct policy governs the workplace behaviour, confidentiality obligations, and use of company assets for employees specifically. A company-wide version extends the same standards to contractors, consultants, and other third parties. One document with a clearly defined scope section typically covers both, and that’s the recommended approach for most companies.
What does a code of conduct policy need to cover?
At minimum: purpose and scope, professional conduct expectations, conflicts of interest rules, confidentiality obligations, acceptable use of company assets, a reporting mechanism, enforcement and disciplinary process, and an acknowledgement requirement. The “What Should a Code of Conduct Policy Include?” section above has a full section-by-section breakdown with a table.
How do I write a code of conduct policy?
Assign an owner (HR, Legal, or a founder), define your scope explicitly, draft using a template and customise every section, get leadership sign-off, distribute to all personnel, collect signed acknowledgements, store those acknowledgements centrally, and set an annual review reminder. The full step-by-step checklist is in the “How to Write and Roll Out” section above.
How do I create a code of conduct policy from scratch?
Start with the free template in this article. Customise every section for your company. The key areas to personalise are: scope (who exactly is covered), prohibited behaviours specific to your industry or team, the reporting channel name and contact, and who signs off on the policy. Do not leave placeholder text in the version you distribute.
How do you enforce a code of conduct policy?
Establish a clear escalation path before any incident happens: who a report goes to, who investigates, and who makes the decision. Apply consequences consistently regardless of seniority. Use a graduated response ladder. Document every step. Protect reporters from retaliation. For harassment, discrimination, or potential criminal conduct, involve Legal before taking any action.
How often should a code of conduct policy be reviewed?
At minimum annually. Also review after any significant conduct incident, major organisational change such as rapid growth or an acquisition, or a change in employment law in a jurisdiction where you operate.
Who is responsible for the code of conduct policy?
HR or Legal typically owns it; the CEO or equivalent approves and signs it. At early-stage startups, this is often the founder or COO. The owner is responsible for distributing the policy, collecting and storing acknowledgements, and managing the annual review cycle.
Related Policies
Acceptable Use Policy: Governs how employees use company systems, devices, and data. Frequently cross-referenced in the code of conduct’s company assets section.
HR Security Policy: Covers personnel security controls from pre-employment screening through offboarding. Sits alongside the code of conduct in most policy programmes.
Personnel Security Policy: Covers background checks, NDA requirements, and role-based access decisions. Often bundled with the code of conduct in smaller organisations.






