How to Write a Code of Conduct for Your Business

A team reviewing a printed policy document around a meeting table

Learning how to write a code of conduct is one of the most practical steps a business can take to turn its values into everyday behaviour. A code of conduct is a short, plain-English document that sets out how your organisation expects people to act: with each other, with customers and suppliers, and with the wider public. It is not a legal contract or a full staff handbook. Done well, it is the reference point people actually reach for when they are unsure what the right thing to do is. This guide covers what to include, the tone to aim for, and how to get it approved and used rather than filed away.

Start with why you are writing it

Before drafting, be clear on the purpose. A code of conduct exists to protect the organisation and its people, to make expectations explicit so no one has to guess, and to give managers a fair, consistent basis for handling problems. It also signals to customers, partners and regulators that you take integrity seriously. Keeping that purpose in view stops the document drifting into vague statements no one can act on.

The sections to include

Most effective codes cover the same core ground. Adapt the list to your size and sector, but a solid structure looks like this:

  • Purpose and values. A short opening on why the code exists and the values behind it, ideally in the leader's voice.
  • Scope. Who it applies to, employees, contractors, agency staff and often suppliers, and where it applies.
  • Expected standards of behaviour. Honesty, respect, and treating colleagues and customers fairly, described in concrete terms.
  • Conflicts of interest. How to recognise and declare situations where personal interests could clash with the business.
  • Gifts and hospitality. What is acceptable, what must be declared, and what is never allowed.
  • Anti-bribery and corruption. A clear statement that bribery is prohibited, in line with the UK Bribery Act 2010.
  • Confidentiality and data protection. Handling company, customer and colleague information responsibly and lawfully.
  • Equality, diversity and anti-harassment. A firm stance against discrimination, bullying and harassment.
  • Health, safety and wellbeing. The shared responsibility to keep the workplace safe.
  • Use of company resources and social media. Sensible use of equipment, time, systems and public posting.
  • Speaking up. How to raise a concern, and a clear promise of no retaliation for doing so in good faith.
  • Consequences. What happens if the code is breached, linked to your disciplinary process.

Get the tone right

Write it for the people who have to follow it, not for lawyers. Use plain language, the second person ("you"), and real examples of tricky situations with a short steer on how to handle each. A code that reads like a wall of legal clauses gets ignored; one that sounds like a sensible colleague explaining the ground rules gets used. Keep it as short as it can be while still covering what matters, often ten pages or fewer for a small or mid-sized business.

How to draft it, step by step

A workable process is: agree the purpose and values with senior leaders; list the risks and situations specific to your business; draft each section in plain English with examples; consult a cross-section of staff and, where relevant, HR and legal; then tighten and cut. Involving people during drafting is not a formality. It surfaces the real dilemmas your teams face and builds the ownership that makes people follow the code later. For frameworks and model wording, the Institute of Business Ethics is a reliable reference.

Approval and rollout

A code carries weight only if leadership visibly owns it. Have the board or senior team formally approve it, and have the most senior leader introduce it, in person or in writing. Roll it out with a short briefing rather than a silent email: explain why it exists, walk through the speak-up route, and give people a chance to ask questions. Ask staff to confirm they have read it, and build it into induction so every new joiner meets it on day one.

Keep it alive

A code of conduct is not a one-off. Review it at least every year or two, and whenever the law, your business or a real incident exposes a gap. Refer to it when decisions are made, so people see it shaping behaviour rather than sitting on a shelf. Pairing it with practical training turns the words into habits; our guides on building an ethical company culture and why business ethics matters go further, and the E-Business Ethics homepage has more.

Frequently Asked Questions

What is the difference between a code of conduct and a code of ethics?

A code of ethics sets out the values and principles an organisation stands for, while a code of conduct translates those principles into specific rules and expected behaviours. In practice many businesses combine them into one document, leading with the values and then setting out the conduct expected of everyone.

How long should a code of conduct be?

As short as it can be while still covering the important risks, often ten pages or fewer for a small or mid-sized business. Clarity matters more than length; a concise, readable code that people use beats a long one that gets ignored.

What must a UK business include on bribery?

Your code should state clearly that bribery and corruption are prohibited, in line with the UK Bribery Act 2010, and set out the rules on gifts and hospitality and how to declare them. Having clear procedures also supports the "adequate procedures" defence the Act provides.

Who should approve the code of conduct?

The board or senior leadership team should formally approve it, and the most senior leader should introduce it. Visible ownership from the top is what gives the code authority and signals that the standards apply to everyone, leaders included.

How often should you update a code of conduct?

Review it at least every one to two years, and sooner if the law changes, the business changes significantly, or a real incident reveals a gap. Regular review keeps it relevant and shows staff and regulators that it is a living document, not a formality.