A Code of Conduct (CoC or Code) is an important part of many (if not most) companies’ compliance programs. However, despite their common use, Codes can vary widely in terms of purpose, scope and comprehensiveness. Building upon Blogs 1 and 2, where we looked at a Supplier Code’s purpose and scope, this final blog will consider some best practices for how to implement Codes.
As discussed earlier in the blog series, CoCs should be based on effective risk assessments of your company’s operations, taking into account both internal and external stakeholder opinions. Your risk assessment may, in fact, identify suppliers that have not traditionally been included in the Code scope, such as suppliers beyond your Tier 1 suppliers or service providers contracted for logistics or customer care.
Both the UN Guiding Principles on Business and Human Rights (UNGP) and the U.S. Department of Justice 2020 Guidance on Evaluation of Corporate Compliance Programs emphasize that a Code’s commitments and requirements are only meaningful when the CoC is effectively implemented. Therefore, when developing your CoC, it is important to consider whether and how your company can effectively implement the Code’s requirements both internally within your own company and then with your suppliers and service providers.
Implementing Codes Internally
In Blog 1, we discussed that it is important to determine ownership of the Code at the outset of Code development. Identifying the right internal partners who are responsible for your company’s Code and for oversight of Code implementation is critical to ensuring that your commitments can effectively be put into practice. The UNGP highlights that companies should integrate the findings of their human rights impact assessment across all relevant functions/processes and take appropriate action. To ensure that the Code of Conduct can actually be implemented, a good first step is to ask whether the appropriate internal management systems are in place. A key component of this is establishing clearly defined Code implementation procedures, including assigning responsibilities for implementation to the appropriate level and function within your company and ensuring that internal decision-making, budget allocations and oversight processes are created to enable effective implementation.
Next, your company will need to confirm that internal processes and procedures are aligned, to ensure that your CoC can be put into practice. For example, your company may decide that suppliers need to demonstrate some form of compliance with the CoC (e.g., passing a factory or facility audit, passing a test on Code commitments, affirmative attestation, etc.) before your company will place an order or otherwise do business with them. In this case, relevant departmental procedures (e.g., sourcing, operations, IT, etc.) might need to be reviewed and modified to ensure that appropriate steps are taken to align suppliers and service providers with your company’s CoC requirements. In other cases, you may need to update contracts and purchasing agreements to ensure the CoC is incorporated for all new suppliers and service providers who fall within the scope of your company’s Code.
Once the relevant internal responsible partners have been identified, they should be trained on how the new procedures impact their work processes. These new procedures need to be regularly reviewed to ensure they still fulfil the program objectives. For example, sourcing departments may need to be trained on the purpose of the company’s CoC, how their sourcing practices influence implementation of the Code and steps required to ensure that sourcing decisions are made in furtherance of the Code.
In addition, performance should be regularly measured and reviewed to make sure the desired outcomes are being met. As a Code evolves, internal implementation will need to be adapted and updated. For example, if the scope of your company’s Code is expanded to include new suppliers requiring the engagement of more internal partners, you may need to start implementing new processes. In other cases, internal employee evaluation processes may need to be adapted to ensure company employees are rewarded for implementing the CoC and not inadvertently penalized for reporting or identifying noncompliance.
Supplier/Service Provider Implementation
Before requiring suppliers/service providers to comply with your company’s CoC, it can be helpful to socialize requirements and take a long-term view of compliance. Suppliers may require some support to implement your Code. This is especially true when a completely new CoC is adopted or updated with new requirements.
Written communication such as handbooks and manuals as well as in-person or remote trainings are a good way to communicate your company’s expectations before beginning to take any further action in implementing programs such as measuring actual performance. When Code requirements go beyond standard industry practice and introduce new ‘leading’ requirements, it is good practice to provide detailed explanations and give clear guidance to suppliers on how to meet these new requirements. Additionally, this supplier engagement can also be an excellent way to immediately receive supplier feedback on requirements and build buy-in for your company’s Code. For example, where aspirational requirements around payment of living wage are introduced and assessed, it can be helpful to give suppliers sufficient training and guidance on what the requirements mean and how they should be implemented. Special attention should also be paid to supplier groups who are less familiar with industry leading practices and may require a more in-depth introduction into specific concepts and expectations.
Onsite assessments such as social compliance audits are relatively commonplace in many private-label supply chains and are most often used for assessing compliance with a CoC. However, they may not be the best tool for educating suppliers on Code requirements and implementing them throughout your supply chain. Other tools such as self-assessment questionnaires (SAQ) and desktop reviews can be preferable or complementary ways to raise awareness with your company’s suppliers about your company’s Code expectations, help them understand their performance in relation to the Code, as well as identify areas for improvement. SAQs can be tailored to either specific Code risk areas or cover a wider range of issues. By allowing suppliers to understand their own performance and providing them support to remediate identified gaps, retailers can build more open and transparent relationships with their suppliers.
Ultimately, your company’s goal should be that suppliers “own” the Code expectations and requirements and incorporate them into their operations. This is especially important where your company may have expanded the scope of your company’s CoC to suppliers beyond Tier 1 suppliers. In this case, your company will need your direct suppliers to “own” your Code’s requirements and push them down the supply chain, potentially including suppliers all the way down to raw materials. One good way to do this can be to encourage Tier 1 suppliers to develop their own Code incorporating the concepts contained in your CoC, thereby enhancing their ownership and commitment to these requirements.
In summary, implementing your company’s Code will require implementing it both internally within your company and externally with your company’s suppliers and service providers.
RILA, in partnership with UL, recently launched the Supplier Code of Conduct Project, a multiphase, cross-functional project designed to provide RILA members an opportunity to review and benchmark on their supplier codes of conduct. This blog is a part of a larger collection of Supplier Code of Conduct Project materials that will be available to RILA members. For more information, please reach out to Kathleen McGuigan, RILA’s Executive Vice President & Deputy General Counsel, or Erin Hiatt, RILA’s Vice President of CSR. Special thanks to Daphne Guelker, Head of Advisory Services at UL, for authoring this blog series.