This article captures the key takeaways from our Code of Conduct event held in Brussels in collaboration with Lydian. Drawing on a candid discussion between ethics & compliance and employment law perspectives, it explores what distinguishes codes that simply exist from those that truly shape behavior, build culture, and stand up to real-world scrutiny.
Global organizations are under pressure to prove that ethics and compliance are not just documented, but lived. Regulators are raising expectations for program effectiveness. Employees are quicker to test whether values hold in real situations. And emerging risks (especially around AI, data, and hybrid work) are moving faster than most governance cycles.
Against that backdrop, a simple question is becoming a leadership litmus test: Is your Code of Conduct a static artifact? Or an operating system for decisions and behavior?
In a recent panel discussion, Guillem Casòliva, PhD, CCEP-I (Senior E&C Advisor, EMEA & APAC, LRN) and Kato Aerts (Partner, Employment Lawyer, Lydian) explored what distinguishes codes that merely exist from those that actually influence conduct and stand up under scrutiny when it matters most.
What emerged was not a checklist. It was a maturity conversation: how organizations translate principles into daily decisions, and how leaders avoid the common trap of “more policy” instead of “more impact.”
“The intersection is form and function; how it’s written, how it’s used internally, and whether it changes daily decisions.” - Guillem Casòliva
Here are the 5 key takeaways from their discussion:
1.) A code written for courts won’t be read; and a code written for people won’t be defensible (unless it’s real)
For years, codes were often “written mostly by lawyers, for lawyers,” as Casòliva noted, “dense, formal, and disconnected from how employees actually learn and decide”. Yet the legal perspective is not optional. Aerts made a pragmatic point: when organizations need to enforce standards, they’re often doing it in contested contexts: investigations, terminations, or disputes. In those moments, courts look for evidence that expectations were clear, communicated, and credible.
The maturity move is not choosing between readability and enforceability. It’s designing for both:
- Reinforcement: callouts, definitions, clarifications, and Q&As that anticipate how employees interpret ambiguity.
- Usability: navigation, searchability, and “find what I need in seconds” structure.
- Look and feel: not cosmetic polish, but signals of seriousness. “Effort” that communicates values are not a template exercise.
Aerts captured the tension well: design doesn’t need to be “fancy,” but it can help demonstrate that the organization treats the code as meaningful, not performative.
“If it looks like a template, it probably is a template, and that makes it harder to argue your values truly matter.” — Kato Aerts
2.) The code is evolving into a governance hub, raising the bar for coherence
One of the most practical insights from the discussion: the most mature codes act as a front door to governance, not a warehouse of every rule the company has ever written.
The panel returned repeatedly to a modern risk reality: employees are navigating too many policies and often created in silos, with inconsistent standards, unclear ownership, and no shared lifecycle. That fragmentation creates two predictable outcomes:
- employees stop reading altogether, and
- organizations struggle to prove fairness and consistency when enforcement is required.
Casòliva described how leading organizations are using the code as a structured “hub”. A concise set of expectations, linked to deeper policies where needed - with clear signposts to reporting channels, training, and decision support. Aerts reinforced the legal risk on the other side: if you “self-regulate” in writing but don’t follow your own processes consistently, it can be used against you.
This is where program maturity shows up: not in the number of documents, but in the coherence of the ecosystem. A governance architecture employees can actually navigate, and leaders can actually defend.
3.) AI is forcing a new kind of code: values-led guidance that links to real controls
AI governance surfaced as one of the sharpest inflection points. The panel referenced a clear trend: more organizations are beginning to address AI, but most still don’t. And even where AI policies exist, they often sit outside the code, creating a gap between “what people do” and “what the company says it expects.”
Aerts observed that many employers simply haven’t implemented rules yet despite the fact that regulatory expectations and workforce adoption are accelerating. But the most immediate risk isn’t just regulatory. It’s behavioral: employees will use the tools available. If the organization doesn’t define what’s authorized, what’s prohibited, and what “responsible use” means, enforcement becomes complicated and inconsistent.
The panel offered a pragmatic approach:
- Use the code to state high-level values and expectations (e.g., confidentiality, data protection, integrity of work product).
- Link to the detailed AI governance document(s) that define approved tools, prohibited uses, and escalation paths.
- Highlight the organization’s top AI risks in plain language (unauthorized tools, sensitive data exposure, misuse of outputs).
This is not about turning the code into an AI policy manual. It’s about ensuring the code remains the employee’s first reference point for what matters, and where to go next.
4.) Reporting channels are standard. Credibility is the real test
The panel underscored that formal reporting mechanisms are now a baseline expectation, particularly in light of expanding whistleblower regulations. Most organizations have channels in place, but publishing a process in the Code of Conduct creates an obligation to apply it consistently and credibly.
As Aerts noted, policies that sit unused, are inconsistently enforced, or are only invoked when convenient can weaken both legal defensibility and employee trust. Clear signposting in the code, visible promotion, and escalation routes that bypass local management were highlighted as critical enablers.
The takeaway for senior leaders: having a channel is not enough. A speak-up system only strengthens culture if employees believe concerns will be taken seriously, and handled fairly.
5.) The biggest gap isn’t executive messaging, it’s middle management behavior
One of the most consequential themes was cultural. Codes are increasingly championed by executives, yet too often fail in the place culture is actually made, the day-to-day manager relationship.
The panel described a familiar pattern: strong global messaging, town halls, and formal training; while middle managers deprioritise, mock, or simply fail to role-model expectations. And because managers shape performance pressure, psychological safety, and what “really matters,” the code can become irrelevant, even when it’s well written.
Casòliva emphasized two remedies that many organizations underuse:
- make manager responsibilities explicit in the code (not just employee obligations), and
- provide manager-specific enablement, not only harassment training, but broader ethical leadership and case discussions (“ethics moments”) that give managers practice navigating real dilemmas.
Aerts added a critical governance lens: manager accountability needs to be tangible, integrated into appraisal criteria, promotion decisions, and consequences. Otherwise, employees learn the real system fast: “values exist on paper, but performance pressure wins.”
The leadership imperative: From “having a code” to proving it works
For senior compliance, legal, HR, and risk leaders, the takeaway is not that codes need more content. It’s that codes now function as a program instrument, and program instruments need evidence of effectiveness.
That shifts the maturity conversation from activity to impact:
- Is the code designed for how employees learn, decide, and seek help?
- Can you show it is accessible, understood, and reinforced - especially for managers?
- Is it a governance hub that reduces complexity, or a document that adds to it?
- Are emerging risks like AI addressed in a way that connects values to real controls?
- Does the organization follow what it publishes, consistently and credibly?
Modern codes don’t succeed because they are longer, stricter, or more comprehensive. They succeed because they are usable, trusted, embedded, and leadership-driven, and because they help people make better decisions before problems become cases.
Conclusion: The code is no longer a document. It’s a test of organizational seriousness
The panel’s discussion made one thing clear: the Code of Conduct has become a mirror. It reflects whether an organization is serious about culture, clear about expectations, and capable of keeping pace with change.
In a world of hybrid work, accelerating technology risk, and heightened stakeholder scrutiny, resilience doesn’t come from policies alone. It comes from principled performance: where values are operational, not aspirational.
The question now isn’t whether your organization has a code. It’s whether leaders can confidently say:
“Our code is something people use, and something our culture can stand on, when it matters most.”
