In Amsterdam, senior compliance, legal and ethics leaders gathered to examine a deceptively simple question: what does a Code of Conduct actually achieve? The discussion moved well beyond document design to confront deeper organisational realities: from behavioural blind spots to structural risk and leadership accountability. What follows are the key strategic takeaways from that conversation, and what they signal for the future of effective compliance programmes.
At a time of accelerating regulatory scrutiny, AI disruption and rising stakeholder expectations, the corporate Code of Conduct remains the symbolic centrepiece of most ethics and compliance programmes. Nearly every global organisation has one. Many have recently updated it. Some have beautifully designed, interactive versions supported by helplines, ambassador networks and scenario-based learning.
And yet, major corporate failures continue to occur, often in organisations with award-winning codes.
At LRN’s recent Amsterdam Code of Conduct panel, Professor Benjamin van Rooij (University of Amsterdam), Guillem Casòliva (LRN) and Octavian Cebotari (Booking.com) explored a difficult but necessary question: What does a code actually do - and where does it fall short?
The discussion surfaced a deeper leadership challenge. The issue is no longer whether organisations have a code. It is whether their code, and the system around it, meaningfully shapes behaviour in complex, high-pressure environments.
1.) The maturity trap: When “more” doesn’t mean “better”
LRN’s latest Code of Conduct benchmarking research, shared during the session, analysed nearly 200 global codes and surveyed more than 2,000 employees across 15 countries.
Encouragingly, many organisations are evolving:
- 98% provide clear reporting resources
- 77% include helplines
- 45% review their code annually
- Web-based and interactive formats are increasing
AI, the fastest-growing risk area, has tripled in inclusion, though it still appears explicitly in only 15% of codes.
On the surface, this signals progress. But the panel challenged an underlying assumption: that expanding policies, pages and disclosures necessarily strengthen ethical culture.
Professor van Rooij offered a striking example from academia. Following a laboratory accident, a university introduced extensive new safety acknowledgements, eventually requiring researchers to sign thousands of pages of documentation. Legally defensible? Perhaps. Behaviourally effective? Highly doubtful.
The tension is familiar to senior compliance leaders: regulators demand comprehensiveness; employees require clarity. The more expansive the documentation, the harder it becomes to embed.
The risk is not under-documentation. It is overengineering: creating a system too complex to execute consistently, and too burdensome to influence daily judgement.
2.) From awareness to behaviour: The limits of information
A core theme of the discussion was behavioural reality.
Most codes operate on a rational model: define the rules, communicate them clearly, reinforce consequences, and employees will decide accordingly.
But behavioural ethics research tells a different story.
“People are not little philosophers rationally weighing right and wrong,” van Rooij noted. “They have ethical blind spots.”
Employees do not approach decisions in a vacuum. They are shaped by peer norms, situational pressures, incentives and cognitive biases. Simply reading a policy does not reliably update behaviour.
One research study shared during the session tested whether shorter, more digestible anti-bribery policies improved understanding. Surprisingly, length made no significant difference. What mattered more were individuals’ pre-existing beliefs about bribery.
The implication for global organisations is significant:
- Codes alone rarely override local norms.
- Messaging alone cannot counteract misaligned incentives.
- Knowledge does not automatically translate into action.
Modern compliance must therefore move beyond document quality to behavioural design: aligning systems, incentives and leadership signals with stated values.
3.) The middle management gap
One of the more sobering insights from the research concerned leadership communication.
While 85% of executives are perceived as actively communicating the importance of ethics and compliance, only 53% of line managers are seen doing the same.
This gap matters.
Senior executives often deliver high-visibility messaging through town halls and formal communications. But culture is transmitted most powerfully in day-to-day team interactions - where trade-offs are made and pressures are felt.
As one delegate observed, executives typically have compliance support structures behind them. Middle managers often do not. Yet they are the ones translating ambition into operational reality.
Where unrealistic targets, performance pressure or short-term incentives dominate local environments, no amount of executive messaging can compensate.
Van Rooij’s research into major corporate scandals highlights this pattern repeatedly. In the worst cases, harm is preceded by:
- Unrealistic or conflicting performance goals
- Structural barriers to upward communication
- Informal norms that contradict formal values
In such environments, speak-up systems exist, but trust erodes. Ethics conversations become performative rather than protective.
4.) Speak-up systems: Infrastructure vs Credibility
The panel acknowledged significant progress in reporting infrastructure. Whistleblowing channels are widespread. Many organisations now share anonymised case data to demonstrate follow-through. Some, like Booking.com, operate ethics ambassador networks embedded locally to bridge gaps between global functions and regional teams.
These are signs of programme maturity.
Yet research suggests a more complex reality: whistleblowing mechanisms tend to work best in environments where culture is already relatively healthy, and least well where they are most needed.
Retaliation today is rarely overt dismissal. It is more often subtle marginalisation, stalled advancement or social isolation. Such dynamics are difficult to codify and even harder to detect.
Employees assess risk based not on policy language, but on observed patterns:
- Are concerns handled fairly?
- Are high performers held accountable?
- Are managers modelled as open to challenge?
Without visible reinforcement, infrastructure alone cannot generate trust.
5.) When organisational design overrides intent
Perhaps the most strategic insight from the discussion came from van Rooij’s analysis of large-scale corporate harm.
Across industries, five recurring “red flags” appear in organisations that cause systemic damage:
- Unrealistic or inflated goals
- Weak internal challenge mechanisms
- Structural opportunities for misconduct
- Normalisation of deviance
- Defensive reactions to early warning signs
Notably, these are organisational dynamics and not individual failings.
Compliance programmes often focus on individual accountability: training, attestations, discipline. But systemic failures frequently originate in structural design, particularly where commercial ambition outpaces governance capacity.
For senior leaders, this raises a harder question:
Are we assessing behavioural risk only at the level of individuals? Or also at the level of incentives, decision rights and operational pressure?
What this means for compliance leaders
The modern Code of Conduct must do more than exist or even engage. It must function as the hub of a broader behavioural system.
Leaders should be asking:
- Do our performance incentives align with our stated values?
- Where might operational pressure override ethical judgement?
- Are our middle managers equipped, and incentivised, to model ethical leadership?
- Are we measuring cultural effectiveness, or simply programme activity?
As regulatory expectations continue to evolve, documentation will remain essential. But documentation is not culture.
The next frontier for ethics and compliance is integration: connecting codes to lived experience, linking reporting data to structural change, and equipping leaders at every level to translate principles into practice.
A leadership inflection point
The Amsterdam discussion underscored a broader shift underway in governance and risk management.
The question is no longer whether an organisation has the right words. It is whether its systems, incentives and behaviours make those words real.
Codes of Conduct remain foundational. But they are only as powerful as the organisational conditions surrounding them.
In an era defined by AI acceleration, geopolitical volatility and public scrutiny, principled performance will depend less on what is written and more on what is reinforced.
The real test for leaders is not whether their code is comprehensive. It is whether their organisation is designed to live by it.