What Makes an Effective Third-Party Code of Conduct?

You’ll be hard pressed to find a business today that doesn’t depend significantly on third parties for its success. From suppliers to vendors to agents and more, third parties are essential to how most organizations operate and grow. But they also represent one of the most significant sources of risk. Over the past 15 years, 90% of FCPA enforcement actions involved third-party intermediaries. Intermediaries also appear in 76% of global foreign bribery cases concluded under the OECD Anti-Bribery Convention between 1999 and 2014. As this data make clear, third-party risk management is a primary control point, not a ‘nice to have.’

Recognizing this reality, a whopping 99% of 2026 World’s Most Ethical Companies honorees maintain a stand-alone third-party Code of Conduct outlining the expectations partners must meet to maintain a business relationship. These codes provide clarity not only for third parties, but also for employees, customers, and the public. They help answer a simple but important question: How does this company expect its partners to do business?

Employee codes of conduct have been a cornerstone of ethical business practice for decades, and most companies have evolved them from the dense legal documents of yore into clear, accessible guides. Third-party codes, however, are newer; we see much greater variation in their tone, content, and design.

After evaluating hundreds of these documents, we have identified four key elements that consistently define effective third-party codes of conduct.

1: Set the Right Tone and Define the Scope

A strong third-party code begins by clearly explaining why it exists and to whom it applies. At its best, this section reinforces that the company’s relationships with suppliers and partners are grounded in shared values—not just contractual obligations.

Effective codes typically include:

• A clear explanation of the code’s purpose and how it supports the company’s broader approach to ethical business.
• A description of who the code applies to, and if there are different expectations/requirements for different types of third parties.
• Language that emphasizes integrity, partnership, and responsible business practices, rather than mere compliance.
• Some codes include a message from leadership (such as the CEO, Chief Procurement Officer, or Chief Ethics & Compliance Officer) reinforcing why these expectations matter.

Example: JLL’s code clearly describes its purpose (“to set out our business conduct and ethical expectations of you as well as your employees, agents and sub-contractors”). The tone throughout reinforces a spirit of partnership and describes the relationship between JLL and its supply chain as “mutually beneficial”

2: Clearly Communicate Expectations

The core of any third-party code is the substance of the expectations it sets. Effective codes address the key risk areas relevant to the company’s industry and third-party ecosystem. Common topics include:

• Anti-bribery and corruption
• Conflicts of interest
• Gifts, meals, travel, and entertainment
• Fair competition
• Human rights and fair labor practices
• Protection of information and company assets
• Accurate books and records
• Environmental responsibility and sustainability

Many organizations expand these topics to reflect specific risks identified through their risk assessments. For example, human rights expectations may address issues such as:

• Child labor
• Forced labor or modern slavery
• Migrant labor practices
• Wages and overtime
• Working hours
• Employment fees
• Access to identity documents
• Harassment and discrimination
• Freedom of association
• Conflict-free sourcing
• Health and safety

Effective codes also clearly describe the expectations for third party behavior and compliance with each risk topic, including definitions, explicit or quantifiable commitments, and examples where possible. They provide clear reporting channels, encourage or require the reporting of concerns, and affirm the company’s commitment to non-retaliation.

Example: Microsoft’s code provides explicit expectations around child labor. Compare the clarity of:

“Suppliers shall not employ anyone under the age of 15, or under the age for completing compulsory education, or under the legal minimum working age for employment, whichever requirement is greatest”

versus the much more ambiguous:

“Child labor shall not be used under any circumstance.”

The former explicitly defines the standard and avoids the potential for varied labor practices that could otherwise result from different jurisdictional criteria.

3: Make the Code Accessible and Easy to Use

Strong third-party codes prioritize usability by ensuring the document is easy to find, read, and navigate. Best practices include:

• Providing the code to all third parties and making it publicly available on the company’s website.
• Translating the code into relevant languages based on a risk-based approach.
• Using clear, plain language (generally written at a 10–12th grade reading level).
• Organizing topics logically so readers can easily navigate the document.

Increasingly, organizations are also improving visual design. While a third-party code does not need the same level of design sophistication as an employee code, good formatting can significantly improve comprehension. For example, applying consistent company branding, using clear headings and subheadings to differentiate content, and using layout to highlight key requirements.

Example: Cummins’ code employs a clean, simple layout that underlines the main principle (”treat people with dignity and respect”). Specific third party requirements are clearly highlighted in the “Compliance Requirements” callout.

4: Define Responsibilities and Consequences

A third-party code should clearly communicate what partners are expected to do with the document and how the company will ensure compliance. Effective codes explain:

• The responsibilities of third parties to implement the code internally, and if that responsibility extends to their sub-parties or sub-contractors.
• Whether partners are expected to train employees on the code’s provisions or adopt management systems to support compliance.
• How the company may monitor adherence to the code, such as through due diligence, audits, inspections, or verification processes.
• The potential consequences of non-compliance; often described along a spectrum from remediation requirements to suspension or termination of the business relationship.

The goal is not simply enforcement, but shared accountability for ethical business practices.

Conclusion

The most effective third-party codes of conduct do more than outline rules—they communicate a company’s expectations about how business should be done. When written well, these codes reinforce the stance that integrity doesn’t stop at the company’s walls. Suppliers, vendors, and partners are expected to operate with the same commitment to ethical business practices that the company holds for itself.

Strong third party codes also signal something important to the broader marketplace. They demonstrate that the organization views its supply chain not simply as an operational necessity, but as an extension of its values. Organizations that invest in clear, accessible, and well-implemented third-party codes create stronger partnerships, reduce risk, and build greater trust with stakeholders.

Ultimately, the goal is alignment, not just compliance. When companies and their third parties share the same expectations for responsible business conduct, they create a foundation for relationships that are not only productive, but sustainable.