Code Of Conduct Responsibilities By Role In The United Kingdom
Typical responsibilities | Responsibility type | Evidence of compliance | Responsibility frequency | Escalation notes |
|---|---|---|---|---|
Board of directors | ||||
Set ethical culture, values and expectations for conduct across the organisation. | Oversight | Board minutes, culture reports, approved code, annual governance statements. | Periodic | Escalate material cultural or conduct failings to the chair and full board. |
Oversee internal controls for ethics, compliance, fraud, bribery and misconduct risks. | Oversight | Risk register, audit committee papers, control testing, remediation plans. | Periodic | Audit committee should escalate significant control weaknesses to the board. |
Ensure effective whistleblowing arrangements and oversight of serious disclosures. | Oversight | Whistleblowing policy, hotline reports, board summaries, action tracking. | Periodic | Serious or executive-level concerns should go to the chair or designated non-executive director. |
Approve proportionate anti-bribery procedures and require senior commitment. | Oversight | Anti-bribery policy approval, risk assessments, board briefings, compliance reports. | Annual | Escalate suspected bribery involving senior staff or high-risk markets to the board. |
Approve the annual modern slavery statement if the statutory threshold applies. | Oversight | Board approval, signed statement, website publication, supply chain risk review. | Annual | Escalate credible forced labour concerns to legal, compliance and the board sponsor. |
Senior leadership | ||||
Model ethical behaviour and communicate expectations consistently to teams. | Training and communication | Leadership messages, town halls, intranet posts, team briefings. | Day-to-day | Escalate repeated policy disregard to the executive committee or board sponsor. |
Allocate resources for training, reporting channels, monitoring and remediation. | Implementation | Budgets, implementation plans, accountable owners, KPI dashboards. | Periodic | Resource gaps should be raised to the CEO, CFO or relevant executive sponsor. |
Declare and manage conflicts of interest, outside roles and related-party issues. | Compliance | Conflict declarations, approvals, recusals, register entries. | Event-triggered | Escalate unresolved senior conflicts to the company secretary, legal team or board chair. |
Support proportionate action after serious misconduct findings. | Implementation | Disciplinary decisions, remediation logs, lessons-learned reports. | Event-triggered | Executive misconduct should be handled independently through HR, legal and the board. |
Lead health and safety culture and require compliance with safe working rules. | Oversight | Safety reports, management reviews, incident trends, improvement plans. | Periodic | Serious risks or incidents should be escalated to the safety lead and directors. |
Line managers | ||||
Apply the code fairly in daily supervision and team decisions. | Implementation | Team records, performance notes, approvals, management actions. | Day-to-day | Escalate uncertainty to HR, legal or the policy owner before acting. |
Encourage staff to raise concerns and protect them from retaliation. | Reporting | Concern logs, referrals, follow-up notes, anti-retaliation actions. | Event-triggered | Whistleblowing concerns should go to the designated officer or confidential channel. |
Address bullying, harassment, discrimination and inappropriate workplace behaviour promptly. | Compliance | Meeting notes, HR referrals, adjustments, investigation requests, action plans. | Event-triggered | Escalate complaints or protected characteristic issues to HR immediately. |
Review gifts, hospitality and entertainment requests under approval thresholds. | Compliance | Gift register entries, approvals, refusals, expense records. | Event-triggered | Escalate high-value or public official hospitality to compliance or legal. |
Ensure team members complete mandatory ethics and compliance training. | Training and communication | Training completion reports, reminders, induction checklists. | Periodic | Persistent non-completion should be escalated to HR and senior management. |
Employees | ||||
Read, understand and follow the code and related workplace policies. | Compliance | Policy acknowledgement, training completion, compliant conduct records. | Day-to-day | Ask a manager, HR or compliance if any requirement is unclear. |
Report suspected misconduct, illegal activity, safety risks or unethical behaviour. | Reporting | Reports, emails, hotline references, witness notes. | Event-triggered | Use manager, HR, compliance, whistleblowing channel or prescribed person where appropriate. |
Declare personal interests, relationships or outside work that may affect judgement. | Compliance | Conflict forms, register updates, manager approvals, mitigation steps. | Event-triggered | Escalate unresolved or sensitive conflicts to HR, legal or compliance. |
Avoid bribery, facilitation payments and improper inducements. | Compliance | Refusal records, gift declarations, due diligence checks, training logs. | Day-to-day | Report suspected bribery immediately to compliance, legal or the whistleblowing channel. |
Handle personal data securely, lawfully and only for authorised purposes. | Compliance | Training records, access logs, privacy checks, secure disposal records. | Day-to-day | Report suspected personal data breaches promptly to the data protection lead. |
Treat colleagues, customers and third parties fairly and without discrimination. | Compliance | Training completion, complaint outcomes, inclusive practice records. | Day-to-day | Report harassment or discrimination to a manager, HR or reporting channel. |
Take reasonable care for own and others' health and safety. | Compliance | Safety training, incident reports, PPE records, risk assessment acknowledgements. | Day-to-day | Escalate hazards, near misses or unsafe practices to the manager or safety lead. |
Protect confidential information, trade secrets and company records. | Compliance | Access permissions, NDA acknowledgements, secure storage, audit logs. | Day-to-day | Report unauthorised disclosure to the manager, IT security or legal team. |
Act honestly and avoid fraud, false accounting and dishonest expense claims. | Compliance | Accurate records, expense receipts, approvals, audit trails. | Day-to-day | Report suspected fraud to finance, compliance, legal or whistleblowing channels. |
Contractors and consultants | ||||
Comply with applicable conduct, confidentiality, safety and security requirements. | Compliance | Contract clauses, onboarding records, signed policy acknowledgements. | Day-to-day | Concerns should be raised with the contract manager or compliance contact. |
Disclose conflicts, competing engagements or independence issues before work starts. | Reporting | Conflict declarations, engagement letters, contract manager approvals. | Event-triggered | Material conflicts should be escalated to procurement, legal or the project sponsor. |
Process personal data only under authorised instructions and security controls. | Compliance | Data processing terms, access logs, security attestations, breach reports. | Day-to-day | Suspected data breaches should be reported immediately to the client contact and DPO. |
Avoid bribery and improper payments when acting for the organisation. | Compliance | Contract warranties, due diligence, payment records, training attestations. | Day-to-day | Suspected bribery should be escalated to the contract manager and compliance team. |
Human resources | ||||
Include the code in induction and obtain staff acknowledgements. | Training and communication | Induction checklists, signed acknowledgements, LMS records. | Event-triggered | Missing acknowledgements should be escalated to line managers and HR business partners. |
Manage disciplinary and grievance processes fairly and consistently. | Implementation | Case files, meeting notes, outcome letters, appeal records. | Event-triggered | Complex or high-risk cases should be escalated to legal and senior HR. |
Provide training on equality, harassment, bullying and respectful workplace standards. | Training and communication | Training materials, attendance logs, refresher schedules, evaluation results. | Periodic | Training gaps in high-risk teams should be escalated to senior leadership. |
Support impartial investigations into employee misconduct and workplace complaints. | Investigation support | Terms of reference, interview notes, evidence logs, investigation reports. | Event-triggered | Allegations involving senior leaders should use an independent investigator or legal oversight. |
Monitor for retaliation after complaints, grievances or whistleblowing disclosures. | Compliance | Follow-up check-ins, case notes, transfer records, retaliation reviews. | Event-triggered | Suspected retaliation should be escalated to senior HR and legal immediately. |
Advise on reasonable adjustments and fair treatment in employment decisions. | Implementation | Adjustment records, occupational health referrals, decision rationale, review dates. | Event-triggered | Escalate contested or high-risk decisions to legal and senior HR. |
Compliance or legal team | ||||
Draft, update and interpret the code and related compliance policies. | Implementation | Version history, legal reviews, approval records, policy change logs. | Periodic | Material legal changes should be escalated to senior leadership and the board. |
Maintain anti-bribery risk assessments, procedures, monitoring and advice. | Implementation | Risk assessments, due diligence files, approvals, monitoring reports. | Periodic | High-risk bribery issues should be escalated to general counsel and the board sponsor. |
Operate confidential reporting routes and triage whistleblowing disclosures. | Reporting | Case log, triage notes, confidentiality controls, board reporting. | Event-triggered | Serious disclosures should be escalated to independent senior oversight. |
Advise on investigations involving fraud, bribery, sanctions, data or legal risk. | Investigation support | Legal hold notices, evidence logs, advice notes, investigation reports. | Event-triggered | Matters involving criminal risk or regulators should be escalated to general counsel. |
Advise on sanctions, fraud, money laundering and restricted-party risks. | Compliance | Screening records, risk assessments, approvals, escalation decisions. | Event-triggered | Potential sanctions matches should be escalated immediately and transactions paused. |
Assess data incidents and advise on ICO notification requirements. | Reporting | Incident assessments, breach register, ICO notifications, remedial actions. | Event-triggered | High-risk data incidents should be escalated to the DPO and senior management urgently. |
Suppliers and business partners | ||||
Follow contractual conduct standards on ethics, labour, safety and integrity. | Compliance | Supplier code acceptance, contract clauses, audit responses, certifications. | Day-to-day | Supplier breaches should be escalated to procurement, legal and the contract owner. |
Avoid forced labour and support modern slavery supply chain due diligence. | Compliance | SAQs, audit reports, corrective actions, worker records, termination rights. | Periodic | Credible exploitation risks should be escalated to compliance, legal and senior procurement. |
Avoid bribery, kickbacks and improper advantages in business dealings. | Compliance | Due diligence, anti-bribery clauses, payment controls, audit rights. | Day-to-day | Suspicious requests or payments should be escalated before payment or engagement continues. |
Meet contractual data protection and security obligations when processing personal data. | Compliance | Data processing agreement, security audits, subprocessors list, breach notices. | Day-to-day | Supplier data incidents should be reported immediately to the contract owner and DPO. |
Notify the organisation of suspected code, legal or contract breaches. | Reporting | Breach notices, meeting minutes, remediation updates, audit findings. | Event-triggered | Use the contract manager, procurement contact or confidential reporting channel. |
Avoid bid rigging, price fixing, market sharing and anti-competitive coordination. | Compliance | Tender records, competition clauses, training attestations, audit trails. | Event-triggered | Competition concerns should be escalated to legal before discussions or tenders continue. |
Board of directors | ||||
Review code effectiveness, incident trends and material policy changes annually. | Oversight | Annual review paper, incident metrics, approved revisions, action plan. | Annual | Unresolved systemic weaknesses should be assigned to an executive owner. |
Compliance or legal team | ||||
Coordinate annual code attestations and exception reporting. | Training and communication | Attestation dashboard, exception list, reminders, escalation records. | Annual | Non-attestation by senior staff should be escalated to leadership and HR. |
Senior leadership | ||||
Communicate lessons learned after material ethics or conduct incidents. | Training and communication | Lessons-learned briefings, updated guidance, team action trackers. | Event-triggered | Communications on legal or sensitive matters should be cleared by legal and HR. |
Line managers | ||||
Preserve evidence and cooperate with investigations without prejudging outcomes. | Investigation support | Evidence preservation notes, witness availability, handover records. | Event-triggered | Potential interference or retaliation should be escalated to HR or legal. |
Employees | ||||
Cooperate honestly with authorised investigations and preserve relevant information. | Investigation support | Witness statements, document preservation, interview attendance. | Event-triggered | Concerns about the process should be raised with HR, legal or the investigator. |
Human resources | ||||
Keep conduct, grievance and disciplinary records securely and lawfully. | Compliance | Retention schedule, restricted access, deletion logs, case files. | Day-to-day | Subject access or deletion issues should be escalated to the DPO or legal team. |
Compliance or legal team | ||||
Advise whether misconduct requires notification to regulators or authorities. | Reporting | Notification assessments, regulator correspondence, decision logs. | Event-triggered | Potential external reporting should be escalated to general counsel and senior leadership. |
Employees | ||||
Use company assets, systems and funds responsibly and for authorised purposes. | Compliance | Asset registers, access logs, expense approvals, acceptable use acknowledgements. | Day-to-day | Suspected misuse should be reported to the manager, IT, finance or HR. |
Suppliers and business partners | ||||
Submit accurate invoices, records and representations under commercial arrangements. | Compliance | Invoices, delivery records, audit trails, contract reports. | Day-to-day | Suspected false billing should be escalated to procurement, finance and legal. |
Who Should Be Responsible For A UK Code Of Conduct And Ethics Policy?
A robust UK code of conduct should allocate duties across the organisation rather than treating ethics as an HR-only matter. The board should own oversight of culture, risk appetite and whistleblowing arrangements, while senior leadership should translate those expectations into business decisions, resources and communications.
What Should Managers And Employees Do Day To Day?
Line managers and employees carry most day-to-day responsibilities: applying standards on conflicts of interest, gifts and hospitality, anti-bribery, data protection, equality, health and safety, and respectful workplace behaviour. Evidence should be practical and contemporaneous, such as conflict declarations, training records, approvals, incident reports and documented management actions.
When Should Issues Be Escalated?
Escalation routes should be clear for misconduct, suspected bribery, fraud, harassment, discrimination, data breaches, health and safety concerns, modern slavery risks and whistleblowing disclosures. Serious matters should move quickly to HR, legal, compliance, senior leadership or the board, depending on the risk and whether independence is required.
Why Do Suppliers And Contractors Need Specific Duties?
UK organisations often rely on contractors, consultants, suppliers and business partners, so the policy should extend core expectations to third parties through contract clauses, onboarding, due diligence and reporting obligations. This is particularly important for anti-bribery controls, modern slavery due diligence, data protection, sanctions, confidentiality and workplace conduct.
What Records Help Demonstrate Compliance?
Useful evidence includes board minutes, risk registers, policy acknowledgements, training logs, investigation files, supplier due diligence, audit findings, declarations of interest, whistleblowing case logs and remediation actions. These records support defensible decision-making if an issue is reviewed by regulators, courts, auditors or business partners.
