Supplier Code of Conduct: From Policy to Supplier Compliance

Having a Supplier Code of Conduct is no longer unusual. For many companies, it is expected.

Customers, owners, regulators, employees, and business partners increasingly expect companies to know how suppliers behave in areas such as human rights, labour conditions, health and safety, environment, anti-corruption, data protection, and business ethics.

But this creates a practical procurement problem.

It is not enough to have a Supplier Code of Conduct saved as a PDF on the company website. It is not enough to attach it to an RFQ. It is not even enough to ask suppliers to sign it.

The real question is:

Can procurement make the Supplier Code of Conduct work in practice?

That normally requires three maturity steps:

  1. Develop the Supplier Code of Conduct
  2. Get suppliers to accept it
  3. Enforce and verify compliance

This article explains the role of a Supplier Code of Conduct in procurement and how buyers can move from policy to practical supplier control.


LHTS framework

Role: Tactical
Supporting roles: Management, Operative
Process: Supplier qualification, sourcing, RFQ/RFP, contracting, supplier onboarding, supplier management, supplier risk management
Level: Advanced
Related course: Supplier Code of Conduct
Supporting courses: Supplier Audits, Supplier Relationship Management


Quick answer: what is a Supplier Code of Conduct?

A Supplier Code of Conduct is a document that defines the minimum ethical, social, environmental, legal, and business conduct requirements suppliers must follow when doing business with a buying organization.

In procurement, the Supplier Code of Conduct is used to set expectations, qualify suppliers, support responsible sourcing, create contractual obligations, and verify supplier compliance.

A mature procurement function does not treat the SCoC as only a document. It treats it as part of supplier governance.


The real problem: a signed code does not prove compliance

Many companies have a Supplier Code of Conduct.

Fewer companies know whether suppliers actually follow it.

This is the gap procurement must manage.

  • A supplier may sign the code during onboarding but never communicate it internally.
  • A supplier may accept the code but not apply it to subcontractors.
  • A supplier may agree to labour standards but operate in a high-risk region without adequate controls.
  • A supplier may confirm environmental compliance but lack measurement, permits, or documentation.
  • A supplier may sign every customer’s code without reading the differences.
  • A buyer may collect signed documents but never check whether the content is followed.

This is why the Supplier Code of Conduct must be managed as a process.

The document matters. But acceptance, implementation, monitoring, and corrective action matter more.


Step 1: Develop the Supplier Code of Conduct

The first maturity step is to create a Supplier Code of Conduct that is clear, relevant, and usable.

A good SCoC should be based on:

  • Applicable law
  • Company values
  • Customer requirements
  • Industry standards
  • Risk exposure in the supply chain
  • International principles
  • Procurement category needs
  • Contractual enforceability
  • Supplier ability to understand and apply the requirements

The code should not be written only by legal, sustainability, or procurement in isolation. It should be developed cross-functionally with input from procurement, legal, compliance, sustainability, quality, finance, operations, HR, and business stakeholders.

The purpose is to create a standard that is ambitious enough to protect the company, its customer offering, and its supply chain, but practical enough to be implemented by suppliers.


What should a Supplier Code of Conduct include?

The exact content depends on industry, geography, risk, and company priorities, but most Supplier Codes of Conduct include the following areas.

1. Compliance with applicable law

Suppliers must comply with applicable laws and regulations in the countries where they operate.

This includes labour law, environmental law, tax law, trade law, competition law, anti-corruption law, sanctions, export controls, and product-specific regulations.

The SCoC should also state what happens if local law and the buyer’s standard differ.

A common approach is to require the supplier to follow the stricter standard where legally possible.

2. Human rights

The code should require respect for internationally recognized human rights.

This normally includes prohibition of forced labour, child labour, human trafficking, harassment, abuse, discrimination, and restrictions on freedom of movement.

It should also include respect for vulnerable workers such as migrant workers, temporary workers, agency workers, young workers, and workers in high-risk regions.

3. Labour standards

Labour requirements normally include:

  • Freedom of association
  • Collective bargaining
  • Working hours
  • Wages and benefits
  • No discrimination
  • No forced labour
  • No child labour
  • Fair treatment
  • Employment contracts
  • Recruitment fees
  • Worker grievance mechanisms

These are not only ethical issues. They are also supply continuity and reputation risks.

4. Health and safety

Suppliers should provide a safe and healthy working environment.

This can include requirements for:

  • Risk assessments
  • Protective equipment
  • Machine safety
  • Fire safety
  • Emergency preparedness
  • Incident reporting
  • Chemical handling
  • Training
  • Accommodation standards where workers live on site

Health and safety requirements are especially important for manufacturing, construction, logistics, mining, chemicals, food, and labour-intensive services.

5. Environment

Environmental requirements may include:

  • Permits and compliance
  • Waste management
  • Water use
  • Energy use
  • Emissions
  • Hazardous substances
  • Pollution prevention
  • Biodiversity where relevant
  • Resource efficiency
  • Climate impact
  • Product lifecycle considerations

The level of detail should reflect the supplier risk. A stationery supplier and a chemical manufacturer do not need the same level of environmental control.

6. Business ethics and anti-corruption

The SCoC should address:

  • Bribery
  • Facilitation payments
  • Gifts and hospitality
  • Conflicts of interest
  • Fraud
  • Money laundering
  • Competition law
  • Confidential information
  • Accurate records
  • Whistleblowing
  • Retaliation protection

This area is important because supplier misconduct can create legal, financial, and reputational consequences for the buyer.

7. Data, confidentiality, and information security

For suppliers handling sensitive data, systems, designs, personal information, customer data, or business-critical information, the SCoC should include expectations for confidentiality, information security, privacy, and incident reporting.

This is especially relevant for IT suppliers, consultants, outsourcing providers, logistics partners, engineering partners, and service providers with system access.

8. Subcontractors and supply chain flow-down

A Supplier Code of Conduct should not stop at the first-tier supplier.

If the risk sits deeper in the supply chain, the supplier must be expected to communicate equivalent requirements to relevant subcontractors, agents, labour providers, and sub-suppliers.

The buyer should be careful here. Passing obligations down the chain is not enough by itself. The supplier must also have reasonable control, monitoring, and escalation processes.


Make the SCoC clear and practical

A common mistake is to write a Supplier Code of Conduct that sounds strong but is too vague to enforce.

For example:

“Suppliers shall act ethically.”

That is a good principle, but it is too general.

A better structure is:

  • What is required?
  • Who must comply?
  • Which standard applies?
  • What evidence may be requested?
  • What happens if non-compliance is found?
  • How should violations be reported?
  • How does the code apply to subcontractors?
  • How will updates be communicated?

A good Supplier Code of Conduct should be written in clear language. It should be understandable for suppliers in different countries, company sizes, and maturity levels.

If suppliers cannot understand the requirement, they cannot implement it.


Step 2: Get suppliers to accept the Supplier Code of Conduct

The second maturity step is supplier acceptance.

This is where many procurement teams underestimate the work.

Publishing the code on the website does not mean suppliers have accepted it. Sending it by email does not mean it is contractually binding. Asking for a signature does not mean the supplier has implemented it.

Procurement must decide where and how the SCoC becomes part of the supplier relationship.


Where should supplier acceptance happen?

Supplier onboarding

The SCoC should be part of supplier onboarding.

Before a new supplier is approved, the supplier should confirm that it has received, understood, and accepted the code.

This can be done through:

  • Supplier portal
  • Supplier registration form
  • Signed declaration
  • Onboarding questionnaire
  • Digital acceptance workflow
  • Contract document
  • Purchase terms
  • Supplier qualification process

For low-risk suppliers, digital acceptance may be enough. For high-risk suppliers, acceptance should be combined with due diligence and documentation.

RFQ and RFP process

The SCoC should also be included in RFQs and RFPs.

This gives suppliers early visibility of the requirements before they price the offer or commit to delivery.

The buyer can ask:

  • Can you comply with our Supplier Code of Conduct?
  • Do you have exceptions?
  • Do you apply equivalent standards internally?
  • Do you require similar standards from your own suppliers?
  • Can you provide evidence if requested?
  • Have you had serious violations in the last period?
  • Do you have a corrective action process?

This avoids a common problem: the supplier wins the business and only later objects to the code.

Contracting

The Supplier Code of Conduct should be linked to the contract.

This can be done by:

  • Including the SCoC as an appendix
  • Referencing it in the main agreement
  • Including a compliance clause
  • Including audit rights
  • Including reporting obligations
  • Including corrective action requirements
  • Including termination rights for serious breach

The exact legal structure should be reviewed by legal counsel.

From a procurement perspective, the important point is simple:

If the code matters, it must be connected to the commercial relationship.

Purchase orders and general terms

For smaller suppliers or simpler purchases, the SCoC can be referenced in general purchasing terms or purchase order conditions.

This is not always as strong as a negotiated contract, but it is better than having no link at all.

Procurement should align with legal to decide what level of acceptance is appropriate for different supplier types.


Supplier acceptance should be risk-based

Not every supplier needs the same process.

A mature procurement team segments suppliers based on risk.

A low-risk office supply provider may only need digital acceptance.

A critical manufacturing supplier in a high-risk country may need a self-assessment, documentation review, audit rights, and follow-up.

A labour provider may need deeper review of recruitment practices, wages, working hours, contracts, and grievance mechanisms.

A chemical supplier may need environmental permits, safety data, waste handling procedures, and compliance evidence.

Supplier acceptance should reflect risk, not administrative convenience.


What if a supplier refuses to accept the SCoC?

Some suppliers may refuse to sign.

That does not always mean the supplier is unethical. It may mean:

  • The supplier has its own code
  • The supplier objects to audit wording
  • The supplier cannot accept unlimited liability
  • The supplier cannot control all sub-suppliers
  • The supplier needs legal review
  • The supplier sees conflicting customer requirements
  • The supplier lacks maturity
  • The supplier does not want the business enough

Procurement should not automatically accept exceptions, but it should understand them.

A practical approach is:

  • Identify the exact objection.
  • Separate legal wording from ethical substance.
  • Check whether the supplier’s own code is equivalent.
  • Escalate material deviations to legal/compliance.
  • Use risk-based approval.
  • Document exceptions.
  • Decide whether the supplier can be approved.

For strategic or technically unique suppliers, the answer may not be immediate rejection. It may be a negotiated compliance plan.


Step 3: Enforce and verify compliance

The third maturity step is where the Supplier Code of Conduct becomes real.

This is the difference between a policy and a control system.

Verification can include:

  • Supplier self-assessments
  • Document reviews
  • Certifications
  • Third-party platform data
  • Risk screening
  • Supplier audits
  • Worker interviews
  • Site visits
  • Corrective action plans
  • Incident reporting
  • Grievance mechanisms
  • KPI follow-up
  • Management reviews
  • Contractual escalation

The buyer does not need to audit every supplier every year. That is usually impossible and inefficient.

The buyer should apply a risk-based approach.


Risk-based supplier compliance

A mature supplier compliance process starts with risk segmentation.

Risk factors may include:

  • Country risk
  • Industry risk
  • Spend
  • Criticality
  • Labour intensity
  • Use of migrant workers
  • Use of subcontractors
  • Environmental impact
  • Chemical or hazardous processes
  • Known corruption risk
  • Data access
  • Product safety risk
  • Previous non-compliance
  • Supplier maturity
  • Customer requirements
  • Regulatory exposure

The highest-risk suppliers should receive the strongest follow-up.

This may include:

  • More detailed questionnaires
  • Evidence requests
  • Third-party assessments
  • On-site audits
  • Corrective action plans
  • Senior supplier meetings
  • Contractual milestones
  • Exit planning if risk is not controlled

The goal is not to create bureaucracy. The goal is to focus resources where the risk is highest.


Supplier self-assessments

A supplier self-assessment is often the first verification step.

It can ask suppliers to confirm whether they have:

  • Policies
  • Procedures
  • Training
  • Responsible managers
  • Subcontractor controls
  • Incident reporting
  • Grievance channels
  • Certificates
  • Permits
  • Risk assessments
  • Corrective action records

Self-assessments are useful because they create structure and supplier awareness.

But they are not proof by themselves.

A supplier can answer “yes” without having strong controls. Procurement should therefore use self-assessments as a screening tool, not as final assurance.


Supplier audits

Audits are useful when risk is high or when evidence is needed.

Audits can be performed by:

  • The buyer
  • A third-party audit firm
  • An industry audit program
  • A customer audit team
  • A certification body

Audits may cover labour, health and safety, environment, ethics, quality, information security, or specific legal requirements.

But audits also have limitations. They are snapshots. They may miss hidden issues. Suppliers may prepare for the audit. Workers may not speak freely. Subcontractors may be outside the audit scope.

This is why audits should be combined with other controls such as grievance channels, performance data, documentation checks, supplier dialogue, and corrective action follow-up.


Corrective action plans

When non-compliance is found, the mature response is not always immediate termination.

Sometimes termination is necessary, especially for severe violations, fraud, refusal to cooperate, or immediate danger.

But in many cases, the better response is a corrective action plan.

A corrective action plan should define:

  • What was found
  • Why it happened
  • What must be corrected
  • Who is responsible
  • Deadline
  • Evidence required
  • Follow-up method
  • Escalation if not completed
  • Preventive action to avoid recurrence

The purpose is to improve supplier behaviour, not only to document failure.

This is especially important when leaving the supplier would increase harm to workers, communities, or the environment.


Remediation and grievance mechanisms

A Supplier Code of Conduct should include a way to report concerns.

This can include:

  • Whistleblowing channel
  • Supplier reporting route
  • Worker grievance mechanism
  • Anonymous reporting option
  • Non-retaliation requirement
  • Escalation contact
  • Investigation process

If harm has occurred, the buyer and supplier must consider remediation.

Remediation may include repayment of recruitment fees, correction of wages, improvement of working conditions, reinstatement, medical support, environmental cleanup, or other actions depending on the issue.

A code without a reporting and remediation route is incomplete.


Make the SCoC part of daily procurement work

The Supplier Code of Conduct should not live only in sustainability or legal.

It should be integrated into procurement work.

In supplier qualification

Use the SCoC to define minimum supplier requirements.

In market analysis

Identify categories, regions, and supplier types where SCoC risks are higher.

In RFQ/RFP

Ask suppliers to confirm acceptance and describe their own controls.

In evaluation

Include compliance and risk as part of supplier evaluation where relevant.

In negotiation

Discuss exceptions, audit rights, reporting obligations, and corrective action.

In contracts

Make the SCoC legally connected to the supplier relationship.

In onboarding

Make acceptance mandatory before activation.

In supplier management

Follow up compliance according to supplier risk.

In supplier development

Support suppliers in improving systems, training, controls, and documentation.


Practical maturity model for Supplier Code of Conduct

Level 1: Document exists

The company has a Supplier Code of Conduct.

It may be available on the website or sent to suppliers. However, acceptance is inconsistent and follow-up is limited.

Typical signs:

  • Code exists as PDF
  • No clear owner
  • Limited supplier acceptance tracking
  • No risk segmentation
  • No audit plan
  • No corrective action process

This is the starting point, not the goal.

Level 2: Supplier acceptance is controlled

The SCoC is integrated into supplier onboarding, RFQ/RFP, contracts, and purchase terms.

Typical signs:

  • Acceptance is tracked
  • New suppliers must accept the code
  • Exceptions are documented
  • Contracts refer to the SCoC
  • Suppliers are informed during sourcing
  • High-risk suppliers receive additional questions

This is stronger, but still not enough.

Level 3: Compliance is verified and enforced

The company applies risk-based due diligence and follow-up.

Typical signs:

  • Supplier risk segmentation
  • Self-assessments
  • Audit program
  • Corrective action plans
  • Supplier training
  • Incident reporting
  • Grievance process
  • Management reporting
  • Supplier development
  • Escalation and termination rules

This is where the SCoC becomes part of responsible supplier management.

Level 4: SCoC is integrated into supplier strategy

At a higher maturity level, the SCoC is connected to category strategy, supplier relationship management, supplier development, sustainability targets, customer requirements, and regulatory due diligence.

Typical signs:

  • Category-specific risk maps
  • Supplier compliance KPIs
  • Board or management reporting
  • Cross-functional governance
  • Supplier improvement programs
  • Data-based risk monitoring
  • Sub-tier supply chain visibility
  • Integration with sourcing tools
  • Continuous improvement

At this stage, the SCoC is no longer only a compliance document. It becomes part of procurement strategy.


Practical example

A company introduces a Supplier Code of Conduct and sends it to all suppliers.

At first, procurement celebrates because 85% of suppliers have signed.

But then the company discovers several problems.

  • Some suppliers signed but never communicated the code internally.
  • Some high-risk suppliers did not answer.
  • Some suppliers accepted the code but excluded subcontractors.
  • Some suppliers signed but could not provide evidence of working hour controls.
  • Some suppliers had no environmental permits available.
  • Some suppliers objected to audit rights.
  • Some suppliers were active in high-risk regions but had never been assessed.

The company realizes that supplier signature is not the same as supplier compliance.

The procurement team then changes the approach.

  • They classify suppliers by risk.
  • They make SCoC acceptance mandatory in onboarding.
  • They include the SCoC in RFQ/RFP documents.
  • They link it to contracts.
  • They create an exception process.
  • They introduce self-assessments for medium-risk suppliers.
  • They audit selected high-risk suppliers.
  • They create corrective action plans.
  • They report progress to management.

This is the maturity shift: from document control to supplier control.


Common mistakes with Supplier Codes of Conduct

Mistake 1: Treating the SCoC only as a legal document

The SCoC is not only a document for legal protection. It is a procurement tool for setting expectations and managing supplier risk.

Mistake 2: Asking suppliers to sign but not tracking acceptance

If procurement cannot see which suppliers have accepted the code, the process is not controlled.

Mistake 3: Applying the same follow-up to all suppliers

Risk differs by category, country, supplier type, and business criticality. Follow-up should be risk-based.

Mistake 4: Writing requirements that suppliers cannot understand

A code written in complex legal language may protect the buyer on paper but fail in implementation.

Mistake 5: Forgetting subcontractors

Many serious risks sit below the first-tier supplier. The SCoC should address relevant subcontractors and sub-suppliers.

Mistake 6: Auditing without corrective action

An audit without follow-up is weak. Findings must lead to corrective action, deadlines, evidence, and escalation.

Mistake 7: Terminating too quickly or too late

Immediate termination may sometimes increase harm. But ignoring serious violations is also unacceptable. Procurement needs clear escalation logic.


Buyer checklist: is your Supplier Code of Conduct mature?

Ask these questions:

  • Do we have a current Supplier Code of Conduct?
  • Is it aligned with recognized international principles?
  • Is it written in clear supplier-friendly language?
  • Is it part of supplier onboarding?
  • Is acceptance tracked?
  • Is it included in RFQs and RFPs?
  • Is it linked to contracts and purchase terms?
  • Do we have a process for supplier exceptions?
  • Do we classify suppliers by compliance risk?
  • Do high-risk suppliers receive deeper due diligence?
  • Do we use self-assessments where relevant?
  • Do we audit selected suppliers?
  • Do we have corrective action plans?
  • Do suppliers have a way to report concerns?
  • Do we follow up subcontractor expectations?
  • Do management and procurement review compliance progress?

If the answer is no to most of these questions, the SCoC is probably still at document level.


How this connects to the procurement role

This topic is mainly connected to the tactical procurement role.

Tactical buyers, sourcing managers, and category managers must make sure that supplier expectations are built into RFQs, supplier qualification, evaluation, negotiation, contracting, onboarding, and supplier management.

The topic also connects to procurement management because SCoC implementation requires governance, tools, risk appetite, resources, escalation routines, and reporting.

Operative buyers are also important. They often see early warning signs in daily supplier contact, such as poor documentation, repeated non-compliance, unexplained subcontracting, delivery problems, or unusual supplier behaviour.

A Supplier Code of Conduct works only when all procurement roles understand how it affects their work.


Where this fits in the procurement process

The Supplier Code of Conduct connects to several procurement process steps:

Supplier market analysis
Identify high-risk categories, countries, and supplier types.

Supplier qualification
Use the SCoC as a minimum requirement for supplier approval.

RFQ/RFP
Ask suppliers to confirm acceptance and disclose exceptions.

Supplier evaluation
Include compliance, risk, and responsible sourcing criteria.

Contracting
Link the SCoC to contractual obligations, audit rights, and corrective action.

Supplier onboarding
Make acceptance part of supplier activation.

Supplier management
Monitor compliance based on risk.

Supplier development
Support suppliers in improving weak controls.

Contract termination or exit
Escalate serious or unresolved non-compliance.


If you want to go deeper into this topic, the Learn How to Source course Supplier Code of Conduct is the natural next step.

The course supports tactical buyers who need to understand how supplier standards are created, communicated, accepted, and followed up in procurement practice.

The courses Supplier Audits and Supplier Relationship Management are also relevant because a Supplier Code of Conduct must be connected to supplier assessment, ongoing supplier governance, and enforceable contractual terms.


FAQ

What is a Supplier Code of Conduct?

A Supplier Code of Conduct is a document that defines the ethical, social, environmental, legal, and business conduct requirements suppliers must follow when working with a buying organization.

Why is a Supplier Code of Conduct important in procurement?

It helps procurement set minimum supplier standards, manage risk, support responsible sourcing, meet customer expectations, and create a basis for supplier compliance follow-up.

Is it enough for a supplier to sign the Supplier Code of Conduct?

No. A signature confirms acceptance, but it does not prove implementation or compliance. Mature procurement functions also use risk-based verification, self-assessments, audits, corrective action plans, and supplier management.

When should suppliers accept the Supplier Code of Conduct?

Supplier acceptance should happen during onboarding, RFQ/RFP, contracting, and supplier renewal. For high-risk suppliers, acceptance should be combined with additional due diligence.

Should all suppliers be audited?

No. Supplier audits should be risk-based. High-risk suppliers may need audits, while low-risk suppliers may only need acceptance and periodic screening.

What should happen if a supplier violates the SCoC?

The response should depend on severity. It may include investigation, corrective action, remediation, escalation, suspension, or termination. Serious violations require immediate attention.

Should subcontractors be covered by the Supplier Code of Conduct?

Yes, where relevant. Suppliers should be expected to communicate equivalent requirements to subcontractors and sub-suppliers, especially where supply chain risk is high.


Conclusion

A Supplier Code of Conduct is now a standard part of responsible procurement.

But the document itself is only the beginning.

The real procurement challenge is to make the code work:

  • Develop clear requirements.
  • Get supplier acceptance.
  • Connect the code to sourcing and contracts.
  • Apply risk-based follow-up.
  • Verify compliance.
  • Use corrective action when needed.
  • Escalate serious non-compliance.

The practical maturity question is not:

Do we have a Supplier Code of Conduct?

The better question is:

Can we prove that suppliers understand it, accept it, and follow it where it matters most?

Figure: 3 steps to Supplier Code of Conduct