While most companies have a Code of Conduct for staff, not as many require their 3rd parties to sign such a document. Even fewer include violation of that Code of Conduct as a condition for cancellation of the contract. As we all know, being associated with a 3rd party that has received adverse attention in the media could affect the reputation of the institution itself and be costly to repair. While the Code of Conduct document itself might state that violations could result in termination of the relationship and the contractual agreement, that consequence needs to be built into the contract itself, which should even include terms for recovery of costs associated with the violation. Let’s take it a step further: the 3rd party risk management supply chain includes 4th parties, 5th parties, etc. Ultimately, it’s the institution’s responsibility to ensure that those vendors are monitored on an ongoing basis, so the 3rd party needs to be contractually required to monitor and report on its vendors. Thus, the Code of Conduct should contractually flow downstream.