THE COPENHAGEN COMPLIANCE® CODEX on Bribery Fraud and Corruption


The primary mission of the Copenhagen Codex on Bribery, Fraud and Corruption (BFC) is to deliver independent and integrated certification and recommendations to its members and stakeholders.

The secondary mission is to enable the management of participating companies and organisations to prevent, identify, and manage the risk of bribery, fraud, theft, and corruption and address internal irregularities within the organisation.


The core objective is to manage the risks of bribery, fraud, and corruption and their deviations. We focus on incidents and related material (internal) issues and irregularities for identified problem areas in the Member Company or organisation.

The secondary objective is to recommend how to be proactive, effective and efficient in the areas that are of interest and importance to the member companies and organisations:

The codex provides you with recommendations for the development and provisioning of;

  • Develop and implement processes and procedures that will assist with promptly detecting fraud risks and incidents.
  • Develop and implement ongoing fraud risk awareness, training and communication programs and campaigns that will result in staff awareness and the effective prevention of such incidents
  • Prioritise, investigate and report on the identified and reported international incidents to establish the material facts, collate the relevant evidence and recommend appropriate actions.
  • Liaise with the appropriate criminal and regulatory law enforcement authorities to facilitate the institution of proper criminal action.
  • Liaise with significant internal parties to minimise the reputational risk to its members of such fraud issues and incidents.
  • Implement measures in the recovery of stolen assets
  • Provide all stakeholders with integrated intelligence on the risk of fraud, theft, corruption and associated irregularities.
  • Advice on how to create and maintain a controlled environment that will reduce and control such incidents
  • Best Practice Notes, Standards and Guidelines for Fraud Investigations
  • Detailed processes and procedures adopted by Its members for achieving these core and value-add objectives are set out in the following documents:
  • Assistance to the members to leverage the specialist expertise in forensic audits
  • Report integrated intelligence on the risk of fraud, theft, corruption and associated internal irregularities
  • Procedures and Policies on Fraud, Bribery and Dishonesty


The Copenhagen Compliance organisation will discharge their duties and be accountable to its members and stakeholders, incl. processes, update of the annual anti-fraud strategic plan and coordination of BFC activities

The Copenhagen Codex accountability incl. processes, an update of the annual anti-fraud strategic plan and coordination of BFC activities.

  • Report significant issues related to the processes for managing fraud risk, including recommending improvements to operations, and provide information concerning issues through active engagement and with the view to a constructive resolution.
  • Periodically provide information on the status and results of the annual anti-fraud strategic plan update.
  • Coordinate the activities of different departments with other control and monitoring functions in the organisation (including compliance, legal, company secretary, internal and external audit, and risk management).


To provide for the independence required in its role, Copenhagen Codex personnel report to the Board of Directors and will have unrestricted access to the Managing Director and Chairman of the Audit, Risk or Compliance Committee, should the need arise.

Copenhagen Compliance Codex personnel report to the Board of Directors to provide the independence required.

We believe that independence is a condition for successful certification that provides value to the Board, management and the entire organisation. We will work closely with The Audit, Risk or Compliance Committee and make sure that the platform of our independence includes the following:

  • Approve the overall Corruption and Fraud Codex
  • Approve the strategy and related plan for the year
  • Receive quarterly communications from the Copenhagen Codex Managers on the results of their corruption or fraud investigation activities or other matters that they determine necessary, including private meetings without Executive Management present.
  • Make appropriate inquiries to determine whether scope restrictions or budgetary limitations impede the ability to execute their responsibilities.


The functions and responsibilities of the codex must be detailed in the Best Practice Notes, Standards and Guidelines for Corruption and Fraud Investigations. Where investigations involving allegations relating to any senior manager are conducted, written notifications of the nature of these allegations will be sent to the Board of directors or the audit committee.


To achieve actual value and integrated improvements, we suggest that The Copenhagen Compliance Codex is certified to, depending on the circumstances and situation to:

Based on our experience, actual value and integrated improvements, depending on the circumstances and situation, are achieved when:

The Copenhagen Compliance Codex on BFC can recommend allocating resources, setting frequencies, selecting subjects, and determining the scope of work of investigations and fraud risk assessments without intervention or restriction from the staff of its business units. However, further to improve on Detection and Recovery, we should:

  • Cover full and unrestricted access to the information and personnel required to conduct or institute investigations and corruption and fraud risk assessments on the initiative of its members.
  • Apply the techniques required to accomplish its functions and responsibilities in this Codex and the approved Best Practice Notes, Standards and Guidelines for Fraud Investigations.
  • Have unrestricted access to all Its members’ functions, records, property, and personnel;
  • Obtain the necessary assistance from staff in the Business Units of its members and other specialised services from within or outside its members.

The scope of such investigations and formal reports will be issued confidentially once such studies are completed.




Management must provide unrestricted access to functions, records, property, and personnel and facilitate the necessary assistance, co-operation and support in connection with the certification process if there is a requirement for additional efforts other than self-assessment.

When an investigation, audit or incident is under investigation, members must report related or suspected incidents of fraud, theft, corruption and dishonesty involving staff in connection with the certification process.

Similarly, the member must report all suspected fraud, theft, corruption, and dishonesty of a claims-related nature involving suppliers, third parties, and brokers.

Management must provide unrestricted access to all functions, records, property, and personnel and facilitate the necessary assistance, co-operation and support to enable the investigation to be conducted professionally and adequately and fulfil their functions and responsibilities in this Codex.


Our recommendations on BFC are focused and based on our co-operation with industry-specific specialist investigative service providers. Our relationships with external experts is governed by appropriate legal documentation and confidentiality undertakings for 3rd party engagements. We provide ad hoc project management solutions that can work together with your internal resources. Specialist services in case of an emergency/crisis will receive top priority.


All investigations, forensics and audits will follow the Copenhagen Codex Code of Ethics based on the Global Code of Professional Standards and Ethics.

Contact us for additional information on the above Principles and codex on Bribery, Fraud or Corruption Certification issues.

Cyber Security Governance Codex

Cybersecurity governance holds fundamental importance in the modern digital landscape, serving as the cornerstone for safeguarding organisational assets and network security. It provides a structured framework for ensuring compliance with diverse regulatory requirements, managing and mitigating risks associated with network deployments, and protecting the confidentiality and integrity of sensitive data. By aligning security practices with broader business objectives, cyber security governance balances innovation and risk, fostering a secure environment for digital transformation, data and corporate digitisation.

The cybersecurity codex should serve as a starting point, and it’s essential to tailor it to your organisation’s specific needs and requirements. Additionally, it encompasses effective vendor management, incident response planning, and resource optimisation, contributing to cost efficiency and organisational resilience. Ultimately, cyber security governance builds trust and transparency, showcasing a commitment to responsible data management and positioning organisations to navigate the complexities of the ever-evolving digital landscape. To ensure accountability for cybersecurity at all levels within an organisation, consider implementing the following practices:

Senior management’s cybersecurity discipline and tone must signal engagement, commitment, and support to create a culture of accountability. Incorporate cybersecurity into job descriptions to include cybersecurity responsibilities, expectations, and performance evaluations to ensure employees understand their individual accountability for IT and cybersecurity. The codex is generic and needs customization to reflect the corporate actions to address the identified vulnerabilities.

10-point Cybersecurity Governance Codex: 10-point Cybersecurity Governance Codex:


  1. Establish a Cybersecurity Governance Framework: Develop and implement a comprehensive framework that outlines the organisation’s cybersecurity goals, policies, and procedures for 24X7 SOC monitoring of the corporate infrastructure and applications.
  1. Define Roles and Responsibilities: Clearly define and communicate the roles and responsibilities of individuals within the organisation. Clearly Define Roles and Responsibilities: Establish and communicate clear roles and responsibilities for individuals involved to ensure cybersecurity accountability. This includes executives, managers, IT staff, and end-users. Clearly outline what is expected of each role in terms of cybersecurity responsibilities.
  1. Conduct Regular Risk Assessments: Conduct an annual cybersecurity program maturity assessment. Based on the performance of the IT and cybersecurity risk assessments, identify and prioritise potential cybersecurity threats and vulnerabilities with an action plan. Assure Risk and Compliance to ISO 27001, PCI-DSS HIPPA HITRUST /SOC1/SOC2 based on the trade and annual security plan.
  1. 4. Implement Strong Access Controls: Strong access controls, including multi-factor authentication and least privilege principles, restrict unauthorised access to sensitive data and systems. This ensures that employees are granted access only to the resources necessary for their roles, reducing the risk of unauthorised actions and enhancing accountability.
  1. Educate and Train Employees: Encourage all employees to report any suspicious activities or potential security breaches promptly. Provide regular cybersecurity awareness training programs to all employees to enhance their understanding of potential threats and best practices for safeguarding data. This educates them about their role in protecting sensitive information and systems and reinforces the importance of accountability.
  1. Regularly Update and Patch Systems: Stay up to date with the latest security patches and software updates to protect against known vulnerabilities. Monitor all Logs for all deviations, track user activities, and detect suspicious behaviours. Regularly review these logs to identify any potential security breaches or policy violations. Conduct regular vulnerability assessment and penetration tests (VAPT)
  1. Monitor and Detect Cybersecurity Incidents: Implement robust monitoring and detection systems to promptly identify and respond to cybersecurity incidents. Establish an Incident Response Plan and develop and regularly test the incident response plans to ensure a coordinated and effective response to cybersecurity incidents. The incident response plan is based on scenarios, penetration tests, and ethical hacks to test and coordinate the breach response solutions regularly. Establish a straightforward process for reporting and responding to cybersecurity incidents. Ensure that incidents are thoroughly investigated, and appropriate actions are taken.
  1. Engage in Continuous Improvement: Evaluate and improve cybersecurity practices based on emerging threats and industry best practices. Based on all response exercises in the codex, conduct regular tabletop exercises or simulated cybersecurity incidents to test the organisation’s incident response capabilities to identify gaps in accountability and provide an opportunity to improve processes.
  1. Regularly Audit and Assess Compliance: Conduct regular audits and assessments to ensure compliance with cybersecurity policies, regulations, and industry standards. Hold individuals accountable for (not) following established security practices and identify improvement areas.
  1. Performance Metrics and Reporting: Establish key performance indicators (KPIs) and metrics to measure the effectiveness of cybersecurity practices. Regularly report these metrics to management and stakeholders to promote transparency and accountability.

By implementing these practices, organisations can foster a culture of accountability for cybersecurity throughout the entire workforce.

Remember, the cybersecurity codex should serve as a starting point, and it’s essential to tailor it to your organisation’s breaches, specific needs, and additional requirements to strengthen your cybersecurity measures.

The AI Governance Codex by The Corporate Governance Institute

The governance of AI is a critical topic of corporate discussion. Get on the right track to getting maximum value from the digitisation data journey. The AI Codex will create a platform to balance transparency, accountability, sustainability and security. The AI Codex will improve security quality, develop fair trade practices, harness technology, and enhance risk management.

The role of directors and management in addressing AI and sustainability issues is crucial for companies. The rapid advancement of AI technology has the potential to significantly impact corporate history, making it essential for corporate leaders to have a unified response.

While financial stability is essential, there are other significant consequences related to AI. One such consequence is the potential for AI models to be used for spreading misinformation. Finding practical solutions to these challenges becomes more difficult without a coordinated global corporate response.


A more coordinated approach is necessary to regulate AI on a global scale, taking into account the geopolitical implications involved. There is no clear path for how this technology will be regulated globally. Global leaders must collaborate and establish frameworks that ensure AI’s responsible and ethical use while fostering innovation and sustainability. Implementing a responsible AI program is critical to achieving AI compliance. The Artificial Intelligence Governance Code by The Corporate Governance Institute is a comprehensive framework for AI technologies’ ethical and accountable development. Addressing concerns such as bias, privacy, and societal impact, the code emphasises the importance of sustainability, transparency, accountability, and risk management throughout the AI lifecycle. The AI Code will harness AI’s potential and comply with emerging regulations through a robust AI governance codex. We recommend that you do not rush, as reaching high AI maturity will take 2-3 years, highlighting the urgency to start now to build customer trust while mitigating risks. Here are some steps to consider:

  1. Risk Management:

Create a framework to identify high-risk AI applications for enhanced scrutiny. Employ thorough risk management measures at every advanced AI system development stage, from inception to deployment, to identify, assess, and mitigate potential risks.

  1. Transparency:

Ensure transparency in AI systems, with developers providing clear explanations of system operations and data usage, including disclosure of any biases or limitations.

  1. Accountability:

Develop principles, policies, and guardrails governing AI use that align with the organisation’s mission and values. Hold developers and organisations accountable for AI system decisions, establish mechanisms to address the harm caused, and provide avenues for recourse and redress.

  1. Privacy and Data Protection:

Uphold user privacy and adhere to data protection laws, obtaining informed consent for data collection and ensuring secure storage and processing of personal data.

  1. Fairness and Bias:

Integrate AI governance into existing corporate structures to ensure apparent decision-making authority. Design and train AI systems to be fair and unbiased, actively mitigating biases in training data to prevent discrimination based on protected characteristics.

  1. Human Oversight:

Establish a senior leaders committee to oversee AI development and implementation that includes human oversight and control for AI systems, allowing intervention, override, or modification of decisions, especially in critical domains like healthcare, finance, and criminal justice.

  1. Safety and Security:

Prioritise safety and security in AI system design, implementing measures to prevent malicious use, protect against cyber threats, and ensure robustness and reliability.

  1. Social Impact:

Consider and minimise the societal impact of AI systems, addressing issues such as job displacement, economic inequality, and the potential amplification of social biases.

  1. Early Identification of Vulnerabilities:

Actively monitor AI systems for vulnerabilities and emerging risks post-deployment, taking appropriate action to address issues and encouraging third-party and user reporting.

  1. Responsible Information Sharing:

Engage in responsible information sharing and incident reporting among organisations developing advanced AI systems, collaborating with industry, governments, civil society, and academia to enhance AI safety and security.

Monitor high-profile litigation cases related to AI to prepare for evolving legal issues. Building a comprehensive RAI program takes time, but it’s a journey worth it as it can drive value and growth. Contact us for an in-house onsite or online workshop.