TASK
Read Gonzalez-Padron, Business Ethics and Social Responsibility for Managers (2nd ed.), Chapter 9 — the five practical steps to implementing an organizational ethics and compliance program, from structure through monitoring.
FRAMEWORK
The five common elements shared by the FSGO, FCPA, U.K. Bribery Act 2010, and OECD guidance: program structure, corporate standards (code of conduct), workforce education, investigation procedures, and program-effectiveness assessment.
DELIVERABLE
No standalone submission — this reading supplies the vocabulary and design criteria for evaluating and building an ethics and compliance program used in Week 5's discussion and assignment work.
PROGRAM
University of Arizona Global Campus — Graduate Studies
Canvas Link
Open on Canvas ↗

WHAT THIS CHAPTER PROMISES YOU CAN DO BY THE END

1

Learning Goals


Chapter 9 opens with five learning outcomes. After reading the chapter, you should be able to do each of the following.

  1. Explain how an organization can structure and manage an ethics program.
  2. Develop a code of conduct that articulates standards to company stakeholders.
  3. Create an ethics training and communications plan.
  4. Evaluate mechanisms for obtaining advice on ethical issues and reporting ethical misconduct.
  5. Design an effective monitoring and auditing system.

WHAT HAPPENS WHEN A COMPANY SKIPS THE PROGRAM

2

Introduction — Gunvor Learns That Ethics and Compliance Matters


The chapter opens with global energy trader Gunvor Group as a cautionary tale. In the oil and gas industry, where intense competition can normalize a culture of misconduct, Gunvor learned the cost of not having an effective ethics and compliance program the hard way, across two separate scandals roughly a decade apart.

In 2019, Gunvor International BV (via Gunvor Ltd in Geneva) was found guilty by the Office of the Attorney General (OAG) of Switzerland of bribing public officials in the Republic of Congo and Ivory Coast between 2008 and 2011. The OAG's press release was blunt: Gunvor "had taken no organisational measures to prevent corruption in its business activities: the company did not have a code of conduct... nor did it have a compliance programme" (Office of the Attorney General of Switzerland, 2019, para. 3), and had no dedicated risk staff. Gunvor responded by investing in compliance procedures aligned with international anti-bribery standards.

Less than five years later, an investigation of parent company Gunvor Group uncovered a bribery scheme involving Ecuadorian officials between 2012 and 2020, paying more than $97 million in bribes through shell companies in Panama and the British Virgin Islands, routed through U.S. banks (Office of the Attorney General of Switzerland, 2023; U.S. Department of Justice, 2024). The DOJ set the penalty at $661 million, crediting Gunvor's cooperation and remedial steps: ending use of third parties for business origination, implementing payment control frameworks, modifying compensation structure, investing in compliance personnel, and reviewing high-risk transactions (DOJ, 2024). The Swiss OAG remained unconvinced the program had actually prevented corruption, noting only that "certain measures were implemented by the Gunvor Group, albeit belatedly" (Office of the Attorney General of Switzerland, 2023, para. 7).

The DOJ (2023) evaluates programs partly by asking "if a compliance program did effectively identify misconduct, including allowing for timely remediation and self-reporting" (p. 14) — judged not on paper, but on whether it actually catches problems in time. Four major frameworks converge on the same five elements for an excellent program: the U.S. Federal Sentencing Guidelines for Organizations (FSGO), the FCPA, the U.K. Bribery Act 2010, and the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance. Each recommends: (a) create program structure, (b) establish corporate standards, (c) educate the workforce, (d) create investigation procedures, and (e) assess program effectiveness — though none dictates exactly how, since organizations tailor programs to their own industry, size, and risk (United States Sentencing Commission, 2023). As ethics becomes more strategic, companies increasingly fold in sustainability/ESG, privacy/cybersecurity, and diversity/DEI alongside the core ethics function (LRN, 2023, 2024). The rest of the chapter walks through the five steps in order.

THE ETHICS OFFICER, THE BOARD, AND THE REPORTING LINE

3

9.1 Creating a Program Structure


Simply creating an ethics program is not enough to prevent misconduct — a designated individual or group must have the authority and responsibility to oversee it. The chapter identifies three components of an effective program structure: (1) an appointed ethics officer who oversees legal and ethical compliance and acts as steward of the program, (2) oversight by the organization's governing body (e.g., the board of directors), and (3) the reporting relationship between the ethics officer and whomever they report to — which can help or hinder the program's effectiveness.

Approaches vary. Some companies maintain a distinct department, such as Lockheed Martin's Office of Ethics and Business Conduct (Lockheed Martin, 2024); others assign responsibility to an existing function such as HR or legal. Organizations designing a program should ask: How does the function relate to the business, the CEO, and top management? To functional departments? To external stakeholders (customers, suppliers, regulators)? To the board? What should it report, to whom, how, and when?

The Role of the Ethics Officer

Patrick Gnazzo, former Chief Ethics, Risk and Compliance Officer of CA Technologies, described the role as guarding "the organization's culture, the tone that a company has set, and the company's reputation" (Gnazzo, 2011, p. 549). SHRM describes it as the organization's "internal control point for ethics and improprieties, allegations and complaints, and conflicts of interest" (SHRM, 2014, para. 1) — in practice a broader role spanning strategic input, culture leadership, global responsibilities, and risk management.

Regulatory guidelines require the function be led by high-level personnel (United States Sentencing Commission, 2023). As covered in Chapter 1, the field shifted from a solely compliance focus in the early 1990s to a combined or solely ethics focus in the 2000s — a C-Suite chief ethics officer is generally taken more seriously. The officer coordinates with HR, finance, IT, risk management, and governance, and may communicate with customers and media; a 2023 survey found ethics officers spend a little over a day per week tracking regulatory developments (Thomson Reuters Regulatory Intelligence, 2023). The relationship to the governing authority shifted from informal to a formal reporting requirement after Sarbanes-Oxley (Chapter 4); the 2004 and 2010 FSGO amendments encourage direct board access to report observed misconduct.

Board Oversight

Board oversight differs from the ethics officer's daily management: the board monitors management practices and protects the organization from risk, and members can be personally liable for failing to guard against misbehavior. Recall from Chapter 1 that Medicare/Medicaid fraud scrutiny led to the 1996 Caremark decision, holding that directors must ensure accurate reporting systems are in place (Cohan, 2002; Robinson & Pauzé, 1997); Enron's board twice waiving its conflict-of-interest policy for its CFO intensified regulatory attention on board oversight of ethics (Felo & Solieri, 2003).

The FSGO requires the governing authority "be knowledgeable about the content and operation of the compliance and ethics [program] and... exercise reasonable oversight," giving whoever holds day-to-day responsibility "adequate resources, appropriate authority, and direct access" to the board (United States Sentencing Commission, 2023, pp. 525–526) — a global trend also seen in U.S. healthcare and the Bank of England (Penman, 2016).

Because a board cannot manage every detail, it relies on the ethics officer to build an ethical culture, even though boards often aren't sure how to evaluate a program (Vollmer, 2018). Table 9.1 supplies sample board questions by program element.

Board oversight questionElement of ethics programThe board needs to ensure that…
Do we have the right model to oversee, manage, and implement the E&C program?Program structure; governance; executive oversight; resourcesA CECO or equivalent is appointed with sufficient personnel, resources, and executive-team integration.
How do we assess adherence to standards and determine effectiveness? How are we using technology?Code of conduct and appropriate policiesThe code is referenced with all employees, the board, and third parties; E&C is factored into performance evaluations.
How do we ensure visibility of high-risk matters? Are policies updated for new law or innovation?Code of conduct and appropriate policiesHigh-risk policies are continually updated and available electronically and interactively.
How do we train employees and raise awareness of the E&C program?Targeted training and communicationsTraining occurs for all employees via multiple methods; completion is tracked; the board receives periodic integrity education.
Are we identifying and prioritizing the right compliance risks?Periodic risk assessmentRisk assessment is completed periodically, targets high-risk areas, and connects to enterprise risk management.
Do we have the resources and technology to monitor and enforce compliance?Monitoring, investigating, and auditingMonitoring/auditing is automated with board reporting; routine audits, an investigations protocol, and exit interviews occur.
Do we have systems ensuring misconduct is reported? Are employees comfortable raising issues?Anonymous reporting and helplinesA no-retaliation system exists; supervisors are trained; the board receives periodic hotline statistics and trends.
How do we measure E&C program effectiveness?Continual review and improvementLessons from mistakes are sought by the board; management is accountable for improvements; the CECO benchmarks via peer associations.

The ethics officer must inform the board of risks, incidents, and activities quarterly, with a full annual debrief, without fear of retaliation (Bagley et al., 2017). Quantitative dashboards typically cover helpline statistics, investigations, training completion, code certifications, culture-survey results, and turnover; qualitative reporting covers new laws, audit findings, and risk assessments.

Reporting Relationship

The ethics officer's credibility depends heavily on whom they report to — the line must let them address situations where executive management itself may be involved in wrongdoing. OECD guidance recommends senior officers have authority "to report matters directly to independent monitoring bodies… with an adequate level of autonomy from management, resources, and authority" (OECD, 2010, p. 3). The DOJ's (2023) guidance likewise calls for sufficient seniority, sufficient staff, and sufficient autonomy, such as direct board or audit-committee access (p. 10).

Fewer ethics officers now report to the general counsel; increasing numbers report directly to the CEO or board (Deloitte, 2017). An officer can be caught in a bind — monitoring, while also reporting to, senior managers who control their promotion, and who may recommend ignoring misconduct. Figure 9.2 illustrates a progression of possible reporting relationships, each with different implications for the officer's independence.

The FSGO requires adequate personnel and budget for whoever holds day-to-day responsibility (United States Sentencing Commission, 2023). Program size scales with company size: companies under 2,000 employees typically run 2–5 ethics professionals, while more than half of companies with 30,000+ employees have more than 11 (Society of Corporate Compliance and Ethics, 2023). The DOJ (2023) suggests boards assess resourcing across four areas: Seniority and Stature, Experience and Qualifications, Funding and Resources, and Data Resources and Access (p. 11).

THE FOUNDATION DOCUMENT: TITLE, CONTENT, AND QUALITY

4

9.2 Developing a Code of Conduct — Content and Structure


The ethics office typically creates the company's code of conduct, the foundation of the program, outlining ethically appropriate workplace behavior. A well-designed code can even overcome weak societal and legal institutions in some nations (Parboteeah et al., 2024). Erwin (2011) found companies with a high-quality code are seen as leaders in corporate citizenship and trustworthiness; in smaller organizations, a code increases an employee's sense of control, which increases ethical behavior (Valentine et al., 2019). LRN (2024) found 48% of large and 42% of mid-sized companies already have a strong code.

Merely having a code is not enough — content quality and employee familiarity are the real drivers of an ethical culture (Andreoli & Lefkowitz, 2009; Kaptein, 2011; Treviño et al., 1999). Familiarity drops in ambiguous situations or when the code's framing conflicts with an employee's own values (Lombard & Gibson-Brandon, 2024); managers with a relativist orientation are less likely than idealists to treat the code as binding (Chonko et al., 2003).

Rules-Based vs. Values-Based Titles

Even the code's title shapes whether employees uphold it. A rules-based code reads as punitive — a "thou shalt not" document (Ethics & Compliance Officer Association Foundation, 2008); a compliance code signals that following the law is sufficient, rather than framing ethics as choice guided by values. Values-based codes — like FedEx's Code of Conduct: Delivering With Integrity — connect values to behavior instead (FedEx, 2024). Multinationals weigh translation carefully: "ethics" carries moralistic connotations in some regions, "compliance" can feel imposed (Martens, 2012); North American codes tend to focus on values, European codes more on standards and laws (Vandenbroucke et al., 2024). Ambiguous enforcement phrases like "may result in disciplinary action" have been found by U.S. courts to negate a code's contractual force (Kenny, 2007).

Code Content and the Eight Recommended Elements

Designing a code means choosing topics and tone that resonate with the workforce, since employees often struggle to name the specific behaviors a code requires or prohibits (J. S. Adams et al., 2001; Stöber et al., 2019). The Ethics and Compliance Handbook warns against codes that are generic, bland, or legalistic — the code should reflect the organization's own culture, risks, and history, with content varying by regulatory environment and function (Ethics & Compliance Officer Association Foundation, 2008).

The Ethics and Compliance Handbook recommends eight sections for a code of conduct (Ethics & Compliance Officer Association Foundation, 2008):

  1. An introductory letter from senior management or the CEO reinforcing top-management support for ethics and compliance.
  2. A mission statement, statement of values, and guiding principles of the company.
  3. An ethical decision-making framework to guide employee choices.
  4. Resources for seeking advice and reporting misconduct.
  5. Substantive rules and guidance for acceptable and unacceptable behavior in risk areas.
  6. Disciplinary rules and enforcement procedures for unethical behavior.
  7. Protection against retaliation for reporting misconduct.
  8. An acknowledgment or certification that employees have received and read the code.

A code's quality contributes directly to how well it deters misconduct. A 1970s review found limited coverage of relevant issues and few procedures for advice, reporting, or discipline (Cressey & Moore, 1983); by sharing best practices, more companies now incorporate all eight sections. Table 9.2 gives evaluation components for benchmarking code quality.

ComponentComponent description
Public availabilityThe code should be readily available to all stakeholders. What is the availability and ease of access to the code?
Tone from the topThe level at which leadership is visibly committed to the values and topics covered in the code.
Readability and toneWhat is the style and tone of the language used? Is it easy to read and reflective of its target audience?
Non-retaliation & reportingIs there a stated, explicit non-retaliation commitment and dedicated resources for reporting code violations, presented clearly?
Commitment & valuesDoes the code embed corporate values or mission language, and identify ethical commitments to stakeholders (customers, vendors, communities)?
Risk topicsDoes the code address all appropriate and key risk areas for the company's industry?
Comprehension aidsDoes the code provide FAQs, checklists, examples, or case studies to help stakeholders understand key concepts?
Presentation and styleHow compelling or difficult is the code to read, given its layout, fonts, pictures, taxonomy, and structure?

(Sources: Erwin, 2011; NYSE Governance Services, 2014.)

Best practice for a global code is to seek input from legal, managers, and workers while drafting, identifying key legal concerns, cultural/historical issues, workforce dynamics, and terminology issues (Ethics & Compliance Officer Association Foundation, 2008, p. 62). International companies must decide between one common global code or separate country codes; a common code offers a single definition of right and wrong and clarity for traveling employees, while a middle path uses one common code with regional variations bridging local law/custom and company standards (Martens, 2012).

Focusing the Code on Key Risk Areas

Code focus shifts over time and by region. A 1970s review found codes emphasized misconduct with direct profit impact (e.g., conflict of interest) over responsibilities to others (Cressey & Moore, 1983); 21st-century codes show increased focus on social, governance, and environmental issues and technology risks like cybersecurity and AI (Loughran et al., 2023). Table 9.3 lists possible topics from these reviews — the full list is long, and including everything is neither practical nor necessary for most organizations.

Possible code of conduct topics
Company values
Diversity, equity & inclusion / respect and fair treatment
Good governance
Complying with laws
Discrimination
Business records retention
Reporting misconduct
Harassment/bullying (sexual and otherwise)
Confidential and proprietary information
Retaliation/whistleblower
Substance abuse
Copyrights, patents, and intellectual property
Investigations
Workplace violence
Financial accuracy, disclosures, audit
Professional standards, competence, and due care
Human rights/slavery
Global trade — export controls & sanctions
Customer service and customer relations
Human trafficking
Embezzlement/theft/fraud
Gifts, entertainment, and gratuities
Workplace safety
Money laundering
Marketing, sales, advertising, and promotions
Environmental protection
Securities trading and insider information
Product quality & safety
Community or civic activities
Technology
Bribery and corruption
External inquiries/public disclosure and reporting
Artificial intelligence
Responsible sourcing
Government contracting, transactions, and relationships
Cybersecurity, malware
Privacy and safeguarding information (company, customer, employee)
Government relations and lobbying
IT system & equipment use
Expense reimbursement and time reporting
Media relationships
Personal devices, messaging apps
Conflicts of interest
Political contributions
Social media

Executives weigh three factors when choosing risk areas: external forces (legal/regulatory/competitive environment — a 2023 DOJ guidance directs coverage of social media, personal devices, and messaging apps including ephemeral messaging, U.S. Department of Justice, 2023, p. 17); internal forces (industry, size, or scope — a company manufacturing in emerging markets may emphasize environmental impact, human rights, and safety); and historical data (past audit findings or common violations). It is useful to organize issues by stakeholder, corporate value, or employee conduct (Kaptein, 2004).

READABILITY, CULTURE, AND ROLLING THE CODE OUT

5

9.2 Developing a Code of Conduct — Global Reach and Implementation


Readability and Tone

An effective code helps employees manage contradictions between local norms and company standards. Ethisphere reports 94% of employees feel the code explains what is expected of them (Ethisphere, 2023b), and two-thirds of high-performing programs write in simple language (LRN, 2024). Still, Ethisphere (2023b) cautions: "It only takes one unethical employee to cause an issue that could become a reputational disaster" (p. 7). Positively phrased codes are better remembered and followed; negatively phrased codes correlate with poorer attitudes and higher unethical-behavior risk (Stöber et al., 2019). A signed, authentic CEO message is one of the most cited reasons employees trust a code (Stöber et al., 2019; Waegeneer et al., 2016).

Chapter 5 covered how cultural differences shape ethical positions in a global organization. One case cited: an ethics officer investigating sexist/ageist "jokes" by an executive discovered he was unaware the remarks were offensive, since they'd be acceptable in his own country (LRN, 2006, p. 3). Suggested global-code practices include identifying dimensions of difference, giving everyone a voice, protecting creative units, training everyone in key norms, and being heterogeneous everywhere (E. Meyer, 2015, p. 69). New technology needs new language too — for AI policy, a Singapore executive described designing messaging "contextually and culturally relevant… easily understood in Indonesia and by someone in London" (Kelley, 2022, pp. 878–879).

Organizations should avoid region-specific terms for a global audience — a U.S. firm shouldn't call a non-U.S. government employee a "foreign official" in anti-bribery sections meant for multiple countries, since local employees wouldn't consider their own officials foreign. Terms tied to national regulation, like "equal employment opportunity," fail to convey the underlying standard elsewhere. Table 9.4 gives replacement terms for culturally specific language.

TermCountry/region associationReplacement term
Equal employment opportunityUnited States-centricFair hiring practices / no discrimination
AntitrustUnited States-centricFair competition
AntimonopolyUnited Kingdom-centricFair competition
Bullying/mobbingUnited Kingdom and EuropeHarassment, disrespectful treatment
AntibriberyUnited KingdomImproper payments
FCPAUnited StatesImproper payments

(Source: Globalising a Business Ethics Programme, p. 25, by L. T. Martens, 2012, Institute of Business Ethics.)

Graphic design should reflect cultural sensitivity in color, symbols, and photos (Martens, 2005) — red print, for instance, may trigger negative associations with forced compliance in Western countries. Universal symbols are preferable (a dollar gift threshold should also list euro/yen equivalents), and photos should represent the company's international character without offending any region.

Implementation and Distribution

Implementing a code requires a plan: distribute it to all employees, give tools to apply it daily, and record acceptance. A study of accounting professionals found employees understood the code but rarely reviewed it again after initial hire (Seifert et al., 2023) — familiarity fades without reinforcement.

Distribution should stay easily accessible (NYSE Governance Services, 2014): new employees receive the code at hiring and orientation, with printed copies where computer access is limited. Many companies now offer a searchable, interactive web-based code with tools for finding information and learning scenarios — LRN (2024) found almost 30% of companies have one, and 57% of the rest see it as a near-term priority, since a searchable page also lets a company track which policies draw the most attention.

Many organizations require signed certification that employees have received and read the code, demonstrating program commitment to regulators (NYSE Governance Services, 2014). Certifications confirm receipt, acknowledgment, agreement to abide, reporting of known breaches, and manager discussion (Institute of Business Ethics [IBE], 2012); about half of companies surveyed by IBE (2012) referenced certifications during disciplinary decisions, though compelling a signature may depend on local labor law.

Certification alone does not prove employees understood the code, and explaining it only at hire is no longer a sufficient good-faith effort — the gap that ongoing workforce education, covered next, is meant to close.

WHY ONE-TIME TRAINING FAILS, AND WHAT WORKS INSTEAD

6

9.3 Educating the Workforce


The chapter compares one-time ethics training to witnessing a traffic accident: people drive carefully for a week, then revert to old habits. Research confirms one-time training has only transient effects unless organizations provide ongoing, interactive training and support (H. J. Martin, 2010; C. Richards, 1999; Warren et al., 2014). A well-planned program, by contrast, can help establish an actual culture of ethics and compliance.

Training depth should match whether a group needs to create, identify, or simply understand a risk. Discrimination, for example, drives DEI training (Cox, 2023): managers who hire, promote, and terminate carry lawsuit risk and need in-depth, frequent instruction, while other employees mainly need training on identifying and reporting discriminatory practices, reinforced through ongoing communication. Table 9.5 shows a sample training curriculum and schedule.

Compliance topicTarget audienceInitial requirementRecurrence
Code of ConductAll employeesWithin 30 days of hiringAnnually or continuous learning
Data Privacy & Information SecurityAll employees with access to computersWithin 30 days of hiringAnnually
Anti-Bribery / Anti-CorruptionField sales employees, procurement staffWithin 30 days or when moved to roleAnnually
Gifts & EntertainmentField sales employees, procurement staffWithin 30 days or when moved to roleAnnually
Sexual HarassmentAll employeesWithin 30 days of hiringAnnually
Fair Hiring & Promotion PracticesManagers and supervisorsWhen moved to roleTriggered when position posted
Expense ReportingAll employees with travel/expensesWithin 30 days of hiring or moved to roleTriggered when travel scheduled
Social Media, BYOD & MessagingAll employeesWithin 30 days of hiringWithin 5 days of failing a phishing email test
Diversity, Equity, Inclusion & BelongingAll employeesWithin 30 days of hiringContinuous learning

A survey of ethics and compliance professionals found training "has evolved away from 'one size fits all' lectures complete with legal citations towards a focus on content that's easier to access, more relevant to employees' day-to-day work, and more tailored to individual roles" (LRN, 2024, p. 47).

Training Delivery

Organizations use varied training and communication methods to reach diverse learning styles and a dispersed workforce. Over half blend in-person and online training, tailored by role, region, or seniority (LRN, 2024). The DOJ (2023) poses delivery questions: Is training offered in an appropriate form and language? Online, in-person, or both, and why? Does it address lessons from prior incidents? Can employees ask questions? How is effectiveness measured, and how does the company handle employees who fail testing? Has impact on actual behavior been evaluated? (p. 5).

As more employees work remotely, virtual training is particularly effective for building an ethical culture (S. Gupta & Pathak, 2024). Most companies rely on third-party providers or learning libraries like Skillsoft (LRN, 2024), though large corporations like Lockheed Martin build custom training in-house. For continuous learning, Lockheed Martin distributes its Integrity Minute series — short soap-opera-style videos reinforcing policy, timed well (e.g., before expense reports or travel to high-corruption locations). Vendors like Learnings Entertainment and RealBiz Shorts supply similar customizable video content.

LRN (2024) found 60% of high-impact programs let employees "test out" of training by demonstrating competency. In order of use, methods for measuring training effectiveness include: content quizzes, training-system data (mastery time, error rates, retakes), end-of-course surveys, completion rates, and root cause analysis of misconduct to identify training failures (LRN, 2024, p. 53).

ADVICE CHANNELS, CONFIDENTIALITY, AND WHY NAMING MATTERS

7

9.4 Reporting Misconduct — Building the Mechanism


For a culture to encourage ethical behavior, employees must feel comfortable seeking advice and reporting misconduct. A simple starting point is an open-door policy — IBM used this in the early years of its program (Carroll, 1991). In the U.S., Sarbanes-Oxley and the FSGO require a publicized system for ethics inquiries (Sarbanes-Oxley Act of 2002; United States Sentencing Commission, 2023); the U.K. Bribery Act 2010 requires "speak up" or whistleblowing procedures (Ministry of Justice, 2011, p. 22). Regulation appears to drive investment: 55% of surveyed U.S. companies created internal reporting mechanisms after Sarbanes-Oxley (J. Weber & Wasieleski, 2013), and by 2024, 76% had implemented or improved reporting/investigation processes (LRN, 2024).

Designing the Mechanism

Designing a reporting mechanism requires deciding: What will it be called and how branded? How communicated? What falls outside ethics and compliance (e.g., payroll routed to HR)? What formats — phone, internet, email, text? 24/7 access? What languages? Is reporting mandatory or encouraged (Ethics & Compliance Officer Association Foundation, 2008)?

A system employees will actually use must allow anonymous inquiries, protect confidentiality, prevent retaliation, and disclose outcomes where possible — the FSGO requires "mechanisms that allow for anonymity or confidentiality" (United States Sentencing Commission, 2023, p. 526). Recent practice favors "employee-centered investigations": keeping the reporting employee's experience consistent regardless of channel used — HR, compliance, manager, or portal (Salmon-Byrne et al., 2023, p. 1).

Employees may fear an inquiry triggers retaliation or scrutiny of their own conduct — pejorative labels for whistleblowers persist across cultures ("snitch," "rat," German Spitzel; Riebl, 2004). Organizations counter this with multiple channels; web portals are gaining popularity though many still prefer speaking to a person (Ethisphere, 2023a), and anonymous reporting is available at 60% of North American companies (LRN, 2024). In order of preference, Ethisphere's (2023a) Ethical Culture Report lists: immediate manager; HR representative; manager's manager; Ethics & Compliance office; phone helpline; web portal; internal audit; board audit committee; ombudsperson (p. 24).

Even the name matters — "hotline" implies urgency, so many companies switched to "helpline" (Weaver et al., 1999; J. Weber & Wasieleski, 2013). Branded examples: Integrity Helpline (Clarios, 2024b), FedEx Alert Line (FedEx, 2024), Ethics and Compliance Helpline (United Airlines, 2023), Integrity Line (Alcoa, 2022).

Confidential, Neutral, and Independent

Employees need confidence reports are confidential and advice is neutral and independent. Some companies assign tracking numbers to anonymous reports so employees can still get status updates (Kusserow, 2013). Confidentiality helps avoid retaliation (Chapter 4); whistleblower protections now exist across many countries, including Australia, Canada, Japan, the U.K., and the U.S. (OECD, 2016).

For advice to be independent, the reporting system must operate separately from management — companies run reporting in-house, outsourced, or hybrid, each affecting perceived independence (Riebl, 2004). Most U.S. organizations used internal staff in 1994 (Weaver et al., 1999); now 65% rely on third-party vendors for assured anonymity (LRN, 2024). Global companies add complexity: PepsiCo notes anonymous reporting isn't legal everywhere (PepsiCo, 2023); French privacy law restricts anonymous reporting for some matters.

Receiving Reports

Employees expect a timely, credible response. Supervisors need training in active listening, since employees may struggle to articulate concerns; all inquiries must be documented without compromising confidentiality, and 85% of companies now use some tracking system (Salmon-Byrne et al., 2023).

Employees must not fear becoming the investigation's subject — though knowingly false accusations are themselves subject to discipline. The Ethics and Compliance Handbook lists red flags suggesting a report's motive may affect accuracy: frequent allegations, a personal dispute with the subject, or facing discipline (Ethics & Compliance Officer Association Foundation, 2008) — but a perceived motive alone must not justify dismissing an allegation; that's what the investigation is for.

THE FOUR STEPS FROM ALLEGATION TO DISCIPLINE

8

9.4 Reporting Misconduct — Investigations


Investigating an allegation means establishing exactly what happened and what the organization can learn to prevent future misconduct. No single process fits every organization — a large, dispersed company may need regional coordination, while a small company moves faster. Figure 9.3 lays out four steps for organizations of any size: (a) determine the nature of the allegation, (b) make a plan, (c) develop the facts, and (d) document the investigation.

In most companies, ethics and compliance staff handle investigations; small companies may rely on outside counsel or HR. The process is triggered by documenting the allegation, arriving via a helpline, the ethics office, or a supervisor. Whoever receives the report must immediately assess whether the conduct endangers life or property and needs immediate attention — every channel must know when to call 911 or notify security.

Step 1: Determine the Nature of the Allegation

This step establishes scope and seriousness, and whether ethics and compliance should even conduct the investigation — some matters, like a production safety issue, are handled more efficiently at the functional level. Guiding questions: What specific misconduct was reported, and by whom? Is the allegation plausible? What are the initial facts, and are there inconsistencies or mitigating circumstances? How serious does it appear? Is the scope broad enough for remedial action? Will findings likely go to regulators or law enforcement (E. Jones et al., 2013)?

Step 2: Make a Plan

The plan addresses what the investigation must answer and what's still missing: Who will be interviewed, and in what order? What documents will be examined, and shared with witnesses? At what stage will the subject be told what they're accused of? Who else will be notified (Ethics & Compliance Officer Association Foundation, 2008, p. 100)?

Step 3: Develop the Facts

Executing the plan means: reviewing relevant policies and codes; assembling documents (personnel files, emails, messaging apps, security video); and preparing interview questions with adequate time per witness. Witnesses should be told not to discuss interviews with coworkers. The funnel technique — broad open-ended questions narrowing to specific details — structures a good interview, closing with "is there anything else?"

Step 4: Document the Investigation

The final step documents facts clearly, supported by documentation and interview notes, avoiding conclusions or personal opinions (see Figure 9.4 on determining discipline). Investigators consult management on whether evidence is sufficient to reach a conclusion and whether discipline follows; once documented, the investigation closes.

The DOJ's (2023) guidance on discipline covers process, actions, fairness, and financial impact, asking whether the company has "clear consequence management procedures... in place, enforces them consistently... and ensures that the procedures are commensurate with the violations" (p. 12).

Disclosing results demonstrates real commitment. At minimum, the reporting person should learn the outcome; results may also go to the subject's supervisor or the board. Some companies present disguised outcomes as training case studies, preserving confidentiality while reinforcing the lesson organization-wide.

TWO WAYS TO MEASURE A PROGRAM, AND WHAT AUDITS ADD

9

9.5 Monitoring and Assessing Progress


The FSGO requires regular review to "ensure that the organization's compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct; and to evaluate periodically the effectiveness" of the program (United States Sentencing Commission, 2023, p. 526). The goal across assessment, monitoring, and auditing is continuous improvement, not a one-time verdict.

Companies should not wait for a crisis to assess their program — boards want a return on their investment, and regulators want proof policies are actually followed. A 2023 survey found 79% of organizations can demonstrate code effectiveness, 62% assess training positively, and 71% show consistent policy use (LRN, 2024). But the true test is whether the program changes employee awareness, attitudes, and behavior — not whether it merely exists.

Measuring Ethical Performance: Activity vs. Outcomes

Measuring effectiveness starts with asking what the program has achieved and where it can improve. There are two broad approaches: measuring activity (transaction counts per program element — easier to track, more commonly used) and measuring outcomes (whether behavior actually changed and misconduct was reduced — harder to measure, but the real target). Table 9.6 lists common metrics for each program component.

Ethics and compliance program componentMeasuring activityMeasuring outcomes
Overall ethical cultureNumber of complaintsRetention rate of employees; employee questionnaire and culture surveys; exit interviews; supplier surveys; customer surveys; web content; press coverage
Code of conductNumber of code of conduct certifications; number of clicks and subjects chosen in web-based codesNumber and type of substantiated violations of code of conduct
TrainingNumber of training courses completed; percent participation; content quizzes during/at end of trainingEmployee surveys; number and type of ethical violations
Advice and reporting mechanismsNumber of hotline/helpline calls; number of reports of misconductAnonymous vs. identified callers (percentage fearing retaliation); number of reports leading to investigation; units/managers with concentrated misconduct
InvestigationsNumber of completed investigationsNumber of disciplinary actions; number of revised policies, procedures, and training elements
Monitoring and auditingNumber of audits completedBenchmarking to best practices; number of issues addressed

(Sources: LRN, 2024; PwC, 2014; SAI Global & Baker & McKenzie, 2013.)

Multiple methods feed these measures. Employee surveys assess awareness and confidence in acting ethically, though they can be expensive and employees may distrust confidentiality (Edwards, 2010). Exit interviews are underused — only about a third of companies use this information, missing insight into why people actually leave (PwC, 2014; SAI Global & Baker & McKenzie, 2013). Social media is an emerging signal, since employees share dissatisfaction online (Ravazzani & Mazzei, 2018); PwC (2014) notes stakeholder web content "can provide insight into elements relevant to the overall objectives of an ethics and compliance program" (p. 20), yet fewer than 20% of companies monitor press coverage this way — a comprehensive assessment should draw on all stakeholders, not employees alone.

Monitoring and Auditing: Two Different Functions

Monitoring and auditing are related but distinct from assessment: assessment asks what the program achieved; monitoring and auditing ask whether the process itself works. Monitoring is "a system of activities that provide an organization with a self-appraisal of its control system's performance" (Hedley & Ben-Chorin, 2011, p. 69) — reviewing travel expenses, using QA checklists, listening to service calls, surveying email. Intensity varies, but excessive controls can signal distrust and reduce employee commitment.

Auditing is a periodic review confirming all elements of an effective program actually exist. For public companies, the board's audit committee oversees this; Sarbanes-Oxley requires the committee to select external auditors and establish anonymous-concern mechanisms (Felo & Solieri, 2003).

The DOJ's (2023) guidance frames three linked question sets. Internal Audit: What determines audit frequency and scope, and what findings get reported to the board? Control Testing: Has the company reviewed and audited areas tied to past misconduct, and how are results tracked? Evolving Updates: How often are risk assessments and policies updated, and does the company adapt based on lessons from its own or peers' misconduct?

Formal audits, ongoing monitoring, and periodic evaluation together let a company continuously improve its ethical environment — but no two programs are identical, since size, industry, location, and history all shape implementation.

THE FIVE STEPS, IN ONE PASS

10

Chapter Summary


An ethics and compliance program should meet the organization's actual needs, often now including sustainability/ESG, privacy and cybersecurity, and diversity/DEI. Implementing an effective program follows five steps.

First, designers create a structure to manage and oversee the program. An ethics officer serves as steward of the program and needs sufficient authority and resources to encourage compliance with legal and ethical standards.

Second, the program communicates clear standards of acceptable behavior addressing the organization's risks — typically through a code of conduct. Those designing the code should tailor it to the organization's culture, risks, and history, since content varies with industry and geographic regulatory environment.

Third, the organization educates the workforce through a training program that resonates with its audience and makes ethical behavior the norm. This requires ongoing, interactive training, regular communication, and management follow-up support — the goal is decisions consistent with company values, delivered through a mix of classroom and online methods.

Fourth, procedures respond to reported misconduct through a transparent, fair investigation process. A usable system provides for anonymous inquiries, protects confidentiality, prevents retaliation, and discloses investigation results where possible, offering employees multiple channels for advice and reporting. Investigating an allegation means establishing exactly what happened and what the organization can do to prevent future misconduct.

Fifth and finally, the organization monitors and assesses program effectiveness to identify areas for improvement. Monitoring sets controls for compliance and catches noncompliance early. Effectiveness is measured two ways — activity metrics (transaction counts, how many people the program touches) and outcome metrics (actual behavior change and reduced misconduct). Auditing is the periodic review confirming that every element of an effective program genuinely exists.

THE CHAPTER'S OWN QUESTIONS, WITH MODEL ANSWERS

11

Critical Thinking and Discussion Questions


Chapter 9 closes with six critical thinking and discussion questions, each paired below with a concise model answer grounded in the chapter's content.

1. How could a company of 75 employees with limited resources implement an effective ethics program?

A small company can still cover all five elements at a proportionate scale: assign ethics responsibility to an existing role (HR or legal) rather than hiring a dedicated officer, keep the code of conduct focused on the company's actual top risks rather than an exhaustive topic list (Table 9.3), rely on lower-cost or hybrid reporting channels instead of a fully outsourced 24/7 helpline, and use lighter-weight activity metrics (completion rates, number of complaints) rather than expensive culture surveys. The chapter's own data shows companies under 2,000 employees typically run with just two to five ethics professionals (Society of Corporate Compliance and Ethics, 2023) — scale is expected, not a disqualifier.

2. Choose an organization you work for or are interested in working for. Locate its code of conduct. Score it using the Table 9.2 benchmarking criteria. How does it compare to similar firms in the industry?

A strong answer walks through each of Table 9.2's eight components in turn — public availability, tone from the top, readability and tone, non-retaliation and reporting, commitment and values, risk topics, comprehension aids, and presentation and style — scoring the chosen company's actual code against each, then comparing it to a named competitor's code on the same criteria rather than a general impression.

3. Write a code of conduct for a small fictitious business.

A complete answer includes the eight recommended sections from the Ethics and Compliance Handbook: an introductory leadership letter, a mission/values statement, an ethical decision-making framework, resources for advice and reporting, substantive rules for key risk areas relevant to the fictitious business, disciplinary and enforcement procedures, a non-retaliation protection statement, and an acknowledgment/certification section.

4. How can a company determine if ethical training is effective, other than showing completion of online courses or attendance?

Completion and attendance are activity metrics, not outcome metrics. Effectiveness is better shown through content quizzes and mastery data, end-of-course surveys, post-training employee surveys on awareness and confidence, tracking the number and type of ethical violations after training, and root cause analysis linking specific misconduct back to training gaps (LRN, 2024, p. 53) — in short, evidence that behavior actually changed, not just that a course was opened.

5. Should reporting of observed misconduct be mandatory? How could the policy be communicated and enforced? What are the unintended consequences of potential discipline if an employee does not speak up?

A thoughtful answer weighs the FSGO's expectation of a publicized reporting system (United States Sentencing Commission, 2023) against the risk that mandatory reporting, if punitive, could deepen the same fear of being labeled a "snitch" or "rat" that already discourages speaking up (Riebl, 2004). Communication should pair any mandatory-reporting policy with strong non-retaliation guarantees and multiple confidential channels; enforcement that disciplines silent bystanders too harshly risks driving concerns underground rather than into the open, undermining the very trust the reporting system depends on.

6. Why would questions on the ethical culture of an organization be valuable during an exit interview? What questions would you ask?

Departing employees have less incentive to protect the company's image and more freedom to be candid, yet the chapter notes only about a third of companies actually use exit-interview data on ethics (PwC, 2014; SAI Global & Baker & McKenzie, 2013) — a missed opportunity to learn why people really leave. Useful questions include whether the employee ever felt pressured to act against their values, whether they knew how to report a concern and felt safe doing so, whether they saw misconduct go unaddressed, and how they would rate leadership's "tone from the top" on ethics.

PRINT THIS

12

Glossary of Key Terms


Every bolded or explicitly defined term in Chapter 9, in one line each, in the order the chapter introduces them.

TermDefinition in one line
Ethics officerThe individual appointed to oversee compliance with legal and ethical standards and act as steward of the organization's ethics and compliance program.
Board oversight (of ethics programs)The governing body's duty to monitor management practices and protect the organization from reputational and financial risk arising from ethical misconduct.
Code of conductThe foundational document of an ethics and compliance program, outlining ethically appropriate behavior in the workplace.
Rules-based codeA code of conduct with a punitive, "thou shalt not" tone, focused on standards and rules applicable to an issue area (Ethics & Compliance Officer Association Foundation, 2008).
Values-based codeA code of conduct that connects company values with expected employee behavior, rather than framing conduct purely as rule-following.
Common (global) codeA single code of conduct applied across all countries an organization operates in, sometimes with regional or country-level variations.
Training plan curriculum and scheduleA structured mapping of compliance topics to target audience, initial training requirement, and recurrence (illustrated in Table 9.5).
Open-door policyAn informal mechanism allowing employees to seek ethics counsel from any manager, an early approach used by IBM (Carroll, 1991).
Helpline / hotlineA telephone (or multichannel) reporting system for ethics concerns; many companies rebranded "hotline" to "helpline" to reduce the perceived bar for reporting.
Employee-centered investigationsAn approach that keeps the reporting employee's experience consistent regardless of which channel (HR, compliance, manager, portal) they used to raise a concern (Salmon-Byrne et al., 2023).
Anonymous reportingA reporting option that conceals the identity of the person raising a concern, sometimes using a tracking number so status updates can still be provided.
Whistleblower protectionLegislation protecting employees who report misconduct from retaliation, now present in many countries worldwide (OECD, 2016).
In-house, outsourced, and hybrid reporting modelsThe three structural options for operating an ethics reporting/helpline system, each affecting employees' perception of its independence (Riebl, 2004).
Funnel techniqueAn investigative interview method that starts with open-ended questions and narrows to specific clarifying details.
Four steps of investigationDetermine the nature of the allegation, make a plan, develop the facts, and document the investigation (Figure 9.3).
Consequence management proceduresProcedures to identify, investigate, discipline, and remediate violations of law, regulation, or policy, applied consistently across an organization (DOJ, 2023, p. 12).
Monitoring"A system of activities that provide an organization with a self-appraisal of its control system's performance" (Hedley & Ben-Chorin, 2011, p. 69), used to catch noncompliance early.
AuditingA periodic review of company compliance with ethical and legal standards to determine whether all elements of an effective ethics and compliance program exist.
Activity metricsMeasures of the number of transactions with a given program element, such as training completions or hotline calls — easier to track than outcomes.
Outcome metricsMeasures of whether a program element actually changed behavior or reduced misconduct, such as substantiated violations or disciplinary actions.
In situ performance (ethics-program context)The chapter's broader framing that a program's true effectiveness must be judged through both activity and outcome measurement, not activity alone.

THE ONE-PAGE VERSION

13

Quick Reference


A single table capturing the chapter's five-step framework, its core structural and code-design concepts, and its most important names, tools, and findings.

ElementWhat to remember
The five common elements (FSGO, FCPA, U.K. Bribery Act, OECD)Create program structure, establish corporate standards, educate the workforce, create investigation procedures, and assess program effectiveness.
Program structure's three componentsAn appointed ethics officer; oversight by the governing body (board); and the reporting relationship between the two, which shapes the officer's real independence.
Board oversight toolTable 9.1's sample board questions, organized by program element — structure, code, training, risk assessment, monitoring/auditing, reporting, and continual improvement.
The eight recommended code of conduct sectionsLeadership letter; mission/values/principles; ethical decision-making framework; advice/reporting resources; substantive risk-area rules; disciplinary/enforcement procedures; non-retaliation protection; acknowledgment/certification.
Code title choiceRules-based codes read as punitive rule lists; values-based codes tie behavior to company values — the choice, and its translation, shapes employee buy-in.
Code quality benchmarking (Table 9.2)Public availability, tone from the top, readability and tone, non-retaliation and reporting, commitment and values, risk topics, comprehension aids, presentation and style.
Global code design considerationsOne common code vs. separate country codes (or a hybrid); avoiding country-specific terms (Table 9.4); culturally sensitive graphic design; multilingual, interactive delivery.
Training must be ongoing, not one-timeOne-time training has only transient effects, similar to slowing down briefly after witnessing a traffic accident — ongoing, interactive, role-tailored training and management support are required.
Reporting mechanism designMust offer confidentiality, neutrality, independence, and multiple channels; naming (helpline vs. hotline) and anonymity options directly affect whether employees actually use the system.
Four steps of investigationDetermine the nature of the allegation, make a plan, develop the facts, document the investigation — same sequence for large and small organizations (Figure 9.3).
Assessment vs. monitoring vs. auditingAssessment measures program impact/achievement; monitoring is ongoing real-time control activity catching noncompliance early; auditing is periodic formal verification that all program elements exist.
Activity metrics vs. outcome metricsActivity = transaction counts (easier to track, more commonly used). Outcome = actual behavior change and reduced misconduct (the real measure of impact).
The Gunvor caseTwo bribery scandals roughly a decade apart, both traced by regulators to the same root cause: no program structure, no dedicated risk staff, no code of conduct — the chapter's real-world argument for why all five steps matter together.