WHAT THIS CHAPTER PROMISES YOU CAN DO BY THE END
Learning Goals
Chapter 9 opens with five learning outcomes. After reading the chapter, you should be able to do each of the following.
- Explain how an organization can structure and manage an ethics program.
- Develop a code of conduct that articulates standards to company stakeholders.
- Create an ethics training and communications plan.
- Evaluate mechanisms for obtaining advice on ethical issues and reporting ethical misconduct.
- Design an effective monitoring and auditing system.
WHAT HAPPENS WHEN A COMPANY SKIPS THE PROGRAM
Introduction — Gunvor Learns That Ethics and Compliance Matters
The chapter opens with global energy trader Gunvor Group as a cautionary tale. In the oil and gas industry, where intense competition can normalize a culture of misconduct, Gunvor learned the cost of not having an effective ethics and compliance program the hard way, across two separate scandals roughly a decade apart.
In 2019, Gunvor International BV (via Gunvor Ltd in Geneva) was found guilty by the Office of the Attorney General (OAG) of Switzerland of bribing public officials in the Republic of Congo and Ivory Coast between 2008 and 2011. The OAG's press release was blunt: Gunvor "had taken no organisational measures to prevent corruption in its business activities: the company did not have a code of conduct... nor did it have a compliance programme" (Office of the Attorney General of Switzerland, 2019, para. 3), and had no dedicated risk staff. Gunvor responded by investing in compliance procedures aligned with international anti-bribery standards.
Less than five years later, an investigation of parent company Gunvor Group uncovered a bribery scheme involving Ecuadorian officials between 2012 and 2020, paying more than $97 million in bribes through shell companies in Panama and the British Virgin Islands, routed through U.S. banks (Office of the Attorney General of Switzerland, 2023; U.S. Department of Justice, 2024). The DOJ set the penalty at $661 million, crediting Gunvor's cooperation and remedial steps: ending use of third parties for business origination, implementing payment control frameworks, modifying compensation structure, investing in compliance personnel, and reviewing high-risk transactions (DOJ, 2024). The Swiss OAG remained unconvinced the program had actually prevented corruption, noting only that "certain measures were implemented by the Gunvor Group, albeit belatedly" (Office of the Attorney General of Switzerland, 2023, para. 7).
The DOJ (2023) evaluates programs partly by asking "if a compliance program did effectively identify misconduct, including allowing for timely remediation and self-reporting" (p. 14) — judged not on paper, but on whether it actually catches problems in time. Four major frameworks converge on the same five elements for an excellent program: the U.S. Federal Sentencing Guidelines for Organizations (FSGO), the FCPA, the U.K. Bribery Act 2010, and the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance. Each recommends: (a) create program structure, (b) establish corporate standards, (c) educate the workforce, (d) create investigation procedures, and (e) assess program effectiveness — though none dictates exactly how, since organizations tailor programs to their own industry, size, and risk (United States Sentencing Commission, 2023). As ethics becomes more strategic, companies increasingly fold in sustainability/ESG, privacy/cybersecurity, and diversity/DEI alongside the core ethics function (LRN, 2023, 2024). The rest of the chapter walks through the five steps in order.
THE ETHICS OFFICER, THE BOARD, AND THE REPORTING LINE
9.1 Creating a Program Structure
Simply creating an ethics program is not enough to prevent misconduct — a designated individual or group must have the authority and responsibility to oversee it. The chapter identifies three components of an effective program structure: (1) an appointed ethics officer who oversees legal and ethical compliance and acts as steward of the program, (2) oversight by the organization's governing body (e.g., the board of directors), and (3) the reporting relationship between the ethics officer and whomever they report to — which can help or hinder the program's effectiveness.
Approaches vary. Some companies maintain a distinct department, such as Lockheed Martin's Office of Ethics and Business Conduct (Lockheed Martin, 2024); others assign responsibility to an existing function such as HR or legal. Organizations designing a program should ask: How does the function relate to the business, the CEO, and top management? To functional departments? To external stakeholders (customers, suppliers, regulators)? To the board? What should it report, to whom, how, and when?
The Role of the Ethics Officer
Patrick Gnazzo, former Chief Ethics, Risk and Compliance Officer of CA Technologies, described the role as guarding "the organization's culture, the tone that a company has set, and the company's reputation" (Gnazzo, 2011, p. 549). SHRM describes it as the organization's "internal control point for ethics and improprieties, allegations and complaints, and conflicts of interest" (SHRM, 2014, para. 1) — in practice a broader role spanning strategic input, culture leadership, global responsibilities, and risk management.
Regulatory guidelines require the function be led by high-level personnel (United States Sentencing Commission, 2023). As covered in Chapter 1, the field shifted from a solely compliance focus in the early 1990s to a combined or solely ethics focus in the 2000s — a C-Suite chief ethics officer is generally taken more seriously. The officer coordinates with HR, finance, IT, risk management, and governance, and may communicate with customers and media; a 2023 survey found ethics officers spend a little over a day per week tracking regulatory developments (Thomson Reuters Regulatory Intelligence, 2023). The relationship to the governing authority shifted from informal to a formal reporting requirement after Sarbanes-Oxley (Chapter 4); the 2004 and 2010 FSGO amendments encourage direct board access to report observed misconduct.
Board Oversight
Board oversight differs from the ethics officer's daily management: the board monitors management practices and protects the organization from risk, and members can be personally liable for failing to guard against misbehavior. Recall from Chapter 1 that Medicare/Medicaid fraud scrutiny led to the 1996 Caremark decision, holding that directors must ensure accurate reporting systems are in place (Cohan, 2002; Robinson & Pauzé, 1997); Enron's board twice waiving its conflict-of-interest policy for its CFO intensified regulatory attention on board oversight of ethics (Felo & Solieri, 2003).
The FSGO requires the governing authority "be knowledgeable about the content and operation of the compliance and ethics [program] and... exercise reasonable oversight," giving whoever holds day-to-day responsibility "adequate resources, appropriate authority, and direct access" to the board (United States Sentencing Commission, 2023, pp. 525–526) — a global trend also seen in U.S. healthcare and the Bank of England (Penman, 2016).
Because a board cannot manage every detail, it relies on the ethics officer to build an ethical culture, even though boards often aren't sure how to evaluate a program (Vollmer, 2018). Table 9.1 supplies sample board questions by program element.
| Board oversight question | Element of ethics program | The board needs to ensure that… |
|---|---|---|
| Do we have the right model to oversee, manage, and implement the E&C program? | Program structure; governance; executive oversight; resources | A CECO or equivalent is appointed with sufficient personnel, resources, and executive-team integration. |
| How do we assess adherence to standards and determine effectiveness? How are we using technology? | Code of conduct and appropriate policies | The code is referenced with all employees, the board, and third parties; E&C is factored into performance evaluations. |
| How do we ensure visibility of high-risk matters? Are policies updated for new law or innovation? | Code of conduct and appropriate policies | High-risk policies are continually updated and available electronically and interactively. |
| How do we train employees and raise awareness of the E&C program? | Targeted training and communications | Training occurs for all employees via multiple methods; completion is tracked; the board receives periodic integrity education. |
| Are we identifying and prioritizing the right compliance risks? | Periodic risk assessment | Risk assessment is completed periodically, targets high-risk areas, and connects to enterprise risk management. |
| Do we have the resources and technology to monitor and enforce compliance? | Monitoring, investigating, and auditing | Monitoring/auditing is automated with board reporting; routine audits, an investigations protocol, and exit interviews occur. |
| Do we have systems ensuring misconduct is reported? Are employees comfortable raising issues? | Anonymous reporting and helplines | A no-retaliation system exists; supervisors are trained; the board receives periodic hotline statistics and trends. |
| How do we measure E&C program effectiveness? | Continual review and improvement | Lessons from mistakes are sought by the board; management is accountable for improvements; the CECO benchmarks via peer associations. |
The ethics officer must inform the board of risks, incidents, and activities quarterly, with a full annual debrief, without fear of retaliation (Bagley et al., 2017). Quantitative dashboards typically cover helpline statistics, investigations, training completion, code certifications, culture-survey results, and turnover; qualitative reporting covers new laws, audit findings, and risk assessments.
Reporting Relationship
The ethics officer's credibility depends heavily on whom they report to — the line must let them address situations where executive management itself may be involved in wrongdoing. OECD guidance recommends senior officers have authority "to report matters directly to independent monitoring bodies… with an adequate level of autonomy from management, resources, and authority" (OECD, 2010, p. 3). The DOJ's (2023) guidance likewise calls for sufficient seniority, sufficient staff, and sufficient autonomy, such as direct board or audit-committee access (p. 10).
Fewer ethics officers now report to the general counsel; increasing numbers report directly to the CEO or board (Deloitte, 2017). An officer can be caught in a bind — monitoring, while also reporting to, senior managers who control their promotion, and who may recommend ignoring misconduct. Figure 9.2 illustrates a progression of possible reporting relationships, each with different implications for the officer's independence.
The FSGO requires adequate personnel and budget for whoever holds day-to-day responsibility (United States Sentencing Commission, 2023). Program size scales with company size: companies under 2,000 employees typically run 2–5 ethics professionals, while more than half of companies with 30,000+ employees have more than 11 (Society of Corporate Compliance and Ethics, 2023). The DOJ (2023) suggests boards assess resourcing across four areas: Seniority and Stature, Experience and Qualifications, Funding and Resources, and Data Resources and Access (p. 11).
THE FOUNDATION DOCUMENT: TITLE, CONTENT, AND QUALITY
9.2 Developing a Code of Conduct — Content and Structure
The ethics office typically creates the company's code of conduct, the foundation of the program, outlining ethically appropriate workplace behavior. A well-designed code can even overcome weak societal and legal institutions in some nations (Parboteeah et al., 2024). Erwin (2011) found companies with a high-quality code are seen as leaders in corporate citizenship and trustworthiness; in smaller organizations, a code increases an employee's sense of control, which increases ethical behavior (Valentine et al., 2019). LRN (2024) found 48% of large and 42% of mid-sized companies already have a strong code.
Merely having a code is not enough — content quality and employee familiarity are the real drivers of an ethical culture (Andreoli & Lefkowitz, 2009; Kaptein, 2011; Treviño et al., 1999). Familiarity drops in ambiguous situations or when the code's framing conflicts with an employee's own values (Lombard & Gibson-Brandon, 2024); managers with a relativist orientation are less likely than idealists to treat the code as binding (Chonko et al., 2003).
Rules-Based vs. Values-Based Titles
Even the code's title shapes whether employees uphold it. A rules-based code reads as punitive — a "thou shalt not" document (Ethics & Compliance Officer Association Foundation, 2008); a compliance code signals that following the law is sufficient, rather than framing ethics as choice guided by values. Values-based codes — like FedEx's Code of Conduct: Delivering With Integrity — connect values to behavior instead (FedEx, 2024). Multinationals weigh translation carefully: "ethics" carries moralistic connotations in some regions, "compliance" can feel imposed (Martens, 2012); North American codes tend to focus on values, European codes more on standards and laws (Vandenbroucke et al., 2024). Ambiguous enforcement phrases like "may result in disciplinary action" have been found by U.S. courts to negate a code's contractual force (Kenny, 2007).
Code Content and the Eight Recommended Elements
Designing a code means choosing topics and tone that resonate with the workforce, since employees often struggle to name the specific behaviors a code requires or prohibits (J. S. Adams et al., 2001; Stöber et al., 2019). The Ethics and Compliance Handbook warns against codes that are generic, bland, or legalistic — the code should reflect the organization's own culture, risks, and history, with content varying by regulatory environment and function (Ethics & Compliance Officer Association Foundation, 2008).
The Ethics and Compliance Handbook recommends eight sections for a code of conduct (Ethics & Compliance Officer Association Foundation, 2008):
- An introductory letter from senior management or the CEO reinforcing top-management support for ethics and compliance.
- A mission statement, statement of values, and guiding principles of the company.
- An ethical decision-making framework to guide employee choices.
- Resources for seeking advice and reporting misconduct.
- Substantive rules and guidance for acceptable and unacceptable behavior in risk areas.
- Disciplinary rules and enforcement procedures for unethical behavior.
- Protection against retaliation for reporting misconduct.
- An acknowledgment or certification that employees have received and read the code.
A code's quality contributes directly to how well it deters misconduct. A 1970s review found limited coverage of relevant issues and few procedures for advice, reporting, or discipline (Cressey & Moore, 1983); by sharing best practices, more companies now incorporate all eight sections. Table 9.2 gives evaluation components for benchmarking code quality.
| Component | Component description |
|---|---|
| Public availability | The code should be readily available to all stakeholders. What is the availability and ease of access to the code? |
| Tone from the top | The level at which leadership is visibly committed to the values and topics covered in the code. |
| Readability and tone | What is the style and tone of the language used? Is it easy to read and reflective of its target audience? |
| Non-retaliation & reporting | Is there a stated, explicit non-retaliation commitment and dedicated resources for reporting code violations, presented clearly? |
| Commitment & values | Does the code embed corporate values or mission language, and identify ethical commitments to stakeholders (customers, vendors, communities)? |
| Risk topics | Does the code address all appropriate and key risk areas for the company's industry? |
| Comprehension aids | Does the code provide FAQs, checklists, examples, or case studies to help stakeholders understand key concepts? |
| Presentation and style | How compelling or difficult is the code to read, given its layout, fonts, pictures, taxonomy, and structure? |
(Sources: Erwin, 2011; NYSE Governance Services, 2014.)
Best practice for a global code is to seek input from legal, managers, and workers while drafting, identifying key legal concerns, cultural/historical issues, workforce dynamics, and terminology issues (Ethics & Compliance Officer Association Foundation, 2008, p. 62). International companies must decide between one common global code or separate country codes; a common code offers a single definition of right and wrong and clarity for traveling employees, while a middle path uses one common code with regional variations bridging local law/custom and company standards (Martens, 2012).
Focusing the Code on Key Risk Areas
Code focus shifts over time and by region. A 1970s review found codes emphasized misconduct with direct profit impact (e.g., conflict of interest) over responsibilities to others (Cressey & Moore, 1983); 21st-century codes show increased focus on social, governance, and environmental issues and technology risks like cybersecurity and AI (Loughran et al., 2023). Table 9.3 lists possible topics from these reviews — the full list is long, and including everything is neither practical nor necessary for most organizations.
| Possible code of conduct topics |
|---|
| Company values |
| Diversity, equity & inclusion / respect and fair treatment |
| Good governance |
| Complying with laws |
| Discrimination |
| Business records retention |
| Reporting misconduct |
| Harassment/bullying (sexual and otherwise) |
| Confidential and proprietary information |
| Retaliation/whistleblower |
| Substance abuse |
| Copyrights, patents, and intellectual property |
| Investigations |
| Workplace violence |
| Financial accuracy, disclosures, audit |
| Professional standards, competence, and due care |
| Human rights/slavery |
| Global trade — export controls & sanctions |
| Customer service and customer relations |
| Human trafficking |
| Embezzlement/theft/fraud |
| Gifts, entertainment, and gratuities |
| Workplace safety |
| Money laundering |
| Marketing, sales, advertising, and promotions |
| Environmental protection |
| Securities trading and insider information |
| Product quality & safety |
| Community or civic activities |
| Technology |
| Bribery and corruption |
| External inquiries/public disclosure and reporting |
| Artificial intelligence |
| Responsible sourcing |
| Government contracting, transactions, and relationships |
| Cybersecurity, malware |
| Privacy and safeguarding information (company, customer, employee) |
| Government relations and lobbying |
| IT system & equipment use |
| Expense reimbursement and time reporting |
| Media relationships |
| Personal devices, messaging apps |
| Conflicts of interest |
| Political contributions |
| Social media |
Executives weigh three factors when choosing risk areas: external forces (legal/regulatory/competitive environment — a 2023 DOJ guidance directs coverage of social media, personal devices, and messaging apps including ephemeral messaging, U.S. Department of Justice, 2023, p. 17); internal forces (industry, size, or scope — a company manufacturing in emerging markets may emphasize environmental impact, human rights, and safety); and historical data (past audit findings or common violations). It is useful to organize issues by stakeholder, corporate value, or employee conduct (Kaptein, 2004).
READABILITY, CULTURE, AND ROLLING THE CODE OUT
9.2 Developing a Code of Conduct — Global Reach and Implementation
Readability and Tone
An effective code helps employees manage contradictions between local norms and company standards. Ethisphere reports 94% of employees feel the code explains what is expected of them (Ethisphere, 2023b), and two-thirds of high-performing programs write in simple language (LRN, 2024). Still, Ethisphere (2023b) cautions: "It only takes one unethical employee to cause an issue that could become a reputational disaster" (p. 7). Positively phrased codes are better remembered and followed; negatively phrased codes correlate with poorer attitudes and higher unethical-behavior risk (Stöber et al., 2019). A signed, authentic CEO message is one of the most cited reasons employees trust a code (Stöber et al., 2019; Waegeneer et al., 2016).
Chapter 5 covered how cultural differences shape ethical positions in a global organization. One case cited: an ethics officer investigating sexist/ageist "jokes" by an executive discovered he was unaware the remarks were offensive, since they'd be acceptable in his own country (LRN, 2006, p. 3). Suggested global-code practices include identifying dimensions of difference, giving everyone a voice, protecting creative units, training everyone in key norms, and being heterogeneous everywhere (E. Meyer, 2015, p. 69). New technology needs new language too — for AI policy, a Singapore executive described designing messaging "contextually and culturally relevant… easily understood in Indonesia and by someone in London" (Kelley, 2022, pp. 878–879).
Organizations should avoid region-specific terms for a global audience — a U.S. firm shouldn't call a non-U.S. government employee a "foreign official" in anti-bribery sections meant for multiple countries, since local employees wouldn't consider their own officials foreign. Terms tied to national regulation, like "equal employment opportunity," fail to convey the underlying standard elsewhere. Table 9.4 gives replacement terms for culturally specific language.
| Term | Country/region association | Replacement term |
|---|---|---|
| Equal employment opportunity | United States-centric | Fair hiring practices / no discrimination |
| Antitrust | United States-centric | Fair competition |
| Antimonopoly | United Kingdom-centric | Fair competition |
| Bullying/mobbing | United Kingdom and Europe | Harassment, disrespectful treatment |
| Antibribery | United Kingdom | Improper payments |
| FCPA | United States | Improper payments |
(Source: Globalising a Business Ethics Programme, p. 25, by L. T. Martens, 2012, Institute of Business Ethics.)
Graphic design should reflect cultural sensitivity in color, symbols, and photos (Martens, 2005) — red print, for instance, may trigger negative associations with forced compliance in Western countries. Universal symbols are preferable (a dollar gift threshold should also list euro/yen equivalents), and photos should represent the company's international character without offending any region.
Implementation and Distribution
Implementing a code requires a plan: distribute it to all employees, give tools to apply it daily, and record acceptance. A study of accounting professionals found employees understood the code but rarely reviewed it again after initial hire (Seifert et al., 2023) — familiarity fades without reinforcement.
Distribution should stay easily accessible (NYSE Governance Services, 2014): new employees receive the code at hiring and orientation, with printed copies where computer access is limited. Many companies now offer a searchable, interactive web-based code with tools for finding information and learning scenarios — LRN (2024) found almost 30% of companies have one, and 57% of the rest see it as a near-term priority, since a searchable page also lets a company track which policies draw the most attention.
Many organizations require signed certification that employees have received and read the code, demonstrating program commitment to regulators (NYSE Governance Services, 2014). Certifications confirm receipt, acknowledgment, agreement to abide, reporting of known breaches, and manager discussion (Institute of Business Ethics [IBE], 2012); about half of companies surveyed by IBE (2012) referenced certifications during disciplinary decisions, though compelling a signature may depend on local labor law.
Certification alone does not prove employees understood the code, and explaining it only at hire is no longer a sufficient good-faith effort — the gap that ongoing workforce education, covered next, is meant to close.
WHY ONE-TIME TRAINING FAILS, AND WHAT WORKS INSTEAD
9.3 Educating the Workforce
The chapter compares one-time ethics training to witnessing a traffic accident: people drive carefully for a week, then revert to old habits. Research confirms one-time training has only transient effects unless organizations provide ongoing, interactive training and support (H. J. Martin, 2010; C. Richards, 1999; Warren et al., 2014). A well-planned program, by contrast, can help establish an actual culture of ethics and compliance.
Training depth should match whether a group needs to create, identify, or simply understand a risk. Discrimination, for example, drives DEI training (Cox, 2023): managers who hire, promote, and terminate carry lawsuit risk and need in-depth, frequent instruction, while other employees mainly need training on identifying and reporting discriminatory practices, reinforced through ongoing communication. Table 9.5 shows a sample training curriculum and schedule.
| Compliance topic | Target audience | Initial requirement | Recurrence |
|---|---|---|---|
| Code of Conduct | All employees | Within 30 days of hiring | Annually or continuous learning |
| Data Privacy & Information Security | All employees with access to computers | Within 30 days of hiring | Annually |
| Anti-Bribery / Anti-Corruption | Field sales employees, procurement staff | Within 30 days or when moved to role | Annually |
| Gifts & Entertainment | Field sales employees, procurement staff | Within 30 days or when moved to role | Annually |
| Sexual Harassment | All employees | Within 30 days of hiring | Annually |
| Fair Hiring & Promotion Practices | Managers and supervisors | When moved to role | Triggered when position posted |
| Expense Reporting | All employees with travel/expenses | Within 30 days of hiring or moved to role | Triggered when travel scheduled |
| Social Media, BYOD & Messaging | All employees | Within 30 days of hiring | Within 5 days of failing a phishing email test |
| Diversity, Equity, Inclusion & Belonging | All employees | Within 30 days of hiring | Continuous learning |
A survey of ethics and compliance professionals found training "has evolved away from 'one size fits all' lectures complete with legal citations towards a focus on content that's easier to access, more relevant to employees' day-to-day work, and more tailored to individual roles" (LRN, 2024, p. 47).
Training Delivery
Organizations use varied training and communication methods to reach diverse learning styles and a dispersed workforce. Over half blend in-person and online training, tailored by role, region, or seniority (LRN, 2024). The DOJ (2023) poses delivery questions: Is training offered in an appropriate form and language? Online, in-person, or both, and why? Does it address lessons from prior incidents? Can employees ask questions? How is effectiveness measured, and how does the company handle employees who fail testing? Has impact on actual behavior been evaluated? (p. 5).
As more employees work remotely, virtual training is particularly effective for building an ethical culture (S. Gupta & Pathak, 2024). Most companies rely on third-party providers or learning libraries like Skillsoft (LRN, 2024), though large corporations like Lockheed Martin build custom training in-house. For continuous learning, Lockheed Martin distributes its Integrity Minute series — short soap-opera-style videos reinforcing policy, timed well (e.g., before expense reports or travel to high-corruption locations). Vendors like Learnings Entertainment and RealBiz Shorts supply similar customizable video content.
LRN (2024) found 60% of high-impact programs let employees "test out" of training by demonstrating competency. In order of use, methods for measuring training effectiveness include: content quizzes, training-system data (mastery time, error rates, retakes), end-of-course surveys, completion rates, and root cause analysis of misconduct to identify training failures (LRN, 2024, p. 53).
ADVICE CHANNELS, CONFIDENTIALITY, AND WHY NAMING MATTERS
9.4 Reporting Misconduct — Building the Mechanism
For a culture to encourage ethical behavior, employees must feel comfortable seeking advice and reporting misconduct. A simple starting point is an open-door policy — IBM used this in the early years of its program (Carroll, 1991). In the U.S., Sarbanes-Oxley and the FSGO require a publicized system for ethics inquiries (Sarbanes-Oxley Act of 2002; United States Sentencing Commission, 2023); the U.K. Bribery Act 2010 requires "speak up" or whistleblowing procedures (Ministry of Justice, 2011, p. 22). Regulation appears to drive investment: 55% of surveyed U.S. companies created internal reporting mechanisms after Sarbanes-Oxley (J. Weber & Wasieleski, 2013), and by 2024, 76% had implemented or improved reporting/investigation processes (LRN, 2024).
Designing the Mechanism
Designing a reporting mechanism requires deciding: What will it be called and how branded? How communicated? What falls outside ethics and compliance (e.g., payroll routed to HR)? What formats — phone, internet, email, text? 24/7 access? What languages? Is reporting mandatory or encouraged (Ethics & Compliance Officer Association Foundation, 2008)?
A system employees will actually use must allow anonymous inquiries, protect confidentiality, prevent retaliation, and disclose outcomes where possible — the FSGO requires "mechanisms that allow for anonymity or confidentiality" (United States Sentencing Commission, 2023, p. 526). Recent practice favors "employee-centered investigations": keeping the reporting employee's experience consistent regardless of channel used — HR, compliance, manager, or portal (Salmon-Byrne et al., 2023, p. 1).
Employees may fear an inquiry triggers retaliation or scrutiny of their own conduct — pejorative labels for whistleblowers persist across cultures ("snitch," "rat," German Spitzel; Riebl, 2004). Organizations counter this with multiple channels; web portals are gaining popularity though many still prefer speaking to a person (Ethisphere, 2023a), and anonymous reporting is available at 60% of North American companies (LRN, 2024). In order of preference, Ethisphere's (2023a) Ethical Culture Report lists: immediate manager; HR representative; manager's manager; Ethics & Compliance office; phone helpline; web portal; internal audit; board audit committee; ombudsperson (p. 24).
Even the name matters — "hotline" implies urgency, so many companies switched to "helpline" (Weaver et al., 1999; J. Weber & Wasieleski, 2013). Branded examples: Integrity Helpline (Clarios, 2024b), FedEx Alert Line (FedEx, 2024), Ethics and Compliance Helpline (United Airlines, 2023), Integrity Line (Alcoa, 2022).
Confidential, Neutral, and Independent
Employees need confidence reports are confidential and advice is neutral and independent. Some companies assign tracking numbers to anonymous reports so employees can still get status updates (Kusserow, 2013). Confidentiality helps avoid retaliation (Chapter 4); whistleblower protections now exist across many countries, including Australia, Canada, Japan, the U.K., and the U.S. (OECD, 2016).
For advice to be independent, the reporting system must operate separately from management — companies run reporting in-house, outsourced, or hybrid, each affecting perceived independence (Riebl, 2004). Most U.S. organizations used internal staff in 1994 (Weaver et al., 1999); now 65% rely on third-party vendors for assured anonymity (LRN, 2024). Global companies add complexity: PepsiCo notes anonymous reporting isn't legal everywhere (PepsiCo, 2023); French privacy law restricts anonymous reporting for some matters.
Receiving Reports
Employees expect a timely, credible response. Supervisors need training in active listening, since employees may struggle to articulate concerns; all inquiries must be documented without compromising confidentiality, and 85% of companies now use some tracking system (Salmon-Byrne et al., 2023).
Employees must not fear becoming the investigation's subject — though knowingly false accusations are themselves subject to discipline. The Ethics and Compliance Handbook lists red flags suggesting a report's motive may affect accuracy: frequent allegations, a personal dispute with the subject, or facing discipline (Ethics & Compliance Officer Association Foundation, 2008) — but a perceived motive alone must not justify dismissing an allegation; that's what the investigation is for.
THE FOUR STEPS FROM ALLEGATION TO DISCIPLINE
9.4 Reporting Misconduct — Investigations
Investigating an allegation means establishing exactly what happened and what the organization can learn to prevent future misconduct. No single process fits every organization — a large, dispersed company may need regional coordination, while a small company moves faster. Figure 9.3 lays out four steps for organizations of any size: (a) determine the nature of the allegation, (b) make a plan, (c) develop the facts, and (d) document the investigation.
In most companies, ethics and compliance staff handle investigations; small companies may rely on outside counsel or HR. The process is triggered by documenting the allegation, arriving via a helpline, the ethics office, or a supervisor. Whoever receives the report must immediately assess whether the conduct endangers life or property and needs immediate attention — every channel must know when to call 911 or notify security.
Step 1: Determine the Nature of the Allegation
This step establishes scope and seriousness, and whether ethics and compliance should even conduct the investigation — some matters, like a production safety issue, are handled more efficiently at the functional level. Guiding questions: What specific misconduct was reported, and by whom? Is the allegation plausible? What are the initial facts, and are there inconsistencies or mitigating circumstances? How serious does it appear? Is the scope broad enough for remedial action? Will findings likely go to regulators or law enforcement (E. Jones et al., 2013)?
Step 2: Make a Plan
The plan addresses what the investigation must answer and what's still missing: Who will be interviewed, and in what order? What documents will be examined, and shared with witnesses? At what stage will the subject be told what they're accused of? Who else will be notified (Ethics & Compliance Officer Association Foundation, 2008, p. 100)?
Step 3: Develop the Facts
Executing the plan means: reviewing relevant policies and codes; assembling documents (personnel files, emails, messaging apps, security video); and preparing interview questions with adequate time per witness. Witnesses should be told not to discuss interviews with coworkers. The funnel technique — broad open-ended questions narrowing to specific details — structures a good interview, closing with "is there anything else?"
Step 4: Document the Investigation
The final step documents facts clearly, supported by documentation and interview notes, avoiding conclusions or personal opinions (see Figure 9.4 on determining discipline). Investigators consult management on whether evidence is sufficient to reach a conclusion and whether discipline follows; once documented, the investigation closes.
The DOJ's (2023) guidance on discipline covers process, actions, fairness, and financial impact, asking whether the company has "clear consequence management procedures... in place, enforces them consistently... and ensures that the procedures are commensurate with the violations" (p. 12).
Disclosing results demonstrates real commitment. At minimum, the reporting person should learn the outcome; results may also go to the subject's supervisor or the board. Some companies present disguised outcomes as training case studies, preserving confidentiality while reinforcing the lesson organization-wide.
TWO WAYS TO MEASURE A PROGRAM, AND WHAT AUDITS ADD
9.5 Monitoring and Assessing Progress
The FSGO requires regular review to "ensure that the organization's compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct; and to evaluate periodically the effectiveness" of the program (United States Sentencing Commission, 2023, p. 526). The goal across assessment, monitoring, and auditing is continuous improvement, not a one-time verdict.
Companies should not wait for a crisis to assess their program — boards want a return on their investment, and regulators want proof policies are actually followed. A 2023 survey found 79% of organizations can demonstrate code effectiveness, 62% assess training positively, and 71% show consistent policy use (LRN, 2024). But the true test is whether the program changes employee awareness, attitudes, and behavior — not whether it merely exists.
Measuring Ethical Performance: Activity vs. Outcomes
Measuring effectiveness starts with asking what the program has achieved and where it can improve. There are two broad approaches: measuring activity (transaction counts per program element — easier to track, more commonly used) and measuring outcomes (whether behavior actually changed and misconduct was reduced — harder to measure, but the real target). Table 9.6 lists common metrics for each program component.
| Ethics and compliance program component | Measuring activity | Measuring outcomes |
|---|---|---|
| Overall ethical culture | Number of complaints | Retention rate of employees; employee questionnaire and culture surveys; exit interviews; supplier surveys; customer surveys; web content; press coverage |
| Code of conduct | Number of code of conduct certifications; number of clicks and subjects chosen in web-based codes | Number and type of substantiated violations of code of conduct |
| Training | Number of training courses completed; percent participation; content quizzes during/at end of training | Employee surveys; number and type of ethical violations |
| Advice and reporting mechanisms | Number of hotline/helpline calls; number of reports of misconduct | Anonymous vs. identified callers (percentage fearing retaliation); number of reports leading to investigation; units/managers with concentrated misconduct |
| Investigations | Number of completed investigations | Number of disciplinary actions; number of revised policies, procedures, and training elements |
| Monitoring and auditing | Number of audits completed | Benchmarking to best practices; number of issues addressed |
(Sources: LRN, 2024; PwC, 2014; SAI Global & Baker & McKenzie, 2013.)
Multiple methods feed these measures. Employee surveys assess awareness and confidence in acting ethically, though they can be expensive and employees may distrust confidentiality (Edwards, 2010). Exit interviews are underused — only about a third of companies use this information, missing insight into why people actually leave (PwC, 2014; SAI Global & Baker & McKenzie, 2013). Social media is an emerging signal, since employees share dissatisfaction online (Ravazzani & Mazzei, 2018); PwC (2014) notes stakeholder web content "can provide insight into elements relevant to the overall objectives of an ethics and compliance program" (p. 20), yet fewer than 20% of companies monitor press coverage this way — a comprehensive assessment should draw on all stakeholders, not employees alone.
Monitoring and Auditing: Two Different Functions
Monitoring and auditing are related but distinct from assessment: assessment asks what the program achieved; monitoring and auditing ask whether the process itself works. Monitoring is "a system of activities that provide an organization with a self-appraisal of its control system's performance" (Hedley & Ben-Chorin, 2011, p. 69) — reviewing travel expenses, using QA checklists, listening to service calls, surveying email. Intensity varies, but excessive controls can signal distrust and reduce employee commitment.
Auditing is a periodic review confirming all elements of an effective program actually exist. For public companies, the board's audit committee oversees this; Sarbanes-Oxley requires the committee to select external auditors and establish anonymous-concern mechanisms (Felo & Solieri, 2003).
The DOJ's (2023) guidance frames three linked question sets. Internal Audit: What determines audit frequency and scope, and what findings get reported to the board? Control Testing: Has the company reviewed and audited areas tied to past misconduct, and how are results tracked? Evolving Updates: How often are risk assessments and policies updated, and does the company adapt based on lessons from its own or peers' misconduct?
Formal audits, ongoing monitoring, and periodic evaluation together let a company continuously improve its ethical environment — but no two programs are identical, since size, industry, location, and history all shape implementation.
THE FIVE STEPS, IN ONE PASS
Chapter Summary
An ethics and compliance program should meet the organization's actual needs, often now including sustainability/ESG, privacy and cybersecurity, and diversity/DEI. Implementing an effective program follows five steps.
First, designers create a structure to manage and oversee the program. An ethics officer serves as steward of the program and needs sufficient authority and resources to encourage compliance with legal and ethical standards.
Second, the program communicates clear standards of acceptable behavior addressing the organization's risks — typically through a code of conduct. Those designing the code should tailor it to the organization's culture, risks, and history, since content varies with industry and geographic regulatory environment.
Third, the organization educates the workforce through a training program that resonates with its audience and makes ethical behavior the norm. This requires ongoing, interactive training, regular communication, and management follow-up support — the goal is decisions consistent with company values, delivered through a mix of classroom and online methods.
Fourth, procedures respond to reported misconduct through a transparent, fair investigation process. A usable system provides for anonymous inquiries, protects confidentiality, prevents retaliation, and discloses investigation results where possible, offering employees multiple channels for advice and reporting. Investigating an allegation means establishing exactly what happened and what the organization can do to prevent future misconduct.
Fifth and finally, the organization monitors and assesses program effectiveness to identify areas for improvement. Monitoring sets controls for compliance and catches noncompliance early. Effectiveness is measured two ways — activity metrics (transaction counts, how many people the program touches) and outcome metrics (actual behavior change and reduced misconduct). Auditing is the periodic review confirming that every element of an effective program genuinely exists.
THE CHAPTER'S OWN QUESTIONS, WITH MODEL ANSWERS
Critical Thinking and Discussion Questions
Chapter 9 closes with six critical thinking and discussion questions, each paired below with a concise model answer grounded in the chapter's content.
1. How could a company of 75 employees with limited resources implement an effective ethics program?
A small company can still cover all five elements at a proportionate scale: assign ethics responsibility to an existing role (HR or legal) rather than hiring a dedicated officer, keep the code of conduct focused on the company's actual top risks rather than an exhaustive topic list (Table 9.3), rely on lower-cost or hybrid reporting channels instead of a fully outsourced 24/7 helpline, and use lighter-weight activity metrics (completion rates, number of complaints) rather than expensive culture surveys. The chapter's own data shows companies under 2,000 employees typically run with just two to five ethics professionals (Society of Corporate Compliance and Ethics, 2023) — scale is expected, not a disqualifier.
2. Choose an organization you work for or are interested in working for. Locate its code of conduct. Score it using the Table 9.2 benchmarking criteria. How does it compare to similar firms in the industry?
A strong answer walks through each of Table 9.2's eight components in turn — public availability, tone from the top, readability and tone, non-retaliation and reporting, commitment and values, risk topics, comprehension aids, and presentation and style — scoring the chosen company's actual code against each, then comparing it to a named competitor's code on the same criteria rather than a general impression.
3. Write a code of conduct for a small fictitious business.
A complete answer includes the eight recommended sections from the Ethics and Compliance Handbook: an introductory leadership letter, a mission/values statement, an ethical decision-making framework, resources for advice and reporting, substantive rules for key risk areas relevant to the fictitious business, disciplinary and enforcement procedures, a non-retaliation protection statement, and an acknowledgment/certification section.
4. How can a company determine if ethical training is effective, other than showing completion of online courses or attendance?
Completion and attendance are activity metrics, not outcome metrics. Effectiveness is better shown through content quizzes and mastery data, end-of-course surveys, post-training employee surveys on awareness and confidence, tracking the number and type of ethical violations after training, and root cause analysis linking specific misconduct back to training gaps (LRN, 2024, p. 53) — in short, evidence that behavior actually changed, not just that a course was opened.
5. Should reporting of observed misconduct be mandatory? How could the policy be communicated and enforced? What are the unintended consequences of potential discipline if an employee does not speak up?
A thoughtful answer weighs the FSGO's expectation of a publicized reporting system (United States Sentencing Commission, 2023) against the risk that mandatory reporting, if punitive, could deepen the same fear of being labeled a "snitch" or "rat" that already discourages speaking up (Riebl, 2004). Communication should pair any mandatory-reporting policy with strong non-retaliation guarantees and multiple confidential channels; enforcement that disciplines silent bystanders too harshly risks driving concerns underground rather than into the open, undermining the very trust the reporting system depends on.
6. Why would questions on the ethical culture of an organization be valuable during an exit interview? What questions would you ask?
Departing employees have less incentive to protect the company's image and more freedom to be candid, yet the chapter notes only about a third of companies actually use exit-interview data on ethics (PwC, 2014; SAI Global & Baker & McKenzie, 2013) — a missed opportunity to learn why people really leave. Useful questions include whether the employee ever felt pressured to act against their values, whether they knew how to report a concern and felt safe doing so, whether they saw misconduct go unaddressed, and how they would rate leadership's "tone from the top" on ethics.
PRINT THIS
Glossary of Key Terms
Every bolded or explicitly defined term in Chapter 9, in one line each, in the order the chapter introduces them.
| Term | Definition in one line |
|---|---|
| Ethics officer | The individual appointed to oversee compliance with legal and ethical standards and act as steward of the organization's ethics and compliance program. |
| Board oversight (of ethics programs) | The governing body's duty to monitor management practices and protect the organization from reputational and financial risk arising from ethical misconduct. |
| Code of conduct | The foundational document of an ethics and compliance program, outlining ethically appropriate behavior in the workplace. |
| Rules-based code | A code of conduct with a punitive, "thou shalt not" tone, focused on standards and rules applicable to an issue area (Ethics & Compliance Officer Association Foundation, 2008). |
| Values-based code | A code of conduct that connects company values with expected employee behavior, rather than framing conduct purely as rule-following. |
| Common (global) code | A single code of conduct applied across all countries an organization operates in, sometimes with regional or country-level variations. |
| Training plan curriculum and schedule | A structured mapping of compliance topics to target audience, initial training requirement, and recurrence (illustrated in Table 9.5). |
| Open-door policy | An informal mechanism allowing employees to seek ethics counsel from any manager, an early approach used by IBM (Carroll, 1991). |
| Helpline / hotline | A telephone (or multichannel) reporting system for ethics concerns; many companies rebranded "hotline" to "helpline" to reduce the perceived bar for reporting. |
| Employee-centered investigations | An approach that keeps the reporting employee's experience consistent regardless of which channel (HR, compliance, manager, portal) they used to raise a concern (Salmon-Byrne et al., 2023). |
| Anonymous reporting | A reporting option that conceals the identity of the person raising a concern, sometimes using a tracking number so status updates can still be provided. |
| Whistleblower protection | Legislation protecting employees who report misconduct from retaliation, now present in many countries worldwide (OECD, 2016). |
| In-house, outsourced, and hybrid reporting models | The three structural options for operating an ethics reporting/helpline system, each affecting employees' perception of its independence (Riebl, 2004). |
| Funnel technique | An investigative interview method that starts with open-ended questions and narrows to specific clarifying details. |
| Four steps of investigation | Determine the nature of the allegation, make a plan, develop the facts, and document the investigation (Figure 9.3). |
| Consequence management procedures | Procedures to identify, investigate, discipline, and remediate violations of law, regulation, or policy, applied consistently across an organization (DOJ, 2023, p. 12). |
| Monitoring | "A system of activities that provide an organization with a self-appraisal of its control system's performance" (Hedley & Ben-Chorin, 2011, p. 69), used to catch noncompliance early. |
| Auditing | A periodic review of company compliance with ethical and legal standards to determine whether all elements of an effective ethics and compliance program exist. |
| Activity metrics | Measures of the number of transactions with a given program element, such as training completions or hotline calls — easier to track than outcomes. |
| Outcome metrics | Measures of whether a program element actually changed behavior or reduced misconduct, such as substantiated violations or disciplinary actions. |
| In situ performance (ethics-program context) | The chapter's broader framing that a program's true effectiveness must be judged through both activity and outcome measurement, not activity alone. |
THE ONE-PAGE VERSION
Quick Reference
A single table capturing the chapter's five-step framework, its core structural and code-design concepts, and its most important names, tools, and findings.
| Element | What to remember |
|---|---|
| The five common elements (FSGO, FCPA, U.K. Bribery Act, OECD) | Create program structure, establish corporate standards, educate the workforce, create investigation procedures, and assess program effectiveness. |
| Program structure's three components | An appointed ethics officer; oversight by the governing body (board); and the reporting relationship between the two, which shapes the officer's real independence. |
| Board oversight tool | Table 9.1's sample board questions, organized by program element — structure, code, training, risk assessment, monitoring/auditing, reporting, and continual improvement. |
| The eight recommended code of conduct sections | Leadership letter; mission/values/principles; ethical decision-making framework; advice/reporting resources; substantive risk-area rules; disciplinary/enforcement procedures; non-retaliation protection; acknowledgment/certification. |
| Code title choice | Rules-based codes read as punitive rule lists; values-based codes tie behavior to company values — the choice, and its translation, shapes employee buy-in. |
| Code quality benchmarking (Table 9.2) | Public availability, tone from the top, readability and tone, non-retaliation and reporting, commitment and values, risk topics, comprehension aids, presentation and style. |
| Global code design considerations | One common code vs. separate country codes (or a hybrid); avoiding country-specific terms (Table 9.4); culturally sensitive graphic design; multilingual, interactive delivery. |
| Training must be ongoing, not one-time | One-time training has only transient effects, similar to slowing down briefly after witnessing a traffic accident — ongoing, interactive, role-tailored training and management support are required. |
| Reporting mechanism design | Must offer confidentiality, neutrality, independence, and multiple channels; naming (helpline vs. hotline) and anonymity options directly affect whether employees actually use the system. |
| Four steps of investigation | Determine the nature of the allegation, make a plan, develop the facts, document the investigation — same sequence for large and small organizations (Figure 9.3). |
| Assessment vs. monitoring vs. auditing | Assessment measures program impact/achievement; monitoring is ongoing real-time control activity catching noncompliance early; auditing is periodic formal verification that all program elements exist. |
| Activity metrics vs. outcome metrics | Activity = transaction counts (easier to track, more commonly used). Outcome = actual behavior change and reduced misconduct (the real measure of impact). |
| The Gunvor case | Two bribery scandals roughly a decade apart, both traced by regulators to the same root cause: no program structure, no dedicated risk staff, no code of conduct — the chapter's real-world argument for why all five steps matter together. |