What Does an Ethical Culture of Compliance Look Like?

Cheat Sheet 

More than legal compliance. An ethical culture goes beyond avoiding legal peril to encouraging individual integrity and trust among all stakeholders.  

Assessments. Recent US DOJ guidance emphasizes methodologically sound, data-driven, and company-specific risk assessments. 

Program design. Guidance also outlines the expectation of a data-driven approach to promoting a company’s non-retaliation program and fostering a “speak-up” culture.   

Leading by example. Leadership should encourage ethical behavior by living it. 

Given the high stakes for corporations developing, implementing, and monitoring their own effective compliance programs, it is essential that corporate leadership understand the extent of their responsibilities, roles, and options for succeeding at this critical objective. While each company will design and implement their compliance program with unique attributes depending on the industry, regulations, and their unique risk profile — all best-in-class compliance programs are built upon a few foundational principles. 

These principles ― combined with the US Sentencing Commission’s Sentencing Guidelines and the June 2020 US Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs ― can guide today’s corporate leaders in meeting the requirements of legal compliance and building an ethical culture that will strengthen their organizations in the long run. 

The foundation of compliance: Ethical corporate culture 

First, we need to establish the subtle but important distinction between compliance and ethics when it comes to corporate culture and how it impacts the people involved. Compliance is understanding and acting in accordance with the laws, regulations, policies, and procedures that apply to your organization.  

That said, a company can be in compliance without necessarily having ethics. An ethical culture is more than just legal compliance. Can we engage in the conduct without creating significant legal risks? Is the conduct consistent with our corporate values? Is it something we want to promote within the company? 

An ethical culture certainly embraces compliance but sets the bar even higher.

We share the conviction that a strong compliance program will be even stronger when it is built alongside the commitment to nurturing an ethical corporate culture. Avoiding potential legal peril is fundamental, but companies concerned with mitigating compliance risk over the long term emphasize the importance of individual integrity and actively building trust among all stakeholders.  

In other words, an ethical culture benefits a company in several significant respects:  

  • employee morale improves,  
  • employee misconduct declines,  
  • employee willingness to report misconduct increases, and
  • overall corporate profitability and sustainability of operations increases. 

An ethical culture certainly embraces compliance but sets the bar even higher.  

One way to encourage ethical behavior is to take the time to collectively discuss, agree upon, and inscribe a set of core values. In the case of Level Legal, we are an organization that deals with complex data issues under tight deadlines, and these values came to life as give a damnget it done right, and show respect. Each organization will express its values differently. The point is that when ethical behavior is an integral part of a company’s cultural values, voluntary compliance is a much more likely outcome.  

New emphasis on data-driven program design 

The most current DOJ guidance for evaluating the design, implementation, and operation of effective corporate compliance programs was issued in June 2020. It is organized around three fundamental questions taken from the Justice Manual:  

  • Is the corporation’s compliance program well designed? 
  • Is the program being applied earnestly by the organization and in good faith? In other words, is the program adequately resourced and empowered to function effectively? 
  • Does the corporation’s compliance program work in practice? 

Regarding the first question of program design, the June 2020 DOJ guidance places increased emphasis on methodologically sound, data-driven, company-specific risk assessments. Assessments should be “based upon continuous access to operational data and information across functions” and should inform a company’s updates to its “policies, procedures, and controls.”  

Moreover, the DOJ guidance and Sentencing Guidelines make clear that such risk assessments must occur “periodically.” While neither defines “periodically,” it implies some sort of required frequency.

The “design” hallmark in the DOJ guidance encompasses the hotline and investigations function of a corporate compliance program. According to the guidance document, prosecutors are to “assess whether the company’s complaint-handling process includes proactive measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers.” Accordingly, developing a data-driven approach to promoting a speak-up culture and awareness for a company’s non-retaliation program is vital. Possible methods for doing this include: 

  • Surveying employees regularly to identify trends in responses to survey questions about, among other things, whether the employee has witnessed misconduct and not reported it and why; 
  • Checking in with whistleblowers following the conclusion of investigations to ensure the reporters have not experienced retaliation; and 
  • Reviewing reduction-in-force lists for witnesses in investigations to ensure managers aren’t using — or creating the misimpression of using — RIF to exit employees who cooperated in a company investigation.  

Other design considerations include:  

  • Is there a code of conduct that formalizes the company’s commitment to full compliance?  
  • Do the company’s policies and procedures incorporate the culture of compliance into its day-to-day operations?  
  • Do relevant employees regularly receive appropriate risk-based training?  

Compliance professionals have long sought to make compliance training as impactful as possible. Such efforts to produce impactful, risk-based training include the following: 

  • “Profiling” compliance training so that modules are delivered based on need (e.g., role or function in the company, whether the employee is a people manager, etc.); 
  • “Just in time” training such as a mini-module or toolkit on business courtesies that is deployed when an employee books travel to certain high-risk jurisdictions; and 
  • Content, such as vignettes or scenarios, for mid-level managers to use in team meetings to invite compliance-related discussions and questions and thus foster a speak-up culture. 

The importance of resourcing and empowerment 

Another key takeaway from the updated DOJ guidance centers on a change of wording to its second design consideration above, which previously asked, “Is the program being implemented effectively?” Company leadership should be aware that the guidance places new emphasis on programs that “work in practice,” are “adequately resourced,” and are “empowered to function effectively.”  

The guidance documents make explicit reference to developing “a culture of ethics and compliance” with a “high-level commitment by company leadership to implement a culture of compliance from the middle and the top." Leadership must live the example by demonstrating clearly to employees at every level that ethical behavior is expected. When everyone in the organization is consistently evaluated and rewarded by this standard, over time these lived values will spread through the organization and permeate the culture. 

Effective compliance
requires investments in personnel and

The DOJ guidance focuses on empowering compliance personnel with sufficient autonomy and resources to carry out their mission. Companies should clearly define how they position the compliance function within the overall organizational structure. Furthermore, effective compliance requires investments in personnel and technology (what the guidelines refer to as “data resources”). The compliance function should have the ability to operate independently.   

Programs must continually evolve 

The DOJ has also updated its guidance to require prosecutors to determine whether a program works “in practice,” with particular emphasis on continuous improvement, periodic testing, and review. Companies will be scrutinized for their efforts to regularly and meaningfully review their program, and the ability of the program to evolve “based on lessons learned.” Demonstrating a capacity for sound assessment will likely depend on the use of effective technology for measuring compliance, whether you are auditing transactions, analyzing the use of expense accounts, conducting behavioral audits of employees in client interactions, or identifying data anomalies within your enterprise resource planning (ERP) systems. 

New incentives for improving your program 

Finally, the DOJ guidance indicates the “adequacy and effectiveness” of a company’s compliance program should be considered when investigating prosecutors are determining whether to bring charges and when negotiating a plea or other agreement in the event of possible violations. 

It is clear that a program’s design, application, and its actual functioning will be subject to close scrutiny by regulators investigating and pursuing alleged misconduct. This suggests that corporations should have every incentive, not only to correct potential violations that may come to their attention, but to continually revisit every facet of their compliance program in the months and years to come.  


Companies that are serious about developing and sustaining a rigorous, proactive compliance program know that monitoring changes in the regulatory environment is only one facet of compliance. Compliant behavior emerges from a strong company culture and consistent practice over time. It is reflected in the organization’s core values, which should address ethical principles as well as legal imperatives. It is never taken for granted but continually subject to measurement and monitoring rooted in data, so the organization can quickly respond as new problems arise. Finally, it requires strong leaders who are prepared to invest sufficient resources in an independent compliance function, and who hold themselves and everyone in the organization accountable for their conduct.  

The opinions expressed in this column are the authors’ own and do not necessarily reflect the views of their employers.