_{Going From Good to Great:}
Evolving E&C Metrics

The Case for Outcome-Focused Metrics

An increasing focus on E&C program effectiveness requires leaders to re-evaluate their programs. Corporate leaders and evolving regulatory expectations are raising the bar, as the U.S. Department ofJustice’s 2024 update to its Evaluation of Corporate Compliance Programs (ECCP) explicitly calls for evidence of a program's effectiveness, not just proof of its existence.

For example, the DOJ now directs prosecutors to ask whether companies are leveraging data to identify misconduct or deficiencies in the E&C program, confirm that employees know how to access relevant policies, and assess willingness to report misconduct. Prosecutors will “look carefully (and with a jaded eye)” at any gap in tech investment between E&C and other functions like Sales. This clearly indicates that data-driven E&C programs are no longer a future state. They are an expectation of boards of directors, executive leadership, and investors alike.

Great E&C programs respond to these demands by tracking metrics that matter: not just how many people took training, but whether the training changed behavior. Not just how many calls came into the hotline, but whether employees trust the system enough to speak up without fear.

Moreover, global regulation is not letting up: the EU AI Act, for example, imposes strict requirements on how companies govern AI systems. Non-compliance could mean fines up to 7% of worldwide revenue. This ups the ante for compliance teams to monitor new risk metrics, from algorithmic bias audits to AI inventory tracking.

The mandate for 2026 is clear: Evolve from activity-based metrics to outcome-based metrics to meet rising expectations. This is the way from good to great.

The State of Board Reporting

There is no venue where data metrics regarding E&C programs matter more than in the boardroom. Directors are increasingly looking for more than information about hotline reporting metrics, investigation substantiation rates, and information core E&C program elements.

Directors want to understand the story behind the data: What is the data saying? For example, is there a more complete picture if the E&C function overlays their data (such as that regarding cultural areas of concern) with other data (such as safety incidents from the same location)?

Answering such questions enables the E&C function to get predictive and intercept small problems before they become more significant, enterprise-threatening crises.

Cadence & Setup

Ethisphere data shows that best in class programs…

EXECUTIVE SESSIONS

66% schedule regular in‑camera sessions with Board without management present to discuss E&C.

CHAIR TOUCHPOINTS

68% of E&C leaders have pre‑meeting check‑ins with the oversight chair ~10% meet monthly.

FULL BOARD EXPOSURE

72% of boards received an in‑person E&C program briefing within the last year.

The State of Board Reporting

88% provide E&C updates to the Board/oversight committee at least quarterly

Table-Stakes Content
Hotline & misconduct reporting stats	99%
E&C training initiatives	99%
E&C risk mitigation strategy and tactics	99%
E&C program assessment/benchmarking findings	97%
E&C communications initiatives	97%
E&C risk assessment findings	96%
Details on misconduct investigations & resolutions	95%
Culture of ethics assessment or survey findings	91%
E&C program audit results	90%
Code of Conduct updates	89%
Privacy risk assessment and results	77%
Resources needed for program objectives	63%

Building Data-Driven E&C Dashboards

Great E&C programs leverage data dashboards much like a sales or finance team would. Instead of using spreadsheets, they use live analytics to track key E&C indicators in real time.This streamlines reporting and proactively identifies patterns and trends. Data-driven dashboards typically aggregate metrics across the whistleblower hotline, case management system, learning management system (LMS), third-party due diligence, and more, providing a one-stop view of program health.

Importantly, these dashboards align with the DOJ’s 2024 guidance:

Prosecutors have made it clear that they expect E&C programs to utilize modern data tools. In fact, the DOJ update to the ECCP notes that it will view skeptically any organization where the technology investment for E&C significantly lags that of other functions (such as Marketing or Sales).

Using Data to Inform Discussion Content

Good vs. Great: Key Differences in E&C Metrics

What distinguishes between good and great E&C metrics? It often comes down to what and how you measure performance.

Great programs build on the basics but go further to capture effectiveness and drive improvement.

Here are a few contrasts:

Good vs. Great:

Key Differences in E&C Metrics

What distinguishes between good and great E&C metrics? It often comes down to what and how you measure performance.

Great programs build on the basics but go further to capture effectiveness and drive improvement.

Here are a few contrasts:

What “Board-Ready" Metrics Look Like

Boards expect sharper, data-driven and outcome-oriented E&C updates. 88% brief at least quarterly, and the strongest updates span all core aspects of the E&C program.

THE FOUR REPORTING PILLARS:

Activities

“Are we doing it?”

Shows table-stakes execution and coverage: training completion, policy attestations, case intake, third-party screenings.

Quality

"Is it good?"

Proves comprehension and process health: in-course and real-time knowledge checks, post-course retention, and investigation perception survey data. To assess quality, look at previous performance and align with benchmarks from organizations with great programs.

Outcomes

“Does it work?”

Shows behavior change and risk movement: after increasing in manager communications about E&C topics, seeing changes in manager-reported vs. hotline ratio, and risk severity shifts post-control adoption.

Culture

“Will it sustain?'”

Ties program activities and outcomes to your employees' perception: comfort speaking up, perceived fairness, manager role-modeling, and action planning follow-through after each culture cycle.

Overcoming Data Silos

Siloed data kills signal. Most E&C programs are stuck with siloed tools (LMS, case management, COI/disclosures, culture, TPRM), and the data never intersects. Stand up a lightweight metrics warehouse or BI workspace keyed on Person_ID, Org/Manager, Geo/BU, and Date and pipe in six feeds first (training, hotline intake, investigations, disclosures/COI, culture/pulse, TPRM) This lets you correlate activities, and ship a board-ready view each quarter.

To accelerate without heavy lift, partner with a built-for-E&C analytics platform with pre-built dashboards, KPI reporting across risk/compliance, including case management/whistleblowing analytics and GRC dashboards.

A single, board-ready dashboard enables E&C to correlate actions to outcomes and make faster, defensible decisions on risk and resourcing.

Overcoming Data Silos

A single, board-ready dashboard enables E&C to correlate actions to outcomes and make faster, defensible decisions on risk and resourcing.

Most programs already have the horsepower to connect siloed systems, standardize shared keys, and turn multi-source data into board-ready insight.

Elevating Training and Communications Reporting

Great programs go beyond merely reporting that employees successfully completed their training and prove how that training changed employee behavior.

TRAINING DESIGN:

Role-based micro learning and scenario vignettes that mirror real risk moments for your employees (by role, region, etc).

TRAINING MEASURE:

Blend direct signals (pre-testing and knowledge checks) and indirect signals (case trends, policy search/downloads, content engagement). Most teams run post-course quizzes yet far fewer test knowledge weeks/months later, a gap to close.

COMMUNICATIONS DESIGN:

Treat comms like product marketing: role/region-targeted, multi-format assets (short videos, manager talk tracks, Slack/Teams nudges) timed to business rhythms (QBRs, launches, audits).

COMMUNICATIONS MEASURE:

Report reach (% of audience touched), frequency (avg. touches per quarter), recall (2–4 week pulse quiz on the message), and behavioral lift (policy views, acknowledgment timeliness). Use trackable links to attribute impact.

How Training and Comms Shows Up with the Board

Have had their Training/Comms lead attend Board/governing authority in the last 2 years

Have included E&C training initiatives in their E&C program presentations to the Board or governing authority of E&C within the last 12 months.

Have assigned their employee Code of Conduct training to the Board or governing authority in the last 3 years

The Value of Enabling Managers and How To Measure It

E-learning and emails are the starting point for training and communications. To create a visible presence and strengthen the understanding of E&C issues throughout the organization, you need to engage your people leaders. As the everyday face of E&C, they shape culture, process, expectation, and model each of those in practice. Enable your managers and track Manager Enablement as a performance driver.

KPIs TO REPORT:

Coverage (how many leaders are activated)
Cadence (how often conversations occur)
Quality (whether the discussion hits core elements)
Program effects (training lift, policy acknowledgment timeliness, and culture-understanding scores)

Benchmarks indicate that 58% of organizations require managers to hold E&C conversations and that 38% hold them monthly. Aim to exceed that benchmark and show measurable gains in completion, clarity, and confidence where manager cadence is strong.

People who frequently have these conversations are:

30 POINTS MORE LIKELY

to report misconduct that they observe

43 POINTS MORE LIKELY

to believe that the organizations will take action if they raise their hand

Reporting on Speak-Up: Are We Hearing Everything?

A healthy speak-up system is omni-channel, integrated, and measured, so nothing gets lost between managers, HR, E&C, or the hotline.

WHAT TO TRACK:

Reporting rate (per 1,000 employees) and reporting channel (manager/HR/E&C/web/phone)
Time-of-report and time-to-close by allegation category and investigatory function
Substantiation rate and appeals
Post investigation follow-up to inquire about investigation experience and any concerns of retaliation

How Great Programs Collect Speak-Up Data

Route all reports into a single system

Track reporting modality

Capture reports that originate with managers

Measuring Speak-Up Through Employee Surveys

Hotline data shows who reported and confirms that the E&C program has a reporting system in place. Surveys reveal if employees stayed silent and why. Pairing employee perceptions with intake data completes the speak-up picture and gives the board a leading indicator of future risk.

Run an organization-wide culture survey every other year. In-between, deploy targeted pulse surveys, and add focus groups/interviews at site visits to capture nuance and identify hotspots.

WHAT TO MEASURE:

Comfort speaking up
Trust in non-retaliation
Knowledge of how/where to report
Observed vs. reported misconduct
Perceived fairness/organizational justice
Manager discussion frequency
Awareness of E&C resources
Perceptions of the E&C function

Voice of exiting employees: % exit interviews completed, % with misconduct prompts, % routed to E&C within SLA. (84% route misconduct-related exit intel promptly to E&C.)

Investigations Reporting: Speed, Quality, and Consistency

Leading programs standardize the process and then measure it.

89% of misconduct investigations processes are global processes (with regional and functional variations as needed), and 93% of investigators come from within E&C. (96% come from other functions, and 92% come from external resources.)

Track the function and geographic location from which a report originates, what function conducts the investigation, and how efficiently the matter is closed.

Core Investigation KPIs:

Cycle time from open to close by investigatory function and case type

Report category

Root cause themes

Case load per investigator; service level agreement (SLA) performance for high-severity matters

Report modality (manager-handled vs. routed into the system)

Disciplinary response

Board view: Boards routinely receive data on report numbers and investigation outcomes. Keep a concise, quarter-over-quarter snapshot that broadens the data that is tracked and analyzed.

Transparency Builds Trust and Reporting

Transparency is a performance lever, not a press release.

Among best in class programs, 71% share speak-up activity and results with all employees (many also disclose in ESG/annual reports), while 95% circulate this information to the C-suite and 90% to other management layers.

Employee experience data reinforces the why: large majorities say they’ll report, yet only about half of those who observe misconduct actually do , largely out of a fear of retaliation. And as we established earlier, most concerns are raised to people (e.g., managers/HR/E&C) instead of portals .

To help employees understand the importance of speak-up and get insight into how investigations are handled, establish a process for sharing KPIs and sanitized stories internally.

What to share internally:

Volume & modality mix, top allegation themes, and median cycle time
Substantiation rate, corrective actions, and a plain-language anti-retaliation reaffirmation with how to seek support
“You said, we did” examples that show the survey findings and actions the E&C team is taking to to close the gap. (This transparency improves trust and future reporting)

Reporting on E&C Risk Assessment

Enterprise Risk Management helps organizations focus on mission-critical risks to the organization. However, risk assessment activity shouldn’t stop there. To assess the adequacy of the controls that are in place, conduct an E&C risk assessment to assess those risks that may not make it into the top risks for the organization overall. This data can then be used to guide program design and resource allocation. Brief the Board on shifts and actions each quarter.

Most organizations report a close relationship between ERM and the E&C teams. Coordination among the two functions when conducting risk assessment activities is key in order for executive leadership and the board to obtain a fulsome view of business and behavioral risks, allowing leadership to make smarter, faster and more credible decisions.

WHAT TO SHOW THE BOARD EACH QUARTER:

Top E&C risks
Risk velocity and residual-risk trend, quarter-over-quarter
Controls & mitigations: status, exceptions, and time-to-mitigate (by business/region)
Funding & ownership: cross-functional actions agreed to by the steering committee

Benchmarks to Cite

Risk Assessment findings included in Board updates

E&C coordinates with ERM/Risk Management 

E&C steering committee is cross-functional

E&C steering committee meets at least quarterly

Third-Party Risk: Lifecycle KPIs That Belong in the Board Pack

Treat third-party risk as an end-to-end system: diligence, onboarding, monitoring, remediation, and offboarding.

Report both coverage (what is in scope) and effectiveness (what has changed).

KPIs TO TRACK

Screening & diligence coverage: % of third parties screened, % high/medium/≥“more than low” risk.

Onboarding speed: median days for high/medium/≥“more than low” risk approvals (target SLA)

Diligence refresh SLAs: % on-time refresh, exceptions opened/closed

Monitoring & audits: % third parties monitored by risk tier, % audited and audit triggers

Issues & remediation: # of issues by type, corrective action rate, repeat-issue rate

G&E/COI linkages: G&E/COI issues tied to third parties (from expense and disclosure tools) and investigation outcome

Justifying E&C to the Board

Every budget season, boards invite control functions to justify their existence. For ethics and compliance leaders used to seeing their work as inherently beneficial, having to justify it can seem like board-level antagonism. But this a common question to answer meant not out of hostility toward business integrity, but with an eye toward reducing unnecessary spend and ensuring that each function is building value.

Where this creates issues for E&C is that the function's wins are mostly invisible. It’s a classic Catch-22: By working well, E&C denies itself the very evidence—fines, investigations, lawsuits, and crises—that most easily justifies its continued existence.

But there’s no telling how high those costs are if E&C keeps preventing them. Thus, E&C work can look like overhead unless you can showcase prevention as outcomes the Board recognizes.

On the risk side, the scale is real. Since 2000, U.S. companies have given up more than $1 trillion in fines, penalties, and settlements. More than $222 billion of that has been in the last five years alone, and to put that in context, that figure is equivalent to the current worth of both the National Football League and TikTok combined.

On the value side, Boards steward what now drives enterprise worth: over 80% of company value is intangible (brand, people, IP, trust). E&C protects those assets by reducing incident likelihood, shortening time-to-remediate, and signaling organizational justice…things that investors interpret as durability.

Expectations are high. Among honorees, 88% brief their Board at least quarterly, and the standard pack already includes risk findings, investigations outcomes, training/comms, and culture signals. Your job is to convert that data into outcomesso that E&C is seen not as a fixed cost but as an engine for risk reduction and value protection.

The answer is to change the frame and walk two paths at once: quantify risk avoided and demonstrate value created.

PROOF THAT RESONATES

Risk Avoided: >$222B since 2020

Value Protected: >80% intangible value

Governance Norm: 88% quarterly Board cadence

Possible Objection: “FCPA scrutiny is easing. Why invest now?”

Enforcement ebbs and flows, but betting on lighter scrutiny is a bad strategy. In 2024, total FCPA penalties doubled to roughly $1.7 billion even with fewer cases, driven by multi-hundred-million-dollar resolutions.

The DOJ also expanded whistleblower rewards in 2024, making it more likely that tips will become cases. This keeps pressure on companies to incentivize compliance via pay (the clawback/compensation pilot remains in effect) and create and measure speak-up culture.

Even if U.S. enforcement priorities shift, cross-border enforcements remain active (over $400M in foreign penalties were credited alongside U.S. actions last year). Plus, current U.S. enforcement priorities are subject to change with the arrival of new administrations.

Your plan needs to manage to the risk, not the news cycle. This means reducing incident likelihood and time-to-remediate, which protects the brand and other intangibles that drive enterprise value.

BACK-POCKET STATS

Whistleblower expansion:

DOJ’s 2024 pilot program pays awards for tips on corporate crime, including foreign corruption outside SEC jurisdiction. This broadens the pipeline beyond traditional FCPA channels.

Penalties remain harsh:

2024 saw fewer FCPA resolutions than 2023, yet nearly double the total monetary penalties. So far, “less focus” has not translated to lower exposure.

Compliance incentives:

DOJ’s compensation/clawback pilot program and recently updated ECCP guidance tie program quality to outcomes. How we pay and hold people accountable still matters to prosecutors.

How to Communicate E&C’s Value Creation

There are multiple avenues to provide evidence that the E&C function builds value with markets, among customers, in the capital stack, and across the workforce. The key is to partner with allied functions within the organization to show where E&C makes the company cheaper to finance, easier to insure, easier to buy from, and harder to disrupt.

Partner with Investor Relations to surface what investors ask about program quality. Connect those signals to your controls. Engage ESG and credit ratings owners. Map your program to specific criteria used by rating agencies, and note any upgrades or positive outlook commentary that cite controls, policies, or culture indicators. If your posture improves access to capital or terms, quantify the spread savings on current or recent issuances, and log those outcomes when briefing lenders (i.e., “Compliance briefing to lending syndicate supported a rate reduction of X bps, annual interest savings of $Y, exceeding current program spend.”). All of this amounts to a credibility premium.

Coordinate with Risk/Insurance to capture any pricing credits or retentions improved due to governance, investigations discipline, training quality, and speak-up health. Then, Put the numbers in Board language: “D&O renewal achieved Z percent premium improvement attributable to program controls, equal to $Y in annual savings.” This shows how risk reduction translates into premium relief.

Ask Sales which RFPs require control attestations. Build a standard “Assurance Annex” that shortens diligence and reduces friction in vendor onboarding. And most of all, track wins enabled. Attribute cycle time reduction and wins protected when your controls cleared customer concerns, and you can show how to make compliance a customer advantage.

How to Communicate E&C’s Value Creation

Work with HR to overlay culture survey results with turnover and engagement by business unit. Expect there to be a relationship between high speak-up rates and lower attrition. Quantify replacement cost avoided where safety scores improved and exits declined. Then add external proof. Where culture scores sit one standard deviation above benchmark, highlight associated financial outperformance. Present this as directional evidence that culture pays. This links psychological safety to retention and performance.

With Security and IT, show how E&C policies and training reduce loss events involving confidential information, fraud attempts, and misuse of AI tools. Track incidents caught early and the cycle time to containment to show the delta in severity at discovery versus resolution. This makes the case for how E&C builds resilience.

Begin with the director’s mandate: diligent risk oversight and protection of enterprise value. Remind that most company worth is intangible. Position E&C as the operating system that protects brand, reputation, people, confidential information, and IP. Then link each metric above to one of those assets. This speaks to the board’s fiduciary duty and its appreciation of the organization’s intangible value.

Ethicast is Ethisphere’s signature podcast and live-stream series, where ethics, compliance, and leadership intersect with excellence in action. Each week, we bring together leading voices to share best practices exploring how organizations can strengthen trust, resilience, and performance through effective ethics, compliance, and culture programs.

Subscribe Today

The Data and Organizations Behind This Report

Real-World Ethics & Compliance Data: For years, Ethisphere has built data sets that prove strong ethics is good business. Our program and ethical culture benchmarking data shows what excellence looks like for organizations seeking to develop best-in-class business integrity. And our Ethics Premium proves how much highly ethical organizations outperform their peers.

This report features insights from Ethisphere's proprietary data set, the 2025 World’s Most Ethical Companies^® and Ethical Culture dataset, part of the data intelligence BELA clients access to benchmark and strengthen their programs.

Ethisphere is the trusted community for enabling global leaders to measure, mature, and unlock and demonstrate the power and value of their integrity programs. With 400+ global organizations, thousands of resources, and millions of ethical culture and E&C program data points, Ethisphere is re-defining how programs accelerate maturity.

SAI360 is giving companies a new perspective on risk management. By integrating ethics, governance, risk, and compliance within a single platform, SAI360 helps companies broaden their risk horizon so they can manage risk from every angle. Visit sai360.com to learn more.