Defining and Measuring Effectiveness: Responding to the DOJ’s Evaluation of Corporate Compliance Programs Speak Up Guidance

by: Vault Platform and Emily Rickaby

Rather than empowering employees to speak up, change the power dynamic and say we are listening, we hear you.
 

The Department of Justice (DOJ) has provided much-needed insight for ethics and compliance leaders tasked with evolving internal reporting mechanisms and investigations procedures.

Earlier this year, the DOJ implemented its pilot whistleblower program, which created a monetary reward structure for employees who voluntarily report corporate misconduct to federal authorities. This creates new pressure on companies that either lack internal reporting channels to uncover misconduct or fail to act on reports. Through the DOJ’s updates to their Evaluation of Corporate Compliance Programs, companies now get a clearer view of what the Department expects when examining the strength and effectiveness of an employee reporting system and process.

We’ve compiled recommendations that Compliance, HR, ER, and Legal leaders can lean on when evolving and enhancing their programs in light of this guidance, with a particular emphasis on defining and measuring your Speak Up Program to fit the ‘adequate, effective, and well-designed’ expectations of the DOJ.

‘Adequate and effective’ for Speak Up programs comes down to engagement and usage. So how do you demonstrate the company is effective at encouraging speaking up without relying on volume of reports alone?

As you take stock of your current program and think about demonstrating impact on company Speak Up culture, here are a few metrics you can establish and monitor to prove to your business, and to the regulators, that you are evaluating and evolving your Speak Up program approach.

Benchmark your Trust Gap

Benchmarking and continuously measuring your internal Trust Gap is the most effective way to demonstrate ongoing improvement and effectiveness of your compliance program. 

Globally and across industries, there exists a gap between employees’ willingness to report (93%) and actual reporting rates (46%). Closing this trust gap is crucial for building a reliable compliance environment. This is the reality you’re operating in – a company with 10,000 employees should expect that 500-1,500 incidents of misconduct will occur a year, half of which will go unreported. Mitigating risk is not possible when half of the issues are unsurfaced.

Data collected by Vault Platform has revealed the scope of this issue:

  • Frequency of Misconduct: Up to 48% of employees witness or experience misconduct monthly 
  • Lack of Employer Accountability: More than 50% of employees feel their employers need to be more ethical and transparent. 
  • Impact on Personal Wellbeing: Nearly 50% of employees experiencing misconduct report a negative effect on their wellbeing, which leads to absenteeism and decreased productivity.
  • Employee Retention Concerns: Misconduct impacts retention, with a significant portion of affected employees eventually leaving their roles due to unresolved issues.

With 86% of employees emphasizing the need for safe reporting channels, an environment that bridges the Trust Gap empowers employees to speak up, strengthening both compliance and organizational health.

Data from Ethisphere shows that 100% of the World’s Most Ethical Companies® measure employee perceptions of ethical culture with 74% doing so with a dedicated ethical culture or compliance program survey, as opposed to one or two questions in a broader employee engagement survey. These same companies are administering these surveys at least every two years (21%), if not annually (49%).

Employees are reluctant to report concerns if they don’t believe the reporting process works or that the company takes any action on reports. To bolster employee confidence in the reporting and investigation process, 69% of the World’s Most Ethical Companies® provide employees with some level of reporting on the number and types of concerns that were reported as well as the results of those reports and any subsequent investigations.

To benchmark and address the Trust Gap effectively:

  • Survey Employee Willingness and Experiences: Effective Speak Up Programs require cross-functional collaboration. Partner with HR and People Teams to benchmark willingness to speak up versus actual speak up rates at least annually. Regularly survey employees to track their readiness to report issues and to monitor progress over time to help identify barriers and opportunities to increase awareness of actual Speak Up processes.
  • Monitor Reporting Rates: Measure actual reporting volume on all channels. It’s best practice to also monitor outcomes, focusing on resolutions and the impacts on productivity, employee well-being, and retention. Benchmarking against yourself year over year with comprehensive analytics is the most effective approach, as industry or geographic speak up programs vary.
  • Calculate your Trust Gap: Willingness to Speak Up (as percentage of employee population) minus your Actual Report Rate for the same period (as percentage of employee population) = Trust Gap

Monitor Retaliation Fears as a Speak Up Barrier

Retaliation is the most commonly cited barrier to speaking up at work. 48% of employees cited concerns about retaliation as preventing them from speaking up about misconduct. 

Some leaders see this data point and jump to forming an anti-retaliation program and increasing communication about anti-retaliation policies. But to focus on policy without an approach to building psychological safety will set you up for failure. 

33% of employees do not believe anti-retaliation policies will be enforced. 

The foundation of a successful compliance program, and of moving the needle on retaliation fears, lies in the organizational culture. Compliance leaders must work actively to cultivate an environment where employees feel safe to voice their concerns, which means increasing transparency, demonstrating accountability, and proving you are Listening Up.

To foster an open and trusting culture:

  • Proactively Position Compliance as Listening Up: 50% of employees who witness or experience misconduct will not report. Listening to employee feedback is just as crucial as encouraging them to speak up. Compliance leaders should prioritize creating channels through which employees feel heard and respected. Regularly evaluate employee sentiment and belief that the ethics, HR, and/or leadership teams are listening.
  • Increase Investigations Transparency: Regularly bring awareness to the company’s commitment to ethical behavior and compliance through various channels—emails, team meetings, and town halls. Consider developing reports that promote transparency into aggregate resolutions metrics.
  • Demonstrate Accountability: Ensure that executives and managers exemplify the values of transparency and accountability in their actions and decisions.

Best Practice Spotlight:

Allianz Life’s VP & Chief Ethics and Compliance Officer, Steve Koslow, speaks to the value of a Hear Me/I’m Listening Culture, “There is a power paradigm in a speak up culture message. Rather than empowering employees to speak up, change the power dynamic and say we are listening, we hear you. Shifting the compliance frame of mind from Speak Up to a Hear Me culture shifts the power paradigm.”

Review and Revisit Intake Channel Preferences and Promotion

‘Another hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct.’ 

The DOJ emphasizes that compliance programs must be dynamic and adaptable. Compliance leaders should regularly evaluate and refine their programs based on employee feedback and changing regulatory environments. There are three constant changes within our workplaces: People are changing, technology is changing, and communication preferences are constantly changing.

Compliance leaders must ensure that reporting mechanisms are easily accessible and user-friendly to encourage employees to speak up. Before misconduct occurs is the best time to educate and assess awareness and comfort with available intake channel options. All employees should be aware of their options for speaking up, both directly and anonymously. 

77% of employees want an anonymized app-based reporting channel.

73% will report if they don’t have to speak to anyone.

Employees shouldn’t have to navigate a choose-your-own-adventure-style code of conduct when attempting to make a report. Every decision your employee is faced with after experiencing or witnessing misconduct should propel them towards making a report. Assess what is working well and feeling safe, and expand that approach.

To keep a pulse on meeting employees where they are: 

  • Simplify the Speak Up Landscape – Complicated processes can discourage employees from reporting issues, leading to a culture of silence that is detrimental to compliance efforts. Consolidate your Speak Up tech stack optimizing for trust, confidentiality, and ease of use. 
  • Emphasize accessibility: Provide frictionless reporting channels that reflect employee preferences. While some may prefer to rely on an anonymous hotline, others prefer online portals that allow them to report anonymously while tracking their case.
  • Anonymous channels should be varied and accessible by multiple avenues (app, web, phone, direct). The key is to remain creative in reducing reporting friction. If other channels are commonly used day-to-day, such as Slack, consider incorporating the messaging app into a reporting channel. This flexibility accommodates different comfort levels and preferences. Identify which channels are most utilized, and take it a step further and learn which are most trusted.
  • Equipping managers for ethics pulse taking: Ethisphere’s Speak Up Culture Report shows the people who do report have a strong preference (5:1) for direct to internal human reporting. Emphasize manager training for hard conversations, active listening, and ethics pulse taking. Regularly assess how aware and confident managers feel identifying ethically gray and reportable situations.

Incorporating these best practices into compliance programs can significantly enhance the culture of speaking up within an organization and prepare you to demonstrate your commitment to data-driven effectiveness. By identifying your trust gap, fostering an open culture, and simplifying reporting mechanisms, compliance leaders can build a resilient, adequate compliance program that not only meets DOJ expectations but also empowers employees.

This environment, where employees feel safe and encouraged to voice their concerns, is not just a regulatory obligation – it is a strategic advantage. Benefits include decision-making, increased employee engagement, and a stronger overall organizational culture. As compliance leaders navigate the updated guidance from the DOJ, prioritizing employee engagement and feedback will be crucial for driving compliance success and fostering long-term ethical business practices.

Summary:

Key metrics for identifying the Trust Gap

  1. Willingness to report 
  2. Witnessing or experiencing misconduct
  3. Actual Reporting volume

Key Speak Up Barrier Metrics:

  1. Awareness of Anti-Retaliation Policies
  2. Belief Anti-Retaliation Policies will be enforced
  3. Belief Compliance (and/or HR) is listening to employee concerns and issues

Key Metrics for Intake Channel Review

  1. Awareness of reporting options
  2. Comfort with available reporting options
  3. Trust in anonymous reporting options
  4. Manager survey: awareness of code of ethics
  5. Manager survey: comfort with identifying ethical gray situations

Ethical Assessments identifies Excellence in Action

Showcasing Best Practices from AtkinsRéalis, Ingredion, and JBS Foods

The willingness of these companies to prioritize ethics and compliance provides a model for integrity in action.
 

Ethisphere’s mission is to build a better world by advancing business integrity. And a big part of that is not just directly helping organizations across the globe achieve ethics and compliance excellence, but in sharing those stories so that everyone in the ethics economy can see what great looks like. That is why we showcase those companies whose business integrity efforts truly stand out. 

Some of these may have earned recognition through Ethisphere’s rigorous Compliance Leader Verification ethical assessment process, which identifies areas of strength and improvement around six key areas: program resources and structure; perceptions of ethical culture; written standards; training and communication; risk assessment, monitoring and auditing; and enforcement, discipline, and incentives. Others may be a World’s Most Ethical Companies® honoree. And others still may be forging ahead boldly on their ethics and compliance journey in a way that is bound to educate and inspire others. But all of them exemplify excellence in action.

ATKINSRÉALIS

Founded in 1911, AtkinsRéalis is a global, fully integrated professional services and project management company that supports various sectors, including buildings and places, defense, industrial, minerals and metals, nuclear, power and renewables, transportation, and water. 

AtkinsRéalis’s exemplary ethics and compliance program embeds integrity across the organization. The company has made significant investments in compliance and ESG, and implemented major initiatives, from building a culture that requires managers to frequently communicate with their teams on ethics and compliance, to robust third-party risk management procedures.

For these things and more, AtkinsRéalis received Ethisphere’s Compliance Leader Verification in May 2023. And just recently, it became the first engineering company in the UK to achieve the Clear Assured Platinum Standard for its progress and impact with DE&I initiatives. With 37,000 employees who speak over 70 languages and represent 130 nationalities across six continents, AtkinsRéalis works across a diverse set of markets, from buildings and places to defense, industrial, minerals and metals, power and renewables, transportation, water, and even nuclear. These factors collectively require a certain diversity-driven perspective within the compliance program and around business integrity in general.

“I would say our long-term strategic plan has always been about ensuring that our integrity program is there to support employees in their day-to-day workings and to make sure that it’s pragmatic and as much as possible integrated,” says Hentie Dirker, Chief ESG & Integrity Officer for AtkinsRéalis. “I come from a business background. I was in sales and marketing. And people on the ground are really busy. So in order to make things easy and to get that buy-in from them, you have to really make sure that you always integrate your systems as much as possible into things that they would already be doing or interacting with from a day-to-day basis and really to avoid unnecessary bureaucracy.”

Click here to learn more about the many different ways in which AtkinsRéalis builds and advances its culture of integrity. And to learn more about how Hentie and his team are moving the needle within AtkinsRéalis, check out Hentie’s Ethicast interview here.

INGREDION

Ingredion is a leading plant-based global ingredients solutions company headquartered in Westchester, IL. The company makes sweeteners, starches, nutrition ingredients and biomaterials that are used in a wide range of food, beverages, paper, and pharmaceuticals. Or to quote Ingredion itself: “We turn grains, fruits, vegetables and other plant materials into ingredients that make crackers crunchy, candy sweet, yogurt creamy, lotions and creams silky, plastics biodegradable and tissues softer and stronger.”

Ingredion is also a current World’s Most Ethical Companies honoree – a distinction it has earned an impressive 10 times. So it comes as no surprise to learn that the company is doing some compelling work in the area of speak-up culture and internal investigations, such as conducting post-investigation surveys with all parties involved in an investigation as well as detailed walkthroughs of the investigations process to demystify it and make it less intimidating. 

“When you start pulling the lid off of things and you really start shining a spotlight on it, it becomes less scary. And if it’s less scary, then people are more likely to engage,” says Kimberly White, Ingredion Vice President and General Counsel-Compliance. “We have gotten more than 100 responses from those [post-investigation] surveys. And we have found even with people who are implicated, they are coming up and saying, you know what, this was not a bad experience. And I think that’s a real testament to our speak-up culture and also our processes.”

Kimberley adds that this is all a part of how seriously Ingredion takes its speak-up culture, and its business integrity program. But it never hurts to have a little help from the outside, too.

“Of course, we have Ethisphere that helps us also continuously improve,” Kimberley says. “Thank you to Ethisphere and thank you to all of my colleagues out there who make this such a wonderful practice so that we can really level up the game for all corporations to be ethical business partners.”

Click here to learn more about Ingredion’s Business Integrity, Ethics & Compliance program, including a special integrity message from Ingredion CEO Jim Zallie, Ingredion’s Code of Conduct, and more. And to learn more about Ingredion’s innovative approach to internal investigations and speak-up culture, check out Kimberley’s Ethicast interview here.

JBS FOODS

JBS Foods is a leading global food company that processes, prepares, packages and delivers fresh, further-processed and value-added premium protein products for sale to customers in approximately 100 countries on six continents.

With more than 250,000 team members and operations in 15 countries, JBS is the #1 global beef producer, the #1 global poultry producer, the #2 global pork producer, and the mothership for major brands such as Pilgrim’s and Primo. It’s safe to say that if you haven’t yet eaten a JBS product, you probably know someone who has.

Over the last several years, JBS has made substantial efforts not only to deepen and expand its ethics and compliance program, but more importantly, it has done so with an eye towards the future sustainability of the program itself, especially when it comes to budgeting.

“You have to realize, when you’re forming budgets, what hills to die on,” says Michael Koenig, Global Chief Ethics and Compliance Officer. “Every compliance officer has their wish list, but you’re not going to get everything you wish for. What are the things I absolutely must have, what I’d like to have, and what are the things that would be nice, but if I don’t have, that’s okay? You have to think of budgeting that way as well. You have to build internal trust and confidence that when you go asking for more resources for something, the leadership will say, you know what, we trust what they’ve done.”

People don’t like surprises, Michael says, especially when it comes to budget. The key is to have candid, ongoing discussions about resources, especially around issues that could suddenly require unexpected costs. That’s when all that discussion pays off. “I would much rather deal with problems than surprises,” Michael says. “That’s true in the substantive world, and it’s true in the budgeting world.”

Click here to learn more about Governance and Compliance at JBS—as well as its culture, leadership, and sustainability efforts. And to learn more about JBS’s remarkable compliance journey, check out Michael’s Ethicast interview here.

Making Supply Chain Due Diligence Practical

by Craig Moss and Patrick Neyts.

To make supply chain due diligence practical, take reasonable steps to cover the breadth of your supply chain and focus on the highest-risk suppliers.
 

The number of supply chain due diligence laws is growing rapidly. Some have been around for years (the first since 2010 – California Supply Chain Transparency Act), and some are new. The pace of new supply chain laws is increasing. The EU’s approval of the Corporate Sustainability Due Diligence Directive (CSDDD) will lead to new laws in each EU country as the directive is transposed into national legislation.

To make it harder, the laws cover environmental and social risks in your supply chain. On the environmental side, they cover everything from carbon output (currently a high-profile topic) to water conservation, air pollution, disposal of hazardous materials, and beyond. On the social side, they cover forced labor, child labor, working hours, discrimination, and more.

A Tip For Managing Supply Chain Due Diligence

It is neither practical nor efficient for you to react law by law and jurisdiction by jurisdiction. We’ll give you a tip: All the laws are based on the OECD Due Diligence Guidance For Responsible Business Conduct (RBC). The practical (and smart) thing to do is to develop a supply chain due diligence program aligned with the structure and management system approach recommended by the OECD. Easy to say. Harder to do. It is even harder because your program needs to manage your environmental and social risks and those of your suppliers.

It does not matter if you have 100 or 100,000 suppliers; the laws require you to consider all their environmental and social risks – to a certain extent. That doesn’t sound too practical. Especially when considering the wide range of risks impacting environmental and social performance.

Not to make it more difficult, but the OECD and the derivative CSDDD have a comprehensive view of what they consider due diligence. Pre-contract background checks or social audits during the commercial relationship are only a small part of the overall management system requirements. The CSDDD, like the OECD Due Diligence Guidance for RBC, has six interrelated elements.

  1. Integrate due diligence into company policies
  2. Identify potential or actual adverse impacts – social and environmental
  3. Prevent, end, and mitigate potential impacts and bring actual impacts to an end
  4. Engage external stakeholders as part of the due diligence process
  5. Establish a grievance mechanism
  6. Monitor the effectiveness of the system using qualitative and quantitative KPIs

How to Make Managing Supply Chain Due Diligence Practical

As you can see, this goes way beyond the check-the-box compliance approach. So, what are supply chain due diligence best practices, and how do you make it practical? You make it practical by taking a breadth and depth approach. You take reasonable steps to cover the breadth of your supply chain and then focus on the residual risk of the most critical or highest-risk suppliers.

  • First, you need to have a good idea of who your suppliers are. Based on our experience, this alone challenges many large organizations.
  • Second, most legislation refers to “Primary” Supply Chain actors. Primary means they are important or material from a business as well as from an environmental and social risk point of view. It is possible that your Primary Supplier is not a direct supplier but one or two levels down in the supply chain.
  • Third, the most important thing beyond the mapping is establishing a reasonable and scalable risk assessment process.

We recommend starting your process by having a logic for determining where to go in-depth. This logic may be a combination of basic inherent risk factors (where they are located, what they do) coupled with how important they are to you (amount of spend, criticality to business continuity, etc.).

Once you’ve narrowed your suppliers down from 100 to 10 or 10,000 to 100, it’s time to focus on residual risk.

Start by taking a more sophisticated look at inherent risk. To what extent do they use hazardous materials in their manufacturing? Do they use migrant labor through employment agencies? Next, look at the maturity of their control processes to manage risk. Your “important” suppliers should have similar management systems to yours. Of course, they should scale their controls to their size and the nature of their business.

11 Supply Chain Due Diligence Best Practices

So what does a good supply chain due diligence program look like? Here’s another tip: It has eleven interrelated categories. To understand residual risk, you need to understand your maturity and that of your key suppliers in each category.

  1. Supply Chain Mapping: The first step in establishing a supply chain due diligence program is to identify and map the organization’s supply chain partners, looking at who provides services or materials and where they are located. 
  2. Risk Assessment: An effective program is risk-based. It is important to have a process for evaluating the likelihood and potential impact of supply chain risks and prioritize them across the environmental and human rights spectrum.
  3. Strategy & Goals: Supply chain due diligence should be aligned with the overall business strategy and ESG goals. The due diligence process should provide data needed for tracking progress and public reporting.
  4. Policies, Procedures & Records: The due diligence program should be defined in a reasonable number of policies and procedures, shaped by the risk assessment and the relevant laws.
  5. Responsible Supply Chain Engagement: ESG expectations should be communicated to suppliers frequently and through a Supplier Code of Conduct. A process should exist for vetting, approving, and onboarding new suppliers, along with considerations for disengaging from a supplier when necessary.
  6. Governance and Oversight: Senior leadership’s level of involvement is important in embedding responsible supply chain engagement practices and mitigating potential supply chain risks. Part of an effective program is having trusted grievance reporting channels for employees, suppliers, and other stakeholders to access.
  7. Training & Communication: Effective training and communication is critical to building awareness of the ESG expectations and gaining commitment internally and with suppliers. You should also communicate information on the actions to take to meet legal requirements. 
  8. Monitoring: An ongoing process is needed for assessing the supplier’s ability to adhere to the supply chain due diligence expectations for mitigating potential risks. 
  9. Corrective Action & Collaborative Remediation: Define the corrective actions required of suppliers or to be conducted in collaboration with suppliers. This includes assessing the roles and responsibilities in the remediation efforts, as well as assessing the effectiveness of remediation efforts. 
  10. Stakeholder Engagement: Engage with external stakeholders (including workers of suppliers) to establish and monitor the ongoing effectiveness of the supply chain due diligence strategy and related goals. This includes how the organization considers the potential impacts its supply chain has on the communities of its suppliers.
  11. Reporting & Disclosure: Reporting is a critical requirement in meeting the supply chain due diligence regulations. There should be a process in place for assessing the reliability of the data being collected from suppliers and third parties (e.g., audit firms, consultants) and for determining the appropriate level of transparency and disclosure. 

Understanding your current level of maturity is a critical step to prioritizing where to focus efforts and proceed efficiently. Just as you need to prioritize where to go in-depth with your suppliers, you need to prioritize which elements of your supply chain due diligence program to focus on. You can’t work on everything at once. You need to measure so you know where to improve.

To make it practical, it takes a combination of technology and human expertise to understand and make decisions effectively and efficiently. This will require new internal collaborations and new collaborations with your key suppliers.

For these collaborations to be effective, the parties must commit to a common goal and move beyond sharing transactional data to trading strategic data. They must also establish a common language and shared performance metrics.

Scaling Supply Chain Risk Management

We know that the plethora of supply chain risk, due diligence, and reporting legislation can be overwhelming, and that managing and mitigating environmental and social risks in your supply chain can be complicated. A well-structured supply chain due diligence program requires time, analytics, and subject matter expertise.

We believe that the structured, systemic, collaborative measure-and-improve approach based on the OECD Due Diligence Guidance For Responsible Business Conduct framework is the reasonable way to improve your supply chain risk performance at scale.

To learn more about how Ethisphere can help improve your supply chain due diligence program and systematically and practically understand your current suppliers, and their inherent and residual risk, explore these resources: