What the Data Reveals About Strong E&C Governance

---

Strong ethics and compliance governance rarely turns on one reporting line or one committee assignment. It depends on whether the structure gives the function enough authority, independence, access, and visibility to do the work effectively.

That distinction matters. A company can say that ethics and compliance has access to the board, but if the board has little visibility into the person leading the program, limited involvement in evaluating that leader’s performance, and no meaningful view of the team behind the program, oversight remains narrow. The structure may exist on paper, but the governance model may not yet support the function as a true control.

Ethisphere’s 2026 Ethics Quotient data offers a useful view into how leading companies are approaching this question. The data shows that many organizations continue to place ethics and compliance inside legal, while also creating direct board access and formal oversight mechanisms that help protect the independence of the function. It also points to a growing practice that deserves more attention: bringing more members of the ethics and compliance team into the boardroom.

For leaders assessing their own governance model, the message is clear. The question is not only where ethics and compliance sits on the org chart. The more important question is whether the governance structure helps the board understand how the program actually operates.

Most ethics and compliance functions still sit within legal

Across the last several years, Ethisphere’s data has remained relatively stable on where the ethics and compliance function sits inside the organization.

Among World’s Most Ethical Companies honorees, about 70% report that the function sits within the legal team. In many of those companies, the chief ethics and compliance officer still has a line to the board, but from an organizational chart perspective, the function is housed within legal.

The remaining 30% sit elsewhere. About 23% report into the CEO, positioning ethics and compliance as a control function alongside legal rather than within it. The remaining 7% report into other functions, such as risk, audit, the chief administrative officer, or the chief operating officer.

There is no single structure that works for every company. Industry, size, regulatory profile, maturity, and leadership expectations all matter. However, the data does show that leading companies are thinking seriously about how structure influences authority. If ethics and compliance sits inside legal, the organization still needs to ensure that the function can raise concerns independently, access the board directly, and operate with a clear mandate. If the function reports elsewhere, the company still needs strong coordination with legal, risk, audit, human resources, and other critical partners.

The governance question, in other words, is not whether one model is universally superior. It is whether the model in place gives the ethics and compliance leader enough practical authority to lead the program.

Board involvement should protect independence, not just receive updates

Board oversight becomes more meaningful when directors have a role in the conditions that shape the ethics and compliance leader’s judgment.

Ethisphere’s 2026 data shows that a little more than one-third of World’s Most Ethical Companies honorees indicate that the board has a formal role in evaluating the job performance of the person who runs the ethics and compliance program. In those organizations, the board is not merely receiving updates from the function. It has a defined place in assessing the leader responsible for the program.

The data also shows that 37% of honorees say the board must both be notified and approve termination of the chief ethics and compliance officer, with that requirement included in the charter. Almost 60% say the board must be formally notified before the chief ethics and compliance officer can be terminated.

These practices matter because they help protect the independence of the role. A chief ethics and compliance officer may need to raise uncomfortable issues, challenge business decisions, escalate misconduct concerns, or identify weaknesses in senior leadership behavior. If the role can be removed without board awareness, the function’s independence is more vulnerable.

Formal board involvement in performance evaluation and termination decisions does not eliminate pressure, but it does create a governance safeguard. It signals that the chief ethics and compliance officer is accountable to the organization’s oversight structure, not only to management.

In practice, that relationship often runs through the chair of the relevant oversight committee. Ethisphere’s data indicates that the chair of the oversight committee is the most common person involved in the performance evaluation process for the ethics and compliance leader. That makes the relationship between the chief ethics and compliance officer and the committee chair especially important. It should be candid, consistent, and substantive enough to support real oversight.

Audit committees remain the most common oversight home

The audit committee continues to be the most common location for board oversight of ethics and compliance. In Ethisphere’s 2026 data, 72% of honorees say oversight responsibility sits with the audit committee.

That finding is not surprising. Audit committees have long carried responsibility for key control functions, financial reporting, investigations, and risk-related oversight. For many organizations, ethics and compliance naturally fits within that mandate.

Still, the data also shows some variation. A sizable percentage of companies place oversight with a risk or regulatory compliance committee. A smaller percentage assign responsibility to the nominating and governance committee, while others use another board committee structure.

The right committee may vary by company, but the committee’s mandate should be clear. Directors need to understand what they are expected to oversee, how often they will hear from the function, what information they should receive, and how they will evaluate whether the program is effective.

A governance structure that names a committee but gives that committee limited time, limited context, or overly sanitized reporting will not accomplish much. Effective oversight requires more than agenda placement. It requires directors to see the real risks, pressures, program gaps, resource constraints, and progress indicators that define the ethics and compliance function’s work.

The board should hear from more than one person

One of the most encouraging findings in the 2026 data concerns who participates in board presentations.

Half of World’s Most Ethical Companies honorees report that, within the last year, different members of the ethics and compliance team presented or participated in updates to the board. Another 8% say they brought other team members into board presentations within the last two years. That means a majority of honorees have recently given the board an opportunity to hear from someone other than the most senior person responsible for the program.

This practice deserves more attention.

When the chief ethics and compliance officer is the only person who regularly speaks to the board, the rest of the function can become abstract. Directors may hear about investigations, sanctions, conflicts of interest, training, data analytics, policy management, or third-party risk, but they may not get a grounded sense of the people doing that work or the judgment those roles require.

Bringing other team members into the boardroom changes that dynamic. A head of investigations can speak directly about case trends and process challenges. A sanctions leader can explain how geopolitical risk is affecting the business. A conflicts of interest lead can discuss disclosure patterns and employee behavior. These conversations help directors understand the scope and complexity of the program in a more practical way.

They also support succession planning. Boards should know whether the ethics and compliance function has depth. If the chief ethics and compliance officer leaves unexpectedly, directors should have some sense of who else understands the program, who has credibility with the business, and where the next layer of leadership may come from.

For companies that believe their board agenda is too controlled to allow additional voices, the better question may be whether that control is serving the board well. Directors benefit from hearing different perspectives, especially from the people closest to the work.

Smaller companies face a different governance challenge

Governance questions can look different at smaller organizations. Ethisphere’s World’s Most Ethical Companies data set tends to skew larger, but the underlying issue remains relevant across company sizes.

In smaller companies, the challenge is often role consolidation. The senior person responsible for ethics and compliance may also be the general counsel, the chief audit executive, the head of human resources, or another senior leader with a full-time job. When that happens, the organization needs to ask who is actually running the ethics and compliance program day to day.

That question is more than administrative. Ethics and compliance is not a side assignment. It requires dedicated attention, judgment, and follow-through. A company that relies on “program oversight by committee” may still have committed leaders, but it also needs clarity on accountability. Someone must own the program’s design, execution, escalation pathways, reporting cadence, and improvement priorities.

For smaller organizations, the answer may not be a large standalone function. The answer may be a clearly designated program leader, defined reporting expectations, documented board access, and a practical plan for resourcing the work as the company grows.

Board involvement should begin before the chief ethics and compliance officer is hired

One governance practice that remains less common, but increasingly worth considering, is involving the board in the hiring process for a new chief ethics and compliance officer.

The rationale is straightforward. The relationship between the chief ethics and compliance officer and the board’s oversight committee is one of the most important relationships in the governance structure. If the board will rely on this person for candid reporting, risk insight, escalation, and assurance, the chair of the oversight committee should have an opportunity to meet the candidate and provide input.

This does not mean the board needs to run the hiring process. Management still has a central role. But involving the oversight committee chair can help ensure alignment on expectations, independence, communication style, and the authority the role will need.

Given the amount of movement in chief ethics and compliance officer roles, companies hiring for these positions should consider whether the board’s involvement is appropriate. For many organizations, that time would be well spent.

Strong governance gives the board a fuller view of the program

The most useful lesson from the data is that ethics and compliance governance should be evaluated as a living structure.

Reporting lines matter. Committee assignments matter. Charter language matters. Performance evaluation and termination protections matter. But each of those elements should serve a larger goal: helping the board understand whether the ethics and compliance program has the authority, resources, independence, and leadership depth it needs.

A board that only hears from one person may miss the broader reality of the function. A company that gives the chief ethics and compliance officer board access but no meaningful protection may leave the role exposed. A smaller organization that assigns ethics and compliance to an already overloaded executive may underestimate the work required to run the program effectively.

Strong governance makes the program visible. It gives directors a clearer picture of how ethics and compliance operates, who is doing the work, what risks are emerging, and whether the function has the standing to challenge the business when necessary.

That visibility is not a procedural nicety. It is one of the conditions that allows an ethics and compliance program to do its job.

---