What the Data Reveals About Strong E&C Governance

Governance is often treated as an org chart question: Where does ethics and compliance sit? Who does the function report to? Which board committee owns oversight?

Those questions matter. But for ethics and compliance leaders, the more practical governance question is whether the structure supports independence, accountability, and meaningful access to the board. A program may technically have a reporting line to the board, but that line only becomes useful when directors understand the program, hear from the right people, and have a role in protecting the independence of the leader responsible for it.

Ethisphere’s 2026 Ethics Quotient data offers a useful view into how leading companies are approaching that relationship. The data does not point to one universal structure that every company should copy. Instead, it points to a set of governance practices that help ethics and compliance programs operate with credibility inside the business and visibility at the board level.

Most E&C Functions Still Sit Within Legal

Among World’s Most Ethical Companies honorees, the structure of the ethics and compliance function has remained relatively stable over the last several years. About 70% report that the function sits within the legal department. In many of those cases, the chief ethics and compliance officer still has a direct line to the board, even though the function is housed within legal from an organizational standpoint.

The remaining 30% sit elsewhere. Approximately 23% report into the CEO, positioning ethics and compliance as a control function alongside legal. The final 7% report through another structure, such as risk, audit, the chief administrative officer, or the chief operating officer.

This distribution is important because it reflects the reality many E&C leaders already know: independence is not determined by one box on the org chart. A function can sit within legal and still have meaningful access to the board. It can report to the CEO and still need stronger oversight practices. The question is whether the governance model gives the program leader enough authority, visibility, and protection to raise hard issues when they arise.

That becomes especially important when the same leader carries multiple responsibilities. Smaller companies are more likely to combine roles, with a general counsel, chief audit executive, head of HR, or another senior leader also holding responsibility for ethics and compliance. That may be practical from a resource standpoint, but companies should be clear-eyed about the limits of that model. Being a general counsel and running an effective ethics and compliance program are both full-time jobs in mature organizations.

When one executive holds both responsibilities, the board and senior management should ask who is actually running the program day to day. If oversight is spread across a committee or divided among several leaders, the company still needs clear accountability for program design, execution, escalation, and continuous improvement.

Board Oversight Should Protect the Role, Not Just Receive Updates

Strong governance requires more than periodic board presentations. The board’s role should help protect the independence and authority of the senior-most person responsible for the ethics and compliance program.

Ethisphere’s 2026 data shows that slightly more than one-third of World’s Most Ethical Companies honorees say the board has a formal role in evaluating the job performance of the person who runs the program. Another 37% say the board must both be notified of and approve that person’s termination, with that requirement reflected in the relevant charter. Nearly 60% say the board must be formally notified before the chief ethics and compliance officer can be terminated.

Those practices matter because they shape behavior. If the E&C leader is expected to raise difficult issues, challenge influential executives, or escalate concerns about program risk, the governance structure should not leave that person exposed. Board involvement in evaluation and termination decisions helps reinforce that the role serves the organization’s integrity obligations, not only the preferences of the executive team.

In practice, the chair of the board committee responsible for oversight is often the person most directly involved in the performance evaluation process. That makes the relationship between the chief ethics and compliance officer and the committee chair especially important. It should be substantive, regular, and candid enough that the committee chair understands not only what the program is doing, but how effectively the program leader is navigating risk, influence, resources, and escalation.

Audit Committees Still Carry Most E&C Oversight

When companies assign board-level oversight for ethics and compliance, the audit committee remains the most common home. In Ethisphere’s 2026 data, 72% of honorees report that the audit committee has responsibility for overseeing the ethics and compliance program.

That is not surprising. Audit committees have long been the default board committee for compliance oversight, especially where the program intersects with controls, investigations, reporting, and regulatory risk. Some companies, however, assign oversight to a risk or regulatory compliance committee, while a smaller number assign it to nominating and governance or another committee.

The right structure depends on the company’s risk profile, industry, maturity, and board design. A heavily regulated company may benefit from a dedicated risk or regulatory committee. Another company may find that the audit committee is well positioned to oversee the program because of its existing role in financial controls, investigations, and reporting channels.

What matters most is not the label on the committee, but whether the committee has the time, expertise, and seriousness to engage with the program. Ethics and compliance oversight cannot be a short standing item at the end of an overloaded agenda. Directors need enough visibility to understand trends, test assumptions, and ask better questions about program effectiveness.

Bring More E&C Leaders Into the Boardroom

One encouraging development in the 2026 data is the growing practice of bringing additional members of the ethics and compliance team into board presentations. Half of World’s Most Ethical Companies honorees report that, within the last year, different members of the E&C team participated in or presented during a board or committee update. Another 8% say they did so within the last two years.

That means a majority of honorees have recently given the board direct access to someone other than the senior-most program leader.

This is a strong practice for several reasons. First, it gives directors a more accurate understanding of the scope of the program. If the board only hears from the chief ethics and compliance officer, the broader team can remain abstract. Bringing in the head of investigations, the leader responsible for sanctions, or the person managing conflicts of interest disclosures helps directors see the scale, specialization, and judgment required to run the program well.

Second, it improves the quality of board discussion. The people closest to a specific area of work are often best positioned to answer detailed questions, explain patterns, and identify practical constraints. Their perspective can help the board move beyond high-level reporting and into a more grounded conversation about how the program operates.

Third, it supports succession planning. Boards should know who else on the team has the judgment, credibility, and operational understanding to step into a larger role if needed. Giving those leaders exposure to directors helps build confidence before a transition is urgent.

Some E&C leaders may feel that their board agenda is too controlled to make room for additional presenters. That concern is real, but it should not end the conversation. If directors are responsible for oversight, they benefit from hearing multiple informed perspectives. A tightly managed agenda may require creativity, but it should not prevent the board from understanding the program it is charged with overseeing.

Involve the Board Earlier When Hiring the CECO

Another governance practice worth considering is involving the board, or at least the chair of the relevant oversight committee, in the hiring process for a new chief ethics and compliance officer. This is not yet a majority practice, but it deserves attention, particularly as many senior E&C roles continue to turn over.

The CECO’s relationship with the board is central to the role. If the board committee chair will be a key partner in oversight, escalation, and performance evaluation, that person’s input during the hiring process can be valuable. It can help test whether the candidate has the right judgment, independence, communication style, and credibility to serve both management and the board.

This does not mean the board needs to manage the search process. It does mean the company should consider whether the oversight committee chair should meet serious finalists, provide input, and begin building the relationship before the new leader steps into the role.

Governance Should Make the Program Stronger in Practice

The data does not suggest that every company needs to pull ethics and compliance out of legal, create a new board committee, or redesign its governance model from the ground up. It does suggest that mature programs pay attention to the mechanics that make governance real.

Does the E&C leader have meaningful access to the board? Does the board have a role in performance evaluation or termination protections? Does the right committee have enough time and capability to oversee the program? Do directors hear from leaders beyond the CECO? Is there a clear person accountable for running the program, especially in smaller organizations where roles may be combined?

These are the governance questions that matter most because they determine whether the program can function with independence, credibility, and practical influence. A strong ethics and compliance program needs more than a reporting line. It needs a governance structure that helps the board understand the work, protects the people responsible for doing it, and gives the organization a clearer view of its own integrity risks.

---