Insight

Reinforcing Ethics and Oversight in Corporate Governance: Essentials for Public Companies

August 13, 2025

In an environment where public scrutiny is high and enforcement expectations are rising, investing in strong corporate ethics and oversight frameworks has become a strategic necessity for public companies. Effective compliance programs are no longer merely regulatory check-the-box exercises. They are essential tools for managing risk, safeguarding reputation, and meeting the expectations of regulators, investors, and other stakeholders.

In this Insight, we explore core elements of ethical governance for public companies, focusing on compliance programs, oversight and governance, codes of ethics, reporting mechanisms, investigations, and the nuanced landscape of code waivers and disclosures.

COMPLIANCE STILL MATTERS

Despite speculation about regulatory fatigue, compliance remains central to corporate governance. As emphasized by the head of the US Department of Justice’s (DOJ’s) Criminal Division at SIFMA’s Anti-Money Laundering and Financial Crimes Conference earlier this year, companies with well-functioning compliance programs “have a unique role to play” in detecting and preventing misconduct and will be held accountable if they fail to do so.

Compliance is fundamentally the process of ensuring companies and their employees follow applicable laws, regulations, and internal standards. Effective programs reduce the risk of misconduct and support early detection. Regulators, law enforcement, and shareholders now expect tailored compliance structures that reflect a company’s specific risks, industry, size, and global footprint.

CORE ELEMENTS OF AN EFFECTIVE COMPLIANCE PROGRAM

Seven core elements shape a strong compliance program:

  1. Oversight and governance
  2. Code, policies, and procedures
  3. Training and communication
  4. Risk assessment, monitoring, and auditing
  5. Reporting and investigation mechanisms
  6. Compensation structures and consequence management
  7. Response and prevention strategies

Other hallmarks include third-party risk management, robust merger and acquisition due diligence, processes for new market or product entry, and business record retention policies and procedures across all platforms, including messaging apps and personal devices.

OVERSIGHT AND GOVERNANCE

Oversight begins at the board level. Regulators expect boards (or designated subcommittees, such as audit committees) to oversee ethics and compliance programs. These programs must be reasonably designed to prevent and detect misconduct, including both criminal liability and reputational harm.

Companies must designate qualified compliance leadership with sufficient seniority, autonomy, and resources. Chief compliance officers should have direct access to the board and operate with independence.

In addition, management-level compliance committees, composed of senior leadership from across business, functional, and geographic areas, should meet regularly to support a culture of compliance and prepare for board-level reporting. Quarterly reporting to both senior management and the board subcommittee is considered best practice.

CODES OF ETHICS: REQUIREMENTS AND BEST PRACTICES

A cornerstone of governance is a clear, accessible, and comprehensive code of ethics. Regulators expect companies to not only make their codes publicly available (ideally online) but also ensure they are understandable and actively promoted.

Best practices include the following:

  • Publishing codes in multiple languages
  • Posting in PDF format with table of contents for searchability
  • Periodically reminding employees where to find the code and how to report issues
  • Ensuring codes are readable, ideally at an eighth- or ninth-grade level for broader comprehension

Codes should also align with applicable regulatory frameworks. For example:

  • SEC Requirements and Item 406 of Regulation S-K: Applies to principal executive officers, principal financial officers, principal accounting officers or controllers, and those performing similar functions. Codes must promote honest conduct, proper disclosure, legal compliance, internal reporting, and accountability.
  • NYSE and Nasdaq Listing Rules: Broader in scope, applying to all directors, officers, and employees. The NYSE’s Section 303A.10 and Nasdaq’s Rule 5610 both mandate adoption and public disclosure of a code of ethics. Both exchanges expect enforcement mechanisms and reporting of violations.

Required topics for codes of ethics under the NYSE’s rules include conflicts of interest, corporate opportunities, confidentiality, fair dealing, protection and proper use of company assets, legal compliance (including insider trading laws), and reporting of any illegal or unethical behavior. Nasdaq does not prescribe specific topics, but it requires compliance with definitions and principles set forth in Section 406(c) of the Sarbanes-Oxley Act and Item 406 of Regulation S-K.

REPORTING AND INVESTIGATIONS

To ensure early detection of misconduct, regulators encourage companies to provide multiple reporting avenues (including anonymous channels) and to actively promote their use. Most employees raise concerns to their managers first, so management training on how to escalate issues is essential.

Reporting mechanisms should be:

  • Accessible through several channels (e.g., direct to compliance, HR, legal, managers, or third-party helplines)
  • Confidential and anonymous, with multilingual support and 24/7 access
  • Centrally tracked and analyzed to detect patterns and systemic risks

Anti-retaliation is a key focus. Companies should maintain stand-alone anti-retaliation policies and conduct post-investigation check-ins with individuals who raised or were involved in the matter.

Investigations must be objective, consistent, and well-documented. Companies should ensure the following:

  • Qualified personnel are in place to investigate each matter based on its complexity
  • A standardized investigation process is used enterprise-wide
  • Ethics and compliance teams can access case data for benchmarking and trend analysis
  • Significant matters are escalated to the board or audit committee promptly, particularly if they involve systemic issues or senior leadership

AMENDMENTS, WAIVERS, AND IMPLICIT WAIVERS OF THE CODE

Under Item 5.05 of Form 8-K, domestic public companies must disclose material amendments or waivers to the code of ethics for the officers subject to Item 406 of Regulation S-K. Companies may:

  1. File a Form 8-K describing the waiver or amendment; or
  2. Post the information on their website (with prior notice in the annual report).

Item 5.05 of Form 8-K also requires disclosure of “implicit waivers,” which can occur when a company fails to act on a known violation in a reasonable timeframe. Foreign public companies that file annual reports on Form 20-F are subject to similar requirements under Item 16B of Form 20-F. To avoid unintentional waivers, companies must have mechanisms to address and document any departures from code provisions quickly and appropriately.

NYSE and Nasdaq rules are stricter and require disclosure of waivers granted to any executive officer (as defined under Rule 16a-1(f) under the Securities Exchange Act of 1934, as amended) or director. Additional key requirements include the following:

  • Approval Authority: Waivers may only be approved by the full board of directors or a board committee; this ensures that such decisions carry appropriate governance oversight
  • Disclosure Deadline: Both NYSE and Nasdaq mandate that companies disclose any waiver within four business days of board or committee approval
  • Disclosure Method: Companies may use a Form 8-K, press release, or website posting to disclose the waiver; however, any online posting must remain publicly accessible for at least 12 months and be retained internally for at least a further five years in case of Securities and Exchange Commission (SEC) inquiry
  • Substance of Disclosure: Nasdaq rules require companies to include a brief description of the reason for the waiver, while NYSE rules do not specify the content of the disclosure, leaving more discretion to the company

Because “materiality,” “reasonable time,” and even whether a violation occurred are often subjective judgments, disclosures of waivers and implicit waivers are rare. Nevertheless, companies should be vigilant, especially where codes integrate other policies (e.g., insider trading, anti-pledging), as exceptions granted under one policy may inadvertently trigger waivers under the code of ethics.

ONE CODE OR MANY?

While the SEC allows different codes for different groups (e.g., executives, employees, board members), many compliance professionals recommend maintaining a single, comprehensive code for all personnel. Tailored training can then address the specific responsibilities of high-risk or gatekeeper functions, such as legal, finance, HR, or procurement.

Only one code that satisfies Item 406 of Regulation S-K requirements must be disclosed, and only the portions covering the required officers and topics need to be made publicly available to comply with SEC regulations.

CONCLUSION

Ethics and oversight are not static compliance exercises. Rather, they are dynamic, enterprise-wide commitments essential to public company governance. With regulatory scrutiny intensifying and stakeholders demanding transparency and accountability, companies must maintain their compliance infrastructure accordingly. By embedding the principles discussed above into daily operations and remaining agile in the face of evolving regulatory complexity, companies can minimize risk and build stronger, more resilient organizations.