Anyone who has followed the Theranos scandal (the book “Bad Blood” or the streaming dramatizations of it) could be forgiven for thinking that ethics and compliance isn’t a natural fit with the Silicon Valley ethos of “move fast and break things” or “fake it ’til you make it.” Theranos, a much-celebrated start-up with blue-ribbon backers, burned through nearly a billion dollars of investor money on a product that simply didn’t work, while making false claims and persecuting whistleblowers. Its former CEO and COO are now serving prison sentences.

And it’s not just a Silicon Valley thing. Binance, a global cryptocurrency exchange, embraced a business model that didn’t bother with “know your customer” rules and counted terrorists and Russian drug gangs among its clients. In 2023, Binance agreed to pay $4.3 billion in fines to resolve U.S. anti-money-laundering and sanctions violations, and its CEO pleaded guilty and later served a jail sentence. As part of the settlement, the company has to implement a “robust” ethics and compliance program under the supervision of an independent monitor.

Even entrepreneurs with steadier moral compasses sometimes seem to think that E&C programs are a luxury they can’t afford. That couldn’t be further from the truth. At their essence, ethics and compliance programs are about identifying risks that can literally obliterate the company (Theranos? What’s that?) or put founders in jail (just ask Sam Bankman-Fried, former CEO of FTX). As with any other risk, the wise thing to do is to mitigate it before it becomes a crisis.

Enforcement by the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC), plus the explosion of sanctions and trade regulations in the wake of the Ukraine war, Middle East conflicts and Iranian nuclear ambitions, highlights the need for companies of all sizes to put in place a basic E&C program. That goes double for tech companies with “bleeding edge” technology that has implications for defense or national security.

Let’s look at some useful facts about why small and mid-size companies need ethics and compliance programs.

Small companies are more likely to be actually sentenced for misconduct.

Most regulatory enforcement actions are settled, and having an ethics and compliance program is a major factor in reaching a favorable settlement and avoiding criminal sentencing. Data from the United States Sentencing Commission shows that of the nearly 5,000 organizations sentenced for federal crimes since 1991, 70% had fewer than 50 employees. The overwhelming majority of organizational offenders, nearly 90%, had no E&C program in place.

Small and mid-size companies face greater risks than large ones without proper compliance.

Sanctions and trade controls affect everyone’s supply chain, regardless of company size. Effective compliance requires training and an E&C program that identifies and mitigates risks. Take e.l.f. Beauty, a mid-size beauty products company based in California. In 2019, the company paid roughly $1 million to settle an enforcement action by the Office of Foreign Assets Control (OFAC) of the U.S. Treasury. e.l.f. had imported 156 shipments of false eyelash kits from Chinese suppliers that sourced some of their materials from North Korea. Imagine the social media storm if Academy Award nominees found out they were wearing North Korean eyelashes. The company self-reported the sanctions violations after an internal audit and reportedly paid a lesser penalty as a result.

Most established companies have processes in place to mitigate these risks and to screen transactions and supply chains for prohibited parties and destinations. And this area isn’t going away. The first Trump administration used export restrictions extensively as a tool, and new restrictions on shipping AI technology or know-how, directed particularly at China, were imposed as recently as January 15, 2025.

Ignorance is no excuse when it comes to ethics and compliance.

Ignorance of what constitutes ethical and compliant behavior does not excuse an organization. In 2014, Smith & Wesson paid $2 million (plus other penalties) to settle bribery charges with the SEC. The company had no compliance program, and employees were not aware that offering gifts to foreign officials to win business violated the law (really??). Training employees on what they can and can’t do is essential.

E&C programs can identify risks to avoid or mitigate before they become threats.

On the positive side, surveys in the ethics and compliance field consistently indicate that identifying E&C factors and risks helps organizations modify or abandon business initiatives that aren’t such a good deal. A good example of what can happen when this process isn’t implemented effectively is the settlement the famed consulting firm McKinsey & Co. recently signed with DOJ. In December 2024, McKinsey agreed to pay about $120 million in fines for FCPA violations by its South African subsidiary. Fines at that level, and the reputational damage that comes with them, can quickly tank the risk-reward ratio of an acquisition or a deal.

Everyone can be a whistleblower, but effective compliance training can help with proactively speaking up.

Since 2010, whistleblowers who spot misconduct that a company hasn’t remediated have been eligible for an award when they voluntarily provide the SEC with information that leads to a successful enforcement action. Awards range from 10% to 30% of the money collected in an investigation. In 2021, cumulative awards to whistleblowers under the program passed $1 billion. DOJ is in the midst of implementing a similar program.

Compliance programs are the best defense against whistleblower claims. When implemented effectively, they encourage employees to speak up about misconduct internally and help the organization address it at an early stage. One of the most basic elements of any compliance program is a hotline, or some other mechanism employees can use without fear of retaliation, for raising concerns. But it’s not enough to have a hotline: employees and managers need to be trained and encouraged to speak up, and managers must avoid anything that suggests or resembles payback.

Compliance programs reduce fines and penalties.

Given regulators’ emphasis on personal accountability and the steady arrival of new, complex risks, organizations would be well advised to ensure that their ethics and compliance program is resourced and supported. Compliance programs help prevent misconduct and, if and when it does occur, lead to reduced fines and penalties. In 2022, GOL, a Brazilian airline, received a 25% “discount” on its SEC and DOJ fines and penalties for bribery violations because it had redesigned its anti-corruption compliance program.

The bottom line

For small and mid-size companies, ethics and compliance programs are essential: they protect against ever-changing risks, surface problems internally before they turn into whistleblower complaints to regulators, and reduce fines if misconduct does occur. They also help managers and employees identify risks and get training on how to avoid or mitigate them.