Ethics Reporting Trends During Mergers and Acquisitions: How Organizational Change Spikes Compliance Risk

Ethics reporting during mergers and acquisitions doesn’t just increase; it often doubles or triples in volume. And most compliance teams aren’t ready for it.

Mergers and acquisitions (M&A) create a perfect storm for compliance risk. Two cultures collide. Reporting lines blur. Employees fear for their jobs. Managers cut corners to hit integration deadlines. And the compliance program that worked fine last quarter suddenly can’t keep up.

If you lead an ethics and compliance (E&C) program at an organization going through M&A, this article is for you. We’ll walk through the data on reporting spikes, the specific risks that emerge, and the practical steps you can take to protect your program — and your people — during the transition.

TL;DR: Key Takeaways

  • M&A activity creates predictable spikes in ethics reports across every intake channel.
  • The biggest risks aren’t financial fraud — they’re culture clashes, retaliation fears, and policy confusion.
  • Compliance teams that prepare before the deal closes fare dramatically better.
  • Your reporting infrastructure, case management capacity, and communication strategy all need M&A-specific plans.
  • The DOJ evaluates whether compliance programs function effectively during organizational change — not just during steady state.

Why Ethics Reporting During Mergers and Acquisitions Spikes So Dramatically

Organizational change is the single biggest driver of ethics reporting volume. And no change is bigger than a merger or acquisition.

Here’s what happens in the weeks and months around a deal:

  • Uncertainty peaks. Employees don’t know who their boss will be, whether their role will exist, or which policies apply.
  • Loyalty fractures. People who felt connected to the old organization may disengage from the new one.
  • Oversight gaps appear. Managers focused on integration tasks may deprioritize compliance controls.
  • Legacy misconduct surfaces. Employees who tolerated bad behavior under the old regime may see a window to finally report it.
  • New misconduct emerges. Pressure to hit integration milestones can push people toward shortcuts.

Research from the Ethics & Compliance Initiative (ECI) consistently shows that organizations undergoing major change see misconduct observation rates climb by 30-50%. Reporting rates follow a similar trajectory — if the reporting channels are trustworthy and accessible.

That last point matters. In organizations where employees don’t trust the reporting system, misconduct still rises during M&A. The compliance team just doesn’t hear about it until it’s too late.

The Five Compliance Risk Zones in M&A Transitions

Not all M&A risks are created equal. Based on industry patterns, five risk zones demand the most attention from compliance teams.

1. Culture Integration Conflicts

Every organization has unwritten rules. What’s acceptable at Company A may be a fireable offense at Company B. When these cultures merge, friction is inevitable.

Common culture-driven reports during M&A include:

  • Harassment or hostile work environment claims as teams merge
  • Complaints about management style differences
  • Allegations of favoritism toward “legacy” employees from one side of the deal
  • Concerns about diversity and inclusion practices

These reports may seem like HR issues, not compliance issues. But the DOJ’s updated Corporate Enforcement Policy makes clear that culture is a compliance function. A program that ignores culture-driven risk isn’t meeting the standard. Learn more about DOJ compliance program evaluation criteria.

2. Policy and Code of Conduct Confusion

Which gift policy applies? What’s the new threshold for conflicts of interest disclosure? Who approves vendor contracts now?

During the integration window, employees often operate under conflicting or unclear policies. This creates two problems:

  • Unintentional violations. Good-faith employees break rules they didn’t know existed.
  • Intentional exploitation. Bad actors take advantage of the confusion to push boundaries.

Compliance teams need to identify policy conflicts early and communicate a clear “rules of the road” document well before Day One of the combined entity.

3. Retaliation and Speak-Up Culture Erosion

Fear of retaliation always suppresses reporting. During M&A, that fear intensifies.

Employees worry that speaking up will make them a target for the next round of layoffs. They wonder whether the new leadership will protect reporters the way the old leadership did — or didn’t.

Organizations that maintain strong identified caller rates during M&A tend to have better outcomes. When reporters trust the system enough to share their identity, investigations close faster and produce more actionable findings. Read more about anti-retaliation programs and protecting whistleblowers.

4. Third-Party and Vendor Risk Expansion

Acquiring a company means inheriting its vendor relationships, agent networks, and third-party contracts. Many of these relationships were vetted under a different standard — or not vetted at all.

This is especially critical for organizations subject to the Foreign Corrupt Practices Act (FCPA). The DOJ has made clear that acquiring companies are responsible for the compliance failures of the entities they acquire. Explore FCPA compliance program best practices and what the DOJ expects in 2025.

Key actions include:

  • Screening all acquired entity vendors against exclusion and sanctions lists
  • Reviewing existing conflicts of interest disclosures
  • Assessing the acquired entity’s historical reporting data for red flags

5. Data Integration and Case Management Overload

Two organizations mean two reporting systems, two case management platforms, and two sets of historical data. Merging them without losing information — or dropping active cases — is a real operational challenge.

Compliance teams that rely on spreadsheets or outdated systems often hit a wall during M&A. The volume of incoming reports rises. The complexity of each case increases. And the team’s capacity stays the same or shrinks.

This is where centralized case management becomes essential. A platform that aggregates all intake channels — hotline, web, SMS, disclosures — into a single view prevents cases from falling through the cracks during the chaos of integration. Learn how to unify hotline, disclosure, and case data into one view.


What the Data Tells Us About Ethics Reporting During Mergers and Acquisitions

Let’s look at the patterns that compliance professionals consistently observe during M&A transitions.

Reporting Volume Increases 30-60% in the First 6 Months

The spike typically begins when the deal is announced — not when it closes. Employees start reporting as soon as uncertainty hits. Volume peaks in the first 90 days post-close and gradually normalizes over 6-12 months.

Anonymous Reporting Rates Climb

During stable periods, organizations with strong speak-up cultures see identified caller rates around 50-75%. During M&A, anonymous reporting tends to increase because trust in the combined organization hasn’t been established yet.

This shift matters because anonymous reports are harder to investigate and slower to resolve.

Report Categories Shift

Pre-M&A, most organizations see a predictable mix of report types: HR issues, policy questions, conflicts of interest, and financial concerns.

During M&A, the mix shifts toward:

  • Retaliation concerns (up significantly)
  • Policy confusion and questions (up significantly)
  • Management conduct complaints (up moderately)
  • Financial irregularities in the acquired entity (new category)

Substantiation Rates May Drop Initially

More reports don’t always mean more confirmed misconduct. Some of the spike reflects anxiety-driven reporting: employees flagging concerns that turn out to be policy differences rather than violations.

This is actually healthy. It means people are paying attention and speaking up. But it does require more triage capacity from the compliance team.


Building an M&A-Ready Ethics Reporting Program

The compliance teams that handle M&A transitions well share a few common traits. They plan early. They communicate constantly. And they make sure their reporting infrastructure can handle the surge.

Here’s a practical framework.

Phase 1: Pre-Deal Due Diligence (Before Close)

Assess the target’s compliance program. Request data on:

  • Historical reporting volume and trends
  • Case closure rates and average resolution times
  • Open investigations and their status
  • Policy inventory (code of conduct, COI, gifts, anti-corruption)
  • Regulatory history (enforcement actions, settlements, government investigations)
  • Exclusion screening practices (especially in healthcare)

Identify compliance gaps. Compare the target’s program against your own standards and against the DOJ’s evaluation criteria. Document gaps and build a remediation timeline.

Plan your reporting channel strategy. Decide early whether the acquired entity’s employees will use your existing hotline or maintain a separate channel during transition. Having a single, high-quality reporting channel reduces confusion.

A third-party hotline with live, trained specialists — not automated systems — is especially valuable during M&A. Employees from the acquired company may have never used a hotline before. Their first experience needs to build trust, not destroy it. See how adaptive interview methodology shapes investigation outcomes compared to script-based intake.

Phase 2: Integration Window (Day 1 Through Month 6)

Communicate early and often. Within the first week, every employee in the combined organization should know:

  • How to report an ethics concern
  • That retaliation is prohibited and will be investigated
  • Which policies apply during the transition period
  • Who leads the compliance function

Increase case management capacity. If your team handles 50 cases a month during steady state, plan for 75-100 during the integration window. This might mean:

  • Temporarily reassigning team members to case triage
  • Using workflow automation to route cases faster
  • Setting up escalation protocols for high-priority M&A-related reports

Run a conflicts of interest disclosure campaign. M&A creates new conflicts. An employee who had no conflict yesterday may now report to someone from the acquired entity with a competing interest. A targeted disclosure campaign within the first 90 days catches these early. Learn how to achieve 80%+ response rates on conflict of interest disclosures.

Screen the acquired workforce. In healthcare and other regulated industries, every employee and vendor from the acquired entity needs sanction and exclusion screening. This isn’t optional — it’s a condition of maintaining compliance with federal program requirements.

Phase 3: Stabilization (Month 6 Through Month 18)

Harmonize policies. By month six, the combined organization should operate under a single code of conduct and unified compliance policies. Lingering policy conflicts breed confusion and erode credibility.

Conduct a post-integration risk assessment. Use the reporting data from the integration window to identify where risks concentrated. Did one business unit generate a disproportionate share of reports? Did a specific category spike unexpectedly?

A structured risk assessment with broad participation gives you the data to prioritize resources. Read our guide on conducting a compliance risk assessment that actually drives action.

Benchmark your reporting metrics. Compare your post-M&A reporting data against pre-deal baselines and industry benchmarks. Key metrics to track:

  • Reports per 100 employees
  • Identified vs. anonymous reporting ratio
  • Average time to close cases
  • Substantiation rates by category
  • Reporter satisfaction scores

The DOJ Factor: Why M&A Compliance Programs Get Extra Scrutiny

The Department of Justice doesn’t give organizations a pass during M&A. In fact, the opposite is true.

The DOJ’s evaluation criteria for compliance programs specifically ask whether the program functions effectively during times of organizational stress. Prosecutors want to know:

  • Did the compliance program have adequate resources during the transition?
  • Were reporting channels accessible to all employees, including those from the acquired entity?
  • Did the organization conduct due diligence on the target’s compliance history?
  • Were identified risks from the acquisition remediated in a timely manner?

A compliance program that looks great on paper but collapses under the weight of an acquisition won’t satisfy prosecutors. The standard is operational effectiveness — not just program design.

This is why your reporting infrastructure matters so much during M&A. A hotline with a less-than-1% abandonment rate, average call durations of 14-15 minutes, and trained Risk Specialists who adapt to each caller’s situation produces the kind of high-quality reports that demonstrate program effectiveness. Understand why ethics hotline call duration matters and the 14-minute rule.

Contrast that with a hotline where 15-19% of callers hang up before reaching anyone, calls last 6-7 minutes, and agents read from scripts. The difference in report quality — and in what you can show a regulator — is enormous.


Healthcare M&A: A Special Case for Ethics Reporting During Mergers and Acquisitions

Healthcare deserves a separate mention because M&A activity in this sector carries unique compliance obligations.

When a healthcare organization acquires another entity, it inherits:

  • Stark Law and Anti-Kickback Statute exposure from the target’s physician relationships and referral patterns
  • False Claims Act liability for any billing irregularities in the acquired entity
  • Credentialing obligations for every licensed professional in the combined workforce

The credentialing piece is especially time-sensitive. Under JCAHO 2025 requirements, healthcare organizations must verify professional licenses monthly — not just at hire. Acquiring a hospital or health system means immediately bringing hundreds or thousands of licensed professionals into your monitoring program. Learn how to build a defensible verification trail for JCAHO and CMS surveys.

Failing to screen and monitor the acquired workforce from Day One creates real financial and patient safety risk.


Key Takeaways for Compliance Leaders

  1. Expect the spike. Ethics reporting volume will increase 30-60% during M&A. Plan your capacity accordingly.
  2. Start before the deal closes. Pre-deal compliance due diligence isn’t optional — it’s what the DOJ expects.
  3. Protect speak-up culture. Communicate anti-retaliation commitments early and often. Trust takes time to build in a combined organization.
  4. Centralize your reporting and case management. Running two systems during integration creates gaps. A single, unified platform keeps cases from falling through the cracks.
  5. Use the data. Post-integration reporting trends tell you where risk lives in the new organization. Feed that data into your risk assessment process.
  6. Don’t forget credentialing. In healthcare M&A, sanction screening and license monitoring for the acquired workforce must start immediately.

Frequently Asked Questions

How long does the ethics reporting spike last after a merger or acquisition?

Most organizations see elevated reporting volume for 6-12 months after a deal closes. The spike typically peaks in the first 90 days and gradually normalizes as policies harmonize and employees adjust to the new structure.

Should the acquired company’s employees use our existing ethics hotline?

In most cases, yes. Consolidating to a single, high-quality reporting channel reduces confusion and ensures consistent report quality. The key is communicating the change clearly and making the channel easy to access from Day One.

What compliance due diligence should we do before an acquisition closes?

At minimum, review the target’s reporting history, open investigations, policy inventory, regulatory actions, exclusion screening practices, and overall program maturity. Compare against DOJ evaluation criteria and document gaps with a remediation plan.

Does the DOJ hold acquiring companies responsible for the target’s past compliance failures?

Yes. The DOJ has made clear — especially in FCPA enforcement — that acquiring companies inherit compliance liability. Conducting thorough due diligence and promptly remediating identified issues can mitigate this risk, but it doesn’t eliminate it.

How do we maintain reporter trust during a merger?

Three things matter most: consistent communication about reporting channels and anti-retaliation protections, visible leadership commitment to ethics from both legacy organizations, and fast, fair handling of reports that come in during the transition. When reporters see that their concerns are taken seriously, trust follows.


Preparing Your Program for What’s Ahead

M&A activity creates real, measurable compliance risk. But it also creates an opportunity. A well-managed transition demonstrates to employees, regulators, and the board that your compliance program works when it matters most — not just when things are calm.

The organizations that navigate M&A transitions successfully invest in reporting infrastructure that scales, case management that centralizes, and a culture that encourages people to speak up even when everything around them is changing.

If your organization is facing a merger or acquisition and you want to understand how your reporting program compares to industry benchmarks, explore Ethico’s compliance solutions to see how a modern E&C platform supports organizations through their most complex transitions.
