From Compliance Policies to a Board-Led Integrity System
Start Reading
1. Company at a Glance
FCC operates in complex, high- risk environments where integrity, transparency and strong governance are critical to business continuity. Following the European economic crisis and increasing regulatory expectations, the company undertook a comprehensive transformation of its ethics and compliance framework. What began as a limited set of policies evolved into a living, continuously reviewed compliance model, embedded across geographies, business areas and relationships with partners and suppliers.
Environmental Services, Water Management, Infrastructure, Concessions
Industry
1900
Founded
Spain
Headquarters
Over 76.000
Number of Employees
35 countries
Global Presence
2. The Challenge
Building trust and integrity in a high-risk sector
FCC operates in the large infrastructure and construction sector, an industry inherently exposed to elevated corruption, bribery and integrity risks due to its reliance on public-sector clients, complex procurement processes and operations across multiple jurisdictions.
When the compliance transformation began, FCC had a Code of Ethics dating back to 2010, but limited supporting structures, controls or systematic implementation. The European economic crisis, combined with increased regulatory scrutiny and international client expectations, exposed the need for a more robust, modern and internationally aligned compliance framework.
The challenge was not only regulatory compliance, but cultural: shifting internal perceptions of compliance from a cost and administrative burden to a strategic enabler of trust, reputation and access to global markets.

3. The Action
From foundational policies to a living compliance model
ESTABLISHING A MODERN ETHICS AND COMPLIANCE FRAMEWORK
Starting in 2017–2018, FCC redesigned its ethics and compliance model in line with international standards. A new Code of Ethics and Conduct was approved in 2018 and most recently updated in July 2024, supported by a comprehensive regulatory framework of policies, procedures and regulations, including: Anti-Corruption Policy, Crime Prevention Manual, Compliance Policy, Competition Policy, Policy on Relationships with Partners in Relation to Compliance, Agents Policy, Gift Policy, Human Rights Policy, Bidding Policy, Internal Reporting System Policy and Procedure, Compliance Committee Regulations, Protocol for the Prevention and Eradication of Harassment, Third- Party Due Diligence Procedure, and a Sponsorship, Collaboration and Donation Management Procedure. The model is treated as a living system, reviewed and updated continuously to reflect regulatory changes and emerging risks. All policies are approved by the FCC Group Board of Directors, ratified by the boards of FCC Construcción and its subsidiaries, and published on the corporate intranet and website.
STRENGTHENING GOVERNANCE, INDEPENDENCE AND OVERSIGHT
FCC established an independent compliance function that does not report to Legal, Internal Audit or any business area, but directly to the Board of Directors through the Audit and Control Committee. In 2018, FCC appointed a Compliance Officer and established a Compliance Committee—a collegiate body composed of the Compliance Officer (Chair), the Director of the Legal Department and the Director of Human Resources—that meets monthly and oversees the implementation and supervision of the compliance model. The model is organized on a three-lines-of-defense structure: business areas as the first line; the Compliance Function as the independent second line; and Internal Audit as the third line. This structural independence enables unrestricted access to information, operational autonomy and credibility across the organization.
RISK-BASED APPROACH AND CONTINUOUS ASSESSMENT
FCC implemented a comprehensive risk assessment framework, initially designed with external advisors and reviewed annually. Risk maps cover corruption and other offenses such as money laundering, harassment, competition and bidding processes. From these assessments, FCC derives risk, offense and control matrices, with designated process and control owners responsible for annual certification and monitoring through a digital tool. In international offices, the Country Manager certifies controls aligned with the FCPA and the UK Bribery Act. FCC’s Crime Prevention Model structures its supervision around a criminal risk catalogue, a risk assessment methodology based on probability and impact criteria, identification of controls, and continuous evaluation through self-assessments, monitoring and internal audits.
EMBEDDING ETHICS THROUGH TRAINING AND COMMUNICATION
Training is the cornerstone of FCC’s compliance culture. Employees receive mandatory online training on the Code of Ethics and Conduct every three years, complemented by in-person training sessions and workshops held at FCC Construcción’s international and Spain`s offices and project sites. Specific mandatory training topics include Anti-Corruption and Public Official Relations, Human Rights and Equality, Labor and Sexual Harassment, and Bidding and Competition Compliance. Some sessions are tailored to specific roles, while others are designed for all employees. Formal acceptance and signature of the Code is required, achieving near-universal adoption including 100% of management staff. Compliance communication is reinforced through emails, posters at offices and project sites, information leaflets, face-to-face sessions and direct engagement with teams across regions.
SPEAK-UP MECHANISMS AND INVESTIGATION PROCESSES
FCC implemented an Internal Reporting System, of which the Whistleblowing Channel forms part. The channel is accessible not only to employees, managers and directors but also to third parties, including suppliers, subcontractors, clients, shareholders, former employees and interns.
The system allows for communications to be submitted with disclosure of identity or anonymously, in writing or verbally, through multiple access points: the corporate website, intranet, the FCC360 app, email (canaletico@fcc.es), by post or through face-to-face meetings.
The system has been updated to comply with the EU Whistleblower Protection Directive (2019/1937) and its transposition into Spanish law (Law 2/2023). Reports are classified by risk level (high, medium, or other communications) and investigated under defined procedures, with the Compliance Committee responsible for the system and delegating day-to-day management to the Compliance Officer. The system guarantees confidentiality, applies a strict zero-retaliation policy, and sanctions are applied where violations are confirmed, reinforcing accountability and trust in the process.
EXTENDING COMPLIANCE ACROSS THE VALUE CHAIN
Compliance requirements are embedded in relationships with business partners and suppliers. FCC conducts integrity due diligence on partners using specialized tools such as Catalyst (Moody’s), requiring questionnaires and assessments of compliance programs. Contracts with suppliers include anti-corruption, ethics and human rights clauses allowing for audits and termination in case of violations. The Agents Policy establishes specific due diligence requirements for commercial agents and business developers. Supplier and partner compliance is increasingly treated as a prerequisite for doing business.
EXTERNAL REVIEW, CONTINUOUS IMPROVEMENT AND STANDARDS ALIGNMENT
In 2024, FCC commissioned a first-tier law firm to conduct a comprehensive review of its compliance model. This review confirmed alignment with international standards, including UNE 19601 (Criminal Compliance Management Systems), ISO 37001 (Anti-Bribery Management Systems) and ISO 37301 (Compliance Management Systems), and led to the approval of updated policies and the Code of Ethics and Conduct in July 2024. Additionally, FCC’s Internal Audit department supervises the compliance model on an annual basis, acting as the independent third line of defense. The compliance model is subject to periodic updates to adapt to the best standards and practices existing at any given time, regulatory changes, new activities, organizational changes and the results of internal assessments.

4. Overcoming Barriers
High Corruption Exposure in Construction Markets
Operating in public-sector-heavy markets and diverse geographies increased exposure to corruption risks. FCC addressed this through strict risk mapping, due diligence, and selective market engagement, prioritizing jurisdictions with stronger governance frameworks.
Cultural Resistance and Perception of Compliance as a Cost
Initially, compliance was viewed internally as bureaucratic and burdensome. This shifted as international clients increasingly demanded evidence of strong compliance, demonstrating its value as a competitive differentiator.
Global Standards vs. Local Realities
Applying uniform policies across regions with very different economic and cultural contexts posed challenges. FCC addressed this by applying common sense and proportionality, adapting implementation while maintaining global standards.
Training Fatigue and Operational Pressure
Employees sometimes perceived recurring controls and training as repetitive. Persistence, continuous communication and efforts to make training more engaging helped sustain participation.
5. Impacts & Results
Speak-up utilization: 160 communications / reports received through the whistleblowing channel of the FCC Group, classified by risk level (high, medium, other communications) and managed through a dedicated Complaints Management System (CMS) with restricted access.
Investigation timelines: harassment investigations are handled within ~1 month from the start (with urgent cases of sexual harassment resolved within 15 working days); other cases within ~2–3 months, with a legal maximum of 3 months extendable by 3 additional months in complex cases. Sanctions are applied when violations are confirmed, including disciplinary measures up to termination.
Mandatory training on the Code of Ethics and Conduct is deployed every three years to all employees, with near- universal completion. Additional specific training sessions (anti-corruption, human rights, harassment, bidding/competition) delivered in-person at international and Spanish offices and project sites, tailored by role and geography.
100% of employees completing mandatory Code of Ethics training (latest cycle).
Compliance Committee activity: monthly meetings of the corporate Compliance Committee, with reporting twice a year to the Board of Directors.
Risk management: annual risk evaluation with risk and control matrix, annual control certifications issued via digital tool, and international Country Manager certifications aligned with FCPA and UK Bribery Act standards.
External validation: comprehensive external review in 2024 confirming alignment with UNE 19601, ISO 37001 and ISO 37301, plus annual Internal Audit supervision of the compliance model.
Third-party due diligence: integrity due diligence conducted on partners and agents using specialized tools (Catalyst/ Moody’s), with anti-corruption, ethics and human rights clauses embedded in contracts.
Code of Ethics acceptance: 100% of management staff have signed and accepted the Code of Ethics and Conduct, with near-universal adoption across all employees.
6. Key Lessons Learned
Tone at the top is foundational
Ethical leadership from the Board and CEO directly shapes employee behavior and credibility of the compliance function.
Independence strengthens effectiveness
An autonomous compliance function reporting directly to the Board enhances trust, authority and objectivity.
Training is the backbone of culture change
Continuous, mandatory and well-communicated training is essential to embedding ethics across a global workforce.
Risk-based models must evolve continuously
Compliance frameworks must adapt to new regulations, markets and operational realities.
Compliance enables business, not just protection
Strong ethics and compliance programs support access to global clients, partnerships and long- term sustainability.

"We believe that in an organization, employees tend to behave as their leaders do. If the bosses, directors, board members, and the CEO behave ethically, the rest of the employees will follow.”
FCC Leadership
7. Company Commitment
FCC has been a committed participant in several UN Global Compact initiatives since 2005:
UN Global Compact & UNODC COSP Private Sector Platform 2025 - 2027
Think Lab on Business Integrity 2024 - 2025

8. Recommended Resources
Recommended UN Global Compact Resources
Download Case Study
Disclaimer: This case example is intended strictly for learning purposes and does not constitute an endorsement of the individual companies by the UN Global Compact.


