Frank Lopez’s recent Compliance Week guest column, “Tips for Mitigating Whistleblower Risk” (March 3, 2009), provided a good overview of whistleblower policy, as well as some excellent suggestions for improving the anonymous hotline reporting process overall. It also got me thinking about the importance of moving beyond the hotline, and beyond business-as-usual reporting on risk- and compliance-related incidents.

What companies should strive for is an enterprise-wide framework for mitigating the risk of non-compliance within the full range of regulations and corporate standards. That’s certainly an issue for my company, at least. Cognizant Technology Solutions is one of the world’s largest IT services providers with extensive operations around the world, and we must be doubly cautious when it comes to privacy, security, and compliance. We work intimately with our clients on a broad range of projects, through which our employees often have access to confidential information, intellectual property, and proprietary data and systems.

The size and diversity of our employee base also provide us with some challenges. We have approximately 65,000 employees in more than 50 delivery centers around the world. While the majority of our workforce is located in India, our employees reside in more than a dozen countries with varying cultures and backgrounds.

Part of my charter is ensuring compliance with a broad range of internal and external mandates across our diverse and far-reaching organization. As such, I need to cover a lot of ground, both geographic and issue-related. I oversee programs that govern acceptable use of Cognizant and client assets and systems, accuracy of books and records, competing honestly and fairly in the marketplace, protection of confidential information and intellectual property, compliance with laws, rules, and regulations, and respectful treatment of employees, clients, and others. When it comes to all of these areas, integrity and respect are values that we embrace and are committed to safeguarding.

In a large and complex organization like ours, it can be difficult to stay on top of things that are happening half a world and a dozen time zones away—yet those incidents can have profound, corporate-wide implications.

Our Old Approach

For a number of years, when it came to monitoring worldwide risk- and compliance-related issues, we relied largely on our whistleblower hotline. Once an issue came to our attention, my team monitored and managed incident resolution and communications through a combination of e-mail and Excel spreadsheets.

This worked well for the incidents that were reported, but it was very time consuming. More importantly, the process allowed at least some incidents to fall through the cracks. Local management might not always have had the time to properly follow up on a situation; they might have overlooked an infraction that seemed minor but could be problematic; something generally accepted in one culture—but not to Cognizant as a whole—might go unchecked.

We really needed a more systematic, company-wide approach to staying on top of risk- and compliance-related incidents—an approach that went beyond the whistleblower hotline and provided us with a new level of accountability and assurance.

We designed a new process around the notion of monthly certification, which we now require from key stakeholders throughout the company. Rather than rely solely on what comes through the whistleblower hotline (or through local management or any other channel, for that matter), we now require stakeholders to report monthly on the existence of new risk- and compliance-related incidents, and on the status of already-reported incidents.

Monthly certification creates a very strong system for accountability, helping ensure that nothing falls through the cracks because someone’s too busy, or may have discounted the importance of a local situation. But there was a catch: Above all, I didn’t want to impose yet another cumbersome paper-, e-mail-, and spreadsheet-intensive process on managers. If our stakeholders were already feeling too busy, I certainly didn’t want to layer on something that would cost them more time and effort.

Fortunately, we were able to make life easier for our stakeholders with a software-as-a-service solution, which we got up and running quickly, from a company called ProcessUnity.

How Life Works Now

When a new incident, issue, or complaint arises—whatever the source—we assign formal resolution to an owner, use the software to follow up with incident owners, and monitor resolution until an incident is closed. Managers can enter new incidents, communicate progress on resolution, and maintain all the documentation regarding an incident in a single place—that is, no more flying e-mails with attachments that can sometimes go astray.

Cognizant’s executive management and audit committee also have round-the-clock access to information. Through a secure Internet-based executive dashboard, they can view the status of all incidents and drill down, making comments and suggestions and asking for clarifications. It’s an effective way to ensure that management is kept current on risk and compliance incidents on a regular basis.

But we wanted more than a process for tracking new and existing risk- and compliance-related incidents. As I mentioned, we really needed a mechanism to identify any incidents that may have been going unreported. This, for us, has been the biggest breakthrough.

Midway through each month, we generate an automated e-mail asking human resources, IT security, and other managers throughout Cognizant to certify that, for the prior month, they have reported any risk- and compliance-related incidents or violations of the company’s Code of Ethics in their area of responsibility, and have provided updated information on progress toward resolving any outstanding issues.

This means that every month, our managers must provide corporate compliance—and in turn, the entire Cognizant executive team—with an assurance that all outstanding issues are present and accounted for. Not only have we become more efficient, and saved ourselves time by automating this process, but we’ve also improved the quality of the information we capture.

Most important, the simple act of requiring our managers to certify that they’re up to date on risk- and compliance-related incidents gives us a level of transparency that, as a public company and an IT service provider, is extremely important to us. We wouldn’t have been able to achieve the level of confidence we have in our compliance efforts if we’d continued to rely on the whistleblower hotline, e-mails, and spreadsheets alone. That approach was good—but our new one is a whole lot better.