The Securities and Exchange Commission's whistleblower program issued its first payout last month, awarding $50,000 for information on a multimillion-dollar fraud.
When Sean McKessey, chief of the SEC's Office of the Whistleblower, announced the award, he stated that the SEC has received an average of about eight solid tips per day since the program was established last year. The news is just the latest reminder that organizations need to ensure that their compliance hotlines are operating as intended and that they are effective. If employees don't feel comfortable raising concerns through the normal chain of command, the internal hotline should serve as a constructive mechanism and last line of defense for companies to know what is happening before the SEC or other enforcement and regulatory bodies become involved.
The 2012 Corporate Governance and Compliance Hotline Benchmarking Report issued by The Network based on data collected from about 3,000 companies observed that “just 28 percent of employees notified management before making a report via a hotline.” And there remain concerns that the SEC whistleblower program will further reduce the number of employees who report internally, especially if employees question the value of the hotline.
So how do you know if your compliance hotline is actually working? The evaluation of the compliance hotline should be part and parcel of an overall review of the effectiveness of the company compliance and ethics program. Given the critical nature of the hotline, however, in identifying significant issues and because the hotline reflects the openness and ethical climate of the organization, special care needs to be taken to ensure a proper review is conducted.
Distinct approaches and additional steps have emerged for reviewing hotlines. It is now understood that basic measurements, such as call volume, cannot be assessed in a vacuum. For example, if no one uses the hotline does it mean there are no problems or that no one trusts it?
Scope of Review
For the internal auditor and compliance professional the main objectives and scope of a compliance hotline are straightforward:
Understand the history and objectives of the company compliance hotline;
Review current hotline policies and procedures to determine if they meet the objectives determined by the company compliance and ethics program;
Provide a comparison of the company hotline to industry common practices and benchmark data where possible;
Provide a “gap” analysis of current to preferred state of the company hotline (for public companies this includes assessing compliance with the Sarbanes-Oxley whistleblower provisions); and
Identify opportunities for process improvement.
Benchmarking
As described in The Network report, companies have struggled to accurately assess hotline performance, since most are unable to compare their results to those of other organizations. That reality can make it difficult to draw reliable conclusions about the quality of the hotline.
To allow for meaningful comparisons, The Network has amassed data over the past five years from employee reports that come in through telephone and Web-based hotlines. Benchmarking hotline practices to a credible external source, such as The Network's benchmarking report, provides a method for auditors to evaluate the consistency of hotline processes with industry practices and can lead to useful insights.
For example, going back to the adage of the usefulness of call volume, benchmarking can help auditors assess if low volume is indicative of particular issues with the hotline process, by comparing call volume to industry averages. A low call volume can instead be due to employees using other methods to report potential wrongdoing. Before benchmarking your hotline, consider aggregating data from each reporting method to allow for such differences.
Distinct approaches and additional steps have emerged for reviewing hotlines. It is now understood that basic measurements, such as call volume, cannot be assessed in a vacuum.
At companies that receive many more hotline reports than industry peers, the hotline may be working well, while others are laboring to raise usage. On the other hand, if the hotline is deluged with calls about minor issues, the company may need to amend employee communications to redirect basic concerns to supervisors and human resources personnel to resolve.
Analysis can show whether variance in hotline report volume is localized or pervasive. Pockets of divergence from reporting norms are common in decentralized organizations. These can reflect the performance of local management in creating an appropriate workplace environment, or can be due to communication challenges, language, and cultural differences in certain locales.
The mix of different incident types should also be scrutinized. If a particular category of reports is missing or under-represented, the auditor should consider if the variance could be caused by a gap in employee training and communications. Alternatively if a particular category of reports represents an unusually large proportion of the total. that could indicate non-compliance with the organization's policy, a lack of sufficient policy guidance for that area, or another reason such as insufficient resources.
The 2012 benchmarking report can also help auditors evaluate whether case investigation and resolution process is producing results in line with industry averages. If the proportion of hotline reports not meriting investigation is higher in the organization than industry peers, employee training may be unclear, hotline staff may not be obtaining sufficient information to allow investigation, or managers may not be judging some types of incidents as seriously as others.
Ethical Climate
The culture of an organization is understood to be driven by the values and behaviors of its leaders and employees. Because a compliance hotline is such a key component in the compliance efforts, essential features of the organization's ethical climate related to operation of the hotline should be examined.
If the organization has a good “tone at the top” and “promote[s] an organizational culture that encourages ethical conduct and a commitment to compliance with the law” presumably employees are generally more likely to communicate openly without fear of reprisal. Alternatively, where employees fear speaking up and rely heavily on anonymity to report concerns, that suggests a more challenging work environment.
Auditors can again draw on The Network report to compare data on the proportion of participants who chose to remain anonymous when reporting their concerns. If the organization's rate of anonymity is lower than the industry average, it's possible that the organization is trusted more to address complaints fairly without reprisal, reflecting a favorable tone at the top. But if the organization's anonymity rate is higher than average, fear of retaliation could be a greater concern. That could undermine the effectiveness of the whistleblower system and weaken any claim to an effective compliance program under the Federal Sentencing Guidelines.
Surveying employee perceptions has similarly emerged as a technique to gauge the overall state of compliance. Ideally the company has been incorporating compliance program questions into an employee survey that is distributed on a regular basis. The survey data can then be benchmarked internally and tracked over time, or externally and compared to data of companies of similar size and industry for trends and observations.
Questions relevant to the hotline process that employees can respond to on a standard five-point Likert scale, strongly agree to strongly disagree, include:
I know about the resources that are available to me for guidance on compliance and ethical issues that may arise in my job.
I know how to report suspected unethical and/or non-compliant business conduct.
I have no fear of retaliation for reporting unethical behavior.
If I report unethical behavior, I am confident the appropriate corrective action will be taken.
When companies use these questions for the first time, they're often surprised by the results. For example, corporate leaders might believe they are saying all the right things, but then realize that employees often look beyond the words and perceive other messages.
Other Audit Steps
In addition to management inquiries and interviewing key individuals on the compliance hotline process, the following steps are recommended:
Obtain documentation from a sample of investigations into breaches of the company's policy or other significant misconduct. Determine whether consistent investigation techniques and protocols were utilized to arrive at a proper disposition of the matter.
Contact a sample of employees who have executed an acknowledgment form or a code of conduct certification, which includes the availability of the hotline, to determine whether they have indeed read and understood the contents of these documents.
Select a sample of substantiated hotline reports to assess whether employees who use the hotline have been subject to retaliation.
Sample personnel files of employees disciplined for a particular offense as a result of a report to the hotline to determine whether discipline was consistently and proportionally applied. Evaluate whether employees in managerial and supervisory positions were subjected to the same disciplinary measures meted out to rank-and-file employees for the same offense.
A comprehensive audit of the compliance hotline process can better ensure employees are aware of how to report concerns and are raising issues in an appropriate manner. The Network report provide several means to benchmark a hotline to assist in evaluating your processes. Ultimately an effective compliance hotline supports a culture of compliance and ethical behavior in the workplace, and in turn is an essential feature of a robust compliance and ethics program.
No comments yet