Thanks to Sarbanes-Oxley, whistleblower hotlines are a hot topic for public companies. But what’s the best way to manage a hotline? And how can a company measure whether its hotline is effective? A coalition of governance experts has taken the first step toward answering those questions.
The non-profit Open Compliance and Ethics Group, which recently documented end-to-end process standards for governance, risk, compliance and ethics management systems, has set its sights on developing a global set of open operating and technical standards around whistleblower hotlines.
Mitchell
“Ultimately, the goal is to help companies to put in place and manage more effective hotlines,” said Scott Mitchell, OCEG chairman and chief executive. Mitchell says the planned guidance aims to make it easier and less expensive to manage, benchmark and evaluate the effectiveness of whistleblower hotlines.
Over two years ago—on April 1, 2003—the Securities and Exchange Commission adopted rules that require the national exchanges to delist any company that is not in compliance with the audit committee requirements of Sarbanes-Oxley. One of those requirements was outlined in Section 301 of SOX, requiring audit committees to establish processes for “the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”
Though most companies have implemented such systems by now—or are well on their way to doing so—the management and benchmarking of those systems have become key issues. That's because some argue that companies have been spending too much time focusing on compliance "processes" instead of the "outcomes" of those processes.
As a result, companies are increasingly looking to find ways to leverage their procedures to understand the ethical tone of their workforce. “Hotlines ceased to be about fraud and abuse, and became a barometer to understand a company’s ethical culture,” says David Childers, CEO of EthicsPoint, one of three hotline vendors co-chairing the OCEG’s newly formed Hotline Working Group.
But the challenge isn’t just for public companies; legislation aimed at strengthening the governance and oversight of nonprofit organizations is expected. Because of the potential impact on the oversight of charitable and nonprofit organizations—which have come under scrutiny by both houses of Congress—Childers said the group feels it’s important to get standards in place sooner, rather than later. “Nonprofits are moving to a new level of governance and compliance,” he said, citing a report presented to the Senate Finance Committee by the Panel on the Nonprofit Sector—an independent panel of leaders from public charities and private foundations—which calls for strengthened governance and greater accountability among nonprofits.
Putting In Structure
In recent years, hotlines have gotten the nod as a company’s first line of defense against fraud. The Association for Certified Fraud Examiner, in its widely read 2004 Report to the Nation, reported that the majority of occupational frauds uncovered are detected by anonymous tips through vehicles such as whistleblower hotlines.
While SOX made establishing confidential reporting mechanisms a requirement for public companies, and revised federal sentencing guidelines offer some guidance related to whistleblower hotlines, the rules don’t prescribe technical or operating standards for those mechanisms.
Ciancio
“Sarbanes-Oxley says companies need an anonymous way for employees to report,” says Nick Ciancio, vice president of marketing and sales for vendor Global Compliance Services. “It says that they need to be able to get the report, to retain it, and to treat it, but it’s left up to the companies to figure out how to do that,” he adds. “We’re trying to put some structure around this.”
The Hotline Working Group will develop a code of conduct for vendors and internal departments; a set of metrics that clients should expect to receive—and by which they can judge vendors; and a set of XML (Extensible Markup Language) data interoperability standards that OCEG says will help organizations knit the systems into their overall enterprise architecture.
Other members of the OCEG Hotline Working Group include Archer Daniels Midland, Ernst & Young, Staples, Wal-Mart Stores, Qwest Communications, and others.
According to Mitchell, the new working group was also sparked in part by OCEG’s June 20 union with The Compliance Consortium. While he said OCEG has focused on developing process standards, The Compliance Consortium focused its efforts on creating technical standards. “The merger afforded us the opportunity to jump start a new aspect of our standards development,” says Mitchell. “The hotline group is the first working group sparked by that merger.”
The standards will address issues Mitchell says OCEG’s member companies have been grappling with, such as deciding which indicators to measure, comparing how they’re doing against their peers, and how to integrate their hotlines with other enterprise systems to make them more valuable.
Mitchell said the working group hopes to create an initial draft of the standards for public comment by the end of the year, while the time frame for final standards will depend largely on the feedback the group receives.
No comments yet