Just about any compliance officer knows that reporting, training, and case management are three indispensable elements of an effective compliance program.
Lately I’ve been ruminating about how those elements combine into one strong ethics & compliance program. In fact, calling them “elements” is particularly apt, since they do behave a lot like elements in chemistry: blend them in the right amounts, and you get a much more complex chemical compound. Blend them in the incorrect amounts, and things go wrong.
So let’s talk about how reporting, training and case management should be combined properly.
Your Base Element: Incident Reporting
When employees mostly report concerns directly to their managers, it means the organization has a strong speak-up culture and an effective Code of Conduct.
The base element here—that is, the material you start with—should be reporting statistics. I say should be because acquiring information about internal reporting is tricky. Too many companies still fall into the trap of relying on hotline reporting statistics alone, or on incomplete reporting statistics. Neither does you much good.
Whenever compliance officers think about internal reporting data, always underline one fact: most internal reporting does not arrive via the hotline.
According to NAVEX Global’s 2016 Hotline Benchmarking Report, companies that collect incident reports beyond web and whistleblower hotline channels capture 72 percent more complaints. Most often, employees report concerns directly to their managers.
Download White Paper: 2016 Ethics & Compliance Hotline Benchmark Report
That’s a good thing. When employees mostly report concerns directly to their managers, it means the organization has a strong speak-up culture and an effective Code of Conduct. Senior executives should want to see this happen.
Still, consider the implications of that good news for the rest of your compliance program. You need to capture as much information as possible about those reports; otherwise, you don’t have a full picture of the concerns within your organization. That can send your training programs down a wrong path or leave the company with risks it doesn’t know about.
You, the compliance officer, need to collect certain facts about every complaint so you can study them in bulk and tap into the benefits of true “big data.”
In other words, a strong speak-up culture increases the need to have an incident reporting system for managers that’s easy to use and fits within their workflow. Their process should involve more than a short email that details the complaint and actions taken or a phone call at the end of the day (or the week) to the compliance team.
Especially for large organizations, incident reporting systems and procedures must be standardized. You, the compliance officer, need to collect certain facts about every complaint so you can study them in bulk and tap into the benefits of true “big data.” What was the issue? Where did the complaint come from? Against whom was the complaint made? What level of employees were involved? (Plus many more questions, potentially.)
Read More: When Managing Whistleblower and Retaliation Risk, Processes and People are Critical
Critically, companies also need a corporate culture that reassures middle managers. Plenty will wonder whether reporting lots of incidents reflects poorly on them. Plenty will have worked hard to get where they are and won’t want to jeopardize their career paths. One message must always be that a speak-up culture is good; another should always be that illuminating problems won’t get you punished.
Compounding With Training and Case Management
Once compliance officers have those base elements of internal reporting data, they can use insights from them to improve training and case management systems.
For example, a high number of complaints about one type of issue (say, harassment) or about one group of managers (those working in the regional office), suggests where training resources might be needed. That differs from complaints about one manager, which might require disciplinary action; or complaints about one transaction, which could prompt an investigation.
Internal reporting data is the raw material that lets compliance officers estimate how effective their case management systems are.
To do this effectively, the compliance team needs to cooperate with members of the HR department. They are the experts on how to plan training, and can map out the best training tactics (in-person versus online; one long session or multiple short ones, etc.) to solve a problem identified from internal reporting data.
Reporting data is also invaluable to help guide your system of case management. For example, one crucial metric for the effectiveness of your compliance program is how quickly you close cases. To track case closure time, you need to know exactly when complaints were made. To estimate probable case closure time, you need to know the nature of the complaint itself and how much time similar cases needed to be resolved in the past.
Benchmarks like those help inform a compliance officer on what the budget for case management should be, and whether the case management systems are up to the challenge at hand. Internal reporting data is the raw material that lets compliance officers estimate how effective their case management systems are. And according to the NAVEX 2016 Hotline Benchmarking Survey, case closure times rose from 32 days in 2011 to 46 days in 2015.
Download White Paper: 2016 Ethics & Compliance Training Benchmark Report
An effective case management system, in turn, can help to improve corporate culture or internal policies. For example, a case management system that ensures timely follow-up when employees raise concerns will also reassure those employees that they are being heard. Or if you see the same complaints leading to the same investigations over and over, you may need to amend policies or internal controls to prevent the infractions from happening in the first place. (In addition to possible disciplinary action for offenders.)
The bottom line is that a robust compliance program uses a blend of internal reporting data, training and case management to create a program stronger than any one of its parts. Yes, that takes careful planning and some experimentation—and yes, the payoff is worth it.
Download Guide: Definitive Guide to Incident Management
