When Managing Whistleblower and Retaliation Risk, Tools are Important – Processes and People are Critical

One collection of terms I hear a lot is “tools, processes and people.” All three need to be successfully deployed to make a compliance program run properly while also creating an organizational culture that supports compliance with policy and the law. This is especially true with one of the largest and perennial challenges facing compliance officers: whistleblower reporting, incident management and retaliation risk. With unprecedented regulatory focus on these issues by numerous agencies and risk getting higher with every headline grabbing agency action, these topics need to become a priority of discussion with your board and C-suite.

The Important Tools for Whistleblower and Retaliation Risk

An organization’s whistleblower hotline (or integrity helpline), along with a robust incident management system, are crucial and are often required tools—but these are still only tools.

An organization’s whistleblower hotline (or integrity helpline), along with a robust incident management system, are crucial and are often required tools—but these are still only tools. The hotline and other designated reporting avenues are conduits for employees to bring suspected misconduct to the attention of managers who are supposed to identify and prevent rising issues. Companies can (and do) implement elaborate hotline systems that offer anonymity and field complaints in multiple countries and languages.  There are even advanced systems that screen for implicated parties before distributing reports to compliance professionals. 

Still, in the end, a hotline is just a hotline and all reporting avenues are only as good as the responses from the people who are given the message. If those who are fielding allegations don’t respond correctly, an organization will have a mess on its hands no matter what reporting tool is used. When it comes to hotlines, I have said many times that the “easy” part is setting up a phone number. The hard part is what the organization does with reports once it receives them.

Processes and People

That’s why processes and people are every bit as important as the tools themselves. In media reports of organizational misconduct, almost inevitably two stories ensue: First, employees insist they did try to raise their concerns to managers. (Note: the SEC Office of the Whistleblower has highlighted that 80 percent of the tips received have first been reported internally.) And second, they suffered some form of retaliation for doing so.

Ignored or delayed complaints—or worse, complaints sparking retaliation—are serious concerns for an organization and for the credibility of the compliance team that manages its program. These issues happen regardless of the hotline tool used because they are triggered by failures of policy, process, training and most importantly – culture.

Let’s put some hard data on this point. Our NAVEX Global annual benchmarking reports review a variety of key metrics related to hotline reports, processes and outcomes. Over the last five years, the time it takes organizations to close a case has risen to risky levels – a median of 46 days in 2015 up from 32 days in 2011. Reasons given for the delays include insufficient resources and complexity of cases in the current regulatory environment. As a compliance officer, I get this, but for the employee who has raised a concern and is waiting for a response, every day can feel like an eternity and an opportunity for retaliation.

There is one other process-related practice that is important to highlight. While the compliance office is not always the team that conducts actual investigations, it is critically important for it to ensure that all issues raised through hotlines are properly investigated and appropriate action is taken in a timely way. I see too many organizations use their reporting systems as a clearing house to farm out reports to other organizations for action and then immediately close cases with no visibility into actions, timing or outcomes. If we abdicate responsibility with no follow-up, we put our credibility on the line and increase the potential for bad outcomes.

If we abdicate responsibility with no follow-up, we put our credibility on the line and increase the potential for bad outcomes.

Furthermore, most employee concerns about misconduct don’t come through the hotline. In most cases, employees bring their issues directly to their managers. When managers turn a deaf ear to those complaints, it is because they either don’t know what to do with a complaint or don’t want to take the necessary steps to address the concern. We as business leaders have an obligation to assist managers with this important responsibility. We need to provide them with training and tools on how to respond, enter and track issues they receive for effective resolution and closure.

Policies and processes deserve the most attention because the stakes are so high when getting that part of a whistleblower program wrong. Failures at this level convey to employees, regulators, investors, customers and the public that your culture is wrong. That, in turn, can lead to steeper regulatory fines, loss of reputation, loss of good employees and even loss of business.

So, what do we do?

10 Steps to Managing Whistleblower and Retaliation Risk

Following are 10 steps for organizations to consider related to processes and people to help avoid the pitfalls related to managing a reporting system.

  1. First and foremost, accept that internal reporting is a good thing; that the majority of reporters do so with good intentions; and take all reports seriously.
  2. Treat your employees as reporters, not as whistleblowers.
  3. Establish strong and consistent investigation and discipline processes and policies.
  4. Train investigators on proper techniques and required reporting.
  5. Communicate with reporters regularly throughout investigation processes.
  6. Train on retaliation at all levels of the organization – including the front line.
  7. Test and assess organizational culture and employee beliefs around speaking up
    and fear of retaliation.
  8. Monitor for retaliation and make retaliation reporting a regular board-level discussion.
  9. Manage or oversee all reports to closure. Don’t abdicate responsibility for reports by forwarding them to another department and closing the report without further review.
  10. Raise issues of resource constraints that are delaying case closure times to the board level if needed.

Schedule a demo of our whistleblower hotline services and see how to get the ethics and compliance data you need to inform your program, spot trends and take corrective action before minor issues become major.

Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.

Green IT: What You Need to Know
The Existential Threat of Fraud

If Things Have to Be Risky for Your Third-Party Risk Management Program to be Valuable, You’re Doing It Wrong

There is clearly risk working with third parties, but what is too often lost in the discussion is the business case for robustly and diligently assessing and monitoring third parties in a risk based manner. We cannot just view third-party management as a contingency plan for potential litigation but as a necessary step for third party selection that is tied to ROI.
Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

ISO 37001: Answers to the 5 Questions We’ve Heard Most About the Standard

It’s been a month since ISO 37001 was published and there are some questions we have heard percolating in the compliance world about what this means. These are answers to the questions we’ve been hearing the most.
Next Post Previous/Next Article Chevron Icon of a previous/next arrow.