In an important ruling on March 4, the Supreme Court expanded the whistleblower protections outlined in the Sarbanes-Oxley Act (SOX). The protections originally applied only to whistleblowers at public companies; in a 6-3 ruling, the Justices decided that the whistleblower protections in SOX apply to private contractors working for public companies as well. Think about it: in the Enron case, the one which actually gave rise to SOX, third-party vendors were privy to the corruption. Under the previous provisions, any employee at Enron Corp’s accounting firm, Arthur Andersen, for example, who blew the whistle on Enron would not have been covered by the SOX whistleblower protections.
Given that any privately owned business that provides services to publicly traded companies or mutual funds is now subject to these provisions, there is some understandable confusion about the ruling. These companies must now look at their compliance programs with fresh eyes. Yes, now they too have to worry about any retaliation against company whistleblowers, which means they are at greater risk for SOX litigation. But is this really a bad thing? I would hope that small businesses can come to recognize this ruling as a blessing. Yes, perhaps in the short term it might create some more work – but the Supreme Court’s ruling can only help small, private businesses become better institutions.
Here at The Network we are firm advocates for a speak-up culture. We believe in “See something, say something.” We are a private company, but we recognize how important having a speak-up culture is for both employee satisfaction and compliance (in fact, we actually started and still operate the first whistleblower hotline in the United States). Cultures that don’t promote open communication and encourage employees to speak up are breeding grounds for misconduct. Those are the places where fear of retaliation prevents employees from blowing the whistle, and that is very dangerous… that is how the next Enron will happen and that is what SOX was enacted to prevent.
Creating a “speak-up culture” takes work and quite a few tools: a whistleblower hotline, awareness programs and campaigns, and engaging business ethics training that makes employees aware not only of their rights, but also of their duties to report wrongdoing to the company.
Perhaps this confusion is not because private companies disagree with the ruling but because they just have no idea where to start. They might be asking themselves, ‘Do I have to re-examine our whole compliance program? Our code of conduct? Every single policy?’ It’s not realistic to completely revamp everything all at once. We as compliance professionals need to have a real, actionable and executable plan to protect ourselves from SOX litigation that might come out of the expanded whistleblower protections. We need to start at the source: our company risk.
I like to think that everything happens for a reason, so I’m going to say it was serendipitous that I sat in on Jeff Kaplan’s webinar today, “Compliance Risk Assessments – New Methods for a Defensible Ethics and Compliance Program,” which touched on exactly what we are talking about: company risk. While Jeff wasn’t focused on the specific impact that the SCOTUS ruling has had and will continue to have on small, private businesses, he did lay out a framework we can use to identify our highest risks so that we know where to best allocate our resources.
Jeff spoke to identifying both compliance and ethics risks and provided five tools generally used for assessing those risks:
• Standards (policies)
• Business Ethics Training/Communication
• Internal Controls (required pre-approvals)
• Accountabilities (i.e., managing incentives)
These different tools are not always managed by the same people or even the same departments, so communication across all parties is crucial. For that reason, if you have the capability and resources, you might want to look into implementing a GRC (governance, risk and compliance) solution that will allow you to house each of these tools in one location and report across all of them. This would allow you to easily assess your greatest risks, as well as see any trends. Jeff went on to say that you probably won’t be able to implement everything – don’t worry about that – but do give identifying the company’s greatest risks your best effort.
If you can make it a goal to continually assess and mitigate your risks of unethical behaviors and non-compliant acts, and to educate your employees on your expectations of them (you want them to speak up!) and the protections available to them (namely, that retaliation will not be tolerated), you will have little left to worry about over the SCOTUS ruling on the SOX whistleblower protections.