Ed. Note: Late yesterday afternoon, the Department of Justice (DOJ) released an update to the Evaluation of Corporate Compliance Programs, 2019 Guidance. This 2020 Guidance has been incorporated into this blog post. You can download a copy of the 2020 Guidance here.
What are some best practices regarding an internal reporting system? The 2012 FCPA Guidance stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.”
This was expanded in the DOJ’s 2020 Guidance, in the section entitled “D. Confidential Reporting Structure and Investigation Process”, with the following language, “Another hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct. Prosecutors should assess whether the company’s complaint-handling process includes pro-active measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers.”
Moreover, internal reporting systems are a clear indicia of a working, operationalized compliance program. The 2020 Guidance went on to state, “Confidential reporting mechanisms are highly probative of whether a company has “established corporate governance mechanisms that can effectively detect and prevent misconduct.” (an effectively working compliance program will have in place, and have publicized, “a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation”).”
The 2020 Guidance further refined this basic requirement for a hotline with inquiries into the effectiveness of your corporate hotline, asking “Effectiveness of the Reporting Mechanism – Does the company have an anonymous reporting mechanism and, if not, why not? How is the reporting mechanism publicized to the company’s employees and other third parties? Has it been used? Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?” How would you consider responding to these questions?
Does the company have an anonymous reporting mechanism, and, if not, why not? This would seem like the most basic inquiry that one could have. For if you are a US public company or rather any company listed on the US stock exchanges, you have been required to have an anonymous whistleblower system in place since the passage of the Sarbanes-Oxley Act (SOX) back in 2002. SOX directs the New York Stock Exchange, Nasdaq and other national securities exchanges to require a listed company’s audit committee to establish formal procedures for addressing complaints relating to accounting and auditing matters. Listed companies were required to have these whistleblower procedures in place by the earlier of (a) their first annual meeting after January 15, 2004 or (b) October 31, 2004.
SOX went on to mandate that companies have reporting systems for receiving, retaining and treating complaints that the company receives from external sources regarding accounting, internal accounting controls or auditing matters, as well as providing a means for confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. SOX makes it about as clear as possible that any publicly listed company must have a reporting system. Even if you are a private company, is there some reason you would not want to know about illegal conduct in your organization? Or as the government would ask “If not, why not?”
How is the reporting mechanism publicized to the company’s employees? If employees do not know about the hotline, they will not use it. Allocate a portion of your time and budget to promoting the corporate hotline through multiple channels. Put up posters and distribute cards that employees can keep in their wallets or desk drawers. Deliver in-person presentations where possible. And do not think of the promotional initiative as a one-time effort. It is important to remind employees regularly, through 360-degree communications, that this resource is available to them. Some hotlines offer promotional materials to help make the job easier; make sure you ask what type of promotional support may be available through your corporate comms department. Finally, never forget using a creative campaign to publicize and communicate about your internal reporting system. Ronnie Feldman of L&E Creative is one of the best around.
Has it been used? An internal reporting system is obviously of no value if the stakeholders are not aware of it. Even if you have an internal reporting mechanism in place, has every segment of the company been informed. Your internal reporting data can reveal any gaps. You can review data sliced and diced in a variety of ways to test whether the internal reporting system has been used. You can segment your internal reporting by region, department, incident classification, and other criteria. If there is one group, area or some other defined segment which is not using it, it should become obvious in comparison to the rest of the organization.
How has the company assessed the seriousness of the allegations it received? One of the things that I learned from the television series M*A*S*H was the need for triage. In the hospital setting, triage is the process of determining the priority of patients’ treatments based on the severity of their condition. Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way to separate the wheat from the chaff and bring the right number of resources to bear on a compliance problem. One important area is making an initial determination of whether to bring in outside counsel to head up an investigation and the resources that you may want or need to commit to a problem. You literally need to “kick the tires” of any allegations or information so that you know the circumstances in front of you before you make decisions. You can achieve this through a robust triage process.
Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it? (This question was newly added in the 2020 Guidance update). This query involves two components: do your employees know about the hotline and do they feel safe in using it? Retaliation or perceived unfairness to those making hotline complaints will destroy the effectiveness of the internal reporting process and poison the corporate culture. A hotline must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to someone outside their immediate chain of command or workplace environment, especially when the complaint concerns an immediate superior. The hotline should also enable employees to submit a report from the privacy of an off-site computer or telephone. It may seem like a small convenience but giving employees the freedom to enter a complaint from a location that is safe can make a huge difference to participation rates.
Has the compliance function had full access to reporting and investigative information? While there will be a desire by your corporate legal department to not give out any information about the investigation until it is complete and there is a final report, the compliance function must resist this at all costs. If the results of the investigation are not made available to you as the Chief Compliance Officer (CCO) or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because, you’re just going off suppositions and guesses. There must be a solid line of communication between the people who are doing the investigation and the people leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed. Such an approach can also be a recipe for disaster.