The dos and don’ts of compliance and employee reporting

Jessica Brown

Jessica Brown

Jessica Brown (jessicabrown@logan.org, linkedin.com/in/jessica-brown-rrt-chc-chpc-580432223/) is a Compliance and Privacy Partner at Logan Health in Libby, Montana, USA.
Ximena Restrepo

Ximena Restrepo

Ximena Restrepo (xrestrepo@logan.org, linkedin.com/in/ximena-restrepo-m-j-chc-chpc-93a9bb14/) is a Compliance and Privacy Partner at Logan Health in Bozeman, Montana, USA.
Listen to article
7 minute read

by Jessica Brown and Ximena Restrepo

Employee reporting is not only a critical element of an effective compliance program but also a core function that demonstrates the organization’s goodwill in corporate and social responsibility. These sources of reporting—such as the compliance hotline/helpline and other integrity-related reporting—permit employees, volunteers, and contractors to report matters or raise concerns safely with no fear of retaliation.

Is your compliance reporting volume up or down? What are the trends you are seeing over time or by season?

If the volume goes up, this may not necessarily imply new concerns. It could also indicate signs of a healthy work environment and the result of trust and a strong speak-up culture. If reporters have a positive outcome, feel their concerns were heard and understood, and believe action was taken in a timely manner, they will likely be more inclined to reach out in the future and also encourage their peers to report.

Leverage your reporting mechanisms

It is important for organizations to offer a choice of multiple reporting mechanisms, including different access points and platforms, as well as an anonymous reporting option. Time management, communication skills, collaboration between key investigating department leaders, and effective reporting structures are needed to ensure the process does not become overwhelming and cumbersome. Compliance should rely on a solid organizational investigation process to identify and address noncompliant activities, reinforce commitment and accountability, and ensure fair, equitable, and consistent enforcement.

Effective reporting structures

To properly triage concerns and/or investigations, consistent communication channels must be established with key operational leaders during the review and mitigation process. Initially, a standard reporting structure must be defined. It is recommended to use existing industry-standard structures and adjust as needed.

Navex, for instance, in their most recent annual Hotline & Incident Management Benchmark Report, provides a baseline of the most common report categories and subcategories.[1] The main categories identified in the 2023 Navex report include:

  • Accounting, Auditing & Financial Reporting

  • Business Integrity (conflicts of interest, fair competition, anti-trust, political activity, data privacy, etc.)

  • Human Resources, Diversity & Workplace Respect (discrimination, harassment, retaliation, substance abuse, workplace civility, etc.)

  • Environment, Health & Safety

  • Misuse or Misappropriation of Assets

  • Other

Ethico, similarly, in their 2023 Hotline & Investigations Benchmark Report, provides the following basic categories:[2]

  • Human resources (discrimination, harassment, retaliation, unfairness, staffing and management issues, etc.)

  • Compliance, regulatory, legal (conflict of interest, code of conduct, other illegal conduct, fraud, etc.)

  • Environment, health and safety

  • Privacy, Infosec

  • Customer relations, business quality

  • Billing, finance, vendors

Defined categories can provide a structure to promote the flow of information. Hierarchical, top-to-bottom, and horizontal (i.e., across team members or leaders with the same authority level) are examples of reporting structures. While hierarchical reporting sets the tone at the top and defines who is responsible for what, when it comes to investigations and development of corrective actions, a horizontal structure may provide greater benefits, allowing all key players in the field to participate in the process. It is the art of cross-collaboration that elevates compliance reporting management.

The goal of well-established reporting structures is to assist in defining the levels of responsibility, specialty, authority, and to whom the information should be directed, while promoting interrelationships between various authorities and operational leaders. These relationships are not only crucial but necessary for the success of the compliance and employee reporting programs. The more compliance professionals interact with key stakeholders within leadership, the more they will identify and learn how these areas operate and intersect with other departments.

Documentation and tracking

In addition to reporting structures, documentation and timely responses—including resolutions—demonstrate that the reports are being investigated and resolved properly. Monitoring and reviewing your case closure time average across all categories is vital. Based on the complexity of some cases or events, they may turn into larger or ongoing projects. You may consider splitting off these larger projects and taking them out of the formula when calculating case closure time averages. This may provide a more accurate average close rate for standard events. Alternatively, you may also choose to mark events as closed once the investigation is complete. These events can then be transitioned to a project-based or workplan-related activity for continued operational improvement and monitoring.

According to Ethico’s 2023 Benchmark Report, the case closure time average rate is a critical metric to assess your program’s health and your investigation process. The benchmark study also revealed that organizations reported a closure time average of 22–44 days, with a 30-day average being considered best practice, and the hotline remained the most used reporting avenue.

Documentation cannot be neglected; at a minimum, it is essential to include:

  • Preliminary investigation findings

  • High-level meeting notes

  • Recommendations, guidance, and resources provided

  • Summary of decisions and/or resolutions

  • Corrective actions taken

  • Future improvement plans and next steps

External reporting to government agencies is on the rise

Post-pandemic, with the increase of remote/hybrid working conditions and nontraditional flexibilities, has sparked whistleblowing and reporting to external audiences and government authorities. The U.S. Securities and Exchange Commission (SEC) announced they saw a record-breaking number of whistleblower tips received in fiscal year 2023 at over 18,000 tips—50% more than in 2022.[3] The U.S. Department of Justice (DOJ) also announced earlier this year the highest number of False Claims Act settlements in history exceeding over $2.68 billion in fiscal year 2023, where over 70% accounted from the healthcare industry alone at $1.8 billion in recoveries.[4]

According to Business Insider, remote workers feel less peer pressure or social intimidation, perhaps due to less loyalty to and/or more distance from their employer.[5] This may encourage workforce members to take risks and report. Nonetheless, most whistleblowers attempt to raise concerns internally as a means of prevention (good faith efforts) or prove retaliation before they decide to report externally or to the authorities. This is imperative for compliance departments to recognize and understand. If the organization fails to initiate timely investigations or take appropriate actions, including prompt voluntary self-disclosure if a violation is identified, the employee can then blow the whistle, looking to obtain justice and financial reward.

DOJ calling out compliance due diligence: Mergers and acquisitions

Both DOJ and SEC have set regulatory due diligence and self-disclosure expectations regarding mergers and acquisitions transactions under the new Mergers & Acquisitions Safe Harbor Policy policy for voluntary self-disclosure.[6] The policy elevates the function of the corporate compliance program and internal controls to fight anti-corruption. DOJ clarified that it expects compliance officers to be on the front line with key stakeholders during pre-/post-acquisition and integration processes and announced it would incentivize companies that timely self-disclose any wrongdoing at the acquired company within six months of the deal closing. Deputy Attorney Lisa O. Monaco stated in her speech delivered at the SCCE 22nd Annual Compliance & Ethics Institute:

“Our goal is simple: good companies—those that invest in strong compliance programs—will not be penalized for lawfully acquiring companies when they do their due diligence and discover and self-disclose misconduct.”[7]

This is an excellent reminder for acquiring companies to amplify the importance of the compliance program function and the role of an effective internal reporting program, including an anonymous reporting option. This is the first time DOJ has an official program to incentivize whistleblowers and companies that invest in compliance.

The role of compliance during acquisitions includes assistance in identifying any red flags from the buyer during the negotiation or even further into the integration process. Compliance officers have an opportunity to remind executives—including board members—of their roles and duties as leaders.

Best practices to foster nonretaliatory reporting

See Table 1 for a list of best practices and bad habits to keep in mind.

Table 1: The dos and don’ts of reporting

Dos

Don’ts

Track questions (e.g., in addition to concerns/violations).

Do not break anonymity or provide the name of the alleged wrongdoer(s).

Provide access to alternate reporting mechanisms and educate your workforce on reporting options.

Do not stay put when a vendor/third party is responsible for the investigation. Don’t just ignore it. Assess and take action!

Triage carefully (e.g., provide timelines and expectations when applicable, ask for investigation general findings or resolution statements, high-level responses).

Do not investigate outside your parameters/area of expertise (triage accordingly).

For anonymous reports, even if unable to do an interview, investigate to substantiate/unsubstantiate the complaint.

Do not treat reports inconsistently. Act on all reports in the same manner regardless of whether the reporter is known or anonymous.

Document, document, document (including resources provided and legal/regulatory references).

Do not assume employee’s opinions or assessments of the issue brought forward are correct.

Ensure objective investigations and resolution systems to prevent retaliatory behavior.

Do not restrict an employee’s ability to elevate concerns to higher levels if they wish to.

Follow up after interviews (keep it brief but close the loop).

Do not avoid the follow-up or close-out.

Act proactively rather than reactively.

Do not prioritize only legal concerns, possibly missing the opportunity to drive process improvement.

Monitor and report key metrics, such as hotline data and incident closure times.

Do not forget to report major wins/improvements, including to leadership.

At a minimum, acknowledge the report in a timely manner if a response or feedback would take more time to formulate/investigate.

Do not forget to acknowledge or confirm the receipt of a report. Provide a response timeline, and thank the reporter for their cooperation.

Conclusion

Compliance programs are no longer optional; they are necessary to protect employees and the organization. They support a well-informed workforce that feels empowered to speak up—emphasizing the protections of anonymity and confidentiality.

Takeaways

  • An organization’s commitment to compliance starts with accountability, transparency, and justice.

  • A well-structured employee reporting framework enhances the compliance program function.

  • Employee reporting options such as the hotline prove the organization takes confidentiality seriously.

  • Confidentiality is a privilege and a right in the workplace that must always be protected.

  • Compliance professionals must provide ongoing education to employees about their ethical obligation to report noncompliance or suspected violations without fear of retaliation. These guidelines must be clearly outlined in the code of conduct, and a clear process for reporting must be established.

 
1 Navex, 2023 Hotline & Incident Management Benchmark Report, https://www.navex.com/en-us/campaigns/2023-hotline-benchmark-report.
2 Ethico, 2023 Hotline & Investigations Benchmark Report, https://pages.ethico.com/latest-benchmark.
3 U.S. Securities and Exchange Commission, “SEC Announces Enforcement Results for Fiscal Year 2023,” news release, November 14, 2023, https://www.sec.gov/news/press-release/2023-234.
4 U.S. Department of Justice, Office of Public Affairs, “False Claims Act Settlements and Judgments Exceed $2.68 Billion in Fiscal Year 2023,” news release, February 22, 2024, https://www.justice.gov/opa/pr/false-claims-act-settlements-and-judgments-exceed-268-billion-fiscal-year-2023.
5 Britta Lokting, “The age of the work-from-home whistleblower,” Business Insider, December 20, 2022, https://www.businessinsider.com/remote-work-surge-employees-whistleblowing-complaints-companies-fraud-2022-12.
6 U.S. Department of Justice, Office of Public Affairs, “Deputy Attorney General Lisa O. Monaco Announces New Safe Harbor Policy for Voluntary Self-Disclosures Made in Connection with Mergers and Acquisitions,” speech, October 4, 2023, https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-announces-new-safe-harbor-policy-voluntary-self.
7 U.S. Department of Justice, Office of Public Affairs, “Deputy Attorney General Lisa O. Monaco Announces New Safe Harbor Policy for Voluntary Self-Disclosures Made in Connection with Mergers and Acquisitions.”
This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

What to read next...

How a code of conduct reflects culture and meets DOJ requirements

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings