Employee reporting is not only a critical element of an effective compliance program but also a core function that demonstrates the organization’s goodwill in corporate and social responsibility. These sources of reporting—such as the compliance hotline/helpline and other integrity-related reporting—permit employees, volunteers, and contractors to report matters or raise concerns safely with no fear of retaliation.
Is your compliance reporting volume up or down? What are the trends you are seeing over time or by season?
If the volume goes up, this may not necessarily imply new concerns. It could also indicate signs of a healthy work environment and the result of trust and a strong speak-up culture. If reporters have a positive outcome, feel their concerns were heard and understood, and believe action was taken in a timely manner, they will likely be more inclined to reach out in the future and also encourage their peers to report.
Leverage your reporting mechanisms
It is important for organizations to offer a choice of multiple reporting mechanisms, including different access points and platforms, as well as an anonymous reporting option. Time management, communication skills, collaboration between key investigating department leaders, and effective reporting structures are needed to ensure the process does not become overwhelming and cumbersome. Compliance should rely on a solid organizational investigation process to identify and address noncompliant activities, reinforce commitment and accountability, and ensure fair, equitable, and consistent enforcement.
Effective reporting structures
To properly triage concerns and/or investigations, consistent communication channels must be established with key operational leaders during the review and mitigation process. Initially, a standard reporting structure must be defined. It is recommended to use existing industry-standard structures and adjust as needed.
Navex, for instance, in their most recent annual Hotline & Incident Management Benchmark Report, provides a baseline of the most common report categories and subcategories.[1] The main categories identified in the 2023 Navex report include:
-
Accounting, Auditing & Financial Reporting
-
Business Integrity (conflicts of interest, fair competition, anti-trust, political activity, data privacy, etc.)
-
Human Resources, Diversity & Workplace Respect (discrimination, harassment, retaliation, substance abuse, workplace civility, etc.)
-
Environment, Health & Safety
-
Misuse or Misappropriation of Assets
-
Other
Ethico, similarly, in their 2023 Hotline & Investigations Benchmark Report, provides the following basic categories:[2]
-
Human resources (discrimination, harassment, retaliation, unfairness, staffing and management issues, etc.)
-
Compliance, regulatory, legal (conflict of interest, code of conduct, other illegal conduct, fraud, etc.)
-
Environment, health and safety
-
Privacy, Infosec
-
Customer relations, business quality
-
Billing, finance, vendors
Defined categories can provide a structure to promote the flow of information. Hierarchical, top-to-bottom, and horizontal (i.e., across team members or leaders with the same authority level) are examples of reporting structures. While hierarchical reporting sets the tone at the top and defines who is responsible for what, when it comes to investigations and development of corrective actions, a horizontal structure may provide greater benefits, allowing all key players in the field to participate in the process. It is the art of cross-collaboration that elevates compliance reporting management.
The goal of well-established reporting structures is to assist in defining the levels of responsibility, specialty, authority, and to whom the information should be directed, while promoting interrelationships between various authorities and operational leaders. These relationships are not only crucial but necessary for the success of the compliance and employee reporting programs. The more compliance professionals interact with key stakeholders within leadership, the more they will identify and learn how these areas operate and intersect with other departments.
Documentation and tracking
In addition to reporting structures, documentation and timely responses—including resolutions—demonstrate that the reports are being investigated and resolved properly. Monitoring and reviewing your case closure time average across all categories is vital. Based on the complexity of some cases or events, they may turn into larger or ongoing projects. You may consider splitting off these larger projects and taking them out of the formula when calculating case closure time averages. This may provide a more accurate average close rate for standard events. Alternatively, you may also choose to mark events as closed once the investigation is complete. These events can then be transitioned to a project-based or workplan-related activity for continued operational improvement and monitoring.
According to Ethico’s 2023 Benchmark Report, the case closure time average rate is a critical metric to assess your program’s health and your investigation process. The benchmark study also revealed that organizations reported a closure time average of 22–44 days, with a 30-day average being considered best practice, and the hotline remained the most used reporting avenue.
Documentation cannot be neglected; at a minimum, it is essential to include:
-
Preliminary investigation findings
-
High-level meeting notes
-
Recommendations, guidance, and resources provided
-
Summary of decisions and/or resolutions
-
Corrective actions taken
-
Future improvement plans and next steps
External reporting to government agencies is on the rise
Post-pandemic, with the increase of remote/hybrid working conditions and nontraditional flexibilities, has sparked whistleblowing and reporting to external audiences and government authorities. The U.S. Securities and Exchange Commission (SEC) announced they saw a record-breaking number of whistleblower tips received in fiscal year 2023 at over 18,000 tips—50% more than in 2022.[3] The U.S. Department of Justice (DOJ) also announced earlier this year the highest number of False Claims Act settlements in history exceeding over $2.68 billion in fiscal year 2023, where over 70% accounted from the healthcare industry alone at $1.8 billion in recoveries.[4]
According to Business Insider, remote workers feel less peer pressure or social intimidation, perhaps due to less loyalty to and/or more distance from their employer.[5] This may encourage workforce members to take risks and report. Nonetheless, most whistleblowers attempt to raise concerns internally as a means of prevention (good faith efforts) or prove retaliation before they decide to report externally or to the authorities. This is imperative for compliance departments to recognize and understand. If the organization fails to initiate timely investigations or take appropriate actions, including prompt voluntary self-disclosure if a violation is identified, the employee can then blow the whistle, looking to obtain justice and financial reward.
DOJ calling out compliance due diligence: Mergers and acquisitions
Both DOJ and SEC have set regulatory due diligence and self-disclosure expectations regarding mergers and acquisitions transactions under the new Mergers & Acquisitions Safe Harbor Policy policy for voluntary self-disclosure.[6] The policy elevates the function of the corporate compliance program and internal controls to fight anti-corruption. DOJ clarified that it expects compliance officers to be on the front line with key stakeholders during pre-/post-acquisition and integration processes and announced it would incentivize companies that timely self-disclose any wrongdoing at the acquired company within six months of the deal closing. Deputy Attorney Lisa O. Monaco stated in her speech delivered at the SCCE 22nd Annual Compliance & Ethics Institute:
“Our goal is simple: good companies—those that invest in strong compliance programs—will not be penalized for lawfully acquiring companies when they do their due diligence and discover and self-disclose misconduct.”[7]
This is an excellent reminder for acquiring companies to amplify the importance of the compliance program function and the role of an effective internal reporting program, including an anonymous reporting option. This is the first time DOJ has an official program to incentivize whistleblowers and companies that invest in compliance.
The role of compliance during acquisitions includes assistance in identifying any red flags from the buyer during the negotiation or even further into the integration process. Compliance officers have an opportunity to remind executives—including board members—of their roles and duties as leaders.
Best practices to foster nonretaliatory reporting
See Table 1 for a list of best practices and bad habits to keep in mind.
Dos |
Don’ts |
---|---|
Track questions (e.g., in addition to concerns/violations). |
Do not break anonymity or provide the name of the alleged wrongdoer(s). |
Provide access to alternate reporting mechanisms and educate your workforce on reporting options. |
Do not stay put when a vendor/third party is responsible for the investigation. Don’t just ignore it. Assess and take action! |
Triage carefully (e.g., provide timelines and expectations when applicable, ask for investigation general findings or resolution statements, high-level responses). |
Do not investigate outside your parameters/area of expertise (triage accordingly). |
For anonymous reports, even if unable to do an interview, investigate to substantiate/unsubstantiate the complaint. |
Do not treat reports inconsistently. Act on all reports in the same manner regardless of whether the reporter is known or anonymous. |
Document, document, document (including resources provided and legal/regulatory references). |
Do not assume employee’s opinions or assessments of the issue brought forward are correct. |
Ensure objective investigations and resolution systems to prevent retaliatory behavior. |
Do not restrict an employee’s ability to elevate concerns to higher levels if they wish to. |
Follow up after interviews (keep it brief but close the loop). |
Do not avoid the follow-up or close-out. |
Act proactively rather than reactively. |
Do not prioritize only legal concerns, possibly missing the opportunity to drive process improvement. |
Monitor and report key metrics, such as hotline data and incident closure times. |
Do not forget to report major wins/improvements, including to leadership. |
At a minimum, acknowledge the report in a timely manner if a response or feedback would take more time to formulate/investigate. |
Do not forget to acknowledge or confirm the receipt of a report. Provide a response timeline, and thank the reporter for their cooperation. |
Conclusion
Compliance programs are no longer optional; they are necessary to protect employees and the organization. They support a well-informed workforce that feels empowered to speak up—emphasizing the protections of anonymity and confidentiality.
Takeaways
-
An organization’s commitment to compliance starts with accountability, transparency, and justice.
-
A well-structured employee reporting framework enhances the compliance program function.
-
Employee reporting options such as the hotline prove the organization takes confidentiality seriously.
-
Confidentiality is a privilege and a right in the workplace that must always be protected.
-
Compliance professionals must provide ongoing education to employees about their ethical obligation to report noncompliance or suspected violations without fear of retaliation. These guidelines must be clearly outlined in the code of conduct, and a clear process for reporting must be established.