The Complete Compliance and Ethics Manual

Overview

Hotlines are one of the most effective and cost-efficient external mechanisms that a corporation can deploy in their compliance program. This solution has been used by companies for more than 40 years. Depending on the size and complexity of an organization, hotlines also have been adopted by companies in the past decade as a “best practice” for fraud detection and promoting the integrity and compliance of an organization.

Various legislative initiatives have increased the use of hotlines, including the U.S. Sarbanes-Oxley Act of 2002 (SOX) and the United Kingdom’s Public Interest Disclosure Act (PIDA), which came into force in the United Kingdom in 1999. As a response to several high-profile corporate scandals, SOX implemented reporting requirements for accounting and audit matters of public companies (each audit committee shall establish procedures for “the receipt, retention, and treatment of complaints received by the issuer” as well as “confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters”).^[3] The establishment of external hotlines satisfied the legislative requirements.

Similarly, the U.S. Securities and Exchange Commission (SEC) adopted rules to create a whistleblower program of its own. As announced by the SEC on May 25, 2011^[4] , the SEC whistleblower program, created under Section 922 of the Dodd-Frank Act, “rewards individuals who provide the agency with high-quality tips that lead to successful enforcement actions”.^[5] Awards are available to individuals who voluntarily provide original information to the SEC that results in a successful enforcement action in which the SEC obtains sanctions totaling more than $1 million.

The SEC issued one award in 2012, and four more in 2013. There were nine awards in 2014, with the largest, single award of $30 million being announced on September 22, 2014.^[6] Similarly, Britain created PIDA after inquiries into several major disasters revealed that dangerous conditions had persisted at certain companies for many years and employees didn’t feel there was a mechanism to address the conditions or that their concerns would be acted upon. PIDA created protections for persons who might disclose such information. British employers, keen to keep such disclosures internal, and to avoid prosecution under PIDA, introduced internal hotlines to receive such reports of dangerous practices. The passage of SOX in the U.S. served as a catalyst for various Federal agencies to assess internal controls and reporting and response consistency to reports of improprieties. This resulted in encouragement to have whistleblower solutions by the Office of Government Ethics internal mandate under OGE 5 C.F.R. – 2635.101(B), and by requirements or encouragements such as the Hatch Act, the Whistleblower Act, the Federal Employee Protection of Disclosures Act, and OMB Circular A-123.

Hotlines have become viewed as cheap “insurance” against fraud, waste and abuse, corporate malfeasance, health and safety, harassment and other human resource related issues and equal employment and affirmative action claims. According to the most recent 2014 Report to the Nations on Occupational Fraud and Abuse (2014 Report) authored by the Association of Corporate Fraud Examiners (ACFE), the median loss in U.S. dollars for U.S. companies was $100,000 and those in Western Europe was approximately $200,000. Obviously the longer a fraud persists, the more financial damage caused to the company. With the average duration of a fraud being 18 months from commencement to detection, the early detection or prevention of a fraud can pay for the hotline and case management operations for many years.

Hotlines should not be viewed as a primary, or even initial, means of prevention or detection of illegal, unsafe or detrimental practices. Within most organizations, reports of malfeasance or misconduct should first be made to the employee’s supervisor or an internal department (HR, Legal, Compliance, etc.) and the hotline should be the final reporting option or a safe haven if anonymity is required. Employees and managers should be trained on a company’s ethics and compliance requirements, usually through a Code of Conduct or similar document. Additional training needs to reinforce a company’s commitment to ethics and compliance while ensuring complaints are not mishandled or downplayed. Furthermore, the training should make clear that attitudes and conduct that undermine a commitment to ethics and compliance are not tolerated and ethics and compliance are strongly backed by senior leaders and the board of directors. Unfortunately, because of the emphasis placed on the hotline by SOX, PIDA and other legislation, a company can place an inordinate amount of emphasis on the existence of a hotline and its ability to prevent and discover ethical and compliance breaches. The hotline is an important tool in an organization’s arsenal of detection and prevention, but it should be designed to support and complement an overall issue awareness strategy.

Establishing an effective issue awareness strategy provides an opportunity to instill confidence in the corporation’s desire to develop and maintain a positive culture of integrity and compliance. This value can be enhanced with transparency of the inquiry as well as an issue awareness and resolution process.

Choosing a Reporting Solution

Defining and developing a reporting solution begins with an analysis of your organizational complexity. Your organization’s size, industry, operational geographies, operational style (centralized–decentralized, union–non-union, weak culture–strong culture, complexity or magnitude of programs, operations, transactions, extent of manual processes or applications, etc.) and historical significance of risk are the primary considerations. Additional consideration should be given to the primary industry(s) you serve. Each industry has a unique set of regulatory requirements and common risk components that should be serviced by the reporting solution. Finally, your organization’s risk tolerance and social responsibility goals should be factored in to ensure the appropriate level of rigor and process complexity is applied.

Hotline reports should not be limited to reports of fraud and abuse. An important aspect of any good reporting solution is the ability for stakeholders to inquire about their potential actions when confronted with an ethical dilemma or to express a concern for something they believe may be occurring. It is also important to provide feedback to the reporting stakeholder as to what they can expect from the reporting process, and if you have other reporting or support vehicles in place, where and how to use them. It is important to structure the hotline system to receive actionable reports and shift frivolous concerns or other such feedback to more appropriate venues.

The most common areas of reporting for a hotline are:

• Corruption, theft and fraud

• Finance and accounting concerns

• Information or asset misuse and access

• Customer/partner/competitor concerns, including the FCPA^[7]

• Equal opportunity/affirmative action matters

• Environmental, health and safety

• Industry-specific regulatory risks

• Harassment and other HR related issues

• General inquiry/questions.

Given the generational dynamics of today’s workforce, a hotline solution should be a combination of Web- and telephony-intake. Regardless of the method of reporting, hotlines must be trustworthy from the potential reporter’s point of view. While it is possible for organizations to consider installing a toll-free line and answer calls within their organization, it is generally not cost- or process-effective. Potential reporters, especially employees who are most likely to witness issues for which the hotline was created, often don’t believe that a company-created and staffed hotline will provide a confidential forum and fear retaliation. Selection of a third-party vendor ensures 24/7/365 access and availability, as well as a degree of stakeholder assurance that only comes from a third-party operator.

Some organizations may desire or choose to employ an ombudsman to receive and respond to certain hotline reports. This choice is often based on the culture and makeup of the organization and can prove very effective.

The choice an individual organization makes on a reporting mechanism will ultimately depend on the culture of the organization. Those organizations with a small, tightly knit employee population may favor an approach that a larger organization would find unworkable. The opposite may also be true. Regardless of how an organization chooses to implement its hotline, its presence, objective and guidelines must be clearly communicated to the stakeholders—employees, vendors, spouses and customers—to ensure the solution’s effectiveness. Nothing is more damaging to employees’ and other stakeholders’ belief in a hotline solution than to see complaints mishandled, downplayed or not followed-up on or attitudes and conduct that undermine a commitment to ethics and compliance. These behaviors cannot be tolerated and senior leaders and the board of directors need to send a strong and consistent message that ethics and compliance are valued throughout the organization.