One primary responsibility for corporate ethics and compliance officers is to oversee their company’s internal reporting hotline. That means compliance officers must also deal with internal reporting’s evil twin—retaliation in the workplace.
For example, Ethisphere published a report in 2019 finding that 92 percent of employees want to report misconduct when they see it, and 84 percent said they would want to report misconduct “because it’s the right thing to do.”
Awesome! This is the culture of compliance that compliance officers want to achieve!
Then came the buzzkill: 54 percent of employees said they wouldn’t report misconduct because “I fear retaliation.” It was the number one reason employees cited for keeping quiet when they see misconduct.
From there, a compliance officer’s problems only get worse. Either employees don’t report their concerns, so the misconduct festers until it explodes into a crisis, or employees do report the misconduct and, if they suffer retaliation, your company now has a second compliance problem in addition to the original issue. In short: a thorough understanding of workplace retaliation is crucial to a successful compliance program.
What is Retaliation in the Workplace?
Workplace retaliation happens when a business somehow punishes an employee for engaging in legally protected activity. For the purposes of a corporate compliance program, interpret that definition as broadly as possible.
First, punishment could include termination, demotion, loss of pay or other fringe benefits, or transfer to a less prestigious role within the company. Punishments could also be rewards that the business withholds: a pay raise, an expected promotion, the opportunity to work on high-profile projects, and so forth.
Second, engaging in legally protected activity can be anything from speaking to others about union organizing; to taking time off that you’re legally entitled to take (such as time under the Family and Medical Leave Act); to refusing to engage in illegal activity (say, the boss pressuring someone to help commit fraud). Above all, legally protected activity also includes raising allegations of misconduct or cooperating in investigations relating to potential misconduct.
Third, an agent of the business has to inflict the retaliation. The foremost example here is an employee’s manager, but retaliation can also come from coworkers, senior executives who don’t directly oversee the employee, or even third parties acting on the company’s behalf.
Regulations with Anti-Retaliation Provisions
Many of them.
The Sarbanes-Oxley Act and the Dodd-Frank Act, for example, prohibit retaliation against an employee who reports allegations of financial misconduct—including misconduct that might violate other laws. So for example, an employee might discover evidence of corporate bribery that violates the Foreign Corrupt Practices Act (FCPA). If he reports those FCPA concerns to law enforcement, and the company then denies him an expected promotion, the employee could file an anti-retaliation complaint under the Sarbanes-Oxley Act or an anti-retaliation civil lawsuit under the Dodd-Frank Act.
The False Claims Act protects employees of government contractors who file reports of their employers over-charging the federal government.
The Americans With Disabilities Act, the Equal Pay Act, and Title VII of the Civil Rights Act all prohibit certain types of discrimination in the workplace; and prohibit retaliation against people bringing discrimination claims under those laws.
Various other federal and state laws also include anti-retaliation protections for any employees trying to report corporate misconduct. Virtually all large organizations are subject to the anti-retaliation provisions of at least one law, and probably many laws.
Both the U.S. Sentencing Guidelines and U.S. Justice Department say that an effective corporate compliance program should include mechanisms to prevent retaliation against employees who submit allegations of misconduct. This means that for a business to be in compliance with any of the laws mentioned above, it must have an anti-retaliation program. That is part and parcel of an effective corporate compliance program.
What Does an Anti-Retaliation Program Include?
Every company needs to develop its own anti-retaliation program, based on its business model, workforce, budgetary resources, and compliance risks. That said, all anti-retaliation programs should include fundamental elements.
- Anti-retaliation policies that explain what retaliation is, why it won’t be tolerated, and how employees can report instances of workplace retaliation.
- Training, for managers and employees alike, to understand the various forms retaliation can take and how they should refrain from retaliating against anyone reporting misconduct.
- Internal reporting mechanisms to let employees submit their allegations of misconduct. Those mechanisms should be available in multiple forms (whistleblower hotlines, online forms, and even paper submissions), and employees should be able to submit reports anonymously.
- Investigation protocols for legal or compliance teams to follow up on misconduct reports. The protocols should also assure that the employee’s identity is protected.
- Disciplinary policies explained to all employees, so they understand the consequences of engaging in retaliation.
- Enforcement of disciplinary action against anyone who engages in workplace retaliation anyway.
How to Measure Anti-Retaliation
First, you want to track data about retaliation complaints in aggregate: how many retaliation complaints you get in absolute terms, the percentage relative to total complaints, and the year-over-year change in both those numbers, for example.
You also want to compare those aggregate numbers to specific parts of your enterprise and your workforce. For example, what is the percentage of retaliation complaints relative to all hotline calls in your North America operations, versus your EMEA or Asia-Pacific regions? How many retaliation complaints come from women versus men? How many complaints are about retaliation from coworkers rather than managers? How many retaliation complaints are about managers new to their roles, versus managers with years of experience?
The more data you can get, the more you can pinpoint the issues most likely to trigger retaliation; the locations where retaliation is most likely to happen; and the people most likely to engage in retaliation.
Metrics like those get you closer to answering the question: “How is our culture? Does it respect ethics, compliance, and internal reporting?”
This is a question that is always worth a Chief Compliance Officer’s time and energy, because it helps you to make strategic changes in your compliance program. For example, you might need to make changes to your training materials, or your disciplinary policies. You might need to enlist senior executives to talk more about the importance of anti-retaliation, or decide to include more discussion of disciplinary actions over workplace retaliation in your company newsletter.
On a practical level, these metrics can also be valuable when reviewing the effectiveness of your compliance program with regulators. Those regulators don’t expect perfection in your compliance program—they only expect progress toward improvement. Metrics tracked over time, tied to program improvements you make, demonstrate that progress.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.