Across several posts this summer, we’ve explored the details that go into building a strong internal whistleblower process. Today let’s look at the larger picture: what are the big, fundamental components of an effective whistleblowing process, and how do you assure that those components work well?
After all (and as we’ve explored in this whistleblower series) effective internal reporting systems aren’t just a regulatory requirement; they can also lead to better corporate performance over time. A strong internal whistleblowing process is integral to a strong corporate culture based in trust — and in modern business, you can’t succeed without that.
So compliance officers must get internal whistleblowing systems right. That means understanding the details of whistleblower policy and procedure; the technology to manage whistleblowing; and the fundamental elements of success. Today we’ll discuss that last part.
Assuring the Whistleblower Hotline Essentials
Every whistleblower program rests on seven basic building blocks. Each block needs to exist not just on paper in corporate memos and policy manuals, but also in practice every day. Let’s take a look.
Support From Leadership
All corporate culture begins with support from leadership, and a culture of internal reporting is no different. Executive management must support a whistleblowing process with proper resources (read: budget) and clear, vocal support for what speaking up means in practice: investigating allegations and holding people accountable.
A compliance officer can push for that support by explaining the importance of whistleblowing to executives. Show them the data tying internal reporting to better business performance. Show them the U.S. Justice Department guidelines explaining what an effective program should accomplish — and the potential penalties for not supporting one. Persuade, cajole, and warn until the message is clear: without executive support, the company sits on a foundation of sand.
Education and Awareness
Employees won’t use your whistleblowing process if they don’t know that it exists, that they’re encouraged to use it, or how to use it. So education and training, as well as a larger awareness campaign, are crucial.
Good whistleblower training should build on your Code of Conduct and related compliance policies, so employees first understand how to recognize an instance of misconduct. Then explain how employees can submit a complaint — and all that training should be in languages that your workforce can understand. Then follow up with posters in the office, as well as messages from senior leaders or in corporate newsletters, to build overall awareness that the hotline is there whenever employees need it.
Response Process
If you want a culture where employees speak up about misconduct, employees need to feel that their complaints have been heard and taken seriously. This means you should have a formal process to respond to each complaint, so the whistleblower can feel (as much as practically possible) that he or she is involved in getting the issue addressed.
For example, every submission should get a prompt “thank you, we’ll look into this” reply. Your whistleblower program should also include procedures to keep the whistleblower informed from time to time (“we’re still investigating”) or even to ask the whistleblower for help collecting evidence. When an incident is resolved, ideally your program should at least tell the person that the case is closed (even if you can’t share further details for confidentiality reasons).
But if whistleblowers feel like they’re shouting into a void, with no response ever received — they’ll stop shouting, and your program will moulder.
Proper Assessment Protocols
Every complaint should be taken seriously upon first receiving it. Draft a set of investigation protocols so that each type of complaint goes to its proper place. That is, complaints about harassment go to HR; complaints about fraud go to accounting; complaints about corruption go to legal or outside counsel; and so forth.
Whistleblower Support
The foremost reason employees don’t report episodes of misconduct is fear of retaliation. So anti-retaliation policies — policies that are enforced, vigorously — are indispensable to the success of your whistleblower program.
Such policies should be clear, and include examples of retaliation that won’t be tolerated. Train managers on anti-retaliation so that they know not to do it themselves, and that they should intercept employees retaliating against coworkers. (You might even consider a policy for managers that all allegations of retaliation they hear should be reported directly to the compliance team.)
Then, when retaliation does happen, follow through with accountability and disciplinary action. Employees need to see that support of whistleblowers to believe it.
Keep Historical Records
Large organizations could easily receive thousands of whistleblower reports every year, on all manner of issues. Tracking the details of those reports is important. The compliance team needs records to better understand what types of misconduct are surfacing in which parts of the organization. The legal team needs them in case of litigation stemming from a complaint. HR needs them to understand proper disciplinary actions.
Ideally, keep all your records in one central repository for a “single source of truth.” Index them diligently, so you can always pull up single records or information in bulk, whenever you need it.
Reporting
Reporting is the final phase of your whistleblower program. Per our previous point about historical records, you should be able to summon specific complaints in case they’re needed for a regulatory review or litigation. You should also be able to review whistleblower data at a holistic level for data analytics. That allows you to glean more insights about how misconduct is happening within your enterprise; then you can reallocate resources, or retool policies and procedures, to address those issues more strategically.
Addressing Gaps in Your Whistleblower Program
No whistleblower program is perfect. Complaints might be misunderstood, records lost, reporting incomplete — and instances of retaliation are endemic to all large businesses, no matter how strong the leadership or comprehensive your training.
Such gaps are to be expected, and to a certain extent are even tolerable — so long as the compliance function works to find and address those gaps. The Justice Department, in its guidance about effective compliance programs, makes this point emphatically. Compliance officers should periodically audit their whistleblower program to assess its effectiveness, and then remediate any shortcomings.
The audit itself could be done by an internal audit team or an outside expert. It could consist of data analysis, tests of whistleblower procedures, focus groups with employees, and other measures. Remediation plans would then flow from whatever results you find.
An ineffective whistleblower program would be one where compliance officers know of specific weaknesses, and take no action to remedy those problems. The remedies themselves could be better training, disciplinary action against retaliators, new policies, new technology, or some blend of steps. But known weaknesses cannot be ignored, unless the company wants to risk more severe monetary penalties if an enforcement action comes along.
Use the Right Software to Support Your Whistleblowing Process
One significant challenge for large organizations is managing their internal whistleblower program at scale: multiple intake methods (phone, email, web submissions) in multiple countries, with potentially thousands of complaints per year, each one generating numerous points of data worth tracking — and also subject to a thicket of privacy laws around the world. If you want to improve your program over time, you also need to collate and analyze all that data at regular intervals.
Hence the importance of technology for a successful whistleblower program. Outside vendors can manage your hotline itself, and then provide necessary data for case management, investigations, analytics, audits, and program remediation. That software should ideally be cloud-based for easy implementation, and be able to integrate well with any other dedicated compliance technology tools you already have.
Then, with the right technology and all the other fundamentals in place, you can get to work listening to your employees’ concerns and helping them to achieve a corporate culture of high ethical standards — and high performance!
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.