Tag: internal reporting

Categories
Blog

Internal Reporting and Triaging of Claims

The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward. This system has become even more important after the 2022 announcement of the Monaco Memo. Further, as the 2022 ABB FCPA resolution made clear, self-disclosing to the DOJ is the vital first step for all discounts under the Corporate Enforcement Policy to begin.

This scenario was driven home by the WPP Foreign Corrupt Practices enforcement action in 2021. Here, a whistleblower reported internally on allegations of bribery and corruption in the company’s India subsidiary. WPP turned over the investigation to an inexperienced accounting firm in India and then allowed the investigation to be controlled by the business unit management that was engaging in the bribery and corruption. The result, unsurprisingly, was no adverse findings. However, the whistleblower did not stop there and reported six more times (seven total) with an increasing amount of documentary support. Finally, the company took the allegations seriously and commissioned an internal investigation.

Internal reporting. The 2020 FCPA Resource Guide, 2nd edition, has as clear and concise a statement about hotlines as any other requirement found in Hallmarks of an Effective Compliance Program. It states:

An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.

The Evaluation reinforced this language with the following found under Reporting and Investigation:

How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?

This is more than simply maintaining hotlines. Companies have to make real efforts to listen to employees. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.

The reason is that a business’s own employees are a company’s best source of information about what is going on in the company. It is certainly a best practice for a company to listen to its own employees, particularly to help improve its processes and procedures. But more than listening to its employees, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale behind an anonymous reporting system within any organization. Both the U.S. Sentencing Guidelines and the Organization of Economic Cooperation and Development (OECD) Good Practices list as one of their components an anonymous reporting mechanism by which employees can report compliance and ethics violations. Of course, the Dodd-Frank Whistleblower provisions also give heed to the implementation of a hotline.

What are some of the best practices for a hotline? Start with the following:

Availability. Your reporting mechanism can be easily accessed by your entire employee base. This may require more than one tool, such as telephone report, internet reporting and other mechanisms.

Anonymity. There must be a manner to make reports anonymously if the reporter so desires.

Escalation. You must have a protocol or mechanism to take any reports up the chain if they warrant being heightened within the organization.

Follow-up. There must be a sufficient follow up protocol to make sure any reported events receive the warranted attention. There should also be a way to keep the incident reporter informed as to the progress of the matter within your investigative protocol.

Oversight. There should be multiple levels of review within your organization on reports which come into your organization. This would include senior compliance department staff, senior company management and up to the Board of Directors.

In this area is that of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

After your investigation is complete, the Fair Process Doctrine demands that any discipline must not only be administered fairly but it must be administered uniformly across the company for a violation of any compliance policy. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

Triaging claims. Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can determine what resources to bring to bear on a compliance problem.

Jonathan Marks has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, consider what will be the types of evidence to review going forward. Finally, before selecting a triage solution, understand what tools are available, including both forensic and human, to complete the investigation.

Marks’ five-stage process for early assessments are as follows:

Stage 1. These consist of allegations that have a low threat level and do not suggest a breakdown of internal controls. Tips that get grouped into this stage do not have a financial or reputational impact.

Stage 2. These allegations are more serious in nature, and often indicate some deficiency in the design of internal controls. Examples include business rule violations such as recurring employee theft or patterns of falsifying expense reports.

Stage 3. These allegations are serious in nature, generally involve an override of internal controls, and thus are at a minimum a serious deficiency. But they have only a minimal impact on the financial statements or the company’s reputation. More serious allegations in this category include fraud, embezzlement, and bribery involving employees or mid-level management.

Stage 4. These are serious allegations that could have an impact on the completeness and accuracy of the audited financial statements, and that could indicate a material weakness in internal controls. They do not, however, appear to involve any member of the senior management team.

Stage 5. These are serious allegations that involve one or more members of the senior management team or are serious enough to damage the company’s reputation. The receipt of allegations in this stage usually places the company into crisis management mode and could result in the restatement of audited financial statements or added regulatory scrutiny.

Finally, after you ascertain you have an effective reporting mechanism through your hotline and demonstrate you have a robust and properly scoped investigation protocol, you must use the information you receive to remediate any issues which may arise. It is not enough merely to show that a hotline exists, you must present the data it produces.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Reporting and Investigations – Internal Reporting and Whistleblowers During Layoffs

In Houston, we have experienced energy companies laying off upwards of 30% of their workforce in the US and abroad. Employment separations can be one of the trickiest maneuvers to manage in the spectrum of the employment relationship. Even when an employee is aware layoffs are coming, it can still be quite a shock when Human Resources (HR) shows up at their door and says, “Come with me.” However, layoffs, massive or otherwise, can present some unique challenges for the FCPA compliance practitioner. Employees can use layoffs to claim that they were retaliated against for various complaints, including those for concerns that impact the compliance practitioner. Yet there are several actions you can take to protect your company as much as possible.

These actions allow you to demonstrate that any laid-off employee was not separated because of a hotline or whistleblower allegation but due to your overall layoff scheme. However, it could be that you may need this person to provide your compliance department additional information, to be a resource to you going forward, or even a witness that you can reasonably anticipate the government may want to interview. If any of these situations exist, if you do not plan for their eventuality before you lay off the employee, said (now) ex-employee may not be inclined to cooperate with you going forward. Also, demonstrating that you are sincerely interested in a meritorious hotline complaint may keep this person from becoming an SEC whistleblower.

Three Key Takeaways:

  1. An employment separation is critical if an internal report has been made.
  2. Have appropriate language in your separation agreement.
  3. Treat terminated employees with dignity and respect.
Categories
31 Days to More Effective Compliance Programs

One Month to Better Reporting and Investigations – Internal Reporting System Best Practices

What are some best practices regarding an internal reporting system? The 2012 FCPA Guidance stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” The 2019 Guidance further refined this basic requirement for a hotline with inquiries into the effectiveness of your corporate hotline, asking, “Effectiveness of the Reporting Mechanism – Does the company have an anonymous reporting mechanism, and, if not, why not?  How is the reporting mechanism publicized to the company’s employees?  Has it been used?  How has the company assessed the seriousness of the allegations it received?  Has the compliance function had full access to reporting and investigative information?” In this podcast, we detail some of the key best practices.

Three key takeaways:

  1. Get the word out to your employees about your company hotline through a variety of mediums and platforms.
  2. Train your employees on the use of the hotline.
  3. Use data from your hotline to continually update and improve your compliance program.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Reporting and Investigations – Advantages of an Internal Reporting System

While it is clear that the government expects companies to have an internal reporting system, there are benefits far beyond putting you in the government’s good graces. Companies with a more robust internal reporting system generated more reports. Dr. Welch found a group of companies he termed “power users”, which were high-level users of whistleblower reporting systems who had more activity than the average entity. These “power user” companies have several interesting characteristics. First, they are typically firms with higher quality earnings reporting. They are more profitable entities. Finally, these “power user” companies were firms with higher quality governance, as rated by the Entrenchment Index, which is used to measure how entrenched management is in a company.

Conversely, companies which were observed to be a more limited user of whistleblower reporting systems are companies that were seen to have poor governance. They are more prone to financial accounting issues, such as discretionary accruals, which could prove problematic. These tend to be smaller and less mature firms. Their overall compliance programs were generally not seen as robust or as effective as those in larger, more mature organizations. Finally, these firms, probably because they were smaller and less mature, are more prone to extreme growth and the problems associated with trying to scale up quickly.
All of this points to one unmistakable conclusion, a robust whistleblower reporting system facilitates a company’s resolution of problems before they become major problems or legal violations bringing the Securities and Exchange Commission (SEC) or DOJ calling.

Three Key Takeaways

  1. Companies with a robust whistleblower and reporting system had greater profitability and workforce productivity as measured by Return on Assets.
  2. There were fewer material lawsuits brought against the company overall and there were lower settlement costs if a lawsuit did occur.
  3. There were fewer external whistleblower reports to regulatory agencies and other authorities.
Categories
Principled Podcast

Principled Podcast – S9 E13 – Is Your Hotline Running Cold? How To Get Meaningful Data from Internal Reporting.

What you’ll learn on this podcast episode

Do hotlines really work? According to the 2019 Global Business Survey conducted by the Ethics and Compliance Initiative, only 6% of E&C complaints went to hotlines, compared to 51% to direct supervisors and the remainder to higher management or human resources. So why are so many E&C programs—not to mention boards of directors—relying principally on hotline data to assess company culture and compliance? In this episode of LRN’s Principled Podcast, Susan Divers talks about reimagining hotlines with Scott Sullivan, the chief integrity and compliance officer at Newmont Corporation. Listen in as Scott shares how his team reinvented Newmont’s hotline channel and reporting process to separate the wheat from the chaff and gain meaningful information.

Guest: Scott Sullivan

Headshot_Scott_S7E18

Scott Sullivan is the Chief Integrity & Compliance Officer of Newmont Corporation, the world’s leading gold company. Newmont has approximately 15,000 employees and 15,000 contractors and has 12 operating mines and 2 non-operated JVs in 9 countries. Mr. Sullivan oversees, develops, implements, and manages Newmont’s integrity and compliance program including ethics, anti-bribery, corporate investigations, and global trade compliance. Previously, Mr. Sullivan was the Chief Ethics & Compliance Officer of a global manufacturer of fluid motion and control products with approximately 17,000 employees operating in 55 countries. Mr. Sullivan has written and contributed numerous articles on compliance programs, anti-bribery/FCPA, export controls, economic sanctions, and other ethics and compliance topics to a variety of publications. Mr. Sullivan is also a frequent local, national, and international speaker, moderator, and conference organizer on compliance, anti-bribery/FCPA, export controls, and economic sanctions.

Host: Susan Divers

Headshot_Susan_Divers_S7E18_Principled_Podcast

Susan Divers is a senior advisor with LRN Corporation. In that capacity, Ms. Divers brings her 30+ years’ accomplishments and experience in the ethics and compliance area to LRN partners and colleagues. This expertise includes building state-of-the-art compliance programs infused with values, designing user-friendly means of engaging and informing employees, fostering an embedded culture of compliance and substantial subject matter expertise in anti-corruption, export controls, sanctions, and other key areas of compliance.

Prior to joining LRN, Mrs. Divers served as AECOM’s Assistant General for Global Ethics & Compliance and Chief Ethics & Compliance Officer. Under her leadership, AECOM’s ethics and compliance program garnered six external awards in recognition of its effectiveness and Mrs. Divers’ thought leadership in the ethics field. In 2011, Mrs. Divers received the AECOM CEO Award of Excellence, which recognized her work in advancing the company’s ethics and compliance program.

Mrs. Divers’ background includes more than thirty years’ experience practicing law in these areas. Before joining AECOM, she worked at SAIC and Lockheed Martin in the international compliance area. Prior to that, she was a partner with the DC office of Sonnenschein, Nath & Rosenthal. She also spent four years in London and is qualified as a Solicitor to the High Court of England and Wales, practicing in the international arena with the law firms of Theodore Goddard & Co. and Herbert Smith & Co. She also served as an attorney in the Office of the Legal Advisor at the Department of State and was a member of the U.S. delegation to the UN working on the first anti-corruption multilateral treaty initiative.

Mrs. Divers is a member of the DC Bar and a graduate of Trinity College, Washington D.C. and of the National Law Center of George Washington University. In 2011, 2012, 2013 and 2014 Ethisphere Magazine listed her as one the “Attorneys Who Matter” in the ethics & compliance area. She is a member of the Advisory Boards of the Rutgers University Center for Ethical Behavior and served as a member of the Board of Directors for the Institute for Practical Training from 2005-2008.

She resides in Northern Virginia and is a frequent speaker, writer and commentator on ethics and compliance topics. Mrs. Divers’ most recent publication is “Balancing Best Practices and Reality in Compliance,” published by Compliance Week in February 2015. In her spare time, she mentors veteran and university students and enjoys outdoor activities.

Categories
31 Days to More Effective Compliance Programs

Day 22 – Internal Reporting and Triaging Claims

The call, email, or tip comes into your office; an employee reports suspicious activity across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process, which will determine, in many instances, how the company will respond going forward. This is more than simply maintaining hotlines. Companies have to make real efforts to listen to employees. You need to have managers trained on handling employee concerns; they must be incentivized to take on this compliance responsibility, and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns. The Monaco Memo’s emphasis on internally detecting such actions and self-reporting makes this more important.

The reason is that a business’s employees are the company’s best source of information about what is going on in the company. It is certainly a best practice for a company to listen to its employees, particularly to help improve its processes and procedures. But more than listening to its employees, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale behind an anonymous reporting system within any organization. Both the U.S. Sentencing Guidelines and the Organization of Economic Cooperation and Development (OECD) Good Practices list as one of their components an anonymous reporting mechanism by which employees can report compliance and ethics violations. Of course, the Dodd-Frank Whistleblower provisions also heed the implementation of a hotline.

Given the number of ways that information about violations or potential violations can be communicated to government regulators, a robust triage system is an important way for a company to determine what resources to bring to bear on a compliance problem.

Jonathan Marks has articulated a five-stage triage process that allows for an early assessment of any allegations and a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, consider the types of evidence to review going forward. Finally, before selecting a triage solution, understand what tools are available, including forensic and human, to complete the investigation.

 Three key takeaways:

1. The DOJ and SEC put special emphasis on internal reporting lines.

2. Test your hotline regularly to make sure it is working.

3. Every claim should be triaged before starting an investigation.

Categories
Innovation in Compliance

Corporate Case Management in the Era of the DoJ’s Monaco Memo: Episode 1-A Speak-Up Culture

Welcome to a special podcast series, Corporate Case Management in the Era of the DoJ’s Monaco Memo, sponsored by i-Sight Software Solutions. Over this series, we detail the changes wrought by the Monaco Memo and how compliance professionals can respond to these new challenges. In this Part 1, we look at the role of a speak-up culture in responding to the DOJ changes set out in the Monaco Memo. Highlights include:

  • What did the Monaco Memo say about corporate culture?
  • What is a ‘speak-up culture?
  • How do we encourage and foster a speak-up culture?  
  • Why is setting expectations critical to creating and maintaining a speak-up culture?
  • How a speak-up culture can provide valuable compliance and business operations information.

For more information, check out i-Sight here.

Categories
Blog

Ethical Conduct Through Psychological Safety: Part 2 – Safety in the Middle

According to Juan Toribio, writing in MLB.com, Blake Grice waited patiently with his right hand raised for about two minutes to hear his name called inside the Dodgers’ interview room. When he was finally noticed, LA Dodgers star pitcher Clayton Kershaw asked “Whatcha got?” The 10-year-old related that his dying grandfather, Graham, had created a bucket list of things he still wanted to do, one of which was to meet Kershaw. Blake was credentialed by MLB to attend the Post-Game Press Conference and when he did, he dedicated the moment to his now deceased  grandfather.
As reported by Toribio, Blake told Kershaw ““My grandpa loved you. He watched the 1988 [World] Series and he wanted to meet you and Vin Scully one day. So this moment is important to me because I’m meeting you for him.” Before he finished telling Kershaw the story, Blake began to cry” and Kershaw responded by going over to Blake and consoling him with a hug. Kershaw the said to him, “Come here, dude, great to meet you. Thanks for telling me. That took a lot of courage to tell me that. Great to meet you. Your granddad sounded like an awesome guy. Thanks for coming up.””
With a nod of the (St. Louis Cardinals) hat to Tim Erblich for sending me this story, I thought it was a very good way to introduce Part 2 of my series on advancing ethical culture through psychological safety. This series is based on a recent article in the MIT Sloan Management Review, Summer edition, entitled “Fostering Ethical Conduct Through Psychological Safety” by Antoine Ferrère, Chris Rider, Baiba Renerte, and Amy Edmondson. The authors believe “there are a number of things organizations can do to make it more likely that people will speak up when they observe unethical behaviors.” But one key is psychological safety, defined by co-author Edmondson as “a shared belief held by members of a team that the team is safe for interpersonal risk-taking” — or, put another way, that “we can say what we think” or “be ourselves around here.” Today, we look at how to determine the state of psychological safety in your organization.
The authors’ research concluded that while many employees “said that they spoke up after witnessing perceived unethical behavior, a substantial minority said that they did not speak up.” The authors found that “those who felt less psychologically safe were significantly less likely to report those behaviors via channels where organizational leaders might act on them.” Conversely, employees “who felt the most psychologically safe were most likely to have reported the misconduct they observed. This held true even after taking into account a range of other psychological factors that could influence incident reporting, such as perceived levels of organizational justice, fairness, and trust. Psychological safety is therefore important for more than just team effectiveness and well-being; it may also be critical for forming strong ethical cultures where employees feel comfortable speaking up.”
Interestingly, the authors realize the non-siloed nature of psychologically safety at the workplace. They note that ethics, risk management, legal and compliance functions, plus Human Resources (HR) all share an interest in fostering such an environment. This mandates a cross-functional approach as an essential requirement of molding an organization’s culture to include psychological safety. The authors believe, “Managers throughout a company must become aware of the blind spots created by a psychologically unsafe environment, along with the associated risk of underreported misconduct.” They also caution that a formal program such as a reporting hotline “may capture only a fraction of the problematic behaviors that occur.” This leads the authors to posit that gauging psychological safety “may help companies determine whether misconduct is being reported and, in turn, enhance the effectiveness of their formal speak-up programs.”
After 15 years of the Department of Justice (DOJ) and other regulators talking about “tone at the top”; the authors credit that most organizations appear to have senior leadership that talks about ethics positively. They believe “CEOs emphasize that integrity is a core value of their organizations, and that point is reiterated in calls with shareholders and during employee town hall meetings.” Unfortunately, while this messaging is important, the research indicated “it is not sufficient to prevent the derailers of ethical conduct that occur deep within an organization.”
The authors recognize what compliance professionals have known for some time, that it is middle managers, and “not just official speak-up channels are often on the front lines when it comes to hearing about unethical behavior.” They found that 80% of employees who did report internally, went to their direct managers, who are almost always in middle management. This is because middle managers are the company leaders play who play the critical role in ensuring that an employee speaking up feels supported and heard. The authors noted, “Our data shows that how line managers act has a disproportionate impact on the way potentially unethical behavior is addressed within organizations.”
Unfortunately, simply because a middle manager may feel psychologically safe you must not assume that their direct reports feel the same way. Confirming the findings from the ECI Report of its 2021 Global Business Ethics Survey, “managers and senior leaders tend to feel more psychologically safe than their employees and have a more positive perception of their organization’s ethical climate than the rest of the workforce. When you put these two findings together it makes clear that the higher up in the organization you go, there may well be “an ethical blind spot. That makes the role of team managers even more important when it comes to fostering an environment conducive to both engaging in ethical behavior and talking about ethics in an open, constructive way.”
The authors also confirmed a greater problem which is that “in a global context, psychological safety is not uniform across nations.” Survey respondents from “the Americas and Europe tended to score higher on psychological safety than respondents from Asia.” This suggests to the authors that “the potential effectiveness of tailoring interventions that promote speaking up in order to address the specific circumstances of different groups of employees.” Moreover, “global organizations that seek to build psychological safety must assess its various region-specific drivers and derailers to adjust their activities to specific seniorities and cultures.”
Join us tomorrow in Part 3 where we consider why a company that does not have psychological safety throughout it can not only be so toxic but in serious danger as well.

Categories
31 Days to More Effective Compliance Programs

Day 22 | Internal reporting and triaging claims


The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward.
This scenario was driven home by the SEC in a 2015 FCPA enforcement action involving Mead Johnson Nutrition Company. In this enforcement action, the company performed two internal investigations into allegations that its Chinese business unit was engaged in conduct which violated the FCPA. Unfortunately, the first investigation, performed in 2011, did not turn up any evidence of FCPA violations. It was not until 2013, when the SEC made an inquiry to the company that it performed an adequate internal investigation which uncovered FCPA violations.
Internal reporting. The 2020 FCPA Resource Guide has as clear and concise a statement about hotlines as any other requirement found in Hallmarks of an Effective Compliance Program. It states: “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.”
Triaging claims. Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can determine what resources to bring to bear on a compliance problem.
Jonathan Marks has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, consider what will be the types of evidence to review going forward. Finally, before selecting a triage solution, understand what tools are available, including both forensic and human, to complete the investigation.
Finally, after you ascertain you have an effective reporting mechanism through your hotline and demonstrate you have a robust and properly scoped investigation protocol, you must use the information you receive to remediate any issues which may arise. It is not enough merely to show that a hotline exists, you must present the data it produces.
Three key takeaways:

  1. The DOJ and SEC put special emphasis on internal reporting lines.
  2. Test your hotline on a regular basis to make sure it is working.
  3. Have an investigation protocol in place before the call comes in so you will be ready to go and not required to scramble to create a protocol.
Categories
Innovation in Compliance

A Conversation with Convercent and StoneTurn: Asha Palmer on Internal Reporting


Welcome to a special five-part podcast series, A Conversation with Convercent and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Convercent and StoneTurn Group. Over the course of the series we will explore the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). We focus on investigations, data analytics, evaluating compliance programs, internal reporting and corporate culture. Participants in this podcast series include: Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE; Rex Homme, Michele Edwards, and Stephen Martin, all Partners at StoneTurn. In this second episode, we take a deep dive with Palmer into internal reporting.

Join us tomorrow, as Michele Edwards, Partner at StoneTurn details how to create an inventory of compliance metrics.

Resources

For more information on StoneTurn, check out their website, here.
For more information on Convercent, check out their website, here.

To download a copy of the  Convercent Interactive Self-Assessment based on the 2020 Update to the Evaluation of Corporate Compliance Programs, click here.