Because of worldwide laws, hotline-reporting programs are ubiquitous. But many fail because employees don't trust them. Here's how to ensure you have a quality system that concerned employees will use without fear of retribution.
James Nordgaard, head trader at Paradigm Capital Management, was concerned. He saw some potential securities law violations at the company, and he couldn't chalk it up to mistakes. On March 28, 2012, he made a whistleblower submission to the U.S. Securities and Exchange Commission (SEC) under the Dodd-Frank Act. And then on July 16, he notified the firm's founder and president plus the COO that he'd reported the violations to the SEC. That's when Nordgaard's troubles began.
On July 17, Paradigm told Nordgaard that it was temporarily relieving him of his day-to-day trading and supervisory responsibilities. The firm later reassigned him as a "compliance assistant" to investigate the very conduct he reported as a whistleblower to the SEC.
After the firm demoted Nordgaard, he worked some from home; Paradigm agreed to his request to use his personal email address for work business. But when he later sent a business report from his personal email account to Paradigm's CCO, the company told him that he'd violated the terms of his confidentiality agreement.
Nordgaard had had enough. He resigned on Aug. 17, 2012. On June 16, 2014, the SEC charged Paradigm and its owner with engaging in prohibited principal transactions and then retaliating against Nordgaard. The company agreed to pay $2.2 million to settle the charges. On April 28, 2015, the SEC announced a maximum whistleblower award payment of $600,000 to Nordgaard in the agency's first retaliation case.
(See
SEC Announces Award to Whistleblower in First Retaliation Case, April 28, 2015;
S.E.C. Fines Hedge Fund in Demotion of Whistle-Blowing Employee, by Alexandra Stevenson, The New York Times, June 16, 2014, ;
SEC Gives More Than $600,000 to Whistleblower in Retaliation Case, by Rachel Louise Ensign, The Wall Street Journal, April 28, 2015; and the
SEC's charges.)
When winning is losing
From the beginning of recorded history, whistleblowers have been subject to false allegations, retribution from management and supervisors, and even dismissal. Retaliation cases such as Nordgaard's give life to corporate phrases that haunt potential whistleblowers: "kill the messenger," "pick your battles" and "career-limiting moves." Still, whistleblowers are often driven by the motivation to do the right thing so they can sleep at night. And in the case of Paradigm, the law not only provided the whistleblower with support but also provided him with financial compensation.
Bribes, payoffs and kickbacks are often parts of doing business when corporate cultures are focused more on winning and hitting targets than operating ethically. Even more alarming is that organizations' cultures of silent complacency will often dissuade ethical employees who aren't directly involved in misconduct to not report problems.
Employees often ignore company hotlines because they witness top management's indifference to ethical business conduct. When employees see management retaliating against would-be whistleblowers, the message at the operational level is clear: Mind your own business, don't ask questions and keep your head down if you want to keep your job.
So when government investigations ensue and significant fines and penalties are later levied, executive management and the board ask, "Why didn't anyone report this sooner?" The answer is simple: The focus on "winning at all costs" locally results in a culture of noncompliance at all levels. An ethics hotline reporting system becomes meaningless when employees can't trust that local management will take appropriate action.
Today's guidance
The guidance and mandates for companies on hotline reporting programs are numerous, overlapping and broad. The U.S. Federal Sentencing Guidelines and Sarbanes-Oxley Act, plus international guidelines from the European Union, stock exchanges and even the United Nations deem reporting hotlines a necessary, good business practice.
The U.S. Dodd-Frank Act, enacted in July 2010, attempts to strengthen accountability specifically by providing protections for those who come forward as whistleblowers but also allows regulators to respond to misconduct through fines and legal actions.
While the goal of whistleblowing hotlines might be to identify and correct wrongdoing, they don't guarantee successful, effective and trustful programs.
Trust is the primary determining factor as to whether an employee will come forward with a concern. Management might try a quick-fix reaction to a messy investigation with more hotline posters or ask the CEO to use the word "compliance" in every presentation or meeting. But employees often view these ploys as mere window dressing.
Organizations can use hotline-reporting program metrics and call volumes to measure the overall usage, but the numbers don't always tell the full story. Low call volumes might indicate a lack of overall trust in the program and not that employees have few problems to report.
Why is trust so important?
Employees might view the reporting of concern via hotlines as potential "lose-lose" scenarios. If an employee chooses not to report, and an outside source later discovers misconduct, the organization might face both financial losses and reputational damage that it could have avoided.
However, if the employee does report, and the organization's culture of trust is lacking, he or she might face retaliation, including termination. The employee weighs these possibilities and decides that remaining gainfully employed is the better option.
According to the ACFE's 2016 Report to the Nations on Occupational Fraud and Abuse, 39.5 percent of identified frauds are initially reported by tips. This suggests that organizations operating ineffective hotline reporting programs risk failing to identify ongoing frauds. If employees don't feel comfortable reporting fraud and corruption concerns to the organization they simply won't.
Some whistleblowers have said they wished they'd never come forward. "Hell, no, I wouldn't do it again," said William Bush, an aerospace engineer in the National Aeronautics and Space Administration (NASA). "I ruined my life, my wife's life. And I wouldn't do it anonymously, either. There is no protection whatsoever," he said, referring to continual harassment and retaliation he received after whistleblowing on a private NASA directive.
(See
Whistleblowers: Who's the Real Bad Guy? by Barbara Ettorre, American Management Association, May 1, 1994.)
Employees' lack of trust in the reporting process also can create an unhealthy work environment and eventually result in organizational issues such as poor employee performance and motivation, employment lawsuits, legal and regulatory actions, loss of assets, external whistleblower complaints, poor customer perception or brand reputation, and high employee-turnover costs.
Top 10 factors leading to distrust
Organizations can try to purchase or fabricate employees' trust by deploying catchy phrases or slogans. However, from the time an employee reports a concern until the case is closed, an organization's reporting program must demonstrate confidentiality, professionalism and fairness. If an organization is continuously faced with external whistleblower reports or a lack of internal reporting by employees, management must consider where the process might be broken and why employees believe the hotline reporting process isn't trustworthy.
These factors often cause a hotline reporting process to be ineffective:
1. Employees don't understand the system
"Who answers the hotline number?" "Will they know that I filed a complaint if I file anonymously?" "Will they tell my boss that I reported a concern?" and "Where does my complaint go? And who reviews it?" These are just some of the questions employees might have. Doubt and uncertainty can impede an employee's decision to report a concern. The more information an organization can share about the program to increase transparency, the more likely an employee might be to come forward.
2. Inadequate resources and poor program design
Organizations demonstrate they value the reporting of concerns by spending money on well-designed hotline programs with professionally trained efficient responders and investigators, fully integrated case management systems and all of the necessary support tools and resources. Anything less will engender employee mistrust.
3. Lack of personalization of an employee's concern
Reporting a concern can be a very personal experience for an employee. The whistleblower might be a victim, have witnessed significant wrongdoing or be taking a personal chance by coming forward and doing the right thing. So if a concerned employee only hears a recorded message or an automated response (press "1" for …) on the first call, he or she (and colleagues) might view the whole program as machine-like and indifferent.
Qualified and experienced compliance or investigative professionals must immediately follow up on reported concerns. Concerned employees need support and reassurance that they've done the right thing, the organization will address their concerns and they'll be protected from retaliation. An organization can achieve this through a code of conduct that articulates the expectation of behavior, including ethics and compliance policies that communicate anti-retaliation commitments.
4. Improper handling and lack of training
Mishandling of complaints and poor training of hotline call takers and investigators can cause a (1) Type I reporting error, in which the organization conducts an inadequate investigation and rules that wrongdoing occurred when it didn't or a (2) Type II reporting error in which the organization fails to act or investigate when the concerned employee has credible information.
An example of a Type I error could be a human resources professional ruling that sexual harassment had taken place when it didn't. A Type II error could be an investigator who wasn't knowledgeable enough to understand a complaint of financial statement fraud and corruption yet ultimately closes the case for "insufficient information."
An organization can significantly reduce both of these error types and the associated risks when it includes skilled investigators early in the reporting process. Employees who experience mishandled complaints might share their dissatisfaction with colleagues.
5. Management involved in hotline
Because local frontline management are rarely trained as investigators, they shouldn't help determine if an employee concern has merit, is factual or warrants a full-fledged investigation. Local management might be the problem or — at the very least — might be complicit in allowing the concerns to occur or go unaddressed.
Local human resources professionals might also appear to employees to be closely aligned with management. They also might be inadequately trained and show bias or favoritism.
To ensure transparency, independence and objectivity, often it's most effective to use a third party to administer the hotline. (See "Six tips for building a trusted hotline reporting program and culture" below for more on outsourced programs.)
At the point when a concern becomes part of an investigation the organization can involve management, including internal audit, compliance/legal and human resources — depending on the type of complaint.
6. Too many reporting mechanisms
Hotlines should be the primary entry point for all concerns regardless of who reports them or how organizations identify them. Unfortunately, organizations who want to ease the process encourage employees to also alternatively report through email, web portal, in writing or in person to such departments or individuals as compliance, internal audit, legal, employee relations, safety, environmental, human resources, ombudsmen, ethics officers, supervisors and union steward. Confusing messages!
"Companies struggle to determine exactly who owns the proactive and reactive responses to fraud within their organizations," write Dan Torpey, CPA; and Mike Sherrod, CFE, CPA, in "Who owns fraud?" in the
January/February 2011 issue of Fraud Magazine. "Confusion can reign, causing a lack of trust in the proactive anti-fraud program for management and employees, a dangerous deficiency in sharing of knowledge, and inefficient responses to fraud," Torpey and Sherrod write.
Anybody but trained hotline department personnel might not understand detailed, multiple-risk elements ranging from a human resources issue to a potential financial statement fraud. While organizations may offer reporting mechanisms beyond just the centralized hotline — such as a web-based reporting platform for anonymous reporting — regardless of how concerns are submitted, a professional, centralized, clearly articulated program helps streamline reporting, increase communication and awareness, decrease confusion and build trust.
7. Too much emphasis on "credible" complaints
Employees file fictitious and malicious complaints against organizations and colleagues to fend off pending terminations, get others into trouble or retaliate for some perceived personal sleights. Unfortunately, hotline program workers have to respond to erroneous or malicious complaints.
Some organizations might attempt to reduce meritless complaints by communicating that employees should only report "credible" or "good faith" complaints. Other organizations might go a step further by saying that employees could be subject to disciplinary action for filing complaints that aren't credible. However, tactics like these — regardless of the trust level — might dissuade employees from reporting any concerns. "Credible" and "good faith" are subjective terms that management will evaluate.
Organizations' best approach is to encourage employees to report all issues with no hint of the risk of disciplinary action. If an organization feels a complaint is without merit, it can document and dismiss it after it performs limited diligence.
8. Obstacles of negative incidents and retaliation
When an employee is mistreated for following the organization's reporting policy, the hotline program can sustain severe damage to its credibility and viability as a safe and secure mechanism. The damage from mismanagement and reprisals — immortalized on the internet, in court records or public documents — can create a devastating silent "do not report" culture.
Organizations should communicate they have a zero tolerance policy for retaliation and will deal with it swiftly and publicly. They might need to conduct ongoing communications and awareness campaigns to make programs as transparent and trustworthy as possible especially if employees know about previous retaliations.
9. Inconsistent outcomes
Organizations must demonstrate that consistent and fair outcomes are routine regardless of people, relationships or scenarios. Employees will learn through the grapevine if the organization delivers fair and consistent discipline, regardless of how confidential the organization hides investigation outcomes. Of course, if employees view outcomes as fair, they'll feel more compelled to report concerns. (And the emphasis is on feel; these are emotional decisions for employees.) Employees know that inconsistency equals personal risk.
10. Actions speak louder than words
Employees critique, judge and evaluate what an organization says about its hotline- reporting program by what it does rather than what it says. Does it follow policies and procedures as designed? Does it really have a zero tolerance policy on retaliation? Are outcomes really consistent, fair and proportionate? Does it truly allow employees to report concerns anonymously?
Six tips for building a trusted hotline reporting program and culture
Organizations implement and maintain trusted hotline reporting programs differently depending on their sizes, cultures, geography and several other factors. And they must decide if they'll construct their hotlines in-house or outsource them.
Organizations find many benefits to outsourcing, from experience and expertise to the appearance of independence, which can increase employees' trust. Hotline providers' built-in frameworks allow 24/7 accessibility. And they normally offer services in many languages.
Smaller organizations might believe that insourcing is the lower-cost option. However, establishing an insourced program requires investment in hardware, software and personnel, among other costs.
As we say in factor No. 5 on page 35, whether an organization's hotline-reporting system is in-house or outsourced, management must remain independent and only should become involved if it begins an investigation.
Outside consultants, including fraud examiners, can help an organization devise a fraud examination plan and help implement continuous improvements from lessons learned as cases are resolved.
These tips, which build on the previous top 10 factors, can help:
- Training and awareness. Increased awareness of the program will help build employees' confidence in it. An organization should continually strive to help employees know how the hotline-reporting program works, why the organization believes in it, who operates it and why it's a critical part of the compliance culture. Organizations should include hotline frequently asked questions (FAQs) and answers in all employee new-hire and supervisor training.
- Ongoing communication. Communication about a hotline-reporting program, recent compliance issues and messages from management should be routine and commonplace.
- Accessibility. Information on a hotline program and how to report a concern should be within one click of the organization's intranet or external website. An organization should communicate program information in as many languages as necessary to provide coverage. Web-based reporting platforms should be available to facilitate anonymous reporting and allow for the inclusion of attachments.
- Transparency. Prominently display your organization's hotline-reporting and investigation process including the expertise and contact information of your trained investigators, what employees should expect, plus the organization's responsibilities to cooperate and protect against retaliation.
- Proficiency and objectivity. As we've written above in the top distrust factors, those who manage the hotline and investigation processes should be technically proficient, professional, well trained and experienced in handling reporting of concerns. The organization should also install adequate systems, processes and technologies to support the investigators and, ultimately, the employees. This includes conducting an in-depth and routine annual training program for the organization's investigative, legal, human resources and compliance staff.
- Assessment. Ongoing assessments should answer these questions:
- How do employees currently view the hotline-reporting program and corporate culture?
- Are the organization's investigation program and reporting structures properly designed?
- Are the ethics hotline policies, procedures and technology meeting the needs of the organization and the employees?
- Are investigations and the resulting disciplinary actions consistent with the organization's desired culture of compliance?
- Are independent reviews conducted by internal audit or external professionals with oversight by an audit committee?
- Are all complaints and resolutions disclosed to and discussed with the external auditors?
Trust, trust, trust
The Dodd-Frank Act pays awards to eligible whistleblowers who voluntarily provide the Securities and Exchange Commission (SEC) with original information that leads to a successful enforcement action yielding monetary sanctions of more than $1 million. The award amount is required to be between 10 percent and 30 percent of the total monetary sanctions collected in the SEC's action or any related action such as in a criminal case.
The table below shows the number of whistleblower tips received by the SEC's Office of the Whistleblower since the inception of the whistleblower program in 2011. (See the
2015 Annual Report to Congress on the Dodd-Frank Whistleblower Program.) As we can see, Dodd-Frank might encourage employees to bypass internal reporting processes.
FY11* |
FY12 |
FY13 |
FY14 |
FY15 |
334 |
3,001 |
2,328 |
3,620 |
3,923 |
* Because the whistleblower rules became effective Aug. 12, 2011, only seven weeks of whistleblower data is available for fiscal year 2011.
During fiscal year 2015, the SEC's Office of the Whistleblower received almost 4,000 concerns — the most since the program's introduction. From fiscal year 2012 — the first year for which full-year data was available — to fiscal year 2015 the number of whistleblower tips received by the SEC has grown by more than 30 percent. So it's in an organization's best interests for employees to first report internally within quality whistleblowing programs they can trust.
Most employees want to do the right thing, and organizations need to do what they can to help support and encourage employees to report. Failures in employee reporting today can result in significant operational and reputational hurdles tomorrow. If you use these recommended tips to strengthen your program they could help place your organization in a position where it never has to ask itself the question, "Why didn't anyone call before?"
The views expressed here are those of the authors and aren't necessarily the views of Ernst & Young LLP, EY or other EY member firms.
Ryan C. Hubbs, CFE, CIA, CCEP, PHR, CCSA, is a senior manager, fraud investigation and dispute services at Ernst & Young LLP. He has more than 15 years of experience, has conducted hundreds of corporate investigations and thousands of employee interviews in cases involving human resources concerns; health, safety and environmental events; compliance violations; and fraud and corruption. His email address is: Ryan.Hubbs@ey.com.
Julia B. Kniesche, CFE, CPA, ACAMS, is a senior manager, fraud investigation and dispute services at Ernst & Young LLP. She has more than nine years of experience advising clients on complex issues related to financial, economic and accounting matters. Kniesche has served large corporations, special committees, law firms and governmental entities in conducting forensic accounting investigations and risk assessments and advising on dispute matters relating to fraud and corruption. Her email address is: Julia.Kniesche@ey.com.