As the saying goes, an ounce of prevention’s worth a pound of cure. Whether statutorily mandated or not, whistleblower programs can help companies prevent major ethical or legal breaches before they occur. LRN’s Susan Divers shares insights about building or strengthening whistleblower programs in light of the SEC’s eye-popping $268 million award.
Organizations talk a lot about corporate culture — and rightly so. They often showcase their appealing working environment, nurturing approach to career progression, commitment to DEI or their green credentials as part of their values and ethos. All of this is commendable, but it’s equally important how they root out and deal with serious problems that might occur.
What happens if fraud or other misconduct is committed internally? How easy is it to report bad behavior and how is it investigated and resolved? What about retaliation against employees or others who raise issues? Failing to fully and adequately investigate and remediate misconduct can be costly as such problems typically don’t resolve themselves — and usually grow worse. The answers to these questions are the critical measure of an organization’s character and demonstrate the robustness of its governance as well as determine its compliance with regulatory requirements in many instances.
In the wake of the Enron scandal and subsequent banking crisis, whistleblower programs became requirements in many regulated industries. The Sarbanes-Oxley Act of 2002 (SOX) requires publicly traded companies to establish whistleblower programs for accounting and auditing matters that allow for anonymous, confidential reporting and prohibit retaliation.
Other laws and regulations, particularly in the government contracting and healthcare sectors, can also require fraud and abuse reporting mechanisms. And some European countries prohibit anonymous reporting channels — a legacy of WWII collaboration — so check with local law requirements as well.
Following SOX, the Dodd-Frank Act of 2010 required the SEC to establish a whistleblower program that rewards those who bring forward valid and previously unreported allegations about violations of the securities laws. Successful whistleblowers can recover from 10% to 30% of the money collected when the SEC and other agencies impose sanctions of more than $1 million.
In May 2023, the highest award in the SEC’s whistleblower program history — nearly $279 million — was paid to a single whistleblower. This award was reportedly related to Ericsson’s $1.1 billion FCPA settlement with the DOJ and the SEC in 2019. Though the SEC did not provide substantive information about the case or the whistleblower, the SEC noted, “While the whistleblower’s information did not prompt the opening of the Commission’s investigation, their information expanded the scope of misconduct charged.”
Despite its passage nearly four years ago, the EU’s whistleblower directive has yet to be adopted by many European Union member nations. Despite this, many organizations — and their compliance teams — have worked to revise their whistleblower policies or implement fresh ones in accordance with the EU’s guidance.Read more
Companies that are not specifically required by regulation to have a whistleblower program nonetheless frequently implement one in the form of a confidential, anonymous hotline as part of their ethics and compliance program.
Misconduct scandals undermine the trust of key stakeholders such as staff or customers, potentially leading to an exodus of talent or a loss of business. Identifying red flags at the earliest possible opportunity and dealing effectively with them can prevent major compliance scandals later.
Many problems can start off as mistakes, such as inaccurate record-keeping or accidental breaches of process. These can turn into something much more serious over time if left unattended. A good hotline/reporting system can act as a supplement to internal audit assurance activities and, if used creatively, provide insight into the issues that employees on the front lines are encountering, even if they do not amount to misconduct per se.
So, what does good look like?
- Broad approach: In the wake of the pandemic, companies with high-performing ethics and compliance programs have expanded their internal hotlines into helplines that welcome questions, queries or observations that don’t rise to the level of misconduct but may be an indication that something is amiss at an early stage or that an employee needs guidance. For example, suggestions or pressure from a client to fudge health and safety testing conducted on their products could lead to serious misconduct if not addressed. Encouraging employees or third parties to come forward with concerns is a best practice, as not everyone can conclusively identify misconduct. LRN’s annual E&C program effectiveness report found that 42% of the E&C professionals we surveyed had either expanded their hotlines into helplines or set up a separate one.
- Broad inputs: Data from the Ethisphere Institute in 2019 and from the Ethics and Compliance Initiative in the past three years indicates that hotlines capture 5% or less of misconduct allegations, with the majority of such reports being made to managers or human resource professionals. This means that hotline data can be seriously incomplete and not reflective of the main concerns of employees. Many companies have incorporated concerns and complaints raised to managers or others in the company into hotline data and obtained significantly more meaningful analytics as a result.
- Ease of access: Hotlines or helplines should invite employees to share their concerns and be multi-channel to ensure they are easily accessible, including dedicated phone numbers, email addresses, translation capability, webpages or an online reporting tool for 24/7 accessibility. Instructions and training on how to use these should be simple and easy to follow and in local languages.
- Transparency: It’s important to demystify the hotline and other E&C programs as much as possible so everyone knows what to expect. It is important to communicate details of how to report — what the process entails, retaliation protections, and timelines for investigation and resolution of complaints — to staff regularly. “Speak Up, Listen Up and Resolve” campaigns are a good way to get the message across that it is part of an employee’s duty to report issues of concern, even if they don’t have all the facts or a clear picture.
- Training: Training is essential at all levels. Staff need to know how to spot misconduct as well as how to report it and be aware of how important tackling it is to the company’s culture and compliance requirements. Managers need to know how to encourage their team to speak up, what their obligations are if someone reports an issue to them, what steps to take next, what an investigation might look like and how to support whistleblowers.
The reality is that organizations that operate successful whistleblower programs detect fraudulent activities far more quickly: in a year on average, compared to 18 months for those that don’t. Having such a program in place underpins a culture of ethics and trust, which is central to sustainable business success. Indeed, the LRN “Benchmark of Ethical Culture” study found that companies with the strongest ethical cultures outperform by around 40% across all measures of business performance, including customer satisfaction, staff loyalty, innovation and growth.
Creating a robust response to fraud and misconduct through well-thought-out whistleblower programs demonstrates a clear commitment to organizational justice and good corporate governance. Everyone has a part to play and, if done well, people, profits and brand reputation will all be better protected.