Keeping Your Whistleblower Hotline Alive

Ideas to Maximize Hotline Effectiveness

It could be a good sign if the phones aren’t ringing at your organization’s hotline – or it could be indicative of a failing ethics and compliance program. Ron Kral discusses how to maintain a successful hotline program.

Is your whistleblower hotline alive or dying a slow death? Whether it’s an effort to jumpstart your hotline program or simply to harvest ideas for continuous improvement, you will want to keep reading.

It’s been 15 years since Rule 10A-3 of the Exchange Act directed the NYSE, Nasdaq and other national securities exchanges and associations to require a listed company’s audit committee to establish formal procedures for addressing complaints thanks to the Sarbanes-Oxley Act. Specifically, listed public company audit committees were required to establish procedures for the receipt, retention and treatment of complaints regarding accounting, internal accounting controls or auditing matters on a confidential and anonymous basis. Thus, the whistleblower hotline trend was born.

Of course, many other organizations voluntarily jumped on the whistleblower hotline trend, and rightfully so. Surveys by the Association of Certified Fraud Examiners have historically concluded that tips are by far the leading detection method of occupational fraud.[1] While hotlines have long proved to be effective, too many organizations put this effort on cruise control rather than looking for opportunities to maximize value of their hotline investment.

Necessary Ingredients

A worthy organizational objective is to position the hotline so that people use it upon seeing or suspecting inappropriate or fraudulent activity, such as asset misappropriation, corruption or financial statement fraud. While there are many components to a successful hotline program, here are some key ones:

Scope

Clearly define the intended uses of the hotline. Do you want tips on just accounting, internal accounting controls or auditing matters? Or do you also want tips on other types of occupational fraud, such as asset misappropriation and corruption? Will you encourage tips on ethical violations, noncompliance issues, safety matters or sexual harassment claims through the hotline? Clearly defining the desired scope of the hotline is essential in providing potential tipsters a sound understanding of its use and a basis for promoting it. The scope should align with organizational objectives and risks.

Hotline Name

Do not underestimate the power of a name. Simply defaulting in calling your hotline a whistleblower, ethics, compliance or fraud hotline without giving it some serious thought can hurt efforts. Naming conventions are important and will vary depending on the industry, organizational culture and hotline scope. Pick a name that will resonate with the audience and reflect well on your hotline objectives. For example, if the hotline scope centers on occupational fraud, calling it a “fraud hotline” reinforces this intention. Otherwise, referring to it as a “whistleblower hotline” has a wider connotation of reporting any kind of information or activity that is deemed illegal, unethical or not correct per organizational policies and procedures.

Training and Awareness

Ongoing education, messaging and marketing efforts are critical to help ensure that people understand the purpose of the hotline, as well as when and how to use it. It all begins with a well-crafted hotline policy conveying the purpose, scope, policy statements and reporting procedures. The hotline policy then serves as a basis for training and awareness efforts.

Internal training efforts should cover the hotline scope and process for new employees, as well as for continuing employees through refresher training. Oftentimes this training can be folded in with other periodic training on conflict of interest, confidentiality, ethics, fraud, cybersecurity awareness, social media, sexual harassment policy, etc. It is important that potential callers understand the hotline objectives, what constitutes an appropriate call and the process. Without this clear understanding, the hotline can quickly morph into a “gripe line” as people use it for purposes well beyond intended uses. For many hotline programs a majority of calls received are not on target with the hotline scope, thus suggesting that additional training is needed.

Executives, managers and supervisors need to take advantage of opportunities to promote the correct usage of the hotline through all-staff meetings, written communications, business meetings and supervisory interactions. Do not fall into the mindset that it only needs to be included in the code of conduct to be effective. Instead, organizations should design and implement an awareness campaign from multiple sources and mediums.

Consider Inviting Third Parties to Use the Hotline

Inviting customers, vendors and other stakeholder groups to use the hotline can be beneficial. They can be in a unique position to report potential employee fraud as they may be solicited by an employee for ill intent. While extending the hotline to non-employee groups often makes sense, you also need to be careful that your awareness campaign differentiates the hotline purpose from routine customer service and vendor relation communications.

Instill Trust into the Process

There is a tendency for people not to come forward due to a fear of retaliation or concern that they may look uninformed or have a bias. If tipsters don’t feel that the organization offers a safe place to raise concerns, they may forego reporting the potential fraud or seek alternatives to reporting the fraud internally, such as reporting the fraud to a federal government whistleblower program that provides monetary incentives.

As a result, having an anonymous reporting component – coupled with a strong no-retaliation policy that is enforced – is essential. In addition, utilizing a third-party hotline provider to administer the reporting program should enhance the trust level. Entrusting the report follow-up process to an independent department, such as internal audit, will also help bolster trust. Finally, for complaints involving senior management, it is prudent to also route them to independent directors.

Timely Investigations and Follow Up

Any hotline process is doomed to failure if there is not timely follow up. Callers need to be comfortable that their concerns will be heard and acted upon in a confidential manner. A responsive hotline process must have a clear escalation and dissemination plan, followed by a robust decision-making process for potential further investigation. In all cases, follow-up is suggested with the tipster to either apprise them of next steps for an investigation or educate them on the proper use of the hotline if the tip is found not to be consistent with its scope. Of course, this can be difficult for the anonymous caller. Anonymous tipsters can either opt for no follow-up contact or subsequently contact the hotline to check in on status using a unique identification number of their original complaint. Response protocol and timeliness often determines the overall success of the hotline program.

Integrate the Hotline Process with a Compliance Program

Keep in mind that a hotline process is simply one important element to an effective corporate compliance and ethics program as defined by U.S. Federal Sentencing Guidelines. Refer to Integrating a Compliance & Ethics Program with a Control Framework for a previous article on these Guidelines.

Metrics, Benchmarking and Resources

Like any business process, the hotline program needs to be periodically assessed. Once clear hotline objectives are defined, harvest hotline metrics to gauge performance, such as:

• Complaints per period
• Average number of complaints per employee
• Complaints by location or division
• Complaints by claim type
• Percent of anonymous complaints
• Reports of retaliation
• Average cost per complaint
• Percent of complaints substantiated
• Percent of complaints investigated
• Length of time to investigate and close reports
• Changes in complaints received after new awareness efforts

These metrics can then be compared to benchmarking data obtained from your third-party hotline vendor or other industry sources. A high volume of hotline calls compared to industry peers may indicate that the organization is experiencing significant fraud and potentially has an ineffective compliance and ethics program. Or, it could suggest that:

• the hotline is working as planned,
• the compliance and ethics training program is effective,
• there is greater awareness and increased trust in the organization’s hotline program and
• the board of directors and management are setting the proper tone in reinforcing internal reporting mechanisms (including the hotline) and ethical culture.

Conversely, hotline silence (i.e., a low volume of calls as compared to peers) may not necessarily imply that unethical or unlawful conduct is not occurring but, to the contrary, may be indicative of inadequate hotline awareness and an overall ineffective corporate compliance and ethics program.

As ethics and compliance programs mature, hotline metrics should be part of an organization’s scorecard to demonstrate performance. Hotline data can also be an important consideration for allocating resources, including for investigations. An organization’s metrics and benchmarking data should assist in combating fraud more proactively. When done correctly, the hotline, in conjunction with a comprehensive compliance and ethics program, will strengthen the organization’s culture.

Conclusion

Don’t simply assume that your hotline is working as intended, especially if you have a low volume of activity. Evaluate it, measure it, compare it and bring it to life!

---

This is an article from the Governance Issues™ Newsletter, Volume 2018, Number 3, published on November 1, 2018

[1] For the latest study refer to page 17 of the Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse, published by the Association of Certified Fraud Examiners. Go to http://www.acfe.com/report-to-the-nations/2018/ to download report.