Tuesday, January 26, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Compliance

Keeping Your Whistleblower Hotline Alive

by Ron Kral
November 16, 2018
in Compliance, Fraud
red landline phone hanging on dark background

Ideas to Maximize Hotline Effectiveness

It could be a good sign if the phones aren’t ringing at your organization’s hotline – or it could be indicative of a failing ethics and compliance program. Ron Kral discusses how to maintain a successful hotline program.

Is your whistleblower hotline alive or dying a slow death? Whether it’s an effort to jumpstart your hotline program or simply to harvest ideas for continuous improvement, you will want to keep reading.

It’s been 15 years since Rule 10A-3 of the Exchange Act directed the NYSE, Nasdaq and other national securities exchanges and associations to require a listed company’s audit committee to establish formal procedures for addressing complaints thanks to the Sarbanes-Oxley Act. Specifically, listed public company audit committees were required to establish procedures for the receipt, retention and treatment of complaints regarding accounting, internal accounting controls or auditing matters on a confidential and anonymous basis. Thus, the whistleblower hotline trend was born.

Of course, many other organizations voluntarily jumped on the whistleblower hotline trend, and rightfully so. Surveys by the Association of Certified Fraud Examiners have historically concluded that tips are by far the leading detection method of occupational fraud.[1] While hotlines have long proved to be effective, too many organizations put this effort on cruise control rather than looking for opportunities to maximize value of their hotline investment.

Necessary Ingredients

A worthy organizational objective is to position the hotline so that people use it upon seeing or suspecting inappropriate or fraudulent activity, such as asset misappropriation, corruption or financial statement fraud. While there are many components to a successful hotline program, here are some key ones:

Scope

Clearly define the intended uses of the hotline. Do you want tips on just accounting, internal accounting controls or auditing matters? Or do you also want tips on other types of occupational fraud, such as asset misappropriation and corruption? Will you encourage tips on ethical violations, noncompliance issues, safety matters or sexual harassment claims through the hotline? Clearly defining the desired scope of the hotline is essential in providing potential tipsters a sound understanding of its use and a basis for promoting it. The scope should align with organizational objectives and risks.

See More Articles About Whistleblowing

Hotline Name

Do not underestimate the power of a name. Simply defaulting in calling your hotline a whistleblower, ethics, compliance or fraud hotline without giving it some serious thought can hurt efforts. Naming conventions are important and will vary depending on the industry, organizational culture and hotline scope. Pick a name that will resonate with the audience and reflect well on your hotline objectives. For example, if the hotline scope centers on occupational fraud, calling it a “fraud hotline” reinforces this intention. Otherwise, referring to it as a “whistleblower hotline” has a wider connotation of reporting any kind of information or activity that is deemed illegal, unethical or not correct per organizational policies and procedures.

Training and Awareness

Ongoing education, messaging and marketing efforts are critical to help ensure that people understand the purpose of the hotline, as well as when and how to use it. It all begins with a well-crafted hotline policy conveying the purpose, scope, policy statements and reporting procedures. The hotline policy then serves as a basis for training and awareness efforts.

Internal training efforts should cover the hotline scope and process for new employees, as well as for continuing employees through refresher training. Oftentimes this training can be folded in with other periodic training on conflict of interest, confidentiality, ethics, fraud, cybersecurity awareness, social media, sexual harassment policy, etc. It is important that potential callers understand the hotline objectives, what constitutes an appropriate call and the process. Without this clear understanding, the hotline can quickly morph into a “gripe line” as people use it for purposes well beyond intended uses. For many hotline programs a majority of calls received are not on target with the hotline scope, thus suggesting that additional training is needed.

Executives, managers and supervisors need to take advantage of opportunities to promote the correct usage of the hotline through all-staff meetings, written communications, business meetings and supervisory interactions. Do not fall into the mindset that it only needs to be included in the code of conduct to be effective. Instead, organizations should design and implement an awareness campaign from multiple sources and mediums.

Consider Inviting Third Parties to Use the Hotline

Inviting customers, vendors and other stakeholder groups to use the hotline can be beneficial. They can be in a unique position to report potential employee fraud as they may be solicited by an employee for ill intent. While extending the hotline to non-employee groups often makes sense, you also need to be careful that your awareness campaign differentiates the hotline purpose from routine customer service and vendor relation communications.

Instill Trust into the Process

There is a tendency for people not to come forward due to a fear of retaliation or concern that they may look uninformed or have a bias. If tipsters don’t feel that the organization offers a safe place to raise concerns, they may forego reporting the potential fraud or seek alternatives to reporting the fraud internally, such as reporting the fraud to a federal government whistleblower program that provides monetary incentives.

As a result, having an anonymous reporting component – coupled with a strong no-retaliation policy that is enforced – is essential. In addition, utilizing a third-party hotline provider to administer the reporting program should enhance the trust level. Entrusting the report follow-up process to an independent department, such as internal audit, will also help bolster trust. Finally, for complaints involving senior management, it is prudent to also route them to independent directors.

Timely Investigations and Follow Up

Any hotline process is doomed to failure if there is not timely follow up. Callers need to be comfortable that their concerns will be heard and acted upon in a confidential manner. A responsive hotline process must have a clear escalation and dissemination plan, followed by a robust decision-making process for potential further investigation. In all cases, follow-up is suggested with the tipster to either apprise them of next steps for an investigation or educate them on the proper use of the hotline if the tip is found not to be consistent with its scope. Of course, this can be difficult for the anonymous caller. Anonymous tipsters can either opt for no follow-up contact or subsequently contact the hotline to check in on status using a unique identification number of their original complaint. Response protocol and timeliness often determines the overall success of the hotline program.

Integrate the Hotline Process with a Compliance Program

Keep in mind that a hotline process is simply one important element to an effective corporate compliance and ethics program as defined by U.S. Federal Sentencing Guidelines. Refer to Integrating a Compliance & Ethics Program with a Control Framework for a previous article on these Guidelines.

Metrics, Benchmarking and Resources

Like any business process, the hotline program needs to be periodically assessed. Once clear hotline objectives are defined, harvest hotline metrics to gauge performance, such as:

  • Complaints per period
  • Average number of complaints per employee
  • Complaints by location or division
  • Complaints by claim type
  • Percent of anonymous complaints
  • Reports of retaliation
  • Average cost per complaint
  • Percent of complaints substantiated
  • Percent of complaints investigated
  • Length of time to investigate and close reports
  • Changes in complaints received after new awareness efforts

These metrics can then be compared to benchmarking data obtained from your third-party hotline vendor or other industry sources. A high volume of hotline calls compared to industry peers may indicate that the organization is experiencing significant fraud and potentially has an ineffective compliance and ethics program. Or, it could suggest that:

  • the hotline is working as planned,
  • the compliance and ethics training program is effective,
  • there is greater awareness and increased trust in the organization’s hotline program and
  • the board of directors and management are setting the proper tone in reinforcing internal reporting mechanisms (including the hotline) and ethical culture.

Conversely, hotline silence (i.e., a low volume of calls as compared to peers) may not necessarily imply that unethical or unlawful conduct is not occurring but, to the contrary, may be indicative of inadequate hotline awareness and an overall ineffective corporate compliance and ethics program.

As ethics and compliance programs mature, hotline metrics should be part of an organization’s scorecard to demonstrate performance. Hotline data can also be an important consideration for allocating resources, including for investigations. An organization’s metrics and benchmarking data should assist in combating fraud more proactively. When done correctly, the hotline, in conjunction with a comprehensive compliance and ethics program, will strengthen the organization’s culture.

Conclusion

Don’t simply assume that your hotline is working as intended, especially if you have a low volume of activity. Evaluate it, measure it, compare it and bring it to life!


This is an article from the Governance Issues™ Newsletter, Volume 2018, Number 3, published on November 1, 2018

[1] For the latest study refer to page 17 of the Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse, published by the Association of Certified Fraud Examiners. Go to http://www.acfe.com/report-to-the-nations/2018/ to download report.


Tags: whistleblowing
Previous Post

RPA: First Steps to Greater Internal Audit Efficiency

Next Post

FDA Regulation of Medical Device Advertising and Promotion

Ron Kral

Ron Kral (CPA, CMA, CGMA) is a partner of Kral Ussery LLC, a public accounting firm delivering advisory services, litigation support and internal audits. He serves public and private companies to protect and grow shareholder value, as well as nonprofits and governments on internal controls to combat errors and fraud. Ron has worked with hundreds of clients as a public accountant offering robust solutions on accounting, auditing, controls, ethics, anti-fraud programs, governance and SEC regulatory matters. Prior to forming a predecessor firm to KU in 2003, he was a general manager for a large technology company traded on the NYSE. Ron was also a principal consultant with PwC leading operational audits and internal control projects. He began his public accounting career with a California CPA firm as a financial auditor and was responsible for signing audit opinions upon becoming managing director of the firm’s Orange County office. Ron launched his career as a performance auditor with the California State Auditor. Ron is a highly rated speaker and facilitator, including for COSO’s Internal Control Certification Program for the AICPA. He also served on FEI’s working group for the development of COSO’s 2013 control framework and is a member of four of the five COSO-sponsoring organizations: the AICPA, FEI, IIA and IMA. Ron holds an MBA from Arizona State University and a BBA from the University of Wisconsin-Madison. He can be reached at www.linkedin.com/in/ronkral.    

Related Posts

illustration of mafia man in silhouette with red tie

The Mafia’s Jackpot: How Criminal Organizations are Profiting from COVID-19

January 22, 2021
illustration of videoconference, screen and speech bubbles

New Risks as COVID-19 Forces Rapid Technology Adoption

January 21, 2021
hand showing three fingers on gray background

A Culture of Compliance: The 3 R’s

January 19, 2021
2021 with light bulb in place of zero on orange background

Why 2021 is a Fresh Start for Compliance Training

January 18, 2021
Next Post
FDA Regulation of Medical Device Advertising and Promotion

FDA Regulation of Medical Device Advertising and Promotion

Access realtime data
Dynamic Risk Assessments with Workiva

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence fcpa enforcement actions financial crime GDPR GRC HIPAA information security internal audit KYC/know your customer machine learning monitoring regtech reputation risk risk assessment Sanctions SEC social media risk supply chain technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights