Corporate compliance officers already know that retaliation against whistleblowers is a significant problem, and violation of anti-retaliation statutes is a significant risk. The magnitude of the retaliation problem is outlined ECI’s Global Business Ethics Survey. It finds that 44 percent of employees experienced retaliation after reporting wrongdoing of some kind — up from 22 percent in 2013.
At the same time, however, employees typically don’t report retaliation via internal hotlines. According to the upcoming 2019 Hotline and Incident Management Benchmark Report, only 1.18 percent of internal reports were complaints about retaliation.
44% of employees experienced retaliation after reporting wrongdoing of some kind — but only 1.18% of internal reports were complaints about retaliation.
The specific reasons why employees don’t report retaliation via internal hotlines might vary, but we can draw one broad conclusion: employees don’t trust that system. They are afraid to raise retaliation concerns with the ethics & compliance function.
Well, why? And what could compliance officers do to strengthen that trust, so that employees are more comfortable reporting retaliation concerns through the internal hotline?
Lessons from the Department of Defense on Anti-Retaliation Protocols & Procedures
Luckily the Government Accountability Office (GAO) just published a report on whistleblower operations at the largest organization of all: the Defense Department (DoD).
The DoD has more than 3.3 million employees in total (civilians and armed services), with five separate inspector general offices that field more than 12,000 whistleblower concerns every year. So whatever whistleblower challenges your compliance function might have, the DoD has more.
What did the GAO find? Consider these excerpts from the summary:
- “DoD guidance for protecting whistleblowers who report internal misconduct does not specify key steps investigators should take to protect confidentiality, such as not identifying complainants during interviews with case subjects.”
- “[T]he Air Force IG’s application did not restrict users from other DoD components from viewing Air Force IG case descriptions and complainant identities.”
- “Employees in Marine Corps IG offices were able to see whistleblower cases assigned to other IG offices without a need to know.”
- “Additional steps are needed to restrict access to case information in order to mitigate ongoing risks to whistleblower confidentiality.”
These findings tell us that many obstacles to internal reporting of retaliation aren’t about tone at the top or executive messaging. Plenty of obstacles are weaknesses in the nuts-and-bolts handling of internal complaints.
For any complaint at all, his or her biggest fear is losing anonymity, therefore exposing the whistleblower to retaliation.
More precisely, these are weaknesses “at the border,” where an internal report might be handed off from one person to another: from triage team to investigator, from investigator to outside counsel, and so forth. That is a moment where weaknesses in policy, procedure, access control, or training might leave a whistleblower’s identity exposed to people who don’t need to know it.
Consider things from the whistleblower’s perspective. For any complaint at all, his or her biggest fear is losing anonymity, therefore exposing the whistleblower to retaliation. When the complaint is about retaliation itself, that fear is all the larger, because discovery will make the offender retaliate even more.
Cracks in Your System Often Form Around Middle Management
So let’s be honest. Your most pressing problem probably isn’t a CEO who sets a terrible, “pro-retaliation” tone at the top. Those executives are rare. The true problem — the thing whistleblowers fear — is a mid-level executive who hears a company’s lofty anti-retaliation message and then disregards it anyway, because he or she wants to stifle that pesky whistleblower.
In that case, the questions become: What safeguards do you have in place to keep whistleblower identity confidential? What are your investigation protocols to assure reporter confidentiality as complaints “cross the border” from one compliance, audit, or investigations employee to another? How do you shield a whistleblower’s identity from those who might want to use that knowledge for retaliation purposes?
The ideal would be a closed-loop process, where reports of retaliation work their way through an investigation on a need-to-know basis.
Of course that’s easy to say in the abstract. Here in the real world, compliance officers need to think long and hard about their internal reporting procedures — probing them, gaming out scenarios of how information could leak, reviewing policy and training so everyone involved in handling complaints understands the “exposure risk” and what steps to take to reduce it.
(As an aside, this is yet another example of why internal audit should be the compliance officer’s best friend, since they know how to do this. That’s one reason why the GAO audited the DoD systems.)
The closer we can get to that closed-loop ideal, the more whistleblowers will trust that the system works. The risk of exposure and retaliation will fall, so the fear of retaliation will (eventually, but perhaps not immediately) recede.
And then, maybe, we can tackle retaliation more skillfully, and start pushing those retaliation survey numbers back down.