Section 2

Building Your Foundation

Implement What You Know with Confidence

Discover action-based tools that provide simple steps for program improvement or robust plans for new ways of doing business. 

Your ethics and compliance program is an ecosystem of moving parts. New laws and regulations, new lines of business, new geographies, mergers and acquisitions become part of a growing enterprise that your compliance ecosystem must support. 

Effective compliance programs are able to deftly navigate these complexities because they have built strong foundations that were developed with the nature of the compliance industry in mind.

This section will give you the expert advice and programmatic best practices to ensure the first steps you take to develop your program are in the right direction. Or if your program is more mature, these resources and insights will give you the necessary guidance to course correct and improve your program’s foundation at whichever stage it is in. 

 

How to Survive Internal Reporting System Scrutiny

Chapter 10 of The Worst-Case Scenario Survival Guide for Compliance Professionals

Ensure your internal reporting system passes the scrutiny of both regulators and employees. Review the 7 key requirements for a robust internal incident management system with Tom Fox. 

Tom Fox 05/03/2018

Your internal reporting system is a key mechanism to fully operationalize your compliance program and meet regulatory requirements. It is essential for obtaining information from employees about potential issues before they become full-blown culture issues or legal violations. An effective reporting mechanism also goes a long way toward engendering trust in your compliance program. This trust is what helps protect a company by motivating employees to use internal channels to report misconduct instead of approaching regulators such as the SEC.

Does your current internal reporting system pass the scrutiny of both regulators and employees? Let’s review some of the key requirements for a robust internal whistleblower hotline and incident management system.

How to Survive

1. Know the Bottom Line

The clearest statement on the requirement for an internal reporting mechanism is found in the 2012 FCPA Guidance, released jointly by the Justice Department and SEC. It stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” But it’s much more than simply meeting this legal requirement. A proactive reporting mechanism can help protect the company, as employees will use it to report issues.

An effective internal reporting system is a key best practice that benefits the credibility of your compliance program.

 

2. Honor Anonymity

Internal reporting must be truly anonymous for those who wish to remain unknown. You can still contact and speak directly with any whistleblower, but you must respect their confidentiality and not attempt to identify them. Attempts to determine the names of whistleblowers will be met with regulatory sanction and weaken your credibility as a compliance function.

Do not, I repeat, do not, allow your CEO or anyone else to investigate the identities of anonymous whistleblowers.   

 

3. Publicize Your Hotline

Take concrete steps to publicize your hotline. These steps require documentation so you can show the regulators first-hand when they come knocking. Moreover, clearly delineate the results of your publicity campaign. Are you getting hotline reports, anonymous reports or no reports at all? If issues are not being reported, this could be a key indicator that you need to publicize your internal reporting mechanism more aggressively. Make sure all the phone numbers work and that a mechanism exists for employees who may not have access to a phone or computer.

Get the word out and make absolutely sure the phone numbers work.