EFFECTIVE WHISTLEBLOWER PROGRAMMES AND THEIR IMPACT ON ETHICS, CULTURE AND CONDUCT
RISK & COMPLIANCE MAGAZINE
OCT-DEC 2017 ISSUE
RC: Could you provide an insight into why it is important for companies to include a whistleblower programme as part of their corporate governance efforts? Has it become a key part of promoting good ethics, culture and conduct?
Qureshi: A whistleblower programme is best practice and regulators expect companies to have one. Moreover, it is in the company’s interest to encourage staff, by providing them with a clear mechanism and promise of safe harbour, to raise issues internally first, before going to a regulator or the press. It is an important element of a well-rounded compliance programme. Getting good intelligence from staff who are trained to spot issues and encouraged to be the company’s eyes and ears allows the board to address issues internally at an early stage before they escalate, or turn into external investigations, and also to plug gaps in the corporate compliance programme that may be identified by the issues in question.
Stone: Establishing well-functioning whistleblower procedures is critical to creating a record of issues that are raised and a process for the organisation to involve counsel and compliance teams, as well as internal or outside investigators to establish the facts, and understand the gravity of the issue. External counsel can also help advise on how to respond once the fact-gathering process is complete. Without a proper procedure in place, organisations often do not have internal resources familiar with dealing with a whistleblower issue. Those who do respond are often not trained in reacting to complaints, managing and investigating complaints, particularly where the issue involves allegations of fraud or corruption, and effectively addressing the issues raised.
Penman: Whistleblower programmes are no longer just a best practice for effective corporate governance – they are a standard practice. Ultimately, your whistleblower programme is the last internal stop for reporters before they take their issue outside the organisation to a regulator or attorney. Aside from protecting organisations from the financial and reputational cost of external reports, effective whistleblower programmes encourage and nurture a true ‘speak-up’ culture. They provide a confidential place for employees to clarify policy or discuss concerns. This gives compliance professionals a chance to provide guidance before a poor decision is made. With a healthy speak-up culture, a whistleblower programme can provide early warning signs of problem areas percolating within an organisation.
Kolster: Promoting an ethical culture in a company requires implementing a programme with several key elements. Some of these elements include: clear, simple and widely communicated company values, policies and procedures; promoting the right message at all levels of the organisation, as well as providing appropriate training for employees, suppliers and partners in order to set clear expectations; establishing an independent team to conduct investigations; application of consistent discipline in cases of a violation of the law or the company’s policies and procedures; and establishing appropriate channels to report any wrongdoing. A company’s whistleblower programme plays a key role in ensuring reporters feel confident they may report wrongdoing without the fear of retaliation. A company’s ethics programme relies on its employees trusting this process, that the issues they report will be investigated and that the company will apply appropriate discipline at all levels of the organisation.
Harned: The biggest risk an organisation faces is the perpetuation of an environment where employees do not come forward to make management aware of wrongdoing that is taking place. Employees are often aware when violations occur, yet they will be hesitant to report if they do not feel both encouraged and protected for doing so. A whistleblower programme is critical if employees are going to report. A good programme consists of a well-published ‘help line’, adequate training for managers to receive and respond to reports, systems for fair and timely investigations and protection against retaliation for employees who report. Taken together, these efforts help to build a ‘speak up culture’ in an organisation, which is a central part of promoting good ethics and conduct.
RC: To what extent has there been an uptick in the number of employees reporting wrongdoing in recent years? What does this tell us about corporate culture today?
Stone: The US Securities and Exchange Commission (SEC) monetary awards to whistleblowers in 2016 were greater than several previous years put together. Similarly, IRS awards increased substantially in 2016. Numerous countries’ authorities, for example, the Financial Conduct Authority (FCA) in the UK, are increasingly regulating and enforcing compliance obligations. Such increases in awards in the US and regulatory activity in other countries are clear indications of the importance of effective internal compliance programmes and how companies respond to complaints. The information and assistance whistleblowers provide the regulatory authorities have a material impact on the enforcement initiatives. For the organisation, data obtained from the system itself can also be an early warning system if there is systemic weakness in the compliance programme.
Penman: Globally, the rate of reporting has been rising steadily over the last five to seven years. In EMEA and APAC specifically, internal reporting doubled from 2015 to 2016, establishing a new median of 0.4 reports per 100 employees, according our Global 2017 EMEA & APAC Whistleblower Hotline Benchmark Report. While this is a significant increase, it is still far below the global median of 1.4 reports per 100 employees. This increase, however, suggests that EMEA and APAC based organisations will likely continue to see an increase in reporting volumes similar to what we are seeing globally. Both internal and external factors will continue to influence EMEA and APAC reporting rates and corporate cultures.
Kolster: If an employee does something wrong, whether it is illegal or unethical, it is desirable for a company to discover it through its own internal channels. This allows the organisation to conduct an internal investigation and take appropriate remedial actions, including the implementation of additional controls to prevent future misconduct. Doing so promotes good ethics and a positive corporate culture. Many companies have strengthened their internal ethics procedures over the last few years. As a result, these companies encourage their employees to report wrongdoing through internal channels. It is difficult to generalise whether there has been an uptick in the number of employees blowing the whistle because the number may vary, depending on the company, industry and culture. The legal framework reinforced by the Dodd-Frank Act in the US provides incentives to whistleblowers in certain cases.
Harned: In the US, employee reporting has increased over time. But so, too, has retaliation against the employees who came forward to management to raise concerns. The good news is that reporting has increased because managers are doing a better job of encouraging reporting, and ethical cultures are strengthening as a result. Where there is a strong culture, employees are more likely to feel safe raising concerns. The bad news is that retaliation and reporting tend to rise and fall together. That is why we have seen an increase with regard to that metric, too.
Qureshi: In the UK, there are laws in place to protect whistleblowers to encourage issues to be brought to light. As firms have established more sophisticated internal procedures and compliance programmes to meet legal risks – under the UK Bribery Act – and regulatory requirements, these have equipped employees to spot issues and encouraged them to report concerns, which is exactly what is supposed to happen. Many cases arise from internal reporting of concerns. In my experience, there is more internal reporting than ever before. As a result, there has been an increase in whistleblower issues and some high-profile cases generated by whistleblower reporting. This, in turn, has created a virtuous circle where corporates are increasingly aware of the risks, and cost, of weak compliance systems and are, within resource limitations, seeking regularly to update and improve their controls.
RC: What do you consider to be among the most significant legal and regulatory developments associated with whistleblowing in recent years? What impact has the US Securities and Exchange Commission’s (SEC) Whistleblower Programme, for example, had on the nature and frequency of corporate whistleblowing?
Penman: The SEC Whistleblower Programme has had a significant influence on the nature and frequency of corporate whistleblowing on accounting and fraud matters. While paying a bounty for tips on governmental fraud, waste and abuse of government funds has been around for decades in the US, the SEC programme has captured the attention of employees, business partners and plaintiff attorneys looking to represent whistleblowers in these lawsuits. The publication of large pay-outs – in the millions of dollars – is bringing in tips to the SEC from around the globe. This programme has also allowed exceptions for compliance officers and audit professionals to collect bounties.
Kolster: The Dodd-Frank Act and the US Department of Justice’s efforts to promote self-disclosure of potential Foreign Corrupt Practices Act (FCPA) violations have both been significant. The Dodd-Frank Act created reporting incentives in the form of a whistleblower bounty programme, which may entitle a whistleblower to a percentage of the total collected by the SEC related to a violation. There has been coverage in the news about activity in that area. The US Sentencing Guidelines have long provided that self-disclosure, among other actions, has a mitigating impact on penalties imposed for FCPA, and other criminal, violations. The recent FCPA Enforcement Pilot Programme, established by the Criminal Division of the US Department of Justice, provides greater transparency about what is required from companies who seek to mitigate the effects of an FCPA violation: voluntary self-disclosure, full cooperation and remediation.
Qureshi: Many jurisdictions are increasingly active. A key development is the creation of statutory protections for whistleblowers and, of course, new criminal laws like the UK Bribery Act and Criminal Finances Act that place greater risk on corporates where they do not have effective compliance controls in place to prevent wrongdoing in the first place. Taken together, these changes have driven real change in corporate culture. FCA-regulated firms are subject to additional requirements to ensure the protection of whistleblowers, including the need to have a senior level whistleblower champion. These protections have now been extended to UK branches of foreign banks. There have also been various recent cases in the English courts, upholding legal protections for whistleblowers, including a recent case finding non-executive directors jointly and severally liable for significant damages for wrongful dismissal of a whistleblower.
Harned: Without question, the most influential legal and regulatory effort that influenced whistleblowing was the Sarbanes-Oxley Act (SOX). SOX mandated that all public companies have a confidential and anonymous methodology for the receipt, review and resolution of issues of misconduct. There have been other follow-on regulations and requirements, including SEC, Dodd-Frank, PIDA, J-SOX and others, that have made important contributions as well, mostly for their efforts to refine, or in some cases expand, the initial requirements set forth in SOX. SABIN II was recently passed in France which dramatically expanded the availability of ‘help line’ reporting, including strict penalties for retaliation.
Stone: US regulators, through various legislation and programmes, and the SEC is just one example, combined with extraterritorial assertions of US jurisdiction and enforcement of US legislation, have had a material impact on international practice. In response, regulators in certain countries have become increasingly aggressive in promulgating and enforcing compliance legislation. This means that regulatory authorities are working in tandem and investigations and issues often involve multiple jurisdictions. Whether it is fraud regulators in the UK, securities regulators in France or new legislation in the UAE and South Africa, corporates now need to be able to respond to issues on a global basis.
RC: What legal obligations might companies need to meet in regard to whistleblowing? What penalties might they face in the event of non-compliance?
Kolster: Avoiding retaliation and maintaining requisite standards for anonymous reporting channels are among the most critical aspects of a whistleblower programme. Companies must ensure they have robust protections in place to avoid retaliation against reporters. Accordingly, adverse employment actions must not be taken against employees engaged in what are defined as protected activities. Companies should ensure they fully understand the scope of protected activities and what is considered adverse employment actions, and review their training programmes for adequacy in this area. Additionally, corporations that fail to maintain established standards to allow anonymous reporting channels may be subject to serious consequences. Companies should regularly review their reporting programmes to ensure they are meeting these requirements.
Harned: The primary requirements for a whistleblower system are quite simple. A programme must be readily accessible 24 hours a day, 365 days a week. It must be localised as appropriate, secure and designed to protect the identity of the reporter. It must also provide for reporter feedback even if they are anonymous and the retention of the data received retained in accordance with policy or regulatory guidelines. The most dangerous areas of penalty remain related to retaliation and qui tam awards. Retaliation claims continue to rise in America via the US Equal Employment Opportunity Commission (EEOC). According to EEOC statistics, 2016 retaliation claims resulted in monetary payouts totalling $180m. Qui tam awards are available to individuals who voluntarily provide original information to the SEC that results in a successful enforcement action in which the SEC obtains sanctions totalling more than $1m. According to the SEC’s Annual Report to Congress, qui tam awards to whistleblowers exceeded $57m in 2016.
Stone: In addition to legal obligations relating to compliance and whistleblower programmes which vary by country and by business sector, an organisation faced with allegations of misconduct should carefully investigate the matter to determine all relevant facts. By doing so, a proper analysis of other obligations can be made, for example under contracts, internal policies or applicable regulations. Failing to understand the facts can cause the organisation to respond in violation of its obligations or to take actions which increase the risk of liability. If appropriately structured, for example considering legal issues specifically applicable to the investigation itself, such as labour law, data protection and blocking statues, an internal investigation by inside or outside professionals can be critical, not only to addressing the issue but also in establishing the organisation’s good faith response, from both a legal and reputation perspective.
Qureshi: The legal obligations vary by country and fall into at least three categories: disclosure, procedures and protections. In the UK, while there is no general duty to report issues, senior managers may have fiduciary obligations that require disclosure. There may also be obligations imposed by contract on employees. Further, if the company is in a regulated sector, there are internal reporting obligations and duties to report to regulatory authorities in certain circumstances. With respect to procedures, in the regulated sectors there are often specific requirements regarding whistleblower procedures and wider obligations to have effective internal controls. Various legislation includes actual or quasi-obligations as well. Finally, protection: UK law protects whistleblowers who act in accordance with the legislation, which now includes that they must act in the public interest. An organisation or senior managers can face significant claims for failing to protect whistleblowers.
RC: To what extent is there a risk that individuals will bypass internal whistleblower programmes and report their concerns directly to regulators? How can companies avoid this scenario, and ensure that their own whistleblowing programmes are seen to be effective and usable?
Stone: Avoiding reporting to third-party regulators by whistleblowers and preserving the opportunity to self-report has material advantages from a legal perspective. Establishing what has happened, including whether the whistleblower’s allegation has merit, as there often are frivolous claims, and what to self-report, is critical. Misrepresentations when self-reporting can create a new set of issues. Further, there are time constraints on when self-reporting should occur to gain maximum benefit. Delaying the investigation and therefore self-reporting could result in a whistleblower reporting directly to the regulator. The voluntary nature and advantage of the self-report then might be lost. Once the decision to self-report has been made, it is essential to ensure that any report provided to regulators has sufficient information and is accurate. Managing a good whistleblower procedure and conducting a prompt and proper investigation allows the organisation to determine if there is an issue at all, and if so, allowing the opportunity to self-report, which can go a long way to avoiding a damaging and costly investigation.
Qureshi: There is always a risk that staff will report externally instead of, or in addition to, internal reporting. Where there is a US nexus, the risk posed by the SEC rewards programme for reporting wrongdoing, for example, clearly may impact on what an individual may do. However, the more the company can show its commitment to dealing with reported concerns appropriately through policies and actions, the more likely that staff will follow the internal mechanisms. It is not my experience generally that staff who report concerns want to harm the company, quite the opposite – they report matters because they care about the company and want to see issues dealt with. Having clear procedures that give staff comfort that their concerns will be listened to and that they will not face recrimination for reporting in good faith are a key driver for encouraging internal reporting.
Harned: There is always a risk that an employee will go outside of an organisation to report violations; however, that risk is small. The leading reason that employees go to an outside source, such as an enforcement agency, is that the problem has been allowed to persist, and employees feel they need to get help. They will also report externally if they have experienced retaliation for having raised concerns to management. Importantly, the vast majority of employees who report outside of their organisation have reported the concern internally first. They become frustrated because their report was either ignored, or no action was taken. The potential for financial reward is the last reason that employees report externally. Employees are often aware that it is a difficult process to receive a qui tam reward. As a result, if an organisation works to establish a strong ethical culture that is supported by the executive management team, they will encourage more internal reporting.
Penman: Whether or not an employee reports internally depends heavily on organisational culture. Has an organisation put in the time and resources necessary to drive a speak-up culture? Does leadership really want employees to raise issues or do they consider these concerns to be a nuisance? Avoiding external reporting requires not only an effective internal whistleblower programme, but also a positive view of that programme from the perspective of the employee base. First, fears of retaliation need to be addressed head-on. Retaliation includes formal removal from a position, of course, but also more subtle retaliation, such as reduced responsibilities, heightened quotas or any other detrimental job alterations.
Kolster: Bypassing the internal reporting mechanisms and reporting concerns to regulators may happen in all organisations and at all levels. This may be more common in companies that have not been able to show an authentic willingness to act ethically and demonstrate a consistent approach to how internal investigations are conducted, and how discipline is applied. A quick response to the concerns raised through the whistleblowing programme, by acknowledging the allegation and communicating the fact that the matter is being reviewed, is key to ensuring a sense of corporate justice. Collecting as many details as possible from the reporter about the alleged wrongdoing is important to understand the allegation clearly and helps to demonstrate the honest intention to investigate the concern. Finally, the company should ensure there is a method whereby the reporter is able to communicate additional facts that may surface later.
RC: What overall advice would you give to companies on implementing an effective whistleblowing programme? What considerations should be made to enhance company ethics, culture and conduct? Further, what role should the board and C-suite play in this context?
Harned: We recently concluded research to learn more about ways companies can develop a ‘speak up’ culture. There are third-party vendors that will support companies in their efforts to establish whistleblower programmes, and most are very cost-effective. But a help line system is not enough. We also learned that visibility of executive management and their encouragement to employees to ‘speak up’ is critical. Additionally, supervisors must be well-versed in recognising and responding to reports of wrongdoing. Boards and executives must recognise that the whistleblowing system results in less than 7 percent of all incidents reported. All too often, boards and senior leaders only ask about statistics around reports that come in through this channel. They do not press management to provide insight into all areas of concerns that are brought forward. Senior leaders and directors should be briefed on all reports that are made, through formal systems and through more informal mechanisms of reports made to management.
Qureshi: Companies should seek out and listen to the concerns of staff around reporting issues, as part of the risk assessment process, so that these can be taken into account when developing the programme. This may indicate that certain approaches will be more or less effective in some business units or countries than others. For the programme itself, key elements will include: clear, short and non-legal drafting of the policy; committing to protecting those who report in good faith, but not otherwise – you do not want to promise protection to those who misuse it for some other purpose; allowing staff to report anonymously and outside normal line management, or even to a third-party reporting provider; effective embedding through training; and through management championing the approach. Beyond the policy, management need to ensure, through regular review of management information, that the programme is working, that people are using it and that concerns are being investigated and addressed.
Penman: Strong incident management programmes offer multiple reporting channels conducive to the various reporting preferences of employees. The best programmes track and document all reports in a centralised system. Helpline and web intake forms are essential, and should be automated. But programmes also need to track and manage reports made via email, mail, fax, and especially, in person. These in-person reports offer the best opportunity for organisations to manage incidents and spot trends of brewing problems. When in person, employees can be asked clarifying questions to provide more context for reports. In these situations, the employee has also identified themselves and can therefore be followed up with in confidentiality if necessary.
Kolster: There are a number of critical elements that need to be present in order for a whistleblower programme to be effective. Everything starts with the right tone and actions from the company’s leaders, including the board and the C-suite, which will shape the culture and promote trust in the company’s internal disciplinary system. Employees at all levels should have easy access to multiple reporting mechanisms, allowing them the possibility to make anonymous reports. Reporters expect immediate feedback to acknowledge receipt of their concerns, and the organisation must assure them that there will be no retaliation against them. They may also benefit from having the possibility to communicate additional information, if it becomes available in the future. The investigation process should be conducted independently, avoiding any appearance of conflict. A consistent approach to disciplinary actions, no matter who is involved in the wrongdoing, will foster trust in the process.
Stone: In addition to following good international practice, with respect to a whistleblower programme, the ‘tone from the top’ – a company should foster a culture of compliance and one where employees are not fearful of retaliation if they report issues or concerns, conducting a proper investigation of the conduct reported by the whistleblower is critical. All reports of misconduct do not necessarily require a comprehensive investigation and reporting to authorities, but each complaint must be taken seriously and the whistleblower should know that. The approach will depend on the relevant countries, the individuals involved and the type of business. However, once an investigation is to be conducted, by an internal team or an external investigator, the investigators should be experienced and relevant internal employees must be properly trained. The information obtained should be carefully handled and described to allow its use by management. The team should be sufficiently large to handle the workload and allegations should be carefully diligenced for accuracy.
RC: How do you expect whistleblowing practices to evolve in the months and years to come? Will companies continue to build their programmes with an eye on ethics, culture and conduct?
Qureshi: Legal protections for whistleblowers will almost certainly continue developing and being strengthened. It is hard to predict whether reward programmes like those in the US will gain wider traction – certainly many countries will not be attracted to this approach. The FCA has recently indicated it has no plans to introduce any incentive programme for whistleblowers. However, compliance is an ongoing process and so one can expect that, like all compliance initiatives, whistleblower programmes will become more sophisticated in well-run companies, through constant learning and evaluation of incidents and real-life examples, as well as from publicly disclosed issues in other businesses from which all can learn. This will likely trickle-down to smaller businesses and those in jurisdictions with less developed compliance climates, to help bring up the base level of protection and practice in this area.
Penman: There are many aspects of corporate governance that are built on compliance – whistleblowing is one that leans heavily on ethics. This includes the ethics we embody as an organisation and the ethics we ask our employees to bring to their jobs. We expect, and hope, that whistleblower programmes will continue to focus on the human element of the reporting process; that is, the employee. We would encourage all organisations to think about the employees who raise issues as employee reporters and not brand them with the label ‘whistleblower’, which we all know has a very negative connotation. Further, strong reporting systems and processes protect both the accused and the accuser equally. All parties deserve to be treated with dignity and respect.
Kolster: We see whistleblowing practices evolving with technology. Companies want to allow employees and partners to communicate concerns and report wrongdoing in an easy way, and advancements in technology and communication should play an important role, related to ease of reporting. Channels such as internal social networks, company ‘chats’ and other e-groups, intranets and so on, should be designed to promote internal reporting and communication of ethical concerns. Additionally, we expect board members and C-suite leaders to continue to focus on actively speaking up to promote an ethical culture. They will likely be delivering messages about achieving good financial results, while making it very clear that they need to be achieved legally and ethically.
Stone: Whistleblowing practices have evolved quickly in recent years and the trend should continue as more countries introduce legislation and pursue enforcement. Various factors could materially impact such an increase, such as an increase in awards or other tools to promote whistleblowing by regulatory authorities in jurisdictions other than the US. For example, in addition to the leniency programme in competition matters in the EU, which makes a prompt and thorough investigation of misconduct essential, this year the EU launched a new encrypted tool to allow individuals to anonymously report competition violations. The EU’s introduction of this tool was followed by the UK launching an advertising campaign on its competition whistleblower programme which offers up to £100,000 awards.
Harned: Given the increased use of smart phones and other devices, it is likely that whistleblower programmes will increasingly evolve to make use of these and other artificial intelligence devices to receive reports. At the same time, however, we know from research and also from real world examples that a focus on ethics and culture is essential if employees are going to raise concerns, regardless of the mechanism that is available for them to utilise. The challenge of technology is that while it connects people together, it also changes the way we relate to each other. Ethics and culture require leadership, communication and a direct personal connection between employees and management. Therefore, the need for leaders to bolster their efforts to build and sustain a strong ethical culture will only increase over time, especially as technology makes it easier and easier for people to feel less of a sense of connectedness, in a personal way, with their company.
Chief Compliance Officer and Senior Vice President, Advisory Services
T: +1 (971) 250 4100
Carrie Penman is the chief compliance officer of NAVEX Global and senior vice president, Advisory Services. She has been with NAVEX Global since 2003 after serving four years as deputy director of the Ethics and Compliance Officer Association (ECOA). Ms Penman was one of the earliest ethics officers in the US. She is a scientist who developed and directed the first corporate-wide global ethics programme at Westinghouse Electric Corporation.
T: +44 (0) 20 7367 2573
Omar Qureshi is a partner in the disputes group at CMS in London. He advises clients on corporate investigations, compliance and commercial disputes, often involving allegations of fraud, money laundering and corruption. He also assists clients in handling investigations by, and negotiating resolutions with, authorities and multilateral development banks. His current caseload includes defending a corporate in criminal proceedings under the Bribery Act and investigating allegations of insider dealing related to a listed company.
Dr Patricia Harned
Chief Executive Officer
Ethics & Compliance Initiative (ECI)
T: +1 (571) 480 4422
Dr Patricia Harned is chief executive officer of the Ethics & Compliance Initiative (ECI). Dr Harned oversees all of ECI’s strategy and operations and also directs outreach efforts to policymakers and federal enforcement agencies in Washington, DC. Additionally, Dr Harned speaks and writes frequently as an expert on ethics in the workplace, corporate governance and global integrity, and advises senior leaders on effective ways to build an ethical culture and promote integrity in organisational activities.
Managing Director EMEA
Nardello & Co.
T: +44 (0) 20 7079 5900
Martin Stone is an experienced investigator, political analyst, author and fluent Arabic speaker. Mr Stone directs the firm’s anti-corruption, due diligence and asset searching projects in Europe and the Middle East. He also brings more than 20 years of expertise managing complex multi-jurisdictional investigations and conducting political and country risk analysis for law firms, financial companies and corporations.
Vice President, Chief Ethics & Compliance Officer - Latin America and Africa
T: +1 (479) 268 8634
Luis Kolster is the chief ethics & compliance officer for Latin America and Africa for Walmart International. In his role, he leads the implementation and execution of Walmart’s ethics & compliance programme, including anti-corruption, ethics and other compliance subject matter areas, in 22 of countries outside the US. Prior to Walmart, Mr Kolster spent over 12 years with Schlumberger, a leading supplier of technology and services for customers in the oil and gas industry.
About NAVEX Global, Inc.
NAVEX Global’s comprehensive suite of ethics and compliance software, content and services helps organizations protect their people, reputation and bottom line. Trusted by 95 of the FORTUNE 100 and more than 12,500 clients, our solutions are informed by the largest ethics and compliance community in the world.