By: Carrie Penman
Chief Risk & Compliance Officer, NAVEX Global
Many compliance officers over the years have wished for the day when what we do is at the forefront of public conversation — a day when people everywhere were eager to talk about the importance of rooting out misconduct and how to do that job well.
Well, thanks to an anonymous whistleblower report regarding a phone call between the White House and the president of the Ukraine, we now have that moment. Every news channel is scrolling the word “whistleblower” at the bottom of their screen. It’s not quite what I expected, but compliance officers would be remiss not to contemplate what’s happening here, and the consequences for whistleblowing generally.
No matter your politics, we are witnessing the whistleblower process (or as I prefer to call it, internal reporting process) at the highest level of public scrutiny. Everywhere we turn, conversations are happening about the value of anonymous reporting, disclosing the name of the reporter, approaches to investigations, and protection from retaliation.
These conversations are bound to make an impression on would-be internal reporters and we as compliance officers should expect that what is already a frightening situation for internal reporters to cause even more angst.
There is no doubt that many potential reporters are thinking more carefully about if, when and how they would report misconduct. They will seek to protect their interests — career mobility, personal reputation, financial assets — more fully. Some might decide to report anonymously; others might go to the other extreme and take their concerns to the biggest public platform they can find. Some won’t report at all and will just quietly leave our organizations. This is the time to review and strengthen our own processes.
Preserve & Protect
Now more than ever, compliance officers, executive teams and boards of directors must think more about how to support an internal reporter, even at the “mechanical” level of protecting their identity. After all, for most reporters, that will be the most important thing. I have often said that just because the reporter gives you their name, doesn’t mean you should share it beyond the investigator. More care needs to be taken here.
I can’t help but recall a report from the Government Accountability Office published earlier this year that reviewed whistleblower protections within the Department of Defense. That report talked extensively about missteps in restricting access to reports — who could see what information, hand-offs of reports from one branch of the military to another that exposed reporters’ identities, and so forth.
And as with many things that organizations don’t do well, governments step in with more regulations. The changes to the Corporations Act in Australia for example, enhanced requirements to protect a whistleblower’s identity during and following a disclosure AND increased penalties for corporations (up to $1 million) for disclosing a whistleblower’s identity or causing detriment to a whistleblower.
Compliance officers need to seal up those cracks in the internal reporting system. We also need to remember the larger objective in doing that: to make internal reporting systems more resilient to management pressure, and therefore more trusted by would-be reporters.
In fact, if there’s any one word that keeps coming to my mind, it’s that: resilient. Compliance officers need to nurture systems that are resilient to pressure, since internal reporters can face enormous pressure to stay silent, recant, or take their concerns elsewhere. It’s our job to thwart that pressure.
Another way to look at this might be to ask how we can keep the moment for internal reporting moving forward, because it has moved forward over the years, even if sometimes at a slow pace. (Then again, when you consider the #MeToo movement, some types of internal reporting have moved forward rapidly.)
Compliance officers have no idea how this Ukraine whistleblower case will be resolved. But we can do two things: watch the forces that this case unleashes on whistleblowing overall; and work to protect our own internal reporting efforts from any potential damage.
About NAVEX Global, Inc.
NAVEX Global is the worldwide leader in integrated risk and compliance management software and services. Trusted by more than 14,500 customers, our solutions help organizations manage risk, address complex regulatory compliance requirements and foster an ethical, highly productive workplace culture.