The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe through your internal reporting mechanism. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward.
The 2012 FCPA Guidance had as clear, concise and short a statement about hotlines as any other requirement found in Ten Hallmarks of an Effective Compliance Program. It stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.”
The Evaluation reinforced this language with the following found under Prong 7, Confidential Reporting and Investigation, Effectiveness of the Reporting Mechanism – How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?
But more than simply hotlines, companies have to make real efforts to listen to employees. But you must spend time working on this issue. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.
What are some of the best practices for a hotline? I would suggest that you start with at least the following:
- Availability-your reporting mechanism can be easily accessed by your entire employee base. This may require more than one tool, such as telephone report, internet reporting and other mechanisms.
- Anonymity-there must be a manner to make reports anonymously if the reporter so desires.
- Escalation-you must have a protocol or mechanism to take any reports up the chain if they warrant being heightened within the organization.
- Follow-Up-there must be a sufficient follow up protocol to make sure any reported events is receiving the warranted attention. There should also be a way to deep the incident reporter informed as to the progress of the matter within your investigative protocol.
- Oversight-there should levels of review within your organization on reports which come into your organization. This would include senior compliance department staff, senior company management and up to the Board of Directors.
In this area is that of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.
Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on a compliance problem. One of the things that this is important in making an initial determination of whether to bring in outside counsel to head up an investigation. It is also important in a determination of the resources that you may want or need to commit to a problem. You literally need to “kick the tires” of any allegations or information so that you know the circumstances in front of you before you make the decision going forward. You can do this through a robust triage process.
Jonathan Marks, a partner at Marcum LLP has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, what will be the types of evidence you will need to consider going forward. Finally, before selecting a triage solution you should understand what tools are available, including both forensic and human, to complete the investigation.
Three Key Takeaways
- The DOJ and SEC put special emphasis on internal reporting lines.
- Test your hotline on a regular basis to make sure it is working.
- Have an investigation protocol in place before the call comes in so you will be ready to go and not required to scramble to create a protocol.
Having both a robust internal reporting system and triage of such reports is critical in a best practices compliance program.Click to tweet
As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.