The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward.
This scenario was driven home by the SEC in a 2015 FCPA enforcement action involving Mead Johnson Nutrition Company. In this enforcement action, the company performed two internal investigations into allegations that its Chinese business unit was engaged in conduct which violated the FCPA. Unfortunately, the first investigation, performed in 2011, did not turn up any evidence of FCPA violations. It was not until 2013, when the SEC made an inquiry to the company that it performed an adequate internal investigation which uncovered FCPA violations.
Internal reporting. The 2012 FCPA Guidance has as clear and concise a statement about hotlines as any other requirement found in Ten Hallmarks of an Effective Compliance Program. It stated: An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.
In the Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance), it stated:
Another hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct. Prosecutors should assess whether the company’s complaint-handling process includes pro-active measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers. Prosecutors should also assess the company’s processes for handling investigations of such complaints, including the routing of complaints to proper personnel, timely completion of thorough investigations, and appropriate follow-up and discipline.
The 2019 Guidance then poses the following questions: Effectiveness of the Reporting Mechanism – Does the company have an anonymous reporting mechanism, and, if not, why not? How is the reporting mechanism publicized to the company’s employees? Has it been used? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?
All of this means more than simply maintaining hotlines. Companies have to make real efforts to listen to employees. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.
The reason is that a business’s own employees are a company’s best source of information about what is going on in the company. It is certainly a best practice for a company to listen to its own employees, particularly to help improve its processes and procedures. But more than listening to its employees, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale behind an anonymous reporting system within any organization. Both the U.S. Sentencing Guidelines and the Organization of Economic Cooperation and Development (OECD) Good Practices list as one of their components an anonymous reporting mechanism by which employees can report compliance and ethics violations. Of course, the Dodd-Frank Whistleblower provisions also give heed to the implementation of a hotline.
What are some of the best practices for a hotline? Start with the following:
- Your reporting mechanism can be easily accessed by your entire employee base. This may require more than one tool, such as telephone report, internet reporting and other mechanisms.
- There must be a manner to make reports anonymously if the reporter so desires.
- You must have a protocol or mechanism to take any reports up the chain if they warrant being heightened within the organization.
- There must be a sufficient follow up protocol to make sure any reported events receive the warranted attention. There should also be a way to keep the incident reporter informed as to the progress of the matter within your investigative protocol.
- There should be multiple levels of review within your organization on reports which come into your organization. This would include senior compliance department staff, senior company management and up to the Board of Directors.
In this area is that of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.
After your investigation is complete, the Fair Process Doctrine demands that any discipline must not only be administered fairly but it must be administered uniformly across the company for a violation of any compliance policy. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.
Triaging claims. Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can determine what resources to bring to bear on a compliance problem.
Jonathan Marks, a partner at Baker & Tilly, has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, consider what will be the types of evidence to consider going forward. Finally, before selecting a triage solution, understand what tools are available, including both forensic and human, to complete the investigation.
Marks’ five-stage process for early assessments are as follows:
- Stage 1. These consist of allegations that have a low threat level and do not suggest a breakdown of internal controls. Tips that get grouped into this stage do not have a financial or reputational impact.
- Stage 2. These allegations are more serious in nature, and often indicate some deficiency in the design of internal controls. Examples include business rule violations such as recurring employee theft or patterns of falsifying expense reports.
- Stage 3. These allegations are serious in nature, generally involve an override of internal controls, and thus are at a minimum a serious deficiency. But they have only a minimal impact on the financial statements or the company’s reputation. More serious allegations in this category include fraud, embezzlement, and bribery involving employees or mid-level management.
- Stage 4. These are serious allegations that could have an impact on the completeness and accuracy of the audited financial statements, and that could indicate a material weakness in internal controls. These reports do not involve any member of the senior management team.
- Stage 5. These are serious allegations that involve one or more members of the senior management team or are serious enough to damage the company’s reputation. The receipt of allegations in this stage usually place the company into crisis management mode and could result in the restatement of audited financial statements or added regulatory scrutiny.
Finally, after you ascertain you have an effective reporting mechanism through your hotline and demonstrate you have a robust and properly scoped investigation protocol, you must use the information you receive to remediate any issues which may arise. It is not enough merely to show that a hotline exists, you must present the data it produces.
Three key takeaways:
- The DOJ and SEC put special emphasis on internal reporting lines.
- Test your hotline on a regular basis to make sure it is working.
- Have a triage protocol in place before the call comes in so you will be ready to go and not required to scramble to create a protocol.