The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond. This chapter will provide you with the steps you will need to consider going forward.

This chapter will detail the two parts; internal reporting and investigations. It would seem axiomatic that organizations understand the benefits of having an internal reporting system, whether it is called a hotline, helpline or something else. Just as plainly, a company should understand the need for effective investigations after a report comes in which might lead to a potential violation.

The 2012 FCPA Guidance stated the following on internal reporting, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” That was it. This simple introduction was expanded upon in the 2019 Guidance, in the section entitled, “D. Confidential Reporting Structure and Investigation Process” with the following language, “Another hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct. Prosecutors should assess whether the company’s complaint-handling process includes pro-active measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers.

Moreover, internal reporting systems are clear indicia of a working, operationalized compliance program. The 2019 Guidance went on to state, “Confidential reporting mechanisms are highly probative of whether a company has “established corporate governance mechanisms that can effectively detect and prevent misconduct.”  (an effectively working compliance program will have in place, and have publicized, “a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation”).

Effectiveness of the Reporting Mechanism How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information? 

Many of the largest corporate scandals, such as Enron and WorldCom in the first decade of this century on to Wells Fargo and others in this decade, had instances of whistleblowers who came forward. Yet for reasons still not fully clear, these companies did not investigation these allegations which would have information both senior management and the Board of Directors that something was seriously amiss. Dr. Kyle Welch, Assistant Professor at George Washington University (GWU), in his paper entitled “Evidence on the Use and Efficacy of Internal Whistleblowing Systems” he noted that while individual whistleblower reports can help on one issue, when they are aggregated a compliance professional can garner insight into both larger and broader issues. He stated, “what the whistleblower system does is give you a sense of your visibility to those problems. It enables managers to get a window into the problems.” Put another way, “Is this indicative of a firm that actually or just discovering more about things that they don’t know?”

It is well recognized that zero whistleblower reports are not necessarily a good thing or even indicative that there are no problems. Conversely, because there are multiple or even a plethora of reports, it does not mean the company is in legal, ethical or reputational trouble. Most interestingly, Dr. Welch tied a robust whistleblower reporting system to leadership. He stated, “There’s a huge amount of management research and gurus spending time on how to lead, how to be the right leader of an organization. There is a continual search for the silver bullet of finding the right team and finding the right manager that makes you inoculated from problems.” Yet he believes there is also another way of thinking about it, which is that your own employees can get information into the hands of an appropriate level of decision makers and this is the power of robust whistleblower reporting system.

It is incumbent to understand this is not simply about having a whistleblower phone line. It is about an entire whistleblower reporting system. This means someone must intake the call and route it to an appropriate person or function to triage. From there, it should be given an appropriate ranking for investigation. The investigation should be concluded in timely manner and then remediated or reported if appropriate. Finally, the whistleblower should have been contacted to acknowledge the initial report, for any additional information and follow up and then if there is a resolution.  All of this leads to what Dr. Welch called “visibility to problems”. These data points can be powerful for a company in a variety of ways that we will explore. So sit back and listen to this month’s offering on 31 Days to a More Effective Compliance Program on internal reporting and investigations.

31 Days to a More Effective Compliance Program posts daily at noon CDT and is available on the following sites:

FCPA Compliance Report

Compliance Podcast Network