Today I consider some best practices regarding a compliance hotline.

  1. The hotline should be developed and maintained externally. It seems axiomatic that employees tend to trust hotlines maintained by third parties more than they do internally maintained systems. Submitting reports via an external hotline carries a perceived extra layer of anonymity and impartiality compared to a system developed in-house. A third-party provider is also more likely to bring specialist expertise that’s difficult to match within the organization.
  2. The hotline supports the collection of detailed information. As with most everything else, information is power. If a CCO can gather and record information throughout a complaint life cycle, the company will have greater insight into the situation and a company can protect itself more effectively from accusations of negligence or wrongdoing. A hotline reporting system should provide consolidated, real-time access to data across all departments and locations, plus analytic capabilities that allow you to uncover trends and hot spots. All reported materials should be consolidated in one comprehensive, chronologically organized file, so a CCO can monitor ongoing progress and make better, more informed decisions.
  3. The hotline must meet your company’s data retention policies. Retaining data in a manner consistent with your internal data retention policies is important. A hotline should offer a secure, accessible report retention database, or you may be faced with making your own complicated and costly arrangements for transmitting and storing older reports to a permanent storage location.
  4. The hotline should be designed to inspire employee confidence. Retaliation or perceived unfairness to those making hotline complaints will destroy the effectiveness of the internal reporting process and poison the corporate culture. A hotline must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to someone outside their immediate chain of command or workplace environment – especially when the complaint concerns an immediate superior. The hotline should also enable employees to submit a report from the privacy of an off-site computer or telephone. It may seem like a small convenience, but giving employees the freedom to enter a complaint from a location that is safe can make a huge difference to participation rates.
  5. The hotline offers on-demand support from subject matter experts. Opening lines of communication can bring new issues to your compliance group. It is therefore important that once those reports are entered into the system, a person or function has the responsibility to follow up in a timely manner. One of the biggest mistakes you can make is to sit on a hotline complaint and let the employee reporting it fester. Additionally, with the short time frames set out in the Dodd-Frank Whistleblower timelines for resolution before an employee can go to the SEC to seek a bounty, the clock is literally ticking.
  6. The hotline provides inbuilt litigation support and avoidance tools. A company must make certain that its hotline is preconfigured to meet the legal requirements for document retention, attorney work product protection procedures, and attorney-client privilege. Developing these tools in-house can add significantly to your costs, and maintaining a hotline without one exposes your organization to unacceptable risk.
  7. The hotline supports direct communication. A hotline should open the lines of communication and give you a direct sight-line into the heart of your company. Look for a system that enables you to connect directly, privately, and anonymously with the person filing a complaint. Direct communication also signals to employees that their complaints are being heard at the highest levels.

Like other risk management issues, hotlines must also be managed effectively after implementation and roll-out. Here are some practical tips which will help you make your hotline an effective and useful tool.

Get the word out. If employees do not know about the hotline, they will not use it. Allocate a portion of your time and budget to promoting the corporate hotline through multiple channels. Put up posters and distribute cards that employees can keep in their wallets or desk drawers. Deliver in-person presentations where possible. And do not think of the promotional initiative as a one-time effort. It is important to remind employees regularly, through in-person communications, via e-mail, or through intranets, newsletters, and so on, that this resource is available to them. Some hotlines offer promotional materials to help make the job easier; make sure you ask what type of promotional support may be available.

Train all your employees. Getting employees to use the system is one half of the challenge; ensuring they use it properly is the other half. This is where training becomes essential. Make sure people understand what types of activities or observations are appropriate for reporting and which are not. HR and compliance staff will need training too, to help them understand how the hotline impacts their day-to-day activities. Company leaders also need to understand the role the hotline plays in the organizational culture, and the importance of their visible support for this compliance initiative.

Take a look at the data. Use the data derived from or through the hotline to identify unexpected trends or issues. Examples might be what percentage of employees use the hotline and what issues they are submitting. A healthy hotline reporting system will yield reports from 0.5 to 2 percent of your employee base. If your reporting patterns are higher or lower, it may indicate mistrust of the hotline, misuse, or a widespread compliance issue. Isolate the data by location and department to identify micro-trends that could indicate problems within a subset of your corporate culture. Analyzing the data can help you stay a step ahead of emerging issues.

Response is critical to fairness in the system. Seeing a hotline system in action in this way can go a long way toward dispelling employee fears of being ostracized or experiencing retaliation: if employees see that their concerns are heard clearly and addressed fairly, they will learn to view the hotline as a valuable conduit. If your compliance group responds promptly and appropriately to hotline complaints, you can ensure robust participation and ongoing success. Even when a complaint proves to be unfounded, it can still provide an opportunity to open a dialogue with employees and clear up any misunderstandings. Responding to reported issues also gives compliance officers a chance to prove that issues can be resolved or addressed while protecting the privacy and anonymity of the whistleblower.

Three Key Takeaways

  1. Get the word out to your employees about your company hotline through a variety of mediums and platforms.
  2. Train your employees on the use of the hotline.
  3. Use data from your hotline to continually update and improve your compliance program.

As you might suppose, I read quite a bit. One of the pleasures I receive each month is when the copy of the MIT Sloan Management Review arrives. I find the articles highly topical, and they present ways to consider new compliance strategies and technologies, together with insights on leadership. The 2017 Summer edition arrived on Friday, so I am going to dedicate this week to considering an article from the issue each day, as it relates to the Chief Compliance Officer (CCO), compliance practitioner, compliance profession or a corporate compliance practice. Today I consider an article by Renée Richardson Gosline, Jeffery Lee and Glenn Urban, entitled “The Power of Consumer Stories in Digital Marketing”.

As I often note, the customer for a CCO, compliance practitioner, or a corporate compliance practice is your employee. So why not use them to help you market the message of compliance? I can point to one current successful example of using the employee base, and that is Louis Sapirman at Dun & Bradstreet, Inc. (D&B), who regularly connects with employees through in-company tweet-ups and other innovative techniques to tell stories around compliance, identified using the internal hashtag #DoTheRightThing.

The authors consider a broader use and begin with the basic premise that “When consumers prepare to make purchase decisions, stories can deliver important information and shape the decision and the overall brand experience. With the advent of consumer-to-consumer social media platforms such as Facebook and Twitter, stories can be powerful tools for shaping cognitive processing, recall, brand image, and choice.” The authors found a statistically significant increase of product purchases, “when consumer-based storytelling was employed.” So why not use those same techniques around internal marketing of your compliance function and training on your compliance program?

From the research that led to the article, the authors found that customers responded to a story about a brand when certain factors were present. These included trust in the brand, that consumers saw themselves in the stories, and that there was a “self-connection” to the brand. Every corporate compliance program should have the employees’ trust, and they should feel connected to the notion of doing business ethically and in compliance; if not, the compliance function should fold up the tent and go home. The power of telling stories that resonate with the experiences of employees in the real world is also a well-known and used standard in compliance training. Here you can think of the RESIST training scenarios.

The authors proposed four steps which they advised a company to engage in to implement such a strategy. I found them quite useful for the CCO or compliance practitioner to think through when considering this approach. I have adapted the authors’ consumer approach for the compliance practitioner and their employee base.

1. Work with consumers to generate believable and compelling stories. The authors found that by examining “comments on Facebook, Twitter, YouTube, and other social media sites, you should be able to find leads to consumer stories about your brand that you can follow up on. It’s a little like curating an art show: You need to find the best examples and work with storytellers to deliver the right message.”

For the CCO or compliance professional, you should mine your data sources to find stories. Even if you are not as tech savvy as the compliance team at D&B, there should be a wealth of other compliance information and data available to you. You can consider hotline reports, remembering that not all hotline reports are of illegal, unethical or fraudulent conduct. It may only be the perception of unfairness or favoritism. Dispelling such faulty perceptions can go a long way towards directly improving employee morale. This can be a powerful story and useful when marketing your hotline.

2. Convert stories into high-quality presentations. A great example here is a video CenterPoint Energy released in 2015 after the Volkswagen (VW) emissions-testing scandal became public. The video featured Scott Prochazka, CenterPoint Energy President and Chief Executive Officer (CEO). He used the VW scandal to proactively address culture and values at the company and used the entire scenario as an opportunity to promote integrity in the workplace. But more than simply a one-time video, the company followed up with an additional resource, entitled “Manager’s Toolkit – ‘What does Integrity mean to you?’”, that managers used to facilitate discussions and ongoing communications with employees around the company’s ethics and compliance programs. Finally, as noted by Amy Lilly, Director, Corporate Ethics and Compliance at CenterPoint Energy, the cost for the video was quite reasonable as it was produced internally.

3. Embed stories in your social media mix. The authors related, “Posting videos of customer stories on your brand website means they will be perceived as coauthored by the consumer and the brand. Use true consumer stories and present them through your branded social media channels to maximize impact.” Another way to consider this concept is that short videos are good videos. You can have a series of short videos communicating different aspects of your compliance program. It can range from short messages from your CEO, to videos of your CCO, to videos of employees. Employees always tune in when senior management speaks to them internally through a video. Employees want to hear from the President, and a message of commitment to the cultural values of doing business ethically and in compliance is always a message that will resonate with employees. Finally, employees want to hear stories from and about their co-workers who faced compliance challenges and #DoTheRightThing.

4. Integrate paid media strategies with voluntary sharing of stories on social media. Here the authors focus on the overlap and intersection of professional media strategies with “story-based consumer content generated for social media.” For the compliance practitioner, this translates into an opportunity around training. You can use traditional methods of compliance training, interspersed with videos and other social media uses of your employee base, with real-world examples of how compliance not only helped them do business ethically and in compliance but also made your organization more efficient and more profitable.

The authors conclude by noting, “Throughout history, storytelling has been an integral way to convey attitudes and values, and it will remain a key source of information and influence in the digital world. As new technologies such as virtual reality evolve and improve, brands can expect to continue to have new opportunities to use consumer storytelling in their communication strategy.” You should incorporate these concepts and employee-told stories into your compliance message as well.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

In this episode, I visit with James Gellert, CEO of RapidRatings, a company which uses a financial dialogue to determine third party supplier health and viability. Gellert explains what supply chain resilience is and how examining the financial health of your suppliers can lead to a more financially efficient supply chain. We then discuss the company’s third party risk management tools. We consider how a company might evaluate a potential purchaser, partner or someone buying a part of a business. Finally, we have a lengthy discussion of how a corporate compliance function can use the health of a third party as a tool to determine third party compliance risk.

For more information on RapidRatings, check out their website by clicking here.

Who to suspend during any Foreign Corrupt Practices Act (FCPA) investigation is always a delicate question to answer. Unfortunately there is never an easy answer. As the Volkswagen (VW) emission-testing scandal continues to reverberate, it continues to bring up some very knotty questions, which have bedeviled the Chief Compliance Officer (CCO) or compliance practitioner in many areas. De-confliction has also recently arisen as a bedeviling issue.

In an article in the Wall Street Journal (WSJ) entitled “Scope of VW Suspensions Grows”, William Boston reported on the ongoing internal investigation by the company’s outside counsel Jones Day. Boston noted that VW had “suspended a larger number of engineers than previously acknowledged, following a recommendation from the law firm conducting” the investigation. The article went on to state, “Jones Day urged suspension of anyone who could have been involved in the scam – from high level decision makers to ordinary engineers – to prevent possible perpetrators from tampering with the evidence”.

This final statement emphasizes a key consideration in a FCPA investigation, which is to tie down the evidence. Former Arnold & White partner Mara Senn has said that “probably from the government’s perspective, the most important aspect of setting up an investigation in a way that makes them feel comfortable, is ensuring that all data is locked down.” However, if you are worried about evidence tampering you may have a bigger problem on your hands.

Pointing up the difficulties in making such a blanket sweep, an unnamed source, who provided this information to Boston, was quoted in the WSJ piece as saying “We had to suspend everyone in this area to get them out of the way of this process. This is necessary for the investigation, but it’s really hard for us because we are now missing their professional knowledge and experience.”

This issue brings up another point that Senn has discussed, around when to suspend or discipline an employee during an internal investigation. Senn related, “That is a very case-by-case difficult question to answer, but in general, I think it’s better to keep them around for as long as you may need them. Once they’ve been fired or otherwise disciplined, really, even if you keep them around, they’re going to be less cooperative with you and possibly, if you fire them, not cooperative at all. You can require them to be cooperative in the termination agreement, but obviously in practice, cooperation can mean a lot of different things.”

In view of the Schrems decision by the European Court of Justice (ECJ), I also wonder how the investigation will fare with the German-based employees. Obviously there will be data that in the US would be deemed company-owned but in Europe may well be private to the employee being investigated. This problem became even greater with the recent decision by Privacy Regulators from 28 EU nations that backed the ECJ’s Schrems decision that invalidated the Safe Harbor regime. As reported by Jo Sherman in the FCPA Blog, “that closed the legal pipeline by which data has flowed freely from the EU to the U.S. for the last 15 years. The rationale for the court decision and the subsequent backing of the EU Data Protection Authorities is that the surveillance powers of the U.S. government are considered to be too excessive and disproportionate, and can override the data protections for EU citizens under the Safe Harbor framework.”

Lanny Breuer, the former number two at the Department of Justice (DOJ) and now a partner at Covington and Burling LLP, raised an interesting concern in the context of the Justice Department’s FCPA Pilot Program. It is around what Breuer terms “de-confliction”. This involves the government asking a company to halt its own investigation for the government to be the first to interview witnesses. At the FCPA Blog Conference, Breuer said that if “de-confliction” is required as cooperation to gain the benefits of the pilot program, such a request from the DOJ would be “an extraordinary request, in my view” because it “could lead companies to be unable to disclose to other agencies or to shareholders, and it could keep a board in the dark about the alleged wrongdoing.” Breuer added, “In general, publicly traded companies can’t just stand down from doing an investigation when such an allegation comes in.” He also commented that “he’d been asked to do so a couple of times.”

Breuer raised four questions during his presentation which every investigator must consider in the area of de-confliction. (1) Would complying with the request be consistent with directors’ and corporate officers’ fiduciary duty of oversight?; (2) How can a company make decisions without speaking with its employees?; (3) How will a delay affect the company’s other regulatory obligations?; and (4) How can external counsel advise a company without knowing the facts? Companies hire external counsel to conduct thorough investigations, evaluate their clients’ conduct, and provide informed legal advice. These tasks can be difficult if not impossible to accomplish where external counsel have their hands tied behind their backs.

Clearly the DOJ could have a broader remit or be involved with other ongoing investigations where they might make such requests. However, such ‘de-confliction’ could stop a company from engaging in a root cause analysis or even a robust investigation. At the same conference, an earlier panelist, Gerald Kral, the Chief Ethics & Compliance Officer (CECO) of Brown-Forman, said on his panel that his company did an extensive root cause analysis of every claim or incident so it can not only understand what happened but also put sufficient risk management protections in place to try and make sure it does not happen again.

Three Key Takeaways

  1. The decisions on whom to discipline and when are critical during any investigation.
  2. You should take a case-by-case approach.
  3. The de-confliction question can be quite troubling during an internal investigation.

Prior to the Schrems decision by the European Court of Justice, US-based law firms could rely on Safe Harbor to use and analyze information from investigations conducted in Europe. However, the Schrems decision and subsequent EU privacy rulings and regulations have brought the entire issue around internal investigations into question.

In a podcast interview with UK solicitor and data privacy expert Jonathan Armstrong about the decision, Armstrong noted that the decision puts real roadblocks in the path of a US company that could be investigating potential anti-corruption allegations in the UK or EU member country. The biggest issue would be around personal privacy and information. Unlike the US, work emails are covered by the privacy rights afforded to individuals and are not the property of the company. The same is true of other information. Under the Schrems decision, the ability of a US corporation to access that information and then take it back to the US under the safe harbor provision is no longer available.

I asked Armstrong how a company might be able to move forward and internally investigate potential FCPA violations. Armstrong suggested that the only way at this point was to obtain the consent of the person being investigated. However, obtaining such consent raises a host of other problems. He said, “Can I really get consent in an internal investigation? Can I go along, speak to my Austrian agent and say, “Peter, I just need you to sign this form to transfer your data to the US”? Now, for consent to be valid the European legislation it has to be fully explained, it has to be honest, it can’t be deceptive. I’ve got to say to him, “I want you to sign this form because I want to investigate you. I want to run a full FCPA investigation; you’re the prime suspect. I want to take a look at your emails and I have to inform you that by the way, you have the right not to consent and if you don’t consent there’s no way I can investigate you. Could you sign the form, please?”” As Armstrong went on to note, “What answer is he likely to give in an internal investigation and how would the US authorities feel if I go and tip off the main suspect that he’s under investigation?”

With these two key components of any best practices compliance program, hotlines and internal investigations, seemingly now unavailable to CCOs or compliance practitioners for EU-sourced information, I believe there will be additional pressure put on the compliance function. Obviously any US company with EU-based operations will have to take steps immediately to ring-fence such data originating in Europe. It may also mean that any inquiries will need to be headed by locally based compliance practitioners.

Moreover, if you couple this ruling in the Schrems decision with the Yates Memo, you immediately see the issue involved for any company which is seeking cooperation credit because such company is required to turn over any and all information to the Department of Justice (DOJ) as soon as possible. But now, even if companies can still develop facts and data through internal investigations, in the manner suggested by Pirrotta in using local law firms, you might not be able to get the information back to the US to use.

Worse yet is the option laid out by Armstrong to obtain consent from an investigation target. Not only do I find it very improbable that anyone, European or otherwise, would give such a consent, but in the unlikely event such consent is given, you have told the target that they are the target, and other data sources might well begin to disappear. Armstrong put it starkly when he said, “you’re going to get no sympathy from the bribery prosecutors, bribery regulators if you mess this up. The SFO [Serious Fraud Office] have already lost the case, allegedly, on the way in which the US firm involved conducted the investigation. They will have, rightly I think, no sympathy at all for people whose investigations are themselves conducted unlawfully. It’s going to need a lot of careful thought to structure data transfers, even to structure interviews. How do you move those interview notes about, how do you look at emails, all of this stuff is going to be absolutely critical not only so that you don’t break data privacy data protection laws, but also tipping off witness, you know, interfering with the scene of an investigation, et cetera, et cetera. All of these things are critical.”

How does the Schrems decision contribute to compliance at the tipping point? If you cannot use two of the key components in a best practices compliance program, based upon the DOJ/Securities and Exchange Commission (SEC) Ten Hallmarks of an Effective Compliance Program or another standard, it will put significant pressure on other parts of the program. A compliance program will have to be structured more rigorously to prevent FCPA violations through the use of internal controls and transaction monitoring tools. CCOs and compliance practitioners will also have to be more involved and have more visibility into the entire lifecycle of transactions so they can determine how to begin to move from even prevention to proscription of any FCPA violations.

Just as the compliance world changed with the announcement of the Yates Memo, the DOJ Compliance Counsel and the VW emissions-testing scandal, the Schrems decision will change the need for a more robust compliance program going forward to help protect a company.

Three Key Takeaways

  1. The Schrems decision significantly impacted US based internal investigations.
  2. Study the privacy laws of the country where you are performing your investigation.
  3. Informed consent is difficult to obtain but it may be critical for your investigation.