June 20, 2006

Support your local whistle-blower

Fail to offer a way to report policy violations and you could suffer the consequence in court

When Section 301 of Sarbanes-Oxley mandated that publicly traded companies have whistle-blower systems in place, interest in hotline systems for reporting policy violations or employee misconduct received a big push. Prior to that, most companies considered having a hotline number a check-box kind of item, without giving it much thought.

Many companies still have a fragmented approach to corporate GRC (governance, risk, and compliance), according to David Childers, CEO of EthicsPoint, provider of a SaaS (software as a service) GRC platform. They maintain separate bins for governance, human resources, internal audit, corporate security, and loss prevention.

But although a company might pass an outside audit by offering a hotline phone number, woe unto any organization if a case of employee fraud comes back as a case of company malfeasance. According to the U.S. Organizational Sentencing Guidelines, “an entire organization, despite its best efforts to prevent wrongdoing in its ranks, can still be held criminally liable for any of its employees’ illegal actions.”

Fortunately, the same sentencing guidelines offer a way out. The U.S. Sentencing Commission has stated in certain cases that the courts can reduce fines by as much as 95 percent “if an organization can demonstrate that it had put in place an effective compliance program.”

Such a system not only offers protection but can actually reduce costs. Insurance companies such as the Redwoods Group are also pushing hard on GRC, offering clients a discount of 1 percent to 2 percent on general liability premiums if the company is using a reporting system. If you’re a large organization such as the YMCA, which pays $47 million in insurance premiums, that can be a substantial savings.

We are seeing the evolution of a technology. It started out as a notice stuck to a bulletin board in the employee lunchroom, offering a number to report any wrongdoing. Now companies such as EthicsPoint and The Network use a full lifecycle case management model with an integrated application, whereby client users can document what they have done to investigate and resolve each incident, from notification to closure.

What is required, says Gerry Halphen, vice president of product development at The Network, is a centralized repository of ethics and reporting information. That repository has to be robust enough to meet HR users’ needs, as well as the needs of the loss prevention manager. It must also be capable of running ethics and compliance information from numerous data sources against a BI application. For example, a company might want to know how many ethics and compliance issues had arisen per employee for every new product rolled out.

“It helps you understand the ethical risk with other business activities you have going on,” Halphen says.

Michael Rasmussen, senior analyst at Forrester, says a GRC platform must include “documentation, assessment, analysis, and loss information from every part of the business.” To pull that off, an organization will need content management, business process management, and workflow.

Although all of this can be built and managed in-house, third-party providers have one other clear advantage. Let’s face it: A hotline number managed by an outside call center or accessible through a third-party Web site will make employees far more comfortable than having to send a note to their local HR representative.

Ephraim Schwartz is an editor at large at InfoWorld. He also writes the Reality Check blog.
