
Creating an Effective Whistleblower Program

August 1, 2012

Whistleblower tips are the most common method of detecting occupational fraud. Research by the Association of Certified Fraud Examiners shows that more than 60 percent of frauds are uncovered by tips (see figure 1); in organizations with a hotline in place, tips expose more than half of all frauds. Further, nearly 40 percent of tips are received from internal employees (see figure 2).

The Ethics & Action Survey conducted by law firm Labaton Sucharow shows that fraud detection could be bolstered by a well-designed whistleblower program. Specifically, 34 percent of employees have observed or have firsthand knowledge of workplace misconduct, and more than three-quarters would report known misconduct if they could: 1) remain anonymous, 2) do so without retaliation and 3) receive a financial reward for the tip. 

These findings illustrate the need to encourage employees to report suspected wrongdoing. In addition, many organizations face regulatory or legislative mandates governing the receipt of and response to whistleblower claims, and having a reporting system in place is a requirement for an effective compliance program under the U.S. Organizational Corporate Sentencing Guidelines.

Consequently, whistleblower mechanisms are among the most vital components of an organization’s anti-fraud and loss prevention programs; yet implementation requires much more than setting up a toll-free number and hanging posters in break rooms. For a program to be effective, it should include the following components.

Reporting Mechanism

The whistleblower program should provide individuals with every possible means to report information, ideally through a variety of channels that are easily and cheaply accessible 24 hours a day, 365 days a year (most incoming reports are made during non-business hours). The mechanisms should accept tips from employees and outside parties, such as vendors and customers, and provide assurances of anonymity for whistleblowers.

Possible communication methods include:

  • A telephone hotline
  • In-person reporting
  • Online forms
  • A dedicated email address
  • A dedicated fax number
  • A dedicated mail address (e.g., P.O. Box)

Telephone and in-person mechanisms involve interactions with whistleblowers and allow for better information gathering, but they raise additional considerations. Specifically, intake operators must be trained to handle sensitive reports and appropriately communicate with whistleblowers – including those who are hesitant, anxious or emotional – to collect sufficient, relevant information.

If management doubts whether in-house staff can adequately handle this function, using a third-party hotline provider is strongly recommended. Other considerations when determining whether to employ an internal or external hotline include the costs of training, operations and technology; the perception of trustworthiness; and the effect of the arrangement on organizational processes.

When whistleblowers make a report, they should be given a case number for subsequent inquiries and a means to continue communicating. If they desire anonymity, callers can be given a pre-determined time and/or specific phone number to use to contact the operator.

           

Education and Awareness

For a program to be effective, potential whistleblowers must understand how it works, why it’s important, and how they will be supported for coming forward. Raising awareness is an ongoing task; many companies discuss hotlines during new-hire orientation, but that is only a start. Most new employees don’t anticipate using the hotline during their employment, meaning continued awareness training for existing employees is crucial. Additionally, as many whistleblowers are company outsiders, efforts to inform vendors, contractors, customers and other third parties are recommended.

Information that should be conveyed includes:

  • The organization’s overall stance on fraud
  • Examples of fraud and of the behavior expected of employees
  • How fraud harms the organization and employees
  • Red flags of fraud
  • The importance of reporting suspected improprieties
  • How to make a report
  • Guarantees that reports will remain anonymous, if desired (and where legally permissible)
  • The types of reports the mechanisms accept
  • What happens when a report is made
  • What to do if a supervisor or member of management is suspected
  • Assurance that all reports will be considered seriously and acted on appropriately

 

Support for Whistleblowers

As reflected in the Ethics & Action Survey, providing whistleblower support is arguably the most important aspect of a whistleblower program; doing so can greatly increase the number of individuals willing to report wrongdoings. Management must recognize that whistleblowers face numerous risks – real or perceived – including being ostracized, losing their job, losing friends, hurting their professional reputation and even suffering physical harm.

Anonymity is the foundation of whistleblower support; even individuals who identify themselves often value the potential for anonymity. Additionally, an openly communicated and fully enforced anti-retaliation policy provides security to whistleblowers who fear the repercussions of reporting. Laws such as Sarbanes-Oxley offer some protection, but they should be reinforced by management’s intrinsic support of whistleblowers. 

Fears of losing their livelihood, coupled with some companies’ avoidance of hiring past whistleblowers, leave a potential tipster with a difficult choice. Offering financial awards can mitigate these fears and incentivize reports, and publicly recognizing known whistleblowers (when they consent) can illustrate a commitment to acknowledging and supporting whistleblowers.

 

Leadership Efforts

Like most initiatives, a whistleblower program is most effective when supported by the organization’s leadership. If the company has cohesive whistleblower and ethics policies – and if both are adhered to by management – then individuals will be more willing to report suspicious activities.

A senior-level “hotline champion” who owns and oversees the program also reinforces its significance. The champion should be someone with authority to make decisions and act on tips; if the organization has an Ethics or Compliance Officer, that individual is an ideal candidate.

 

Response Mechanism

Even in an organization with an ethical culture, many tips are, at best, without merit; others are intentionally incorrect or misleading. Consequently, the response to reports often determines the overall success of the whistleblower program.

The first step is assigning responsibility for all incoming tips to an individual or team. Depending on the nature of tips, this might be appropriate for human resources, legal, internal audit, security or some other function. In addition, incoming reports should be sent to at least two parties (with attention to confidentiality concerns) to ensure that no tips are overlooked – erroneously or intentionally. Preferably, the reports should be sent to the party responsible for tips and to the hotline champion for a layer of oversight.

Reports should be preliminarily screened to assess the:

  • Merit of the facts and source
  • Relevance and type of issue involved

Meritless allegations should be noted as such and set aside to focus on legitimate claims. High-risk reports – those of a particularly sensitive or material nature, such as fraud by senior executives – should be escalated directly to the audit committee or another oversight body.

Investigation procedures should be dictated by the issues involved. For example, harassment claims should be referred to human resources; employee theft to loss prevention or internal audit; and external fraud to internal audit, loss prevention or risk management. Each of these functions might operate differently, but the investigation and reporting protocols should be formalized.

Management should also consider enacting policies to address abuses of the reporting system, for example by sanctioning individuals who file intentionally false or frivolous reports, so that resources are not wasted on unnecessary investigations.

 

Record Retention

Record-keeping processes are essential to easily retrieve information, reinforce the credibility of the investigation processes and track the program’s effectiveness. The record of each tip should include:

  • A unique identifying number
  • The report date
  • The source, if provided
  • Whether anonymity is desired or waived
  • Contact information, if provided
  • Details of the allegation, including the suspect(s) involved
  • Any additional information provided, such as the location of evidence
  • Recommended action based on the initial assessment of the report

A formal case management system can be used to standardize records, but file security should also be considered. A centralized database of whistleblower tips is clearly a hotbed of sensitive information; access to the system should be tightly restricted, and data security measures should be stringent.

 

Assessment Measures

Formal assessments should be conducted to evaluate program effectiveness, but management must remember that a low volume of reports is not the target; in fact, a low number of total reports typically indicates employees’ discomfort or hesitancy to report, rather than a lack of wrongdoing.

Employee surveys are particularly useful in gauging how staff perceives the program. Additionally, certain metrics can be calculated and benchmarked across time or against similar organizations, such as:

  • Complaints per period
  • Average number of complaints per employee
  • Complaints by location, division or claim type
  • Percentage of anonymous complaints
  • Average cost per complaint
  • Percentage of complaints investigated
  • Changes in reports received after new awareness efforts

 

International Issues

For organizations operating outside the United States, several additional issues must be carefully considered. Some countries have legislation or regulations governing data privacy and prohibiting anonymous complaints. Consequently, reporting programs in all jurisdictions should be established with close guidance from legal counsel to ensure compliance with relevant laws.

Multinational organizations also need to address language barriers. Individuals must be able to make reports in their native language, so professional interpreters might be needed to appropriately handle incoming tips. Management will also need to determine how to best raise awareness of the whistleblower program in multiple languages.

Similarly, cultural differences, such as communication styles and expectations, vary across regions. Managers and other program stakeholders in each operating area should be involved early in the development of the whistleblower program to address culture-specific issues.

Limited ability to make reports is another concern; Internet access might not be available or reliable in some locations, which hinders online reporting. Likewise, placing international phone calls can be cost-prohibitive or logistically impossible for some individuals. Management must ensure that all potential whistleblowers have easy, cheap access to one or more reporting mechanisms.

Effectively capturing tips is vital to protecting an organization’s assets and investigating losses; consequently, no company can afford to be without an effective whistleblower program. Such programs must take a holistic view of the whistleblowing process – from understanding what motivates individuals to come forward through assessing how reports are handled – and should incorporate elements to support the flow of information at each step.  


Recent Articles by Jim Ratley
