Reporting for whistleblower programmes

June 3, 2014

Reporting when a case has just been opened

Many people find this step daunting because they do not know where to start. This stage covers collecting the information you need from the whistleblower or other source before you can start an investigation. The steps below give some guidance on how to begin classifying the incident and on the elements you need in order to report on it.

1. Determine the “standard routing” for when a whistleblower case comes in

Reporting procedures for whistleblower cases vary depending on the nature of each case. Most companies receive allegations centrally before assigning each allegation to a specific responsible person to conduct a review and an investigation. The company should set out guidelines as to which people should receive the assignments and who needs to be made aware when a whistleblower has made a report. Certain factors should be considered that might adjust the “standard routing” which is done by a business unit or region. Make sure this “standard routing” is documented and clearly communicated across business units and regions.

2. Special routing for exceptional cases

In the standard routing, often only compliance is made aware of cases, as it has visibility of the case-management system. There are situations, however, where compliance (or the automated system) will need to report a case to other people across the company. This should occur within hours of an issue arising if the matter:

  • has been declared extremely urgent
  • involves a senior executive or board member
  • has been declared “material”, where, for example, the amount involved is greater than $1 million (or the loss to the company would be greater than $1 million) and involves:
    • the manipulation, falsification, forgery or alteration of records or documents
    • the suppression or omission of the effects of transactions from records or documents
    • the recording of transactions without substance
    • intentional false accounting
    • the misappropriation of assets.

3. Consider the severity of the case when working out who to notify

Some companies classify issues into different classes of risk or effect, and will therefore know the severity of the issue and whether it falls into the “material” assessment outlined above. They will then use this information to determine who should receive the details of the case. At all times, however, you need to think about who is entitled to receive the information and whether there is any chance that certain people will “tip off” the accused.

4. Reserve money for investigation expenses or losses

It should be remembered that certain members of the finance department might need to place reserves on investigation expenses or losses if the claim turns out to be correct and substantiated. In some cases, the company might need to make preliminary disclosures under the relevant stock-exchange rules if the outcome of the claim is likely to have a significant impact on financials.

Use the following tables to help work out the likelihood of the incident occurring, the severity of the consequence and the resulting risk

Step 1: Work out the likelihood of the incident occurring

By working out the likelihood of incidents that might occur, you can plan ahead for resources and be prepared when they do arise. Such tables can be used for particular incident types, and be unique to different business units and regions. This will help you prioritise the relevant focus areas.

 

| Likelihood of incident | Very unlikely | Unlikely | Probable | Highly likely |
|---|---|---|---|---|
| Descriptive | Almost impossible | Low chance of incident occurring | Isolated incidents | Repeated incidents |
| Frequency of incidents | Less than one incident every ten years | One incident per year to one incident every ten years | One to two incidents per year | More than two incidents per year |

Step 2: Work out the severity of the economic and non-economic consequences

Calculate (or estimate) the severity of the impact if the incident were to materialise. The possible consequences can be separated into economic consequences and non-economic consequences.

 

Severity of economic consequences

| | Very low | Low | Moderate | High |
|---|---|---|---|---|
| Percentage of annual operation and maintenance costs | <0.5 | 0.5–2.5 | 2.5–7.5 | >7.5 |
| Percentage of annual production costs | <0.5 | 0.5–2.5 | 2.5–7.5 | >7.5 |
| Cost to react and/or defend (in US dollars) | <$150,000 | $150,000–$500,000 | $500,000–$1,000,000 | >$1,000,000 |

Severity of non-economic consequences

| | Very low | Low | Moderate | High |
|---|---|---|---|---|
| Health impact | Reversible health effects of little concern, requiring first-aid treatment. | Reversible health effects of concern. Medical treatment. | Irreversible health effects of concern. Severe reversible health effects of concern. Lost-time illness. | Life-threatening or disabling illness. |
| Personnel safety | Less than minor injury. First-aid treatment. | Minor injury. Medical treatment. | Serious injury. Lost time injury. | Death. |
| Environmental impact | Single on-site event causing negligible harm. | Immediately recoverable on-site harm. Systematic on-site events with potential for localised harm. Off-site event causing negligible harm. | Recoverable off-site localised harm. Not immediately recoverable on-site harm. | On-site harm leaving residual damage. Severe localised or chronic widespread off-site harm. Potential long-term off-site harm from on-site impact. Significant area impacted. |
| Community and cultural impact | Isolated social or community impact. | Unresolved low-level community dissatisfaction occurs or is avoided. | Community dissatisfaction or approval and/or social harm or benefit with business implications. Repairable damage to site or item of cultural significance occurs or is avoided. | Significant social harm or benefit with group implications. Irreparable damage to site or item of cultural significance occurs or is avoided. Long-term protection of site or item of international cultural significance implemented. |
| Compliance impact | Non-conformance with internal requirement with very low potential for impact. | Non-compliance with external or internal requirement with low potential for impact. | Non-compliance with internal or external requirement with moderate potential for impact. Moderate penalties for breach of legislation, contract, permit or licence. | Breach of licences, legislation, regulation or repeated non-compliance with high potential for prosecution. Breach of contract with significant penalty clauses imposed. Systemic non-conformance with corporate or product group work cycles or standards with high potential for impact. |
| Company reputation | Community complaint resolved via existing site procedures. Impact on reputation of several work areas within an operation. One-off public exposure in local media, word of mouth or local mythologies. | Impact on reputation of business unit. Significant public exposure in local media. | Impact on reputation of the company. Comment from national NGO which impacts credibility with neighbours and/or regional government. Public exposure in national media. | Severe impact on reputation of the company. Severe prolonged comment from international NGO which impacts credibility with neighbours and/or regional government. Greater than three years’ public exposure in international media. |
| Corporate knowledge impact | Negligible. Loss of easily recoverable information. | Minimal business impact. Loss of key individual and/or role records. | Significant business impact. Loss of complete functional team and/or records. | Severe business impact. Total loss of critical company records and backup systems. |

Step 3: Work out the risk of the incident

Now that you have calculated or estimated the likelihood and severity of the incident if it were to materialise, you can assign a risk category to the incident. This will help you prioritise resources and plan your communication strategy. All of these are critical in reporting.

| Likelihood / Most serious consequence | Very low | Low | Moderate | High |
|---|---|---|---|---|
| Highly likely | Class II | Class III | Class IV | Class IV |
| Probable | Class II | Class III | Class III | Class IV |
| Unlikely | Class I | Class II | Class III | Class IV |
| Very unlikely | Class I | Class I | Class II | Class III |

Reporting on cases that are open

The second category relates to the activation process of the investigation. This often takes a few weeks and might involve briefing outside counsel and investigation consultants, building an internal team, building an investigation plan and obtaining access to documents and laptops. This status is not to be underestimated and often takes the most time.

It is also common practice to report any current whistleblower claims to the management and audit committee. These reports should include all cases that have been raised – not just those that have been raised through the (anonymous) hotline. The company should report on all details that have been collected from all sources, which often involves having some manual recording systems to capture those issues that are raised directly to management, legal or HR. It is important that these informal investigations are also captured into the case-management system, as often only the hotline information is captured and reported. Decisions also need to be made about the definitions of “complete”, “not complete” etc., and how issues will be reported.

Follow these general steps for investigations

A good rule of thumb is using the following methodology for open cases:

  • acquiring additional information from the whistleblower or other source before being able to start an investigation
  • activating an investigation by briefing outside counsel, hiring investigation consultants, building an internal team, creating an investigation plan and obtaining access to documents and laptops etc. – this part of the process often takes the most time (usually a few weeks)
  • proceeding through the investigation
  • wrapping up the investigation and determining the outcome
  • implementing the remediation steps.

Ensure that remediation steps are properly implemented

The final two “open” statuses are similar; however, they are not to be confused. The penultimate stage involves the wrap-up of the investigation but falls short of implementing the remediation steps. The final stage involves activating the actual remediation steps. Many people would categorise that stage as being “closed”; however, it is advised to keep it open to appreciate the significance of remediation and actually go through the step of implementing the remediation. Too many companies keep this separate and never get around to fixing the causes that gave rise to the issue. These remediation steps might include re-drafting policies, implementing new internal controls, or re-training staff.

Reporting on cases that are closed

Reporting on closed cases is probably more important from a board and executive perspective. They want to see how many cases have been closed, what the company can learn from the cases, and whether there are any trends.

In order to manage that, closed cases also need to be categorised. Classifications may include:

  • No action – frivolous or insufficient information provided
  • Examined but no action – no grounds or not an appropriate matter for investigation
  • Examined and a full investigation ensued but no action taken – insufficient evidence, no grounds for complaint etc.
  • Investigation and action taken – disciplinary actions, internal controls changed, employee communications improved or other remedial actions taken
  • Caller elected to utilise alternative internal process (e.g. fair treatment process)
  • Clarified (e.g. where a caller asks about benefits or policies or procedures).

Remember that some outcomes are considered so confidential that the cases cannot be reported on. Caution should always be exercised when reporting on actions taken so as to not identify any anonymous whistleblowers. It is imperative that the company sticks to its non-retaliation policy and protects any whistleblowers that wish to remain anonymous.
