So there we were, about 70 of us, sitting in rows last week in a conference room at the Cosmopolitan Hotel in Las Vegas. We had come to attend the Society of Corporate Compliance & Ethics' annual conference, and at that exact moment were listening to a superb analysis of whistleblower hotlines by Stephen Epstein, the chief ethics counsel at Microsoft.
Epstein was exploring how corporate compliance hotlines can remain a viable tool for compliance officers, when employees could just as easily ignore the hotline in favor of running straight to regulators with their tips so they can collect whistleblower rewards. He had projected a PowerPoint slide onto the screen listing the most common reasons why an employee chooses not to report misconduct:
- “I'm afraid I'll get fired.”
- “I don't want to feel isolated from my friends at work.”
- “Management will never listen to me anyway.”
- “The person I'd be reporting to is the person committing the fraud.”
- “I'll be branded a trouble-maker and miss that next promotion.”
I stared at that list for a moment. All those reasons are very valid, and very real causes for alarm to a chief compliance officer if they exist in your company. But suddenly I noticed what reason was not on that list, and its absence underlines a huge problem for compliance departments.
“I don't report misconduct at my company because I don't care.”
In fairness to Epstein, the reasons he cited in his presentation all came from the National Business Ethics Survey, which doesn't have any hard data on what I'll call the “Don't Care” response. We weren't even sure how you could capture that data point, since anyone who doesn't care enough to report misconduct probably won't care enough to respond to a survey about it either. But two thoughts immediately come to mind.
First, I suspect the Don't Care response is a significant reason why misconduct goes unreported in many parts of the world. I mean, if you were toiling away in the heat of the Middle East or the humidity of Southeast Asia, working for a few dollars a day, constantly worried about how you'll feed your family—would you begrudge a coworker who figured out how to skim a few extra dollars from some transaction, that will only impinge on rich American investors thousands of miles away?
I won't even broach the subject of cultural differences, where some workers may not perceive something as misconduct the way Western managers would. Even when we focus on something universally considered misconduct, most people on this planet have a long list of worries that need their attention every single day. Too often, I fear, corporate misconduct is not on their list, and doesn't get reported. Corporate compliance officers overlook that reason at your peril.
That brings me to my second point. Let's say your company is under investigation for corporate misconduct, and regulators discover that employees did indeed know what was happening, but didn't care enough to report it to you. Yikes—that sounds an awful lot like a problem with tone at the top or corporate culture to me, and suddenly your company has a much bigger problem than whether the ethics hotline works well. Problems with a hotline get you a nasty-gram from the Justice Department listing improvements it wants to see; problems with tone or culture get you a compliance monitor and penalties large enough to end up in the news and a shareholder lawsuit.
The obvious question, then, is how you can make employees care enough to report misconduct. Specifically, can you require them to report misconduct when they see it?
I asked that question several times at the SCCE conference, and boy, did that open a can of worms. Epstein and others in his presentation recoiled at that idea, because punishing an employee for not reporting misconduct is dangerously close to employer retaliation. But in another session the next day, former federal prosecutor Mark Mendelsohn—the man who almost single-handedly brought enforcement of the Foreign Corrupt Practices Act into being in the 2000s—said companies can impose a duty to report, although he'd counsel them to think long and hard before firing anybody for keeping his mouth shut. One compliance officer in the crowd bravely admitted that her company does require reporting, although she hastened to add that her corporation is headquartered and operates outside the United States.
Amar Sarwal, associate general counsel at the Association of Corporate Counsel, said this question of required reporting was the sticking point for the ACC when it submitted comments to the Securities and Exchange Commission last year about its new whistleblower reward program. Sarwal also said that imposing a duty to report misconduct flat-out violates anti-retaliation law, but agreed with my fundamental point that compliance departments are in an untenable situation: The Don't Care response exposes a company to severe regulatory risk, but efforts to end the Don't Care response expose the company to anti-retaliation lawsuits. Something has to give.
Thankfully, the House Financial Services Committee is considering a bill to address the situation. A gaggle of Republicans have proposed the “Whistleblower Improvement Act of 2011,” which most notably would require employees to report misconduct through internal compliance channels first. Only if companies then continued to ignore the misconduct could they submit their concerns to the SEC or other regulators and stand to win a whistleblower reward. Expect a hearing on that bill later this fall—the next step in a reasonable solution to a serious compliance problem.