Executive coach and former Chief Compliance Officer Amii Barnard-Bahn responds to your anonymous questions on some of the grayer areas compliance officers face, such as culture, hiring, training, and ethics.

Q: Between Trump calling out a White House whistleblower and reports that the SEC wants to ease its own whistleblower protections, I can see where potential whistleblowers might be more skittish than ever about coming forward. That said, they’ve never been more important. What can a company do to demonstrate that there will be no retaliation for whistleblowing? It’s one thing to say it, but without something more tangible it just feels like lip service. Are there any best practices I can show people that whistleblowers really will be protected at my company?

Amii: Protections for whistleblowers—people who are willing to risk their careers to come forward with concerns of illegal or unethical conduct—are critical to the health of thriving, sustainable organizations. In support of your point, even the term “whistleblower” has been questioned recently as a derogatory and intimidating label. “Reporter” seems to be a less loaded and more welcoming term (see NAVEX Global’s Carrie Penman’s article).

Retaliation is a big concern for employees who are otherwise inclined to come forward—it has been the No. 1 complaint of the Equal Employment Opportunity Commission (EEOC) since 2009 and, starting in 2018, over 50 percent of EEOC charges include retaliation.

With regard to best practices to encourage reporters in coming forward and demonstrating they can do so with a certain level of protection, companies should have robust written non-retaliatory policies, mandatory training, and tone-from-the-top messaging. In addition, consider the following:

  1. Prevent retaliation. This may seem obvious, but retaliation can take many forms, from the more obvious negative actions such as terminations and demotions to subtle exclusionary behaviors such as project assignments and workplace social events. Add to this the natural human response of being uncomfortable or angry when a complaint is made in our direction, and we can understand why this is an uncomfortable situation for everyone involved. It’s important to check in regularly with reporters to monitor how they’re doing. HR and compliance should partner on providing appropriate training and support for conflict management so that employees can move forward productively during the time of a complaint. Further, compliance should ensure safeguards for reporters. At my companies, my compliance team kept a confidential spreadsheet of employees who had raised concerns. We personally checked in with each employee on a regular basis and partnered with the employee’s HR representative to confirm their role as a monitor for all employment actions. HR was required to notify compliance prior to the consideration of any employment action, and compliance actively partnered with HR during performance review and compensation season. We kept tabs on all employees through their lifespan with the company, and sometimes conducted our own exit interviews to determine whether their departure was related to any retaliatory or “freezing out” behaviors.
  2. Examine your reward and incentive programs. Be careful not to reward “error-free workplaces” (which can deter honest reporting), and look for ways to actively encourage truth-telling and a focus on improvements (such as safety and prevention-related projects).
  3. Communicate data regarding concerns raised and investigations completed. The number-one reason employees give for not reporting is their concern that “nothing will be done”—so we need to prove this is not the case in our companies. On an annual basis, share the types of allegations and some level of data regarding corrective actions taken to demonstrate to employees that their concerns will be acted upon.
  4. Consider focus groups. If you have concerns about low (below 1 percent of your employee population) reporting rates or other cultural red flags, conduct focus groups to gather information about the behaviors and factors in your company that may be inhibiting a speak-up culture. This will help you determine how to address the root cause issues.
  5. Eliminate any “Zero Tolerance” policies. As cautioned by the EEOC, “the use of the term ‘zero tolerance’ may inappropriately convey a one-size-fits-all approach, in which every instance of harassment brings the same level of discipline.” This can unintentionally discourage employees from bringing a concern, for fear that the company will over-discipline for minor infractions. Most employees don’t want someone fired—they just want the behavior to stop. If they believe their report will cause a termination, they may tolerate the situation in the hope it will improve, or try to handle the matter on their own in lieu of reporting.
  6. Use “reporter”—not “whistleblower”—when speaking about this issue (see my opening note above).

Q: Not a strictly compliance question but more a culture question. I attend live events all the time and the collaboration between me and my peers in compliance is absolutely amazing. Then I get back to my office and find that we don’t have nearly the same culture of collaboration there. I want to change that, but I don’t feel like I am empowered to do so. What are some things I can do to give us more of the energizing, collaborative experiences I get when I go off-site to discuss topics and problems with people outside my organization? - Anonymous

Amii: Let’s face it, one of the reasons conferences are more fun and energizing is because you’re not actually at work. You’re not stuck at your desk or running to meetings all day. You’re with professional colleagues, but usually not coworkers, who have carved out time and made it a priority to focus on growth, so you have tremendous freedom to follow your own personal learning agenda. You’re out of your routine, reconnecting with old colleagues or meeting new ones, who “get you” and share the same passion for compliance and ethics. All of the political complexities of projects, performance, pay, and promotion are removed.

So—realistically, how can you bring that collaborative feeling back to the workplace? Think about what you are doing now to encourage it. Like all relationships, it starts with respect, owning your mistakes, active listening, and supporting people’s ideas. Ultimately, collaboration in the workplace requires the cultivation of good conflict resolution skills. Some companies, recognizing the immense productivity benefits, have adopted a conflict resolution model and driven it through their entire organization. If yours hasn’t done so, here are two excellent resources to equip yourself with helpful tools and techniques: “Crucial Conversations: Tools for Talking When the Stakes Are High” and “The Good Fight.” Good luck, and let us know how it goes!

Q: I’m tasked with making sure all data collected and used by my company is used ethically, according to all laws and regulations and is properly protected from outside hackers. Problem is, we’re big enough to have a ton of data coming in from a variety of sources, but small enough that it’s all being managed piecemeal and by different departments, all using their same standards. What are some good initial steps I can take to first understand what’s coming in and from where and then how to best protect it? I’m told IT is on my side here in helping me with this, but it doesn’t feel like it … I’m never a top priority. - Chris

Amii: Start with the end in mind: a comprehensive map of end state data collection, storage, disposal, and use and an interconnected network of relationships to effectively govern and manage it. Next, break this vision down into a strategic plan comprised of small steps that: (1) get you the data you need, and (2) initiate the cross-functional relationship infrastructure you will need to make your data program successful in the long run.

A first step is to engage your business partners (and IT) in creating an initial data inventory. A simple survey can be a great place to start. Pull together a cross-functional work team, collect survey data for all known major data sources and, from those, consider choosing one high-value, high-risk data stream (e.g., for healthcare companies, consider a valuable business process that utilizes PHI). This can be your pilot project to conduct an information lifecycle inventory. Ideally, you will find improvement opportunities in both risk reduction and operational efficiency savings, which are incredibly effective in capturing the attention and engagement of the CFO and CIO. Done well, this type of pilot is often the key to getting a nascent data management program off the ground.