One of the ongoing debates in the compliance world has been over the Whistleblower Provision of Dodd-Frank and whether this provision will aid or diminish a company's overall compliance program. One of the points in this debate is whether or not a whistleblower should be required to go through an internal hotline, or other reporting mechanism, before going to the Securities and Exchange Commission (SEC) and reporting alleged violations of the Foreign Corrupt Practices Act (FCPA) or other US Securities laws which may apply to the company in question.
Many compliance professionals argue that the entire purpose of an internal reporting structure will be destroyed if a whistleblower can report to the SEC, receive anti-discriminatory employment protections and a potential monetary bonus for any fines and penalties collected by the SEC. Whistleblower proponents point to examples of employees who reported violations or made complaints and were terminated or in other ways discriminated against in their continued employment with the company.
Even without the above debate, one of the ongoing discussions in any compliance department is how much of any compliance investigation to share within the company and the attendant question of whom to share the results of any investigation with inside the company. I can attest to this debate from personal experience. In my last corporate position, I was sent to investigate an alleged compliance violation in a South American country. After completing the investigation, the Compliance Department determined that the remedy was that the employee be reprimanded; receive additional training and a Letter of Reprimand was placed in their file. However, there was no indication to the business unit where the hotline complaint was initiated that any action had been taken and the person who made the compliant was never told of the resolution. Needless to say this led to some very hard feelings by the employees who had jointly reported the compliance allegation and loss of credibility for the Compliance Department.
All of the above came to mind when I was reading an article entitled ">When Unhappy Customers Strike Back on the Internet" in the MIT Sloan Management Review, Spring 2011 Issue. In the article authors Thomas Tripp and Yany Grégorie explored the topic of "How should companies respond to, or prevent, irate customers' online public complaints?" The authors began their article with the very omnipresent example of musician Dave Carroll and his experiences with United Airlines. After traveling on a United flight, Carroll found that his $3,500 guitar had been damaged during baggage handling. He initially attempted to resolve the issue with United personnel at the arrival airport who could not or would not provide any assistance to Carroll. He then spent "nine months of running the company's customer service gauntlet" to eventually be told "that he was ineligible for compensation."
Perhaps treating a professional musician in such a manner in the YouTube age is not the best PR move as Carroll wrote a song and created a music video, entitled "United Breaks Guitars" about his experiences; as of the writing of the article the video has had over 9 million viewings. Eventually United conceded that perhaps compensation was appropriate by "offering to compensate Carroll for the damage" and promised to re-evaluate its policies.
Tripp and Grégorie provide suggestions for the understanding and managing of online public complaints. However, their points have application for the compliance practitioner in the context of the Dodd-Frank Whistleblower issues identified above. So the question becomes, what can a company do to manage its internal whistleblower process so that an employee does not become so dissatisfied that he or she subsequently runs to the SEC?
The authors break their analysis down into two components, which I believe relate to the compliance context. The first is to understand what would drive an employee to go outside the internal reporting process? It is usually due to what the employee feels is a sense of betrayal. That is the employee has made a compliant in good faith but either nothing happens or nothing seems to happen. After the internal compliant has been initiated it must be triaged based on its severity. Just as a battlefield or hospital triage, the more serious a complaint, the quicker it should be investigated and resolved.
In my experience the initial compliant was made in October and I was not sent to investigate until early of the following year. So just as customer complaints should be dealt with expeditiously and efficiently, internal employee hotline complaints must also be dealt with in such a manner and the issue should not be allowed to fester.
The second component is that the employee must understand the internal reporting system and expectations should be set. This can begin through overall compliance training but it must also be specifically tailored to the report. At a recent conference I attended, a member of the audience asked a Department of Justice (DOJ) representative why 6 years after making a complaint regarding an export control violation at his company, there was no DOJ resolution. The audience member asking the question had recognized the DOJ representative as the person who had initially interviewed him after he made his complaint. The DOJ representative replied that the investigation was ongoing so he could not make any formal comments, but he then proceeded the time and difficulty it took to develop evidence across many different US and foreign jurisdictions and coordinate an investigation with several US agencies. Perhaps if all of that had been explained at the beginning, or at some point throughout the process, it would have set a more realistic expectation of the whistleblower. The key is that the company must strive for fairness in the entire process.
The authors end their article with what I believe to be the key component to resolve the issue and that is "that process matters more than outcomes." They point to the "fair process effect" from the labor-management context in which employees are willing to tolerate disappointing outcomes as long as they believe the 'decision making processes surrounding the outcomes to be fair." This drives home the point that a best practices compliance program is about process; having the right process in place is an important starting point for any compliance program, moreover, the process should be communicated throughout the company and administered in a fair and equitable manner.
While I do not believe that most Compliance Departments will face the PR disaster that United has had to endure over "United Breaks Guitars", the failure to have a fair and equitable process for managing employee compliance complaints, which are reported internally, can lead to very serious financial consequences. One need only to look at the recent example of GlaxcoClineSmith which agreed to pay a $750 million fine to the US Food and Drug Administration based on a whistleblowing employee who had tried to internally alert the company to the issues which led to the fine. Now whistleblowing employees can go directly to the SEC and if there is a monetary fine, they get a piece of the action.
Visit the FCPA Compliance and Ethics Blog, hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and other forms of risk management for a worldwide energy practice, tax issues faced by multi-national US companies, insurance coverage issues and protection of trade secrets.
The FCPA as it relates to the securities laws is discussed in greater detail in 6 A.A. Sommer Jr., Securities Law Techniques, Ch. 82 (Matthew Bender Rev. Ed.), " Complying with the Foreign Corrupt Practices Act," which can be accessed online by subscribers of lexis.com. This treatise is also available on the LexisNexis online store.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.