Keeping whistleblowing in-house
Whistleblowing. The very term conjures up the image of a brave government bureaucrat who reveals malfeasance, corruption or ineptitude at a federal or state agency. But increasingly – guided by provisions in the Dodd-Frank Wall Street Reform and Protection Act – the highest-profile whistleblowing cases are those involving corporate executives and managers who reveal securities fraud and other misdeeds, leading to multi-million dollar fines imposed on their companies and to significant monetary rewards and protection from the U.S. Securities and Exchange Commission (SEC).
When it was enacted in 2010, Dodd-Frank included a whistleblower incentive program, begun two years later, which encouraged corporate employees to submit tips and information related to violations of the law. It has three integral components: monetary rewards, retaliation protection and confidentiality protection – each of which, according to the SEC, is equally important to the program’s success.
Over the last couple of years, the SEC has reported a 65% increase in the number of corporate whistleblowing tips received. In its most significant program action to date, the agency in March, 2014, announced that a whistleblower would be paid nearly $64 million for providing tips that led to JPMorgan Chase’s agreement to pay $614 million and tighten oversight to resolve charges that it had defrauded the government into insuring flawed home loans.
Here are several interrelated strategies that we recommend for banks to put in place to ensure that they comply with all laws and regulations while also protecting their corporate reputations and bottom lines:
Encourage potential whistleblowers or anyone with concerns about activity within or in relation to the company to present the information first through company reporting channels set up specifically within the compliance program to prompt further investigation. Companies are obliged to act on this information so that individual employees do not seek recourse via external channels. The penalties for failing to act on internally reported matters are severe, with the SEC noting that 80% of whistleblowers who turned to it for help last year had first attempted to report concerns to their company but were ignored.
To illustrate its support for in-house whistleblowers, in March, 2015, the SEC awarded an individual between $475,000 and $575,000 for reporting malfeasance to the SEC after having reported it internally and becoming frustrated that nothing was done. This payout was unique in that it was the first to go to an employee who performed a control function within a company.
Carry out regularly updated risk assessments and put into place whistleblower procedures. It is important for organizations to develop and make widely available a policy document that describes how they will manage financial malfeasance, bribery and other corruption risks. The document should be a living one, subject to regular review. Its presence, importance and availability should be widely publicized to all staff. Finally, like all risk framework-related activities, longer-term success will be achieved with board-level sponsorship and an effort to embed awareness from the top down, inspiring the company culture.
Consider installing risk management software to help manage an incident and recover rapidly. Risk management software enables companies to confidently manage remedial action and regulatory reporting following an incident. Should an incident occur, it is vital for an organization to track and link that incident back to the risk for better understanding and future mitigation. Risk management software should provide organizations with comprehensive incident management tools including automatic alerts, tracking of key risk indicators and logical workflows which can be implemented to ensure incidents are managed as fast as possible.
Put in place business continuity plans to ensure rapid recovery following a disruptive event. In today’s business environment, the ability to return to maximum productivity following a major incident within the shortest timeframe is critically important to preventing competitors from encroaching on clients and market share. Risk management software provides businesses with clear and structured workflow plans that can be followed to ensure recovery is achieved rapidly.
As financial services companies consider their options, they should make sure their risk management system can:
- consolidate the full spectrum of operational risk to give a comprehensive overview of enterprise-wide risks;
- document and visualize operational risks, assess controls and monitor risk mitigation plans;
- empower users to manage their own risk management system; and
- ensure not only that the right processes are being followed and frequently reviewed, but also that outcomes provide the critical audit trail/system of record.
For all of this to happen, those employees expected to help assess, monitor and review progress need to be empowered to provide open communication. A system that works with them can enhance the likelihood of regular usage and improved clarity in terms of the current status of all risks and threats to compliance objectives.