Más contenido relacionado
Similar a Whistleblower Best Practices: What Do Compliance and Business Leaders Need to Know? (20)
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to Know?
- 1. © 2015 Baker & McKenzie LLP
GOOD. SMART. BUSINESS. PROFIT.
TM
- 2. © 2015 Baker & McKenzie LLP
Whistleblower Best Practices: What Do
Compliance and Business Leaders
Need to Know?
May 15, 2015
- 3. © 2015 Baker & McKenzie LLP
Chelsie Chmela
Global Events Manager
Chelsie.chmela@ethisphere.com
847.293.8806
We encourage you to engage during the Q&A portion
of today’s webcast by using the chat function located
within your viewing experience.
HOST
QUESTIONS
RECORDING The event recording and PowerPoint presentation will
be provided post event.
3
- 4. © 2015 Baker & McKenzie LLP
4
SPEAKING TODAY
Greg Radinsky
Vice President & Chief Corporate Compliance Officer, North
Shore -LIJ Health System
Cynthia Jackson
Partner, Baker & McKenzie, Palo Alto, CA
Joan Meyer
Partner, Chair of Compliance & Investigations Practice
Group, Baker & McKenzie, Washington, DC
- 5. Baker & McKenzie LLP is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common
terminology used in professional service organizations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an
"office" means an office of any such law firm.
© 2015 Baker & McKenzie LLP
Greg Radinsky, Vice President & Chief Corporate Compliance Officer, North Shore -
LIJ Health System
Cynthia Jackson, Partner, Baker & McKenzie, Palo Alto, CA
Joan Meyer, Partner, Chair of Compliance & Investigations Practice Group, Baker &
McKenzie, Washington, DC
May 15, 2014
Radinsky, Vice President & Ch
Whistleblower Best Practices: What Do
Compliance and Business Leaders Need
to Know?
- 7. © 2015 Baker & McKenzie LLP 7
Agenda
‒ Key Themes
‒ U.S. Government Expectations on Whistleblower Programs
‒ Building an Effective Whistleblower Program at Your Company
‒ Whistleblower Programs in Global Context: Local Law Challenges
‒ Questions
- 8. © 2015 Baker & McKenzie LLP 8
Key Themes
‒ The goal of an effective whistleblower program is to promptly
uncover misconduct within a company in order to remediate
unethical or illegal conduct
‒ Enforcement of whistleblower program requirements is driven by
anti-corruption laws and laws designed to prevent and detect
corporate fraud
‒ An effective whistleblower program encourages individuals with
knowledge of potential wrongdoing to report it to those within a
company in a position to address the conduct
‒ Anonymity and confidentiality are key considerations, though
these principles conflict with laws in a number of countries
‒ An effective whistleblower program must be accompanied by a
robust investigations procedure
- 10. © 2015 Baker & McKenzie LLP 10
Overview
‒ An effective whistleblower program is a key component of an
effective compliance program that, when successfully
implemented, allows a company to:
Quickly uncover possible misconduct
Immediately suspend any potential or actual criminal activity
Discipline and, if necessary, remove from its employ
individuals who have engaged in, or otherwise condoned,
criminal activity or other unethical conduct
Ensure its compliance training addresses those areas where
the risk of misconduct is high
Enhance its compliance program to better address such high-
risk areas
- 11. © 2015 Baker & McKenzie LLP 11
FCPA and Whistleblower Programs
‒ The U.S. Department of Justice (“DOJ”) and U.S. Securities and
Exchange Commission (“SEC”) joint 2012 Resource Guide to the
U.S. Foreign Corruption Practices Act (“FCPA Resource Guide”)
includes confidential reporting and internal investigations as a
“hallmark” of an “effective compliance program”
‒ The DOJ and SEC recommend the following practices:
Consider implementing “anonymous hotlines or ombudsmen”
Upon receipt of an allegation “companies should have in place an
efficient, reliable, and properly funded process for investigating the
allegation and documenting the company’s response, including any
disciplinary or remediation measures taken”
Companies should “consider taking ‘lessons learned’ from any
reported violations and the outcome of any resulting investigation to
update their internal controls and compliance program and focus
future training on such issues, as appropriate”
- 12. © 2015 Baker & McKenzie LLP 12
U.S. Sentencing Guidelines
‒ The FCPA Resource Guide’s recommendations reflect the U.S.
Sentencing Guidelines which reward companies that respond
quickly to allegations of misconduct and modify their programs as
needed
‒ In particular, the Sentencing Guidelines advise that
“[A]fter criminal conduct has been detected, the organization
shall take reasonable steps to respond appropriately to the
criminal conduct and to prevent further similar criminal
conduct, including making any necessary modifications to the
organization’s compliance and ethics program”
Companies should take “appropriate disciplinary measures”
against individuals engaging in criminal conduct
- 13. © 2015 Baker & McKenzie LLP 13
Whistleblower Programs and Corporate
Fraud Statutes
‒ In addition to global compliance program expectations, in which
an effective whistleblower program is a standard component,
corporate fraud statutes provide certain minimum operational
standards for these programs and mandate protections for
individuals making reports through a whistleblower program
‒ These protections may come into conflict with the data privacy
and protection laws and regulations of some countries
- 14. © 2015 Baker & McKenzie LLP 14
Sarbanes Oxley Whistleblower Program
‒ Corporate and Criminal Fraud Accountability Act of 2002
(“Sarbanes Oxley”)
Enacted following the corporate accounting fraud scandals in
early 2000s
As a result of the treatment whistleblowers in these scandals
received, the law Includes minimum standards for
whistleblower programs and protections for whistleblowers
Requires publicly traded companies to create internal and
independent “audit committees” which are then required to
establish procedures for employees to file internal
whistleblower complaints and procedures that protect the
confidentiality of employees who report alleged misconduct
Prohibits retaliation against whistleblowers who provide
truthful information to a law enforcement officer about the
commission or possible commission of any federal offense
- 15. © 2015 Baker & McKenzie LLP 15
Dodd-Frank Whistleblower Incentives
‒ Enacted in 2010, the Dodd-Frank Wall Street Reform and
Consumer Protection Act (“Dodd-Frank”) builds on the Sarbanes
Oxley whistleblower requirements and allows whistleblowers who
provide the SEC with original information about securities
violations to obtain between 10% to 30% of any monetary
sanctions in excess of $1 million recovered against a company
Reports may be anonymous
Does not require internal reporting prior to going to the SEC
Includes anti-retaliation protections for whistleblowers who report
possible securities laws violations
Also prohibits actions that impede whistleblower communications
with the SEC including “enforcing, or threatening to enforce, a
confidentiality agreement” with respect to such communications
- 16. © 2015 Baker & McKenzie LLP 16
Effective Whistleblower Programs:
Elements
‒ Building an effective whistleblower program involves:
Ensuring your standards of conduct are published, widely
disseminated, and the subject of regular training
Building the reporting structure and apparatus
Developing intake and screening protocols
Communicating and training personnel on the program
Establishing monitoring and auditing procedures to continually
assess the program’s performance
Creating a culture of trust in which voluntary, good faith
reports are encouraged
- 17. © 2015 Baker & McKenzie LLP 17
Ensure Code of Conduct and Related
Policies and Procedures are in Place
‒ A Code of Conduct, its related policies, and supporting procedures
are the foundation of a whistleblower program as they establish
the standards of conduct that govern employee behavior
Companies should require good faith reports of possible
violations of:
o The Code of Conduct
o Company policies and procedures
o Applicable laws and regulations
The opportunity to report should be open to officers, directors,
employees and any third parties, including customers, with
knowledge of potential wrongdoing
Key policies such as the anti-corruption policy should include
obligation to report potential violations of said policy and set
forth all whistleblower reporting channels
- 18. © 2015 Baker & McKenzie LLP 18
Build the Reporting Process Structure
‒ An effective whistleblower program will provide multiple means of
reporting potential misconduct, such as e-mail; telephone; ground
mail; fax; and Internet or website links
‒ These should be checked, and reports processed, on a daily basis
‒ If possible, the telephone should be staffed (a number of reputable
vendors offer such services)
‒ Each report should be logged and tracked, and promptly
addressed in accordance with investigation procedures
‒ It is important that technology and staff are able to receive reports
in multiple languages (e.g., the primary countries of operation for
the company)
‒ A best practice is to designate at least one compliance
professional within the company to serve as a dedicated manager
of the whistleblower reporting program
- 19. © 2015 Baker & McKenzie LLP 19
Establish a Process for Screening Reports
‒ Reports should be received directly by the lead compliance professional;
Compliance department should classify concerns and allegations
according to their risk level
‒ High-risk allegations should be given priority:
Corruption (kickbacks and other corruption-related fraud and crimes) and
money laundering
Release of proprietary information
Cyber intrusions and other computer network crimes
Financial crimes perpetrated against the company by third parties
Financial crimes against the company committed by company employees
Misconduct involving company directors, officers, or senior management
‒ Report should be then submitted to the appropriate company department
for conducting inquiry or investigation (e.g., HR, Internal Audit, Legal)
‒ Keep documentation for all follow up on reports, including explanations as
to why follow up was not necessary in some cases
- 20. © 2015 Baker & McKenzie LLP 20
Training on Program and Related Processes
‒ All employees should received training on how to submit reports
using the whistleblower hotline, the company’s process for
responding to such reports, and how the company manages the
whistleblower program
‒ Business partners and other third parties should be included in the
whistleblower training if possible
‒ Have in place a forceful non-retaliation policy that accompanies
your whistleblower reporting program and ensure that all company
personnel receive training on it
‒ Specialized training should be provided to managers and
supervisors on how to respond to whistleblower complaints,
including how to prevent retaliation and how to identify and
respond to any attempts at harassment or retaliation targeted at a
perceived or known whistleblower
- 21. © 2015 Baker & McKenzie LLP 21
Conduct Awareness Campaign
‒ Raise awareness of the whistleblowing program and related
procedures through an internal awareness campaign utilizing
company-wide communications such as emails, videos, and
banners
‒ Post public notices providing whistleblower reporting mechanisms
‒ Prominently display the whistleblower hotline information on the
company’s external website and on Intranet
‒ Include a statement on the whistleblower program and contact
information prominently in the Code of Conduct
‒ Include the whistleblower program information in contracts with
business partners and other third parties
- 22. © 2015 Baker & McKenzie LLP 22
Monitor Program’s Performance
‒ Track and regularly review statistics on the program in order to
monitor its effectiveness and identify compliance program
enhancement needs
‒ Recommended tracking statistics:
Number of matters opened on an annual basis and/or
monthly (misconduct categories; outcome)
Average length of time matters remain outstanding
‒ Test and audit the reporting system to make sure it works;
continuously improve the system based on findings (e.g.,
additional training or enhancements to compliance policies)
‒ Regularly, at least annually, report to the board of directors and/or
audit committee on audit findings and subsequent enhancements
to the program
- 23. © 2015 Baker & McKenzie LLP 23
Encourage Voluntary Reporting
‒ Encourage whistleblowers to report internally and early
Make sure that reporting is easy and user-friendly, but secure
and confidential; limit access to reported information
Various alternative reporting channels should be available
Consider incentives for whistleblowers who come forward
Promptly respond to credible allegations
When possible, return to the impacted parties with the results
of the inquiry and thank whistleblowers for utilizing the
company reporting channels
Discreetly check in with individuals making allegations and
individuals involved in allegations, if appropriate, and monitor
compliance with company policies to ensure no retaliation has
occurred
- 25. © 2015 Baker & McKenzie LLP
What is a Healthy Compliance Hotline Trend?
0
200
400
600
800
1000
1200
2012
2008
2009
2010
2011
2013
2014
25
- 26. © 2015 Baker & McKenzie LLP
Compliance Hotline Benchmarking
1.1-1.4 Reports (Median) per 100 Employees Annually
http://www.navexglobal.com/file-
download?file=uploads/NAVEXGlobal_2014HotlineBenc
hmarkingReport_031114.pdf&file-
name=NAVEXGlobal_2014HotlineBenchmarkingReport_
031114.pdf
26
- 27. © 2015 Baker & McKenzie LLP
Important Related Hotline Policies
Hotline Policy
Whistleblower Policy
Investigatory Policy
Non-Intimidation and Non-Retaliation Policy
Disciplinary Policy
Code of Conduct
27
- 28. © 2015 Baker & McKenzie LLP
What All Companies Can Learn from the
Health Care Industry and Non-Profit Law
Non-Intimidation and Non-Retaliation Policy
Annual Notification to Employees and Vendors
Volume Matters
Speed Matters
Board Oversight Matters
Training and Awareness Matters
Survey/Audit/Test Functions
28
- 29. © 2015 Baker & McKenzie LLP
Sample Hotline Awareness Cartoon
29
- 32. © 2015 Baker & McKenzie LLP 32
Global Codes Of Conduct
‒ U.S. drive for complete reporting of
any and all wrongdoing, safety of
anonymity and abhorrence for
destruction of
documents/obstruction of justice;
at-will employment
vs.
‒ EU drive for data privacy, fear of
malicious and anonymous
reporting, desire for prompt
destruction of outdated or
unfounded documentation and
more restrictive labor and
employment laws
- 33. © 2015 Baker & McKenzie LLP
33
Global Roll-Outs
Needs to satisfy:
‒ U.S. compliance obligations
‒ Not offend local laws
‒ Satisfy local employment
requirements and procedures
‒ Satisfy local data privacy laws
- 34. © 2015 Baker & McKenzie LLP
34
Data Privacy Art. 29 Working Party –
Hotlines
1. Anonymity cannot be preferred reporting method
(promote “confidential” reporting)
2. Limited to accounting, internal accounting
controls, audit matters, anti-bribery, banking,
securities, and financial crimes (business
transparency) “vital interests” and “moral
integrity”
3. Data collected and processed must be
“proportionate” to purpose
- 35. © 2015 Baker & McKenzie LLP
35
And More Guidelines…
4. Separate from other personal data
5. “Substantiated reporting” deleted
within 2 months after investigation,
proceeding or disciplinary action
6. “Unsubstantiated reports” deleted
immediately – caveat: US obstruction
of justice
7. Incriminated person must be informed
as soon as practicable
8. Data privacy compliant
- 36. © 2015 Baker & McKenzie LLP 36
Other Reporting Divergences
Austria – prefers local hotline
Belgium – only matters that cannot be handled in
Belgium: case-by-case
France – hotline cannot be extended to non-
employees; employee reports limited to financial,
accounting, banking, corruption, anti-trust,
discrimination, harassment, workplace health,
hygiene and safety and environmental protection
India – prefers issued by Indian entity
Netherlands – only matters that are substantial
abuses that exceed the national level of the
company: case-by-case law
Portugal – forbids anonymity
Russia - difficulty with non-Russian legal references
or Codes issued by non-Russian entity
Spain – forbids anonymity
Sweden – hotline reports limited to managers and
above
Switzerland – prefers local hotline
- 37. © 2015 Baker & McKenzie LLP 37
Data Privacy Considerations Checklist
‒ Is the whistleblower program data privacy compliant
‒ Are employee notices or consents required and, if yes, when and
where
Is labor consultation required
Have governmental filings, addressing both inbound and
outbound countries, been completed
Are the Code of Conduct and its associated policies (internal
regulations/work rules) required to give the Code disciplinary
“teeth”
‒ Is email monitoring permitted
Do IT security policies address monitoring issues
Are personal use restrictions required
Have necessary labor consultations occurred
Are any government filings necessary
‒ When developing document retention and access policies be sure to
address deletion and archiving requirements
- 38. © 2015 Baker & McKenzie LLP 38
Lost in Translation
‒ Provisions That Don’t Translate
Malfeasance v. Non-Feasance
Monitoring and Surveillance /
Use of Company Property
“Cause”
Discrimination and Harassment
in Muslim Countries
Export Controls and Anti-boycott
laws
Not a Contract
Reporting of Suspected
Violations
- 39. © 2015 Baker & McKenzie LLP 39
The Global Code Burger
Internal Regulations
Works Councils /
Consultation /
Acknowledgment
Data Privacy
The Code
- 40. © 2015 Baker & McKenzie LLP 40
Baker & McKenzie - Additional Resources
Follow ongoing developments in global anti-
corruption enforcement and compliance via:
http://globalcompliancenews.com/
Baker & McKenzie’s “Inside the FCPA” Newsletter
http://www.bakermckenzie.com/insidethefcpa/
- 42. © 2015 Baker & McKenzie LLP 42
Our Presenters and Contact Information
.
Greg Radinsky, Vice President & Chief Corporate
Compliance Officer, North Shore - LIJ Health System
Tel: +1 516 465 8327
gradinsk@nshs.edu
Cynthia Jackson, Partner, Baker & McKenzie, Palo Alto, CA
Tel: +1 650 856 5572
Cynthia.jackson@bakermckenzie.com
Joan Meyer, Partner, Chair of Compliance & Investigations Practice
Group, Baker & McKenzie, Washington, DC
Tel: +1 202 835 6119
joan.meyer@bakermckenzie.com
- 43. © 2015 Baker & McKenzie LLP
This webcast and all future Ethisphere webcasts are
available complimentary and on demand for BELA
members. BELA members are also offered
complimentary registration to Ethisphere’s Global
Ethics Summit and other Summits around the world.
For more information on BELA contact:
Laara van Loben Sels
Senior Director, Engagement Services
laara.vanlobensels@ethisphere.com
480.397.2663
Business Ethics Leadership
Alliance (BELA)
- 44. © 2015 Baker & McKenzie LLP
Wednesday, May 27 at 1:00 p.m. ET
Building on the Foundation of Ethics and Compliance
to Achieve Sustainability
All upcoming Ethisphere events can be found at:
http://ethisphere.com/events/
PLEASE JOIN US FOR
- 45. © 2015 Baker & McKenzie LLP
www.latinamericaethicssummit.com
Early Bird Pricing Ends May 22!
15% off Discount Code: WEBCAST15