Post on 17-Aug-2015
© 2015 Baker & McKenzie LLP
GOOD. SMART. BUSINESS. PROFIT.TM
© 2015 Baker & McKenzie LLP
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to Know?
May 15, 2015
© 2015 Baker & McKenzie LLP
Chelsie ChmelaGlobal Events ManagerChelsie.chmela@ethisphere.com847.293.8806
We encourage you to engage during the Q&A portion of today’s webcast by using the chat function located within your viewing experience.
HOST
QUESTIONS
RECORDING The event recording and PowerPoint presentation will be provided post event.
3
© 2015 Baker & McKenzie LLP
4
SPEAKING TODAY
Greg RadinskyVice President & Chief Corporate Compliance Officer, North Shore -LIJ Health System
Cynthia JacksonPartner, Baker & McKenzie, Palo Alto, CA
Joan MeyerPartner, Chair of Compliance & Investigations Practice Group, Baker & McKenzie, Washington, DC
Baker & McKenzie LLP is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm.© 2015 Baker & McKenzie LLP
Greg Radinsky, Vice President & Chief Corporate Compliance Officer, North Shore -LIJ Health System
Cynthia Jackson, Partner, Baker & McKenzie, Palo Alto, CA
Joan Meyer, Partner, Chair of Compliance & Investigations Practice Group, Baker & McKenzie, Washington, DC
May 15, 2014
Radinsky, Vice President & Ch
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to Know?
Agenda
© 2015 Baker & McKenzie LLP 7
Agenda
‒ Key Themes‒ U.S. Government Expectations on Whistleblower Programs‒ Building an Effective Whistleblower Program at Your Company‒ Whistleblower Programs in Global Context: Local Law Challenges‒ Questions
© 2015 Baker & McKenzie LLP 8
Key Themes
‒ The goal of an effective whistleblower program is to promptly uncover misconduct within a company in order to remediate unethical or illegal conduct
‒ Enforcement of whistleblower program requirements is driven by anti-corruption laws and laws designed to prevent and detect corporate fraud
‒ An effective whistleblower program encourages individuals with knowledge of potential wrongdoing to report it to those within a company in a position to address the conduct
‒ Anonymity and confidentiality are key considerations, though these principles conflict with laws in a number of countries
‒ An effective whistleblower program must be accompanied by a robust investigations procedure
U.S. Government Expectations on Whistleblower Programs
© 2015 Baker & McKenzie LLP 10
Overview‒ An effective whistleblower program is a key component of an
effective compliance program that, when successfully implemented, allows a company to: Quickly uncover possible misconduct Immediately suspend any potential or actual criminal activity Discipline and, if necessary, remove from its employ
individuals who have engaged in, or otherwise condoned, criminal activity or other unethical conduct
Ensure its compliance training addresses those areas where the risk of misconduct is high
Enhance its compliance program to better address such high-risk areas
© 2015 Baker & McKenzie LLP 11
FCPA and Whistleblower Programs‒ The U.S. Department of Justice (“DOJ”) and U.S. Securities and
Exchange Commission (“SEC”) joint 2012 Resource Guide to the U.S. Foreign Corruption Practices Act (“FCPA Resource Guide”) includes confidential reporting and internal investigations as a “hallmark” of an “effective compliance program”
‒ The DOJ and SEC recommend the following practices: Consider implementing “anonymous hotlines or ombudsmen” Upon receipt of an allegation “companies should have in place an
efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken”
Companies should “consider taking ‘lessons learned’ from any reported violations and the outcome of any resulting investigation to update their internal controls and compliance program and focus future training on such issues, as appropriate”
© 2015 Baker & McKenzie LLP 12
U.S. Sentencing Guidelines
‒ The FCPA Resource Guide’s recommendations reflect the U.S. Sentencing Guidelines which reward companies that respond quickly to allegations of misconduct and modify their programs as needed
‒ In particular, the Sentencing Guidelines advise that “[A]fter criminal conduct has been detected, the organization
shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program”
Companies should take “appropriate disciplinary measures” against individuals engaging in criminal conduct
© 2015 Baker & McKenzie LLP 13
Whistleblower Programs and Corporate Fraud Statutes
‒ In addition to global compliance program expectations, in which an effective whistleblower program is a standard component, corporate fraud statutes provide certain minimum operational standards for these programs and mandate protections for individuals making reports through a whistleblower program
‒ These protections may come into conflict with the data privacy and protection laws and regulations of some countries
© 2015 Baker & McKenzie LLP 14
Sarbanes Oxley Whistleblower Program‒ Corporate and Criminal Fraud Accountability Act of 2002
(“Sarbanes Oxley”) Enacted following the corporate accounting fraud scandals in
early 2000s As a result of the treatment whistleblowers in these scandals
received, the law Includes minimum standards for whistleblower programs and protections for whistleblowers
Requires publicly traded companies to create internal and independent “audit committees” which are then required to establish procedures for employees to file internal whistleblower complaints and procedures that protect the confidentiality of employees who report alleged misconduct
Prohibits retaliation against whistleblowers who provide truthful information to a law enforcement officer about the commission or possible commission of any federal offense
© 2015 Baker & McKenzie LLP 15
Dodd-Frank Whistleblower Incentives‒ Enacted in 2010, the Dodd-Frank Wall Street Reform and
Consumer Protection Act (“Dodd-Frank”) builds on the Sarbanes Oxley whistleblower requirements and allows whistleblowers who provide the SEC with original information about securities violations to obtain between 10% to 30% of any monetary sanctions in excess of $1 million recovered against a company Reports may be anonymous Does not require internal reporting prior to going to the SEC Includes anti-retaliation protections for whistleblowers who report
possible securities laws violations Also prohibits actions that impede whistleblower communications
with the SEC including “enforcing, or threatening to enforce, a confidentiality agreement” with respect to such communications
© 2015 Baker & McKenzie LLP 16
Effective Whistleblower Programs: Elements
‒ Building an effective whistleblower program involves: Ensuring your standards of conduct are published, widely
disseminated, and the subject of regular training Building the reporting structure and apparatus Developing intake and screening protocols Communicating and training personnel on the program Establishing monitoring and auditing procedures to continually
assess the program’s performance Creating a culture of trust in which voluntary, good faith
reports are encouraged
© 2015 Baker & McKenzie LLP 17
Ensure Code of Conduct and Related Policies and Procedures are in Place‒ A Code of Conduct, its related policies, and supporting
procedures are the foundation of a whistleblower program as they establish the standards of conduct that govern employee behavior Companies should require good faith reports of possible
violations of: o The Code of Conducto Company policies and procedureso Applicable laws and regulations
The opportunity to report should be open to officers, directors, employees and any third parties, including customers, with knowledge of potential wrongdoing
Key policies such as the anti-corruption policy should include obligation to report potential violations of said policy and set forth all whistleblower reporting channels
© 2015 Baker & McKenzie LLP 18
Build the Reporting Process Structure‒ An effective whistleblower program will provide multiple means of
reporting potential misconduct, such as e-mail; telephone; ground mail; fax; and Internet or website links
‒ These should be checked, and reports processed, on a daily basis
‒ If possible, the telephone should be staffed (a number of reputable vendors offer such services)
‒ Each report should be logged and tracked, and promptly addressed in accordance with investigation procedures
‒ It is important that technology and staff are able to receive reports in multiple languages (e.g., the primary countries of operation for the company)
‒ A best practice is to designate at least one compliance professional within the company to serve as a dedicated manager of the whistleblower reporting program
© 2015 Baker & McKenzie LLP 19
Establish a Process for Screening Reports‒ Reports should be received directly by the lead compliance professional;
Compliance department should classify concerns and allegations according to their risk level
‒ High-risk allegations should be given priority: Corruption (kickbacks and other corruption-related fraud and crimes) and
money laundering Release of proprietary information Cyber intrusions and other computer network crimes Financial crimes perpetrated against the company by third parties Financial crimes against the company committed by company
employees Misconduct involving company directors, officers, or senior
management
‒ Report should be then submitted to the appropriate company department for conducting inquiry or investigation (e.g., HR, Internal Audit, Legal)
‒ Keep documentation for all follow up on reports, including explanations as to why follow up was not necessary in some cases
© 2015 Baker & McKenzie LLP 20
Training on Program and Related Processes‒ All employees should received training on how to submit reports
using the whistleblower hotline, the company’s process for responding to such reports, and how the company manages the whistleblower program
‒ Business partners and other third parties should be included in the whistleblower training if possible
‒ Have in place a forceful non-retaliation policy that accompanies your whistleblower reporting program and ensure that all company personnel receive training on it
‒ Specialized training should be provided to managers and supervisors on how to respond to whistleblower complaints, including how to prevent retaliation and how to identify and respond to any attempts at harassment or retaliation targeted at a perceived or known whistleblower
© 2015 Baker & McKenzie LLP 21
Conduct Awareness Campaign
‒ Raise awareness of the whistleblowing program and related procedures through an internal awareness campaign utilizing company-wide communications such as emails, videos, and banners
‒ Post public notices providing whistleblower reporting mechanisms ‒ Prominently display the whistleblower hotline information on the
company’s external website and on Intranet‒ Include a statement on the whistleblower program and contact
information prominently in the Code of Conduct‒ Include the whistleblower program information in contracts with
business partners and other third parties
© 2015 Baker & McKenzie LLP 22
Monitor Program’s Performance‒ Track and regularly review statistics on the program in order to
monitor its effectiveness and identify compliance program enhancement needs
‒ Recommended tracking statistics: Number of matters opened on an annual basis and/or
monthly (misconduct categories; outcome) Average length of time matters remain outstanding
‒ Test and audit the reporting system to make sure it works; continuously improve the system based on findings (e.g., additional training or enhancements to compliance policies)
‒ Regularly, at least annually, report to the board of directors and/or audit committee on audit findings and subsequent enhancements to the program
© 2015 Baker & McKenzie LLP 23
Encourage Voluntary Reporting‒ Encourage whistleblowers to report internally and early
Make sure that reporting is easy and user-friendly, but secure and confidential; limit access to reported information
Various alternative reporting channels should be available Consider incentives for whistleblowers who come forward Promptly respond to credible allegations When possible, return to the impacted parties with the results
of the inquiry and thank whistleblowers for utilizing the company reporting channels
Discreetly check in with individuals making allegations and individuals involved in allegations, if appropriate, and monitor compliance with company policies to ensure no retaliation has occurred
Building an Effective Whistleblower Program at Your Company
© 2015 Baker & McKenzie LLP
What is a Healthy Compliance Hotline Trend?
0
200
400
600
800
1000
1200
2012
2008
2009
2010
2011
20132014
25
© 2015 Baker & McKenzie LLP
Compliance Hotline Benchmarking 1.1-1.4 Reports (Median) per 100 Employees Annually
http://www.navexglobal.com/file-download?file=uploads/NAVEXGlobal_2014HotlineBenchmarkingReport_031114.pdf&file-name=NAVEXGlobal_2014HotlineBenchmarkingReport_031114.pdf
26
© 2015 Baker & McKenzie LLP
Important Related Hotline Policies Hotline Policy
Whistleblower Policy
Investigatory Policy
Non-Intimidation and Non-Retaliation Policy
Disciplinary Policy
Code of Conduct
27
© 2015 Baker & McKenzie LLP
What All Companies Can Learn from the Health Care Industry and Non-Profit Law
Non-Intimidation and Non-Retaliation Policy
Annual Notification to Employees and Vendors
Volume Matters
Speed Matters
Board Oversight Matters
Training and Awareness Matters
Survey/Audit/Test Functions
28
© 2015 Baker & McKenzie LLP
Sample Hotline Awareness Cartoon
29
© 2015 Baker & McKenzie LLP 30
Whistleblower Programs in Global Context: Local Law Challenges
© 2015 Baker & McKenzie LLP 32
Global Codes Of Conduct
‒ U.S. drive for complete reporting of any and all wrongdoing, safety of anonymity and abhorrence for destruction of documents/obstruction of justice; at-will employment
vs.
‒ EU drive for data privacy, fear of malicious and anonymous reporting, desire for prompt destruction of outdated or unfounded documentation and more restrictive labor and employment laws
© 2015 Baker & McKenzie LLP
33
Global Roll-Outs
Needs to satisfy:‒ U.S. compliance obligations‒ Not offend local laws‒ Satisfy local employment
requirements and procedures‒ Satisfy local data privacy laws
© 2015 Baker & McKenzie LLP
34
Data Privacy Art. 29 Working Party – Hotlines
1. Anonymity cannot be preferred reporting method (promote “confidential” reporting)
2. Limited to accounting, internal accounting controls, audit matters, anti-bribery, banking, securities, and financial crimes (business transparency) “vital interests” and “moral integrity”
3. Data collected and processed must be “proportionate” to purpose
© 2015 Baker & McKenzie LLP
35
And More Guidelines…
4. Separate from other personal data5. “Substantiated reporting” deleted
within 2 months after investigation, proceeding or disciplinary action
6. “Unsubstantiated reports” deleted immediately – caveat: US obstruction of justice
7. Incriminated person must be informed as soon as practicable
8. Data privacy compliant
© 2015 Baker & McKenzie LLP 36
Other Reporting DivergencesAustria – prefers local hotline
Belgium – only matters that cannot be handled in Belgium: case-by-case
France – hotline cannot be extended to non-employees; employee reports limited to financial, accounting, banking, corruption, anti-trust, discrimination, harassment, workplace health, hygiene and safety and environmental protection
India – prefers issued by Indian entity
Netherlands – only matters that are substantial abuses that exceed the national level of the company: case-by-case law
Portugal – forbids anonymity
Russia - difficulty with non-Russian legal references or Codes issued by non-Russian entity
Spain – forbids anonymity
Sweden – hotline reports limited to managers and above
Switzerland – prefers local hotline
© 2015 Baker & McKenzie LLP 37
Data Privacy Considerations Checklist‒ Is the whistleblower program data privacy compliant‒ Are employee notices or consents required and, if yes, when and
where Is labor consultation required Have governmental filings, addressing both inbound and
outbound countries, been completed Are the Code of Conduct and its associated policies (internal
regulations/work rules) required to give the Code disciplinary “teeth”
‒ Is email monitoring permitted Do IT security policies address monitoring issues Are personal use restrictions required Have necessary labor consultations occurred Are any government filings necessary
‒ When developing document retention and access policies be sure to address deletion and archiving requirements
© 2015 Baker & McKenzie LLP 38
Lost in Translation
‒ Provisions That Don’t Translate Malfeasance v. Non-Feasance Monitoring and Surveillance /
Use of Company Property “Cause” Discrimination and Harassment
in Muslim Countries Export Controls and Anti-boycott
laws Not a Contract Reporting of Suspected
Violations
© 2015 Baker & McKenzie LLP 39
The Global Code Burger
Internal Regulations
Works Councils / Consultation / Acknowledgment
Data Privacy
The Code
© 2015 Baker & McKenzie LLP 40
Baker & McKenzie - Additional Resources
Follow ongoing developments in global anti-corruption enforcement and compliance via:
http://globalcompliancenews.com/
Baker & McKenzie’s “Inside the FCPA” Newsletter http://www.bakermckenzie.com/insidethefcpa/
Thank you! Questions?
41
© 2015 Baker & McKenzie LLP 42
Our Presenters and Contact Information
.
Greg Radinsky, Vice President & Chief Corporate Compliance Officer, North Shore - LIJ Health System
Tel: +1 516 465 8327
gradinsk@nshs.edu
Cynthia Jackson, Partner, Baker & McKenzie, Palo Alto, CA
Tel: +1 650 856 5572
Cynthia.jackson@bakermckenzie.com
Joan Meyer, Partner, Chair of Compliance & Investigations Practice Group, Baker & McKenzie, Washington, DC
Tel: +1 202 835 6119
joan.meyer@bakermckenzie.com
© 2015 Baker & McKenzie LLP
This webcast and all future Ethisphere webcasts are available complimentary and on demand for BELA members. BELA members are also offered complimentary registration to Ethisphere’s Global Ethics Summit and other Summits around the world.
For more information on BELA contact:
Laara van Loben SelsSenior Director, Engagement Serviceslaara.vanlobensels@ethisphere.com480.397.2663
Business Ethics Leadership Alliance (BELA)
© 2015 Baker & McKenzie LLP
Wednesday, May 27 at 1:00 p.m. ET
Building on the Foundation of Ethics and Compliance to Achieve Sustainability
All upcoming Ethisphere events can be found at:http://ethisphere.com/events/
PLEASE JOIN US FOR
© 2015 Baker & McKenzie LLP
www.latinamericaethicssummit.com
Early Bird Pricing Ends May 22!15% off Discount Code: WEBCAST15
© 2015 Baker & McKenzie LLP
THANK YOU