Best Practice Advice for Improving Employee Awareness of Your GRC Program

This post gathers my notes from a webinar entitled Best Practice Advice for Improving Employee Awareness of Your GRC Program which was presented by EthicsPoint.

Barbara Upton-Garvin from the Boys & Girls Club of Greater Kansas City started off with a discussion of their awareness programs. They highlighted their ethics policies and their whistleblower’s policy.

Francine Obregon of Eisai handed out schwag with the whistleblower hotline information. The awareness program was in part designed to advise the employees know that the hotline is part of a larger compliance program. They had recently changed the principles of corporate conduct. She thought it was important to let peopel know that the person answering the hotline would not be answering the questions. The hotline was merely an anonymous conduit.

Barry Elmore from the Majestic Star Casino wanted a program to educate their employees and marketing of the reporting process. They have a broad range of education and knowledge for their employees. They found that the education process was over the heads of many front line employees so they stuck to the basics. They also educated their vendors as part of the program. They conduct new hire training and annual training. They also advertise the hotline in employee break areas and employee newsletters. They sent a copy of the code of conduct to each vendor. Some of his challenges include the 24 hour operations of the business, lots of turnover and confusion between HR issues and code of conduct violations.

Francine pointed out that Eisai focused on branding issues so that all of the compliance materials and schwag all had a similar look and feel.

Barry emphasized that you cannot be boring in delivering the message and training. The examples need to be on the “lighter side.”

Julie Rivera of Red Robin put up posters and handed out wallet cards. “Honest ro Goodness. It’s not just about gourmet burgers. It’s about treating people respectfully.” Red Robin started out with a top-down approach of getting buy-in from corporate in its push out to the individual restaurants. There was some confusion between the open-door policy and hotline. They do get a fair number of low level HR issues on the hotline.

The panel had some trouble answering a question about the effectiveness of the awareness program. Barry and Barbara both see an increase in the number of reports shortly after a training session.

Whistleblower Hotlines for Home Builders

In running through the Compliance Week database, I ran across a few Whistleblower sites and related information for construction companies.

Beazor Homes Confidential Ethics Hotline

Through the Ethics Hotline, you can report evidence of known or suspected fraud, theft, accounting or auditing improprieties, other financial misconduct, or any other type of misconduct involving the assets, operations or employees of Beazer Homes.

Toll Brothers Ethics Reporting

Toll Brothers, Inc. has a simple way for anyone to confidentially report activities that may involve unethical or otherwise inappropriate behavior relating to conflicts of interest, financial reporting, employee misconduct, safety, or other potential violations of the Toll Brothers, Inc. Code of Ethics and Business Conduct.

Pulte Homes Speak Up (.pdf)

HOW WE DO BUSINESS IS AS IMPORTANT AS THE BUSINESS WE DO.
If you have a concern regarding unethical activity, don’t keep it to yourself. Discuss it with your manager.
Or, if you prefer to remain anonymous, call: The Network.

D.R. Horton Complaint Procedures for Accounting, Internal Control, Auditing and Financial Matters. (.pdf)

Any person may submit a good faith complaint regarding accounting, internal accounting control, auditing or financial matters (collectively, “Accounting Matters”) to the management of D.R. Horton. D.R. Horton is committed to achieving compliance with all applicable securities laws and regulations, accounting and financial standards, accounting controls and audit practices. D.R. Horton’s Audit Committee will oversee treatment of concerns in this area.

KB Home Ethics Policy (.pdf)

DOING THE RIGHT THING FOR THE RIGHT REASON
At KB Home, our commitment to doing the right thing for the right reason is the foundation of our homebuilding success and 100% Complete/100% Satisfied culture. Legal obligations and public expectations regarding appropriate business conduct make it more important than ever that we continue to follow the highest ethical standards in everything that we do. Our failure to do so can have serious consequences, including civil and criminal penalties and significant damage to our reputation in the eyes of our customers, business partners and investors. The KB Home Ethics Policy reflects our commitment to operate in an ethical manner, with integrity and in compliance with applicable laws and regulations, and it establishes principles to guide actions and decisions that can be applied in everyday situations.

If you have any questions or concerns, please report them to an immediate supervisor, to one of the designated Ethics Officers, to the Ethics Policy Hotline or to the Ethics Policy Reporting Website.

What are WIFs?

My notes from the EthicsPoint webinar on intake models and the value of web intake forms.  The presenter was Erin Watkinson a business solutions consultant at EthicsPoint.

A custom web intake form is a replacement for paper based forms. You can use the web to report on issues.

Reporting should encourage employees to first go to a supervisor and not go anonymously right away.

A custom WIF is a case intake mechanism for non-licensed users. Its a custom report form that you can brand and format as needed or desired. The WIF can eliminate the re-keying of data. The form dumps the information into a central database.  in a WIF you can have explanatory text, images, fields and/or links to other documentation. The WIF is mapped to fields in the EthicsPoint Event Manager. You can create custom print forms to match the look and feel of the WIF. All of the data elements are available for reporting and analytics. There is also branching logic available depending on how questions are answered.

Erin then showed an example of an HR Management report. This highlighted the branching features. Another demo was the Hospira HR system. They used the system for people to ask questions. The system tracks the questions and the answers given.

Update to the Federal Acquisition Regulations

The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) have agreed on a final rule amending the Federal Acquisition Regulation (FAR) to amplify the requirements for a contractor code of business ethics and conduct, an internal control system, and disclosure to the Government of certain violations of criminal law, violations of the civil False Claims Act, or significant overpayments.

On November 12, 2008 the Department of Defense published amendments to the Federal Acquisition Regulation: Federal Register Volume 73, No.219 page 67064 -67093. Key is the amendment to 52.203-13 that enlarges the requirements for a contractor’s code of business ethics and conduct.

Under 52.203-13(c)(2)(F) requires:

Timely disclosure, in writing, to the agency OIG, with a copy to the Contracting Officer, whenever, in connection with the award, performance, or closeout of any Government contract performed by the Contractor or a subcontractor thereunder, the Contractor has credible evidence that a principal, employee, agent, or subcontractor of the Contractor has committed a violation of Federal criminal law involving fraud, conflict of interest, bribery, or gratuity violations found in Title 18 U.S.C. or a violation of the civil False Claims Act (31 U.S.C. 3729-3733).

These amendments go into effect on December 12, 2008.

Military Whistleblowers Get Little Help

The AP released a story describing the poor performance of the Department of Defense Inspector General’s Office: Whistle-blowers get little help if punished.

The inspector general’s office rejected claims of retaliation and stood by the military in more than 90 percent of nearly 3,000 cases during the past six years. More than 73 percent were closed after only a preliminary review that relied on available documents and sources — often from the military itself — to determine whether a full inquiry was warranted.

The Military Reprisal Investigations, or MRI, handles reprisal cases for military whstleblower reprisal cases.

The Directorate for Military Reprisal Investigations fulfills the statutory requirements to conduct and oversee allegations of whistleblower reprisal made by DoD Military Service members, Nonappropriated Fund (NAF) employees, and Contractor Employees. The Directorate also investigates alleged violations of DoD Directive 6490.1, “Mental Health Evaluations of Members of the Armed Forces.”

CNiL Information on Whistleblower Systems

To follow-up on French Data Protection Authority Blocks SOX Whistleblower Programs and Whistleblowers in France, here is CNiL‘s FAQ on whistleblowing systems and guideline document for whistleblower systems.

CNiL defined a set of rules to be followed for whistleblower systems to be compatible with French data protection laws: Unique Authorisation dated December 8, 2005 (in French, without an English translation).

According to the FAQ on whistleblowing systems a whistleblower system must be limited to

serious risks to the company in the fields of accounting, financial audit, fight against bribery or banking areas can be collected and filed by the organisation in charge of handling the reports.

Examples :

  • Accounting and account auditing disorders,
  • False entries,
  • Tax evasion,
  • Fictitious personnel employment,
  • Bribery of public agents …

Specific examples in the banking area:

  • Terrorism funding,
  • Money laundering…

The whistleblower system may also be used to gather reports on facts

that affect the vital interests of the company or it its employee’s physical or mental integrity
Examples:

  • Threat to the safety of another employee,
  • Moral harassment,
  • Sexual harassment,
  • Discrimination,
  • Insider trading,
  • Conflict of interests,
  • Serious environmental breaches or threats to public health,
  • Disclosure of a manufacturing secret,
  • Serious risks to the company’s information system security …

CNiL also takes to position that the whistleblowing system must not be compulsory, but merely encouraged. CNiL takes the position that the systems should not be designed to encourage anonymity. Confidentiality is fine but anonymity is not.  CNiL provides this example language for the scope of a whistleblower system:

The system is open to employees who wish to inform the organisation about facts susceptible to breach applicable rules in the financial, account auditing and corruption prevention areas. This system is an alternative way of reporting genuine concerns which would not be adequately dealt with by other existing reporting channels such as line management or personnel representatives. If the vital interest of the company is threatened in other areas or if the physical or mental integrity of employee(s) is at stake, reports on such serious facts may be redirected to appropriate individuals within the company. No other type of reports can be made using this system.

French Data Protection Authority Blocks SOX Whistleblower Programs

As a follow-up to the Whistleblowers in France, John B. Reynolds, III and Amy E. Worlton of Wiley Rein LLP offer more insight to the programs and decisions.

CNIL found that employees’ ability to lodge anonymous complaints would increase the likelihood of malicious false reports. CNIL also found that the two companies’ plans would not provide implicated individuals with sufficient access to the records generated by the anonymous tips. Thus, these individuals would not have a sufficient opportunity to challenge accusations. Finally, CNIL held that neither of the companies’ proposals was the least restrictive means of ensuring a responsible corporate culture: employee education or improved auditing standards could achieve the same results without creating and processing personal data about company executives.

See newsletter from Wiley Rein LLP: French Data Protection Authority Blocks SOX Whistleblower Programs.

Whistleblowers in France

French privacy law limits the ability to use anonymous hotlines.

In France, the French Data Protection Authority (La Commission Nationale de l’Informatique et des Libertés (CNIL)), an administrative agency, oversees processes involving the collection or compilation of personal data. In 2005 they decided that two reporting procedures were in violation of French privacy law. McDonald’s Corp. and CEAC, a division of Exide Technologies, sought CNIL’s approval of their whistleblower hotline procedures. In June 2005, CNIL announced that these proposed reporting procedures would violate French law and it refused to authorize the use of such procedures. CNIL expressed concerned that anonymous reporting would lead to malicious false reports of misconduct. They determined that the risk of malicious reporting was disproportionate to the benefit of the hotlines.

There is an obligation to file procedures with the CNIL before they are implemented if files or records will be maintained in France.

See Law Flash from Morgan Lewis: Whistleblower Procedures Inconsistent with French, German Law?

Sarbanes-Oxley Act Whistleblower Digest

The U.S. Department of Labor assembled a digest of whistleblower law under the Sarbanes-Oxley Act.

On July 30, 2002, the Sarbanes-Oxley Act of 2002, P.L. 107-204 was signed into law by President Bush. Section 806 of the Act, to be codified at 18 U.S.C. § 1514A, is a whistleblower provision that provides protection for employees of publicly traded companies who provide “information, cause information to be provided, or otherwise assist in an investigation regarding any conduct which the employee reasonably believes constitutes a violation of section 1341, 1343, 1344, or 1348, any rule or regulation of the Securities and Exchange Commission, or any provision of Federal law relating to fraud against shareholders….” Complaints under this provision are filed with the Secretary of Labor, who is to investigate and adjudicate the matter under the rules and procedures found in the statutory AIR21 whistleblower provision. The Sarbanes-Oxley whistleblower procedure is somewhat different than AIR21 and all other whistleblower cases administered by the DOL in that if the Secretary has not issued a final decision within 180 days of the filing of the complaint, and there is no showing that such delay is due to the bad faith of the claimant, the claimant may bring an action at law or equity for de novo review in the appropriate district court of the United States.

Whistleblower Policies

I ran across a few examples of whistleblower policies and whistleblower protection policies and some material on developing a whistleblower policy.

Developing a Policy

Developing a Whistleblower Policy (.pdf) by the Delaware Valley Grantmakers.

Whistleblower Policies: Lessons For Associations by Julia E. Judish of Pillsbury Winthrop Shaw Pittman LLP

National Whistleblowers Center

Whistleblower Policy Safeguards Company (.pdf) by Jennifer Gallop, Esq., of Krokidas & Bluestein, Boston

Example Policies:

University of California Whistleblower Policy and Whistleblower Protection Policy.

Dave & Buster’s Whistleblower policy