Federal agencies charged with investigating whistleblower claims—and in some cases, bringing enforcement actions—are looking hard at what companies are doing to create a “culture of compliance.” Failing to cultivate a culture of compliance can have extremely negative consequences, financial and otherwise, for a company. It simply will not suffice merely to have a policy on the shelf or pay lip service to compliance obligations. A culture of compliance starts at the beginning: the company’s orientation toward the whistleblower.
All too often, the instinctual reaction to a whistleblower report is either to ignore it or to circle the wagons and go into full defense mode, but there is great risk in either approach. Certainly, reports with no basis in fact, and particularly those made with an ulterior or even destructive purpose, can—and are often intended to—provoke a negative reaction. Companies with a culture of compliance, however, cannot indulge the impulse to punish the whistleblower first and ask questions later or to ignore the latest report from a regular-but-always-wrong-before whistleblower. The courts are full of cases where an employee with a worthless claim of corporate wrongdoing wins his retaliation case and even of cases where the whistleblower who cried wolf eventually ended up being right. Baseless complaints and malevolent whistleblowers can—and should—be addressed properly in due course, but failing to take the whistleblower at his word initially will always hurt the company: either the whistleblower is right and something needs to be investigated, but it isn’t, resulting in serious harm to the company; or the whistleblower is wrong, but by its reaction the company has sent the message that its commitment to proper business practices is occasional at best. Institutional patience and meticulous adherence to best practices are critical to a culture of compliance.
After all, when the whistleblowing report is true, or at least leads to discovery of some compliance issue that needs to be addressed, a company should, as a matter of culture, listen to and embrace the whistleblower. And so, the only way to maintain a culture of compliance is to take every whistleblower at his or her word every time and thereby send the message to officers, directors, employees, stockholders—and not least of all, enforcement agencies—that the company is committed to compliance.
Some of the actions that a company can and should take to ensure that it has a robust culture of compliance that will pass muster with, for example, the U.S. Securities and Exchange Commission (SEC)—and that works to the benefit of all stakeholders—include the following:
- Identify all covered entities, and roll policies and processes out to them.
- Make sure that document retention policies—including electronically stored information (ESI) protocols—address the longest applicable limitations periods.
- Review existing policies and procedures. Make sure that they are accessible and that they work.
- Simplify and publicize reporting procedures.
- Ensure appropriate and prompt handling of reports.
- Involve Legal and Compliance upon receipt of reports.
- Involve outside counsel and experts promptly.
- Document everything under appropriate privileges.
- Implement a protocol for deciding whether to self-report.
- Communicate to all employees the company’s commitment to compliance and their own obligations through regular training and reminders.
- Clearly designate the high-level executive(s) responsible for implementation and oversight.
- Define responsibilities specifically, and ensure that compliance duties take top priority.
- Implement and publicize processes that encourage and reward internal reporting.
- Reiterate an unequivocal commitment to an anti-retaliation policy.
- Innovate continuous improvements.