FCPA Compliance and Ethics Blog

November 8, 2012

Wal-Mart Cover Up- Would a Hot-Line Have Helped?

Ed. Note: We continue our series of guest posts from our colleague Mary Shaddock Jones, who today draws some lessons from the Wal-Mart matter.

On November 8, 2006 Wal-Mart entered the Canadian Market opening three supercenters in Ancaster, London and Stouffville in Ontario, Canada.  On April 21, 2012, the New York Times published an article which included the following statements:

“In September 2005, a senior Wal-Mart lawyer received an alarming e-mail from a former executive at the company’s largest foreign subsidiary, Wal-Mart de Mexico. In the e-mail and follow-up conversations, the former executive described how Wal-Mart de Mexico had orchestrated a campaign of bribery to win market dominance. In its rush to build stores, he said, the company had paid bribes to obtain permits in virtually every corner of the country.   The former executive gave names, dates and bribe amounts. He knew so much, he explained, because for years he had been the lawyer in charge of obtaining construction permits for Wal-Mart de Mexico.   Wal-Mart dispatched investigators to Mexico City, and within days they unearthed evidence of widespread bribery. They found a paper trail of hundreds of suspect payments totaling more than $24 million. They also found documents showing that Wal-Mart de Mexico’s top executives not only knew about the payments, but had taken steps to conceal them from Wal-Mart’s headquarters in Bentonville, Ark. In a confidential report to his superiors, Wal-Mart’s lead investigator, a former F.B.I. special agent, summed up their initial findings this way: “There is reasonable suspicion to believe that Mexican and USA laws have been violated.”   The lead investigator recommended that Wal-Mart expand the investigation.   Instead, an examination by The New York Times found, Wal-Mart’s leaders shut it down.”

This is not the type of news that the Board of Directors of a U.S. public company wants to learn about through a newspaper headline. Section 301(4) of the Sarbanes-Oxley Act requires the audit committee of every United States based publicly traded company to establish procedures for “the confidential, anonymous submission by employees….of concerns regarding questionable accounting or auditing matters” (emphasis supplied). To comply with § 301(4), many employers have designed whistle blowing systems, such as telephone “hotlines”, enabling employees to report potential violations anonymously.

I do not know if Wal-Mart had a “hotline” in 2005, but in order to give employees and/or third parties the tools necessary to alert executives or members of the Board of Directors to potential illegal or questionable activity, the existence and promotion of an anonymous hotline system is invaluable.

The practical pointer for today’s blog is this: one essential element of a compliance program is an anonymous hotline. Companies do have to be careful when implementing a hotline to understand and abide by European data privacy laws. However, in the United States, under most of the recent “Schedule C’s” attached to Deferred Prosecution Agreements, the Department of Justice clearly outlines anonymous reporting systems as one of the required “best practices” for a compliance program: “The Company should establish or maintain an effective system for: a) Providing guidance to directors, officers, employees, and its agents and business partners, on complying with the Company’s anti-corruption compliance policies, including when they need advice on an urgent basis or in any country in which the Company operates; b) Internal and confidential reporting and protection of those reporting breaches of the law or professional standards or ethics concerning anticorruption occurring within the company, suspected criminal conduct, and/or violations of the compliance policies directors, officers, employees; and c) Responding to such requests and undertaking appropriate action in response to such reports.”

 Consider the following policy language on reporting questions and concerns, along with a clear statement regarding non-retaliation for such reporting:

 Reporting Obligations of Company Personnel, Agents, and Partners

All Company Personnel, Agents, and Partners are required to report any knowledge, awareness or suspicion of a potential violation of: (i) the FCPA, the UKBA, or any other anti-corruption and/or anti-bribery laws applicable to the Company; (ii) the Policy; or (iii) the Compliance Manual by the Company or any of its Personnel, Agents, or Partners.

  • Company Personnel are required to report such information to the Company Compliance Officer or his or her designee, or to the hotline described below.
  • Company Agents and Partners are required to report such information to a Company representative, the Company Compliance Officer or his or her designee, or to the hotline described below.  Any Company representative that receives such a report from an Agent or Partner must report that information to the Company Compliance Officer or his or her designee, or to the hotline described below.

Non-Retaliation Policy

The Company has zero tolerance for any retaliation of any kind against any individual who in good faith makes inquiries, reports concerns, or participates in external or internal investigations. This policy extends to any whistleblower or individual who makes a report to government authorities outside of the procedures described in this Manual. Any individual who is concerned about retaliation or feels he or she has been subjected to such retaliation should immediately contact your Human Resources representative, the Vice President of Human Resources, the Company Compliance Officer or his or her designee, or through XYZ Hotline.

Retaliation against any individual for making a report as described in this Section in good faith can result in serious disciplinary action up to and including termination.

On a final note, it is not sufficient to just have an anonymous reporting system/hotline number tucked away in a Code of Conduct or a company’s Anti-Corruption policy.  The existence of the hotline should be prominently displayed through the use of posters or wallet cards, preferably in the native language of the employees at each particular location.  Periodic reminders should also be sent out to employees and to third party business agents encouraging them to use the anonymous reporting system if they have questions or concerns that they want answered or reported.

Mary Shaddock Jones has practiced law for 25 years in Texas and Louisiana primarily in the international marine and oil service industries. She was one of the first individuals in the United States to earn TRACE Anti-bribery Specialist Accreditation (TASA). She can be reached at msjones@msjllc.com or 337-513-0335. Her associate, Miller M. Flynt, assisted in the preparation of this series. He can be reached at mmflynt@msjllc.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor.

 

October 4, 2012

What is Your Magic Number? Creation, Implementation and Administration of a Hotline

For the Astros, it is not this season’s ignominious record of 107 losses, which they achieved yesterday with a season ending loss to the Chicago Cubs, but the magic number of 186; which is the number of days until the Astros open the 2013 season and the next time they will be tied for first place in the American League (AL) West Division.

For the compliance practitioner, the same might be asked of your company’s hotline. However apocryphal the story might be, it is too good to pass up, so here we go: in final negotiations with a company to resolve a Foreign Corrupt Practices Act (FCPA) violation, the Department of Justice (DOJ) attorney asked for the phone number of the company’s hotline. Counsel representing the company dutifully provided the number and the DOJ attorney called the hotline only to find it was “not a working number.” Oops.

I thought about the above story in the context of the maxim that not all hotlines are created, or more importantly, administered equally. In an article entitled “Hotline Report Reveals Compliance Concerns”, author Karen Kroll looked at the “2012 Corporate Governance and Compliance Hotline Benchmarking Report” and found what she termed “troubling findings”, which are that not only are instances of fraud increasing but that retaliation against whistleblowers is increasing as well. Kroll noted that “despite greater protection for whistleblowers in the Dodd-Frank Act, calls concerning potential retaliation against an employee who has made an inquiry through a hotline increased to 2.9 percent of overall incidents, up from just 2.1 percent in 2010.” But as bad as these figures are, they seem to only presage Kroll’s penultimate conclusion, which is that internal reporting will slowly wither away with the protections offered to whistleblowers under the Dodd-Frank Act and the attendant bounties that can be paid to a whistleblower in the event a violation is uncovered and an enforcement action results in a fine or penalty paid to the US government.

I recently saw a White Paper by Business Controls, Inc., released through Compliance Week, where an un-named author posited that there are seven essential features to create an effective hotline. I found this article to be useful in that it provided information by which a compliance practitioner could quickly review how his or her company might set up a hotline. The seven criteria are as follows.

  1. The hotline is developed and maintained externally. The author believes that employees tend to trust hotlines maintained by third parties more than they do internally maintained systems. By submitting reports through an external hotline there is a perceived extra layer of anonymity and impartiality compared to a system developed in-house. A third party provider is also more likely to bring specialist expertise that’s difficult to match within the organization.
  2. The hotline supports the collection of detailed information. If information can be gathered and recorded at every point during the complaint life cycle, then compliance officers should have greater insight into the situation and a company can protect itself more effectively from accusations of negligence or wrongdoing. A hotline reporting system should provide consolidated, real-time access to data across all departments and locations, plus analytic capabilities that allow you to uncover trends and hot spots. All report materials should be consolidated in one comprehensive, chronologically organized file, so that you can monitor ongoing progress and make better, more informed decisions.
  3. The hotline meets your company’s data retention policies. Retaining data in a manner consistent with your internal data retention policies is important. Make sure your hotline offers a secure, accessible report retention database, or you may be faced with making your own complicated and costly arrangements for transmitting and storing older reports to a permanent storage location.
  4. The hotline is designed to inspire employee confidence. Kroll’s article discussed above cites the fear of retaliation as strong but also increasing among potential whistleblowers. This can destroy the effectiveness of the internal reporting process and poison the corporate culture. The hotline must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to someone outside their immediate chain of command or workplace environment – especially when the complaint concerns an immediate superior. The hotline should also enable employees to submit a report from the privacy of an off-site computer or telephone. It may seem like a small convenience, but giving employees the freedom to enter a complaint from a location that “feels safe” can make a huge difference to participation rates.
  5. The hotline offers on-demand support from subject matter experts. Opening lines of communication can bring new issues to your compliance group. It is therefore important that once those reports are entered into the system, a person or function has the responsibility to follow up in a timely manner.
  6. The hotline provides inbuilt litigation support and avoidance tools. Ascertain that your hotline is preconfigured to meet the legal requirements for document retention, attorney work product protection procedures, and attorney privilege. Developing these tools in-house can add significantly to your costs, and maintaining a hotline without one exposes your organization to unacceptable risk.
  7. The hotline supports direct communication. A hotline should open the lines of communication and give you a direct sight-line into the heart of your company. Look for a system that enables you to connect directly, privately, and anonymously with the person filing a complaint. Direct communication also signals to employees that their complaints are being heard at the highest levels.

Like other risk management issues, hotlines must also be managed effectively after implementation and roll-out. Here are some practical tips which will help you make your hotline an effective and useful tool.

Get the word out. If employees don’t know about the hotline, they won’t use it. Allocate a portion of your time and budget to promoting the corporate hotline through multiple channels. Put up posters and distribute cards that employees can keep in their wallets or desk drawers. Deliver in-person presentations where possible. And don’t think of the promotional initiative as a one-time effort. It’s important to remind employees regularly, through in-person communications, via e-mail, or through intranets, newsletters, and so on, that this resource is available to them. Some hotlines offer promotional materials to help make the job easier; make sure you ask what type of promotional support may be available.

Train all your employees. Getting employees to use the system is one half of the challenge; ensuring they use it properly is the other half. This is where training becomes essential. Make sure people understand what types of activities or observations are appropriate for reporting and which are not. HR and compliance staff will need training too, to help them understand how the hotline impacts their day-to-day activities. Company leaders also need to understand the role the hotline plays in the organizational culture, and the importance of their visible support for this compliance initiative.

Take a look at the data. Use the data derived from or through the hotline to identify unexpected trends or issues. Examples might be what percentage of employees use the hotline and what issues are they submitting? A healthy hotline reporting system will yield reports from .5 to 2 percent of your employee base. If your reporting patterns are higher or lower, it may indicate mistrust of the hotline, misuse, or a widespread compliance issue. Isolate the data by location and department to identify micro-trends that could indicate problems within a subset of your corporate culture. Analyzing the data can help you stay a step ahead of emerging issues.

Response is critical to fairness in the system. Seeing a hotline system in action in this way can go a long way toward dispelling employee fears of being ostracized or experiencing retaliation, because if they see that their concerns are heard clearly and addressed fairly, they will learn to view the hotline as a valuable conduit. If your compliance group responds promptly and appropriately to hotline complaints, you can ensure robust participation and ongoing success. Even when a complaint proves to be unfounded, it can still provide an opportunity to open a dialogue with employees and clear up any misunderstandings. Responding to reported issues also gives compliance officers a chance to prove that issues can be resolved or addressed while protecting the privacy and anonymity of the whistleblower.

As with the management of third party representatives, your real work begins after the contract is signed. You simply cannot set up a hotline without managing it. A fairly administered hotline and investigation protocol is a key component of fair process in your compliance regime. So take a look at your hotline based upon the above concepts. It may be that your magic number needs to change.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

August 21, 2012

What Are Some of the Benefits of a Compliance Hotline?

Is your hotline working for you? The Securities and Exchange Commission (SEC) Whistleblower line certainly appears to be working, according to an article in the August issue of Compliance Week Magazine entitled “Promoting Effective Use of the Compliance Hotline” by columnist José Tabuena. In the article, Tabuena quotes SEC Deputy Director of Enforcement George Canellos, who related at a recent conference that “What’s really clear is quality of those tips has greatly improved and that market manipulation, dishonest accounting and potential violations of the Foreign Corrupt Practices Act (FCPA) are the most popular topics of whistleblower reports.”

In his article Tabuena gave an excellent example of the power of a hotline. He wrote about the case study of a company which had not integrated its IT function into its regular compliance and ethics training programs. As such there were zero calls into the hotline by employees from the IT department. This dynamic was changed and IT was integrated into the company’s regular compliance and ethics training. Thereafter, the hotline received several calls from IT department employees where there were two major areas of complaints. The first general area was that there were conflicts of interests between IT department managers, family members who were hired and perceptions of favoritism. The second generally revolved around allegations that certain company managers were manipulating data to maximize their bonuses.

The Favoritism Problem

The Human Resources (HR) department led an investigation that included questioning all IT managers about their direct reports and employees of their unit. The company determined that there was only one instance of a manager hiring a family member (a brother-in-law), but that person did not report to the manager and was in a different section of the IT organization. This finding made clear that there were misperceptions in the IT department, which affected the department morale. To remedy this, all IT managers received training on appropriate employment practices, and communications were also delivered to all IT employees explaining policies and practices regarding the hiring of family members. Most satisfyingly, Tabuena noted that during follow-up with callers to the helpline, the callers stated that the work environment in the IT department had noticeably improved. They also expressed gratitude that their questions were answered and that their issues were addressed. The callers felt their concerns were taken seriously when they saw the communications on hiring practices and upon having discussions with managers during staff meetings. Staff retention started improving in the department.

Manipulation of Data for Bonuses

The company used the hotline to obtain more information from the callers on “isolating the metrics and the managers in question. It was determined that the bonuses of a select few IT managers were indeed influenced by a questionable data source, which was controlled by a non-manager with minimal oversight and controls. Following interviews with the key individual and review of the data file (including forensic analysis), it was determined that one IT manager had misrepresented information provided to the staff person maintaining the data. Notably, this staff person also reported to this manager. As a result, the IT manager’s bonus compensation was inflated. He was subsequently terminated.

Basic Tenets of an Effective Hotline

Tabuena provided three lessons which he felt were demonstrated in his article.

  • First, a helpline is of no value if the workforce is not aware of it. Although a helpline was in place, it became apparent that a segment of the company had not been informed. It was hotline data that revealed this gap. By reviewing data segmented by region, department, incident classification, and other criteria, it became obvious in comparison to the rest of the organization that the IT department had not used the helpline.
  • Second, the ethics and compliance office obtained support from the Chief Information Officer (CIO) for making IT part of the helpline community and for designating a  liaison within the IT function. The support of department leadership likely influenced the success of the training and communications delivered by the ethics and compliance staff.
  • Third, the awareness of the helpline is not sufficient to ensure success. The company made sure that issues and allegations were addressed and investigated, as needed. Employees who choose not to report wrongdoing indicate a belief that nothing will be done anyway, so why take the risk? Employees also cite fear of retaliation as a reason for not reporting.

Tabuena’s article showed the power of a hotline. The company’s Compliance Department “established the credibility of the helpline as a resource to raise issues and report misconduct. The concerns regarding nepotism and conflicts of interest were taken seriously, and although the   violations were not as widespread as the calls indicated, the review went a long way to clear the air.” Equally important, the helpline proved to be a successful management tool as well. The company was able to manage potential compliance issues and improve employee morale.



© Thomas R. Fox, 2012
