Cultivating a Reporting Culture

While many organizations view whistleblowers as disgruntled employees looking for revenge and monetary rewards from the SEC, this is generally not the case, according to a recent study.

According to “Embracing Whistleblowers: Understand the Real Risk and Cultivate a Culture of Reporting,” by The Network, whistleblowers most often turn to the U.S. Securities and Exchange Commission only after they have tried reporting internally, or if they are concerned about retaliation by their company. In fact, only 20% ever reported to someone outside their company.

Organizations can do much to protect themselves, while also looking after employees. Since the majority of employees go to the company first with their concerns, organizations have an opportunity to address issues before regulatory involvement.

According to the report:

The fact that whistleblowers may prefer to keep things in the company doesn’t mean they won’t turn to the government or media if they think it necessary. Sixty-five percent of surveyed employees would be willing to report externally, “if my company didn’t do anything with my internal report.” An even higher percentage would report externally, “if keeping quiet would cause possible harm to people” or “if it was a big enough crime.”

How can companies manage this risk? By encouraging a strong “reporting culture,” they can learn about and address potential problems through quality hotline reporting programs, The Network said.

Hotline programs have been around for years, but are more important than ever in today’s regulatory and business environment. Compliance teams should stop thinking of hotlines as purely telephonic; they’ve grown to include mobile and Web-based reporting solutions that give employees and others a safe and reliable way to raise their concerns internally via whichever method is most comfortable for them. They also give the compliance team important insight into what is going on inside the company.


RMORSA Part 4: Risk Monitoring, Control & Action Plans

The fourth step of ORSA implementation, risk monitoring, control and action plans, illustrates the importance of adhering to best practices when executing the earlier steps: risk culture and governance, risk identification and prioritization, and risk appetite and tolerances.

With the necessary structure in place to track and collect risk intelligence, the next step involves orchestrating a plan for improvement. Why is a plan for improvement so critical? Besides limiting the risk exposure of your organization, consider that under the SEC’s Proxy Disclosure Enhancements rule, boards of directors and executive leadership can be found negligent for having inadequate or ineffective ERM programs. Having a demonstrable plan for improvement, however, can greatly reduce penalties under the Federal Sentencing Guidelines, or even exempt companies from them.

The Right Way to Monitor Control Activities

Boards and CEOs are depending on risk managers to monitor key risk indicators at the business process level. This can be accomplished in one of two ways: testing or business metrics.

Testing provides a high-level overview of whether a control is occurring, usually in the form of a simple pass/fail. Testing does not, however, provide actionable steps to take in order to improve a mitigation activity. The result is that many organizations are only testing compliance with internal policies, which may or may not tie back to the specific risks that the policies were designed to mitigate.

Here’s an example: an insurance organization with an online customer service system is experiencing unacceptable downtimes, and the appropriate staff members never seem to be available to fix the problem. The organization implements what would appear to be a reasonable control activity, by insisting that every member of the support team be trained to refresh the system. The company tests internal compliance with this policy by tracking whether the online training has been completed. Unfortunately, even if everyone takes the training, the company has no idea whether this control is fulfilling its purpose.

In testing compliance with the policy, the organization has lost sight of the risk. If it had tracked a business metric, like system downtime, it would have realized that the controls in place made no difference to the impact or likelihood of system failure. Business metrics might have indicated that the system was going down during peak usage hours, like lunch, when staff was unavailable. With no business metric tracking, the organization continued with a Band-Aid approach when money might have been better spent upgrading system memory.

Developing the Action Plan

To avoid this common pitfall, your key business metrics need to be aligned not only with the control activities you’ve designed, but also with the risks they were designed for. Keeping track of these linkages can be impossible with two-dimensional spreadsheets, but it is critical to monitoring the risks you’ve identified so that your action plans and control activities are meaningful and measurable.

As a risk manager, approach process owners in need of assistance with mitigation plans geared toward their most severe risks. As you develop actionable plans for improvement, don’t lose sight of the end goal or fall into the trap of testing controls rather than monitoring risks.

Interested in the best way to monitor or audit your risk management program? Check out the RIMS Risk Maturity Model Audit Guide, also available through the RIMS Risk Maturity Model.

Officer Requirements When Blowing the Whistle on SEC Violations

Over at Risk Management, we have a new article on some of the considerations corporate officers face before blowing the whistle on their own companies. With the new SEC Whistleblower Program, there are some new nuances, but the core advice remains what common sense would suggest: officers should first try to report the problem internally, but if that isn’t possible (for example, because the violations are occurring at the very top or the officer fears retribution), then they should by all means inform the SEC.

Here is more from article authors Lawrence A. Hamermesh and Jordan A. Thomas.

It is when the internal reporting system breaks down that the most serious problem for officers arises: the officer reports misconduct through the appropriate channels, but the report is ignored or the response is otherwise inadequate. In that situation – and also when the officer has a reasonable belief that reporting internally will be inappropriate or futile – the officer must determine whether to report the matter to an outside party, such as the SEC or another law enforcement authority. It is here that the officer’s fiduciary duty of loyalty intersects with the potential for an SEC whistleblower award. Would the officer’s duty of loyalty prohibit him or her from reporting the misconduct to the SEC, where such reporting is at least partly motivated by the hope of receiving a monetary award?

For several reasons, the most likely answer is “no.”

The duty of loyalty does not prohibit self-interested conduct by officers; it simply prohibits such conduct if it unfairly affects the corporation. Yet, in at least some cases, external reporting will actually be in the best interest of the corporation: while a whistleblower submission could lead to an eventual enforcement action against the corporation, it might result in substantially smaller sanctions and related private settlements than if the officer remained silent and the illegal conduct was allowed to continue and grow larger.

Related to that, adverse effects on the corporation’s reputation might be minimized by limiting the reach of corporate misconduct.

How Conflicts of Interest Hinder Offshore Drilling Regulation

Business will never embrace regulation. The market yearns to be free and regulation, most of the time, places restrictions on unbridled capitalism. Some rules improve the competitive landscape for nearly all stakeholders, but that is the rare case.

One constant problem regarding regulation is the question of who does the regulating.

In order to provide proper oversight of something, you naturally must know a good deal about it. For example, if you have never traded securities on Wall Street, it is very difficult to have enough knowledge of all the nuances of what takes place in that arena. This is just common sense. You can study, research and inquire as much as you want, but there will always be something lacking in your understanding if you have no first-hand experience.

Generally, the ideal person to oversee something, particularly when it is a complex, specialized marketplace, is a person from that marketplace.

Of course, the rub is that anyone who has existed within that marketplace long enough to learn all these complexities will also have developed relationships and biases. If Steve the securities trader worked in a trading room for 20 years, he likely was passed over for jobs by some companies and had a bi-weekly steak dinner with peers from various firms. He developed affinity for some companies and colleagues while developing resentment for other industry players and practices. So if he is to later become a watchdog of those people, it is hard to believe he will not bring those biases with him — intentionally or not — in his rule enforcement.

The SEC and the Treasury Department have long been criticized for this.

The offshore drilling regulation world is similar. And a new report by AP shows just how pervasive the concern is among industry players and regulators with interests in the Gulf of Mexico.

Documents obtained by The Associated Press show that about 1 of every 5 employees of 109 involved in inspections in the Gulf has been recused from some duties because of the risk of coming into contact with a family member or friend working for a company the inspector regulates. Ten people hired since mid-August 2008 were barred for two years from performing work where they could be in a position of policing their previous employer—a company or contractor operating offshore.

In the Lafayette, La., office of the Bureau of Ocean Energy Management, Enforcement and Regulation nearly 35 percent of inspectors have been disqualified because a friend or relative works for a company they could interact with on the job. In Lake Charles, La., nearly 30 percent of inspectors held their last job with an oil and gas company, meaning they can’t perform any duties involving their former employer for two years.

The numbers come from recusal forms under a new ethics policy instituted last year by the Obama administration to identify and prevent possible conflicts of interest before they arise.

Offshore drilling regulation does not have the resources or manpower of the SEC. So it is important that the smaller number of people regulating this segment of the energy sector do so well. And who else but industry vets could know all the ins and outs surrounding practices like ensuring proper anchoring standards for various types of oil rigs, installing blowout preventers and determining safe levels for gas releases?

Then again, if so many public servants (at least in name) are transitioning from industry to the regulation side of things, how can you trust them to leave their biases at the door? (Especially when there is, as on Wall Street, a revolving-door practice of people who go from industry to regulation and then back to industry?)

In an ideal world, you would hope that a person who becomes a regulator could take that responsibility seriously enough that their conflicts of interest, while real, do not impede them from creating and enforcing good rules to govern the industry.

And I’m sure that in many instances, that would be the case. But these recusal policies are understandably necessary. And the degree to which recusals are being issued perhaps highlights a larger question.

How can a regulatory body properly operate when up to 35% of its inspectors are deemed to have conflicts of interest?