By Steven G. Blum, CPA, CFE

An effective compliance program requires an effective whistleblower policy. Whether it’s guidance issued by the Department of Justice, Securities and Exchange Commission, or the International Organization of Standardization, there is a common thread that involves incentivizing and enabling people, both internal and external to the organization, to report to the organization in good faith any illegal or risky behavior. Whistleblowing, in fact, is the most typical way companies become aware of wrong-doing.¹ Encouraging people to report improper behavior is in a company’s best interest. And incentivizing the reporting of problems allows the company to fix them before more damage is done or the misdeeds become public.

Most companies I work with enthusiastically proclaim they have an effective whistleblower policy. But how effective is it, really?

The existence of whistleblowers is not a new phenomenon. They have been around well before the existence of regulations that provide whistleblower protections.² A recurring problem, which occurs with uncanny regularity, is that whistleblowers come forward only to be ignored, dismissed, ostracized, or retaliated against. Often, history proves these whistleblowers were correct in their concerns. Here are a few notable examples:

• Sherron Watkins, an Enron executive, reported her concerns of pending financial doom to both company founder Kenneth Lay and chief executive Jeffrey Skilling. She had concerns over Enron’s potentially disastrous accounting practices, and her concerns were not brought to the board’s attention. Months later, Enron’s shares were worthless.
• Eugene Park, an AIG executive, shared his concerns about the insuring of New Century CDOs with a deputy of Joseph Cassano (a founding member of AIG’s financial products unit), but not the audit committee. Park’s concerns were disregarded, which ultimately cost AIG hundreds of billions of dollars in losses.
• Matthew Lee, a Lehman Brothers whistleblower, wrote a letter to management before his company’s bankruptcy that alleged various accounting improprieties. The allegations in the letter were never brought to the board’s attention.
• A Volkswagen AG engineer and a supplier, as early as 2011 and 2007 respectively, warned the company about the diesel emissions scandal, but these warnings never made it to the independent directors of the board. This ultimately cost the company billions of dollars and scathing negative publicity toward the brand.

How could such important information not be delivered to the people who could ensure that the company responded appropriately?

These are organizations that, if asked, would surely have told you that they had an effective whistleblower program. Well, while they may have had a mechanism for someone to express concerns, they fell short in adequately addressing those concerns and funneling them to the right decision makers. But failing to properly respond to concerns is only part of the problem.

It is not enough that a process exists for reporting concerns; people must be encouraged to report. Then those reports must be properly handled.

An effective whistleblower policy requires, at a minimum, the following:

• Independent directors are in charge of the whistleblower program.
• Complaints are investigated by personnel without any perceived bias. This could be an independent ombudsman or independent counsel.
• All complaints are triaged in a consistent manner.
• Supervisors are required to report complaints they receive from subordinates to the independent company personnel responsible for investigating claims.
• Companies consider monetary rewards to incentivize people to come forward. After all, companies are competing against various regulators that provide monetary incentives.
• Companies must strive for the preservation of anonymity of those reporting concerns.
• Companies must investigate claims of whistleblower retaliation.
• Mechanisms are needed to report back to the whistleblower on the status of the investigation so there is an understanding that the company takes claims seriously.
• Companies need to effectively communicate the whistleblower policy throughout the organization.
• The actions a company takes to correct and penalize those found to have engaged in illegal or risky behavior must be effectively communicated companywide.

Each of these points could be a stand-alone topic of discussion in a future column. Actual implementation may often be a challenge.

An effectual policy results in a set of desired behaviors. One litmus test as to the effectiveness of a whistleblower policy rests with each potential whistleblower. Do people, both within and outside an organization, feel comfortable reporting their concerns? Do they believe the company will treat their good-faith concerns respectfully? People’s beliefs will be shaped by a company’s actions. Companies must consistently demonstrate that allegations of illegality or impropriety are taken seriously. Words on paper are not enough.

¹ According to numerous annual surveys conducted by the Association of Certified Fraud Examiners, the majority of illegal activity is identified by employees, suppliers, or customers of an organization.

² Ralph Nader is said to have coined the term in the 1970s as a way to put a positive spin on the more negative terms such as “snitch” or “informant.”

Steven G. Blum, CPA, CFE, is a partner with Control Risks Group in Washington, D.C., and a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at steven.blum@controlrisks.com.