With what seems to be an ever-growing focus on corporate governance, companies in any industry are under increased pressure to not only follow the letter of the law, but also the spirit of industry rules and regulations. In addition to serving end clients or corporate shareholders, companies need to satisfy auditors and regulators alike.
In a perfect world, everyone would do everything right, all the time. Of course, as long as companies still have human beings involved in any capacity, there will be errors. However, in that ideal world, errors would be just that: mistakes, and there wouldn’t be intentional wrongdoing. Unfortunately, we don’t live in that perfect world, and all of the pre-screening, training and supervision in the world may not stop an employee bent on intentionally doing something wrong. So, it isn’t enough for organizations to just focus on preventing rule violations; they need to be equipped to deal with violations swiftly and effectively.
A company cannot handle a problem it doesn’t know about, of course. Unfortunately, employees may feel uncomfortable blowing the whistle on co-workers or managers, especially if they don’t feel like their allegation will be reviewed or taken seriously. There may also be a reluctance to speak up because of a fear of retaliation.
To address this, many organizations have established ethics hotlines or have implemented automated workflows employees can use to report violations. Doing so is a smart move on a couple of fronts. First, those companies are creating a mechanism for issues to be brought out into the open where they can be addressed. Second, creating a mechanism for reporting issues provides a certain measure of accountability for employees and an expectation that employees will speak up if something isn’t right.
The case for automated workflows
An automated workflow has certain advantages over a manned ethics hotline. First, the workflow reporting form can be customized with required and optional fields to be completed when a report is made. This creates consistency, making both reporting and reviewing reports easier.
Second, with automated workflows, companies can structure and control who can see reports and what information they can view, and can direct the steps in the process with more ease and less human intervention (and potential for errors) along the way.
Furthermore, for a company that has already implemented other workflow solutions such as tools for reporting cyber-attacks, high-risk patients, etc.), implementing a reporting tool for non-compliance should be a seamless addition for users who are already know how the system works. Employees won’t have to hunt for a phone number or feel anxious about talking to a live person; they can fill out a reporting form on their own time and really give the questions the time and attention they might not get through a person-to-person phone report. Employees can also add attachments right to the report, giving the first-line reviewer a more complete picture of the reported activity.
Finally, workflows allow for built-in recordkeeping and reporting on issues, eliminating what might otherwise be clumsy paper records or labor-intensive spreadsheets.
What information should be captured?
When implementing a workflow for ethics or compliance issues, companies will need to decide for themselves whether to allow employees to report issues anonymously. There are pros and cons to doing so; employees may feel more comfortable about making reports if they can remain anonymous, however the usefulness of an anonymous report might also be limiting in certain circumstances.
Beyond the question of whether or not a name should be required, it is important to create fields that are meaningful and provide enough information for a reviewer to start an investigation if necessary without having to go back to the employee multiple times to ask more questions. At a threshold level, reports should include:
- Date (or date range) of the activity being reported
- Employee(s) involved
- Description of the incident or issue.
- Was the issue previously reported to a supervisor or manager? If so, to whom, and what actions, if any, were taken?
Beyond these questions, every company will want to tailor their reporting tool and workflows to match industry and company rules
How should review processes function?
The exact steps in the workflow will largely depend on the organization itself, but there are some best practices that transcend industry or organizational structures:
- Guarantee confidentiality. Anyone involved in the review process needs to be able to uphold this promise; employees need to know that information they report will be reviewed only by those individuals who truly need to know that information. If this promise is broken, use of the reporting tool will decline because employees won’t feel safe making reports.
- Build “smart” workflows. Put thought and effort into creating the fields for reporting incidents or issues on the front end so those fields can be used to send different types of issue reports to different reviewers. For example, you may have a different reviewer for reports about accounting problems than for reports about HR issues. The fields on the report themselves might include “branching” logic that will change based on the information entered. Make the reports as useful as possible.
- Make reviewers accountable. If someone is assigned to review a report, make sure they are held accountable to do that, and to take action as necessary. If the review process fails because the person assigned to review reports of non-compliance wasn’t doing his or her job, those reports can easily become organizational liabilities. It’s important to set expectations and to properly train everyone involved at any step of the process.
- Revisit and adjust as needed. Look at your workflows frequently after implementing them, and make adjustments as needed so your company is getting the most value out of reported issues.
A note about positioning your new compliance workflow
You want your employees to use your new automated workflow, but they aren’t as likely to do that if it feels like it’s just a tool for “snitching” on their fellow employees. Instead, make it clear that it’s a tool for elevating the integrity of the organization.
Whether or not you allow anonymous reporting, be crystal clear from the start that there will be no retaliatory actions taken against an employee who self-reports or who reports on others’ activities.
No matter how tight the company ship is, there’s always potential for errors or outright malfeasance. Giving employees the means to safely document and report compliance or ethics violations, and acting on those reports appropriately and in a timely manner, will help everyone understand the company’s commitment to doing things the right way.
More on the Compliance Topic