Case Management Governance, Risk, Compliance (GRC) Presentations

Convercent Case Management Guide

Description

Do you ever feel confused, worried or overwhelmed about where to begin when looking at improving your compliance program? Do you wish that you had a resource to help you organize and create better processes to address your most pressing needs? If so, you need this guide. Compliance issues can surface any minute and change the company’s course in a matter of seconds, don’t wait to get started.

Transcript

CASE MANAGEMENT:
THE DEFINITIVE GUIDE
Comprehensive guidance and templates for the intake,
management, handling and reporting of issues from your
hotline, web and open door processes
2
CASE MANAGEMENT:
THE DEFINITIVE GUIDE
INTRODUCTION & FOREWORD………………………………………..PAGE 3
PART I: REPORTING CHANNELS……………………………………….PAGE 9
PART II: CASE MANAGEMENT…………………………………………PAGE 29
PART III: SETTING THE CULTURE……………………………………PAGE 38
PART IV: ANALYTICS AND BOARD REPORTING…………PAGE 50
PART V: HOW TO GET STARTED…………………………………….PAGE 58
CONCLUSION……………………………………………………………………….PAGE 61
TABLE OF
CONTENTS
INTRODUCTION 3
Imagine you are sitting in your office looking at the
number of incidents reported over the course of one
year. You start to see patterns: employee position, tenure,
number of incidents reported by said employee, etc.
You think to yourself, “There has to be a correlation here,” but
you’re left wondering how to draw an actionable conclusion,
not to mention, you need more data to fill in gaps. Where do
you start? How do you bring this to your Board?
INTRODUCTION
Using this guide will help you:
• Find new ways to gather data across your organization;
• Spot check your reporting channels;
• Uncover ways to standardize incident intake,
monitoring and reporting;
• Address issue drivers instead of just the
issues themselves;
• Be proactive and predictive versus reactionary;
• Dig into trends that could signal retaliation;
• Ensure consistent responses; and
• Deliver thoughtful analysis on your incident data to
senior leadership.
This guide includes:
• Interactive exercises and worksheets to help identify
trends and draw insights you can act on;
• Conversation framework to bring your findings
to the Board; and
• Expert insights from industry professionals.
INTRODUCTION 4
We created this guide to help compare the traditional with a
new-age way of running full steam ahead with a best-in-class
compliance program. From legal requirements to the
changing technology landscape, it can be overwhelming
to be a compliance executive now more than ever.
Compliance was barely a role 10 years ago. While a lot of
compliance tactics were handled by other departments,
it was not a dedicated or centralized function. Today, the
chief compliance officer and the ethics and compliance
team are responsible for more oversight and controls with
inadequate resources and staff. Given the new status quo, it
is key to supplement your efforts with technology that can
streamline your processes while giving insight into all areas
of compliance.
FULL STEAM AHEAD – THE HORSEPOWER YOU NEED
TO BUILD A COMPREHENSIVE, ALL-ENCOMPASSING
COMPLIANCE PROGRAM
Walking away from the conversations I have with compliance
officers, I notice time and time again that employee hotlines
are viewed by a CCO as a purely tactical, not strategic,
compliance function that’s often co-managed by other
departments such as internal audit. A surface-level
understanding and “check the box” mentality around
your hotline can cause a huge pothole to only grow wider
and deeper. Antiquated systems coupled with manual
processes wreaks havoc on compliance effectiveness and
efficiency, to say nothing of the opportunities missed for
floor-to-ceiling company culture analysis.
BY AUTUMN SANELLI
CONVERCENT
FOREWORD
INTRODUCTION 5
While the compliance department is certainly not looking
to add more work to their plate, they do need to have
insight into:
• What kinds of matters are being raised through which
reporting channels;
• How effective compliance and management are at
responding to issues that are raised; and
• The outcomes and sanctions tied to different cases.
It’s nearly impossible not to mention how time consuming
it can be to manually pull together this data. The CCO
will spend more time pulling it than actually analyzing, let
alone executing, on it to mitigate risk areas. Compliance
executives today are too busy putting out fires on a
reactive basis, when they should be anticipating issues
before they happen and putting controls in place to
minimize their likelihood and impact—or prevent them
from occurring altogether.
Apart from the data, there is true advantage in centralizing
your internal investigation process, regardless of the type
of issue or department responsible for investigations.
Employment Law, as well as Tort Law, supports a company
who acknowledges wrongdoing. A company is given
credit for recognizing when there is an issue, appropri-
ately responding to the situation and making a reasonable
attempt to decrease the likelihood of similar events
occurring in the future. Furthermore, showing that your
team members follow a consistent investigative process
and apply consistent responses can aide in establishing
an affirmative defense in the event of a breakdown.
If all those elements are in place, but you don’t have the
systems or documentation of those efforts readily avail-
able, you’ll be hard-pressed to earn confidence—or credit—
from the government.
On the employee side, having an anonymous and secure way
to report concerns ensures they have somewhere to turn
when they don’t feel comfortable making reports in person.
How easily they can make reports and how confident they
are in your channels’ security and confidentiality will directly
drive how likely they are to use those channels. It’s important
to remember that a sparsely used hotline is not necessarily
an indication that all is well.
My advice, in short, is this: Don’t be complacent. You can’t
afford it. And recognize the opportunity you have to drive
drastic change and improvement with even the most minimal
extra effort. But I can assure you that the cost-benefit (or, at
a minimum, the cost-cost avoidance) will be well worth it.
Yours in compliance,
Autumn Sanelli
Convercent
INTRODUCTION 6
What you’re about to embark on is truly definitive,
meaning it’s highly-detailed and not intended to be
digested over a single cup of coffee. Feel free to dig
deeper into the following contents as your time allows,
but we invite you to read the CliffsNotes version here.
THE DEFINITIVE GUIDE:
CLIFFSNOTES
• Encourage employee participation by remembering
the PEAR approach:
»» Publicize your hotline channels across your
organization (posters, emails, meetings)
»» Educate employees how to use the system
»» Analyze data to identify trends or issues
»» Respond quickly, appropriately and
consistently to incident reports
• Track each incident and investigation process with
a detailed paper trail.
• Consider your global employees and account for
cross-cultural nuances in communication, anonymity, etc.
PART I: REPORTING CHANNELS
• There are three common reporting channels:
telephone hotline, web intake, proxy.
• Choose a hotline system that fits all parts of your
company domestically and globally.
• Offer multi-language capabilities; ensure consistent
company branding on landing pages/intake forms/
messaging; constantly raise awareness of any/all
available channels; regularly extract hotline data.
• Publicize anonymity options and set up an offsite
computer or telephone to foster privacy.
• QA the hotline often using the secret shopper method.
INTRODUCTION 7
PART II: CASE MANAGEMENT
• Once a report is received, it’s time to move onto
managing the case. Case management is easiest if you
think of the process as having three stages: organization,
handling and post-case analysis.
• Are there multiple allegations to consider?
• Route case to the appropriate parties and escalate
the incident in a timely manner.
• Remember to keep the process iterative. Leave room
for review, improvements and adaptations to your
organization’s culture and compliance program.
• Document, document, document!
PART III: DIAGNOSING CULTURE
• Identify the root cause of any incident to help under-
stand the people, attitudes or environments driving
your issues. Doing this will not only help address the
problem at hand, but help prevent the issue from recur-
ring in the future.
• Set and fortify tone from the middle up.
• No one—including your executive peers, your CEO and
Board—live and breathe this stuff like you do, as much
as we would like them to. Exercise patience and drive
participation through education.
• Lean, and lean hard, on tone in the middle.
You shouldn’t let a potentially disengaged board affect
the rest of the program (and all of your hard work).
Strive to continuously communicate about compliance
and engage mid-level and regional managers to jump
on the bandwagon. Building and maintaining a strong
compliance commitment on the front lines can lend
itself to preventing noncompliance, regardless of what
tone is coming—or absent—from the top.
• So you’ve got an anti-retaliation policy…but does
it work? Don’t take face value data that gives you the
answer you want to hear. Dig deep. Gather employee
performance data from other departments such as HR
to help understand the reality of retaliation, and send
the message to your company that it is being monitored.
INTRODUCTION 8
PART IV: ANALYTICS AND BOARD REPORTING
• The data you extract from your incident reports and
cases are a clear window into potential compliance
program weaknesses. Thoroughly document all parties,
issues type and program components to uncover
trends or identify compliance hotspots.
• Bring these findings to your board to help them under-
stand your company’s compliance program at the same
level of detail as other business functions. Deliver a
regular, insightful report and be consistent and efficient
with your findings and follow-up actions.
PART V: HOW TO GET STARTED
• Don’t try and boil the ocean. But don’t be complacent
or resistant to changing “the way it’s always been
done.” There are some easy ways to get some “quick
wins” in the way you take in, manage and analyze
issues. Develop a plan with short and long-term
goals in mind.
PART II: EXAMPLE EXAMPLE 9
PART I:
REPORTING CHANNELS
PART I: REPORTING CHANNELS 10
Many compliance executives use data from their hotline
and investigations to judge the effectiveness of their
compliance program, hence the recent impetus to keep
these aspects of your program centralized, your efforts
well-documented and awareness of such consistently high
throughout your organization.
With the growing trend among third-party regulators to
appeal directly to employees for information, it’s more
important than ever to create a corporate culture of
openness, trust and communication. A well-planned,
well-executed hotline can help you discover and resolve
internal issues before they escalate into very public and
very costly situations.
of compliance executives use hotline
statistics to measure compliance
program effectiveness
use investigation statistics
–Compliance Strategy and Performance report
2016, Ethisphere and Convercent
81%
74%
DATA DOWNLOAD
PART I: REPORTING CHANNELS 11
Employees call into your dedicated hotline and report incidents
over the phone to a trained compliance operator.
Extract data from finding out the following
information from your telephony statistics:
»» Number of rings before pickup – how long does it
take to get an answer when someone calls?
»» Call abandonment rate – the number of times a
caller gives up and hangs the phone up.
»» Distribution of incoming calls during the day –
the volume of incoming calls and when they occur
most (i.e. you see a surge in the morning and
late in the afternoon).
Employees may submit incidents using a web form that
is distributed through the compliance department, who
then monitors, prioritizes and assesses the incident.
Make sure your intake forms are branded, language is
consistent, provides contact phone numbers and
consistent messaging. This will increase trust among
your organization and encourage employees to report
incidents using this channel.
REPORTING CHANNELS
Allegations of misconduct may be reported through
one of the following channels:
A TELEPHONE HOTLINE B WEB INTAKE
PART I: REPORTING CHANNELS 12
Employees reach out to a proxy, someone from
compliance, legal or HR – for example. The proxy
then enters whistleblowing reports on behalf of the
reporting employee(s) that may have been received
through email, in-person, phone, SMS, etc.
DO YOU HAVE A GLOBAL ORGANIZATION?
If you manage compliance for a global workplace,
make sure the hotline you choose is designed to
meet your special requirements. Look for a system
that can be customized to accommodate cultural
differences and that offers multi-language capabilities
for both online submission and phone support.
C PROXY
GOING GLOBAL: A NOTE ON
ANONYMITY, PRIVACY AND
DATA COMPLIANCE
For a whistleblowing channel to be effective, it needs to be
consistently used by employees. Use requires trust, which relies
in no small part on the protection you afford your whistleblowers
through various mechanisms, processes and procedures to
protect confidentiality, anonymity and sensitive data.  
Any multinational organization will encounter varying standards
and stringency around data protection and privacy related to
incident intake. The European Union, for example, prioritizes
privacy over free speech, while the US does the reverse; other
countries fall somewhere on the spectrum in between the two. 
This can complicate things when your hotline spans across
different countries that have nuanced—and sometimes divergent—
standards. Here we outline some of the most common challenges
organizations face when configuring a global hotline.
PART I: REPORTING CHANNELS 13
TELEPHONY
Configuring international telephony is a complicated
and time-consuming process. That said, it’s critical that
someone (if only a vendor) do this thoroughly and
correctly on behalf of your company. Employees should
have an easily accessible number to call where they can
report issues in their native language. The more complicated
you make it for employees to get to your hotline, the less
likely they are to report issues. 
ANONYMITY
In countries where anonymous reports are prohibited or
strongly discouraged, encourage “confidential” rather than
“anonymous” reporting to make it clear that reporting is
confidential, but on a named basis. If you allow reporters
to remain anonymous in countries where it’s permitted,
be sure your call center and web intake are configured to
handle the different scenarios. 
Note: our goal isn’t to rundown a laundry list of
country-by-country standards for your hotline.
For that, we recommend working with an
attorney well-versed in the requirements for
the jurisdiction you’re looking to deploy in.
Our aim is simply to provide a list of key
considerations to account for when deploying
an international hotline.
ISSUE TYPES
Many countries restrict the type of matters that can be
reported via a hotline. Complaints that fall outside that
scope should be filtered out at as early as possible. 
DATA COLLECTION
Only collect the minimum amount of data necessary, as
companies are held to a very high standard regarding the
type of information they gain throughout the course of
doing business. 
REPORT SUBJECTS
Some areas restrict the types of reports you can take in
based on the accused individual, with varying standards
for management and non-management employees. 
RIGHT OF CORRECTION
Any employee who is the subject of the report should be:
(1) informed that the report has been made; (2) provided
access to the report; and (3) given a chance to correct,
clarify and/or respond to the allegations. 
TO BUILD OR BUY A HOTLINE
Many organizations first implement a hotline
internally (‘build’) and then – for a range of reasons –
may move to an external third-party provider (‘buy’);
thereafter, they may move to another provider or,
indeed, return to internal implementation.
These decisions can be driven by a wide range of
considerations, including, but not limited to:
• Cost comparisons
• Overall whistle-blower hotline performance
• External third-party provider relationship
• Data protection performance and issues
• Case/report management capability and
performance
• Translation practice and performance
• Telephony infrastructure costs and
configuration/change challenges
• Infrastructure issues – communications,
policies, posters et. al.
PART I: REPORTING CHANNELS 15
DATA RETENTION
Many countries, particularly in the EU, have strict stan-
dards on what type of data can be stored, how it can be
stored, where and how it can be transferred and how long
you can legally retain that information. For these reasons,
processed data should not be retained for any longer than
is strictly necessary. 
REGISTRATION REQUIREMENTS
Companies operating in the EU are generally required to
notify the applicable Data Protection Authority (DPA)
to communicate the purpose and intended use of the
hotline. Before implementing a hotline, contact the DPA
that oversees each country or territory where you have
an employee presence to gather requirements and under-
stand information which may exempt your company from
participating (e.g., number of employees).
COMMUNICATIONS
Promote and explain the hotline in communications
tailored to local employee populations. Account for local
issues (like anonymity or issue types) and cultural nuances
and, above all, make your hotline and communications
available in employees’ native language.
SUCCESS TIP
Remember: The name of the game is to collect,
analyze and share data while protecting personal
privacy and adhering to local privacy standards.
Your hotline and case management systems
should be configured through geography rules
or other mechanisms to handle these various
scenarios, consider training call center agents,
managers and any other employees who could
potentially field reports from employees.
They’ll need to know what can be reported and
captured, how to offer guidance to reporting parties
for issues they can’t assist with and how to notify the
compliance or legal teams if needed.
Establish a schedule to periodically review and audit
your policies, procedures and compliance related
to these global requirements as they tend to be
moving targets.
1
2
3
PART I: REPORTING CHANNELS 16
PRIVACY
Each channel should enable employees to submit their report
from the privacy of an off-site computer or telephone. It may
seem like a small convenience, but giving employees the
freedom to enter a compliant from a location that “feels safe”
can make a huge difference to participation rates.
OFFER ANONYMITY
Develop and maintain your hotline externally. Employees
tend to trust hotlines maintained by third parties more than
they do internally maintained systems. Submitting reports
through an external hotline is perceived to offer an extra
layer of anonymity and impartiality compared to an in-house
developed system. A third-party provider is more likely to
bring in specialist expertise that’s difficult to match within
the organization.
THE CHANGING WORKFORCE AND HOW TO
KEEP IT COMPLIANT
Since 2000, the population has grown faster than jobs
can be created with millennials (15-35 years-old) entering
the workforce in swaths, according to the Bureau of Labor
Statistics. Baby boomers are working longer in life as
pensions are now a luxury of the past and retirement funds
are the sole responsibility of the employee.
PART I: REPORTING CHANNELS 17
More and more companies are doing business or working
with operations in other countries, increasing the need
to understand the risks of emerging global markets,
cross-cultural understanding and diversity management.
The U.S. Census indicates by the year 2050, half of the
country will be composed of people of color — a quarter
of whom will be Hispanic.
Across the board, there is extreme shortage for skilled
workers as the older generations exit the workforce,
companies are struggling to find qualified replacements.
Companies are seeking freelance workers on a contingency
basis to fill the need, however, liability increases trying
to determine which restrictive covenants make sense
for the business, such as restricting the freelancer from
using customer information, IP and ability to work within
the same industry. The legal ramifications behind these
workers remain unclear, according to a study by employment
and labor law firm Littler Mendelson.
The concern of a diverse workforce is real and gets
complex quickly, alongside the treatment and future of
older workers, contingent employees, outsourcing and
the varying impetus for effective education and training.
PART I: REPORTING CHANNELS 18
If you haven’t already, take the time to build an operational
framework that sets the stage for changing workforce
guidelines. You can always add to it and treat the frame-
work as a working document as the workforce evolves
over the years. Topics to consider examining deeper
when building out the framework:
• Hiring process
• Performance appraisal and promotion
• Discipline and termination
• Investigations and their performance
• Leaves of absence/FMLA
• Americans with Disabilities Act
• Discrimination
• Harassment
• Wage and Hour Law
• Workplace violence
• Affirmative action
• Reductions in force
• Independent contractors
• Establishment of policies and training
• Selection of technology
• Use and management of external vendors
Amid the changes you need to ensure your organization
is meeting its compliance obligations. By building a
responsive program you can anticipate and comply with
legal requirements.
TRACKING ALL INCIDENTS IN ONE PLACE IS KEY
TO EFFECTIVE INVESTIGATIONS
Regardless of which channel an incident is reported, best
practice is to have all incidents recorded and managed in
a single, streamlined and central location for accessibility,
comprehensive reporting capabilities and to ensure consistent
investigation and response procedures across all incident
types. All information, no matter which channel, should be
entered precisely as it was reported.
It’s essential to offer reporting
processes, training codes of conduct,
and policies and procedures in the
native language of your international
employees. When a company goes
before the Department of Justice and
the SEC, that’s one of the first things
they look for.
– Mary Shaddock Jones
Attorney at Law, formerly AGC
and Director of Compliance for
Global Industries, Ltd.


PART I: REPORTING CHANNELS 19
PART I: REPORTING CHANNELS 20
To encourage employee participation, follow these four
best practices for incident-reporting management:
1 PUBLICIZE
If employees don’t know about the hotline, they
won’t use it. Allocate a portion of your time and
budget to promoting the hotline through multiple
channels. Put up posters, deliver in-person presenta-
tions and remind employees regularly through email,
newsletters or intranet sites.
2 EDUCATE
Ensure your employees know how to use the system.
Make sure they understand the types of activities or
observations are appropriate for reporting and which
are not. HR, compliance staff and even leadership
will need training, too, to help them understand how
hotline impacts their day-to-day activities. Face-to-
face works best and is more effective than leaving
training materials that sit on a shelf unused.
Respond promptly and appropriately to hotline
complaints – this will ensure robust participation and
ongoing success. When people see their concerns
are heard clearly and addressed fairly, they will learn
to view the hotline as a valuable conduit.
4 RESPOND
3 ANALYZE
Use the data from the hotline to identify unexpected
trends or issues. Overtime, your hotline will become the
most powerful analytical tool in your compliance toolbox.
SUCCESS TIP
PART I: REPORTING CHANNELS 21
SECRET SHOPPING TEMPLATE
Most of these metrics are straightforward: the requirements
are either clearly met or they’re not. With that in mind,
we recommend using a simple pass/fail scoring system.
The key here is to identify your performance requirements,
particularly in the Connection category. We’ve put in some
standard metrics as recommendations.
CONTINUED ON NEXT PAGE
SECRET SHOPPING TEST SCENARIO VARIABLES
No two companies are the same, and each company
has their own philosophy, processes and procedures for
handling issue reports. That said, we recommend creating
scenarios that test key attributes and requirements of
your hotline and case management process, in addition to
one or two straightforward scenarios that can establish a
performance benchmark. Here are some recommendations
to get you started.
VARIABLE DESCRIPTION FOCUS METRICS
International locations Place the call from one of your
international locations in that
locations’ native language.
Accessibility; Connection; Introduction
Issue routing and escalation Create scenarios of varying
severity that would be routed/
handled differently.
Report Dispatch; Written Report
Anonymity Ensure you’re complying with local
data privacy standards.
Information Gathering; Written Report
Security and confidentiality Name one of your issue recipients as
a subject to ensure they don’t receive
or see the issue.
Report Dispatch
PART I: REPORTING CHANNELS 22
CONTINUED ON NEXT PAGE
EVALUATION CRITERIA SCENARIO 1 SCENARIO 2 SCENARIO 3 SCENARIO 4 SCENARIO 5 SCENARIO 6 SCENARIO 7 SCENARIO 8
ACCESSIBILITY
Local hotline number is easy to find for employees
Local hotline number works when dialed
CONNECTION
24/7/365 availability of live agent
Hold time < 20 seconds*
Availability of interpreter
Hold time for interpreter < 2 minutes*
Total call time < 10 minutes**
< 5% call abandonment rate**
INTRODUCTION
Call opened with correct greeting, in correct language
INFORMATION GATHERING
Agent properly determined the reporter’s needs
Agent gave appropriate explanation of service
Agent read the terms and conditions verbatim
Agent offered an appropriate incident type and provided description
The agent listed and described anonymity options (where allowed)
Agent used probing questions to gather more information
Agent verified how to spell names of involved parties
Agent read information back to reporter and it was accurate
Agent did not adversely influence reporter’s decision to file the report
(by giving opinions/advice or inaccurate/biased information)
Agent provided instructions on how to check the status of the report
Agent provided instructions on how to check the status of the report
SECRET SHOPPING TEMPLATE
ACCESSIBILITY
CONNECTION
INTRODUCTION
INFORMATION GATHERING
PART I: REPORTING CHANNELS 23
EVALUATION CRITERIA SCENARIO 1 SCENARIO 2 SCENARIO 3 SCENARIO 4 SCENARIO 5 SCENARIO 6 SCENARIO 7 SCENARIO 8
CALL CONTROL
Agent controlled call length and did not allow the caller to repeat information
Agent controlled content by focusing on relevant facts and details
(not on reporter’s emotions)
QUALITY
Agent did not sympathize with the reporter (empathy, not sympathy, is OK)
Agent spoke to the reporter with respect
Agent avoided inappropriate use of hold or excessive periods of silence
Agent spoke clearly and professionally
CONTINUED ON NEXT PAGE
Click here to print.
SECRET SHOPPING TEMPLATE
CALL CONTROL
QUALITY
PART I: REPORTING CHANNELS 24
EVALUATION CRITERIA SCENARIO 1 SCENARIO 2 SCENARIO 3 SCENARIO 4 SCENARIO 5 SCENARIO 6 SCENARIO 7 SCENARIO 8
REPORT DISPATCH
Report was dispatched immediately upon completion*
Report was received by the correct individuals based on
company routing rules
Agent read the terms and conditions verbatim
WRITTEN REPORT
Agent captured correct location
Agent captured correct issue type
Agent accurately reflected reporter’s anonymity preferences
Agent wrote report description, responses to questions and additional
thoughts in the ‘first person’
Agent accurately captured reporter’s responses to all incident detail
questions
Agent entered suspected individual names
Agent indicates specific terminology or slang appropriately by using paren-
theses or quotation marks
Report length is controlled by focusing on facts and description
Report contains correct capitalization, grammar, punctuation, sentence
structure and is professional
Reports accurately filed as “complete” or “incomplete”
The report only contains information related to the report
SECRET SHOPPING TEMPLATE
REPORT DISPATCH
WRITTEN REPORT
PART I: REPORTING CHANNELS 25
SECRET SHOPPING – A BEST PRACTICE
Despite the level of training or trust you may have with
your call center, mystery shopping is a best practice
approach used across the industry, however, it is rarely
used in a non-financial context. When you conduct a
secret shop, that is, by calling into your own call center
and posing as an employee presenting a problem they
should be able to solve – you can identify gaps, areas to
re-train, and gather data to test and measure performance.
To improve your hotline effectiveness, consider regular
check-in’s. Secret shopping your hotline is a fast assess-
ment that can easily derive useful data and identify gaps
in your program.
– Keith Read
“Mystery Shopping – How Far Would
You Go?”, Convercent (2016)

Put simply, the mystery shopping
program was a revelation; we found that
despite all our blood, sweat and tears
invested in training, there were often
common compliance failures across
whole swathes of operators; we also
found that certain call centers were
consistently, and significantly, worse
than others, which enabled us to under-
take root-cause analysis; some of those
failures were traced to high employee
‘churn’ levels, which resulted in us then
focusing on employee retention.

PART I: REPORTING CHANNELS 26
SIMPLE VS. GUIDED INTAKE
There are two ways to configure
intake processes that are based
on differing compliance philos-
ophies: whether the employee
should classify the issue type, or
that responsibility is best left to
an administrator.
Guided Intake: Employees
submit issues by first classifying
the issue type, then answer
incident-specific questions.
The issue is routed according to
their classification and the
organization’s routing rules.
(This is the more widely-used
method.)
Simple Intake: Reporters
are asked to first explain the
incident and provide details.
When a report is submitted,
administrators categorize
the issue based on the
provided information and
route it accordingly.
– Peter Jaffe
CECO, AES Corporation
Whenever I travel to one of the countries where we have a business,
I test our Helpline telephone number. I ask a random person who works
at our local business to make the call. I ask the caller to make up
whatever story he or she would like to use in making the report – either
an allegation of wrongdoing or a question about policy. Because I
don’t give the caller any other information, including the telephone
number to call, it allows me to test whether the person can figure
out how to call the Helpline on their own (is the Helpline effectively
advertised internally?) as well as to test whether the telephone number
is easy to use and actually works (in some countries for example, some
toll free process, including speaking in the local language, it helps us
test not only the connection but also how well the translator translates
the caller’s story, how polite and friendly the operator is, whether the
report is transcribed accurately, and how quickly it gets to the right
people in our ethics and compliance team. Experiences from this
process have helped us greatly improve the user experience for our
Helpline around the globe.
EXPERT INSIGHT
PART I: REPORTING CHANNELS 28
Recommended steps in gathering the right information
For more information on hotline:
Download the 7 Essential Hotline Features
GUIDED INTAKE CHECKLIST
Step 1: Select the location and where the
incident occurred.
Step 7: Provide your information and set
anonymity preferences.
Step 8: Review and verify report accuracy.
Step 9: Create a complex password (8-20
characters, including upper and lower case letters,
numbers and special characters such as !, @, #, $,
etc.) and security question to access the case.
Step 10: Receive and record the case number.
Step 2: Acknowledge the terms and conditions,
which usually include a notification that the intake
channel is not an emergency service.
Step 3: Select the issue category and a series of
related questions.
Step 4: Describe what happened and provide
information about the involved parties (subject,
witnesses or victims).
Step 5: Provide the date, time and located where
the issue occurred.
Step 6: Upload any supporting files, photos or
documents relating to the allegation. If creating a
report through the call center, reporters can access
their report and submit files online.
PART II: EXAMPLE EXAMPLE 29
PART II:
CASE MANAGEMENT
PART II: CASE MANAGEMENT 30
Once a report is received, it’s time to move onto managing
the case. Case management is easiest if you think of the
process as having three stages: organization, handling and
post-case analysis.
While consistency, approachability and accessibility are key
during report intake, efficiency is the name of the game
once the report’s been filed. If efficiency can be extended
throughout the processes related to routing, communication,
investigating and analysis, your team will have more time to
spend in the field and conduct a better analysis on incident
handling and trends. Not to mention this can and will lead
to swifter and more consistent case resolutions, which will
foster and fortify accountability, transparency and confidence
in organizational justice within your company.
Being able to identify and resolve issues before they escalate
to an external investigation or litigation is one of the most
well-known benefits of a hotline, but the reality is that
not every issue can be caught internally. What’s less well-
known is that an effective hotline system can help an
organization prepare for these challenges more effectively
and achieve a better outcome.
PART II: CASE MANAGEMENT 31
COMPLEX CASES
Compliance incident reports are rarely simple and straight-
forward—they often involve multiple parties and multiple
types of allegations. According to the 2013 National Business
Ethics Survey from the Ethics Resource Center, two thirds
of misconduct either occurs over multiple incidents or is an
ongoing pattern. Misconduct also usually involves more than
one person, as the survey reported 41 percent of observed
misconduct was committed by multiple individuals, with
12 percent committed company-wide.
It makes little sense, then, to oversimplify the reporting
process by requiring separate reporting and tracking of each
issue and forcing reporting parties to choose one allegation
type to focus on, or to file multiple complaints. Reporting
parties should have the ability to report multiple allegations
involving multiple parties in a single case. Each allegation
can then be managed to closure by tracking substantiation,
action taken and key findings involving a variety of involved
parties, including subject, witnesses and reporting parties.
This approach accounts for the complexity of the reports
compliance teams usually receive and the granularity they
need to have insight into and report on to effectively
manage these cases to close. The company benefits from
more insightful data analysis such as commonly related
issue types and trends in involved parties across issues, to
name a couple.
PART II: CASE MANAGEMENT 32
INVESTIGATIONS
Half the battle of tracking an incident is documenting
an easily accessible paper trail. With the complications
of differing intake methods and use cases, and varying
reporting channels, establishing a standardized process
to plan, conduct, and report on findings from internal
investigations is imperative. If an incident is elevated to the
court level or the regulators come knocking, you must be
able to provide documentation on-demand.
Additionally, a standard investigation process allows you to
gain insights to become proactive and predictive rather than
reacting to incidents one-by-one. Your case management
system can and should support this investigation process.
PART II: CASE MANAGEMENT 33
Here are the fundamentals for establishing an investigation
process foundation. These are the elements that – if you
are not already doing these – will bring you on par to a
basic investigation process.
CONTINUED ON NEXT PAGE
Has any potential violation taken place? [YES NO]
If yes, which?
What company policies were broken? [YES NO]
If yes, which?
What laws were broken? [YES NO]
If yes, which?
What are you trying to achieve?
What will it take to get there?
What is the standard of proof you will need for each
investigation’s findings?
THE BASICS
1 2ASSESS THE ISSUE PLAN AND DEFINE OBJECTIVES
PART II: CASE MANAGEMENT 34
What information will you need to meet your
objectives? (Who, what, why, when, where, how?)
Which members of your team will be involved
with each investigation?
Who will actually conduct the investigation?
Who are the decision-makers who have the authority
to make the final call on any disciplinary action?
3 GATHER THE INFORMATION
Leverage a variety of investigation methods
including: interviews, research and audit, physical
or electronic surveillance, forensic analysis or
undercover research.
• Record all tasks and activities, who performed
them and when and where they took place.
• Record all evidence, including digital files or a
description of physical evidence and its location.
• Log descriptive notes for all tasks or evidence,
such as a summary of an interview.
• Identify all parties involved, including reporters,
witnesses, affected parties, subjects, interviewees
and investigators.
• Log all email communications related to
the investigation.
• Provide limited access for managers or other
non-investigators who need to check on the status.
CONTINUED ON NEXT PAGE
THE BASICS
PART II: CASE MANAGEMENT 35
CONTINUED ON NEXT PAGE
THE BASICS
Conduct interviews with the subjects in a neutral
location and always have a third person in the room
to act as witness. Start the interview by explaining
how you learned of the allegation and describing all
the methods you used to investigate the incident.
Then, let the employee know that this his or her
chance to share their side.
Your goal is not just to resolve this case, but prevent
similar incidents from happening again. To do this,
you should get the person to:
• Admit to the offense
• Tell you how and why they did it
• Find out who else was involved or if other
offenses occurred
Don’t forget: Record this all in your case management
system. Document when the interview took place,
where it occurred, who was there, and provide a
summary that describes the details.
4 5VERIFY AND ANALYZE PRESENT RESULTS AND MAKE A DECISION
Within your case management system, compile
all the information you need to write a report.
This should include:
• An executive summary outlining the basic
facts of the investigation, including the original
allegations, the outcome of the fact-finding
process and who was involved with the offense.
• Detailed account of the investigation that
describes all the methods you used, the
evidence you uncovered and which claims
you’ve substantiated and which you haven’t.
• List of evidence supporting your conclusions,
including interview summaries and other
corroborating documents.
• Copies of the signed admissions of the people
involved with the offense.
PART II: CASE MANAGEMENT 36
THE BASICS
• Final summary reiterating the investigation’s
findings of fact, including which policies or laws
were violated and what controls were in place to
prevent, uncover and address these violations.
Avoid making recommendations for disciplinary
actions and take the ‘just the facts’ approach.
Leave the rest up to the decision-making team.
6
7
DETERMINE DISCIPLINARY AND
CORRECTIVE ACTION
CLOSE THE LOOP
Circle back to the impacted employees after an
investigation concludes to let them know you’ve
resolved the issue. This will increase their perception
and confidence in organizational justice and cultural
transparency.
The opportunity is ripe to find and correct any root
causes of bad behavior (see Root Cause in this
guide). Whether operational problems like weak
controls or cultural issues like management pressure,
understanding the drivers and influencers of bad
behavior better equips you to anticipate and prevent
similar issues from occurring in the future.
The baton now passes to the decision-making team
who will use your findings from the investigation
report to determine appropriate disciplinary action.
It’s important that this team is separate from the
investigative team, has the authority to enforce
disciplinary action and can affect change to
compliance controls to prevent a reoccurrence of
the issue. You can create a follow-up plan to ensure
any corrective actions do take place. Don’t forget
to change the status of the incident in your case
management system.
PART II: CASE MANAGEMENT 37
CASE ROUTING & ESCALATIONS
No matter how a report is made, it should be dispatched
immediately. Configuring routing rules, escalation
procedures, notification settings and access controls
so issues are immediately forwarded to the appropriate
“need to know” people and privilege, confidentiality,
security and non-retaliation are protected. Email, SMS,
or phone call notifications to specific executives may
also be activated in some severe cases.
We talk a lot about being proactive rather than reactive,
but the reality is, you’re never going to be a fortune teller.
There will be incidents that you will have to bring out
your firefighting gear for, and that’s ok. However, having
an escalation process in place can help you smother the
flames faster. A formalized process can ensure that open
incidents don’t remain open and are properly addressed.
It also helps senior leaders to stay adequately informed
about and actively engaged in compliance issues that
warrant their attention.
Bring order, structure and laser-focused attention to
lingering incidents, not to mention, by having a formal
escalation process in place you will close more incidents,
which sends the message to your employees that incidents
undergo thorough follow-up and encourages them to
report misconduct.
Remember to keep the process iterative and leave room
to review, learn and adapt to your organization culture
and compliance program. By getting the entire company
involved, you can allow anyone to escalate an incident.
WHAT IS YOUR CASE MANAGEMENT MISSING?
DOWNLOAD OUR INFOGRAPHIC TO FIND OUT.
PART II: EXAMPLE EXAMPLE 38
PART III:
SETTING THE CULTURE
PART III: SETTING THE CULTURE 39
You may look at some issues that come across your desk and
wonder, “what were they thinking?!” Ask that question of every
issue, no matter how insignificant it may seem, and document the
answer. While, for most compliance executives, preventing issues
is top-of-mind; an uncommon attempt to document and address
what actually causes the misconduct in question.
HOW ROOT CAUSE HELPS
When you identify the true influencing factors behind misconduct,
it can help you determine and address program weaknesses.
Examining root cause can shine a light on problems within your
organization down to the employee level. Oftentimes, even
comprehensive program and culture assessments may not uncover
the true problems behind the problems quite like tracking root
cause information as you investigate each and every case.
Additionally, identifying root cause allows you and your compliance
team to evolve from short-term, reactive incident triage to proactive
issue mitigation. By identifying the root cause, you will have the
chance to get ahead of issues.
ROOT CAUSE
PART III: SETTING THE CULTURE 40
DIGGING DEEP MATTERS
Identifying a root cause can feel like playing a game
of operation – trying to pinpoint the true cause can be
difficult, surgical, and require a steady, persistent hand.
In many cases, the root cause is about the nuances, with
several factors, both internal and external, frequently
contributing to the noncompliance.
For example, an employee may be up-to-date with
policies, have near-perfect training scores, but a poor
or misguided decision can lead to a slippery slope of
noncompliance. Once one deed has gone unnoticed
and unpunished, it is easy then to rationalize additional
missteps, especially if the employee perceives it as not
hurting anyone or the company.
This is where digging deep to find the root cause really
matters. Without understanding what happened and what
specific influences factored in, it is hard to correctly address
the problem. Simply adding a new policy or training course
may not cut it, and ultimately, not improve your program –
leaving the weakness open for repeat offenses.
WHAT TO LOOK FOR
Keep in mind these two main factors that help
influence noncompliance:
• The mind set of the individual committing the
misconduct (behavioral factors); and
• Outside influencers that helped promote, encourage
or justify that behavior (environmental factors).
PART III: SETTING THE CULTURE 41
BEHAVIORAL FACTORS
Blatant disregard for company policies, rationalized
behavior, or ignorance to a policy or rule. There may
be more than one influence from each category.
Insubordination: an act of willful disobedience.
Lack of sensitivity: the employee was not aware of the
conduct would have an effect on others, or, the employee
knew their conduct would have a negative effect on
others, but rationalized it by saying it’s the way they are.
Lack of awareness: the employee did not realize their
misconduct was wrong and/or didn’t realize they needed
to abide by the rule.
Company loyalty rationalization: “I was generating profits
for the company.”
Legitimate action rationalization: the employee rational-
ized their actions claiming the rule is outdated and that
every other employee was doing it.
No harm rationalization: employee rationalizes action
because it caused no harm to anyone.
PART III: SETTING THE CULTURE 42
ENVIRONMENTAL FACTORS
Pressure from organizational or managerial expectations –
either expressed or implied. There may be more than one
influence from each category.
Culture influences: culture differences from inside
or outside the organization.
Financial or performance incentives: incentive compensation
or a performance reward drove the violation.
Operational burden: undue operational burden left
insufficient time to perform in a compliant matter.
Pressure from management or peers: pressure to conform
or complete tasks at all costs driven by a superior or peers
contributed to the violation.
Process design: a poorly designed process created
conditions that facilitated misconduct.
Remote or inadequate supervision: conduct occurred in a
remote affiliate and/or under insufficient supervision.
Weak controls: there were weak controls over the employee
or third-party activity that allowed for a violation.
Analyzing the root cause of compliance misconduct
will not lead to a fully predictive program, but can be a
factoring variable to spot holes or cultural breakdowns.
It’s not as cut and dry as it seems – the causes behind
misconduct aren’t simple and are unlikely to be quick
(or easy) fixes. Take your time to understand the factors,
which will help your program go from good to great and
get one step closer to a predictive program that can stop
noncompliance before it ever happens.
PART II: EXAMPLE EXAMPLE 43
Employees at any organization tend to judge leadership
on three contributing factors, according to the National
Business Ethics Survey (NBES) from the Ethics and
Compliance Institute (ECI).
• The overall character of their leaders as experience
through personal interactions;
• How senior management handles crises; and
• The policies and procedures adopted by senior
leaders to manage the organization.
Supervisors can impact the organization’s ethics just as
much as the executive team. “When it comes to modeling
good behavior, keeping promises, or upholding organization
standards, direct supervisors may matter just as much
or more than CEOs and other senior executives,” stated
the NBES.
SETTING THE TONE
DATA DOWNLOAD
workers pointed to their immediate
supervisor when asked who they
consider senior leadership. Workplaces
which leaders display ethical leadership
tend to have lower rates of misconduct,
less pressure to break rules and greater
employee engagement.
– Ethics and Compliance Research Initiative (ECI)
2 in 5
PART III: SETTING THE CULTURE 44
DATA DOWNLOAD
TONE FROM ALL LEVELS
How your senior leaders demonstrate their commitment
to compliance – not just through what they preach, but
what they practice – will have a direct affect on employees’
perception of your company’s ethical culture. At a minimum,
keep your leaders well-informed about your program; in
best cases, they can be program advocates and stewards by
endorsing and practicing ethical conduct.
Surveys continuously show that upwards of 80 percent of
misconduct reports are reported in person, with a majority of
the reports being made to direct supervisors. It’s important
then, that you ensure:
• Your employees know and trust they can report
issues to their supervisor;
• Those supervisors are prepared to receive and
document those reports; and
• Managers understand your company’s stance
on retaliation.
Supervisors that provide positive feedback for ethical
conduct and who employees perceive to be ethical and fair
are more likely to implicitly encourage employees to come
forward with misconduct reports.
of middle managers report that they’re
only “somewhat active” in ensuring that
daily decisions and behavior are in line
with company values
report that ethics and compliance
aren’t considered during their
performance reviews
Mintzer, Rebekah. “’Tone From the Middle’
for Better Ethics and Compliance.” Corporate
Counsel. 2015.
48%
31%
All this and more is why you must lean, and lean hard, on
tone in the middle. You shouldn’t let a very busy – and
potentially disengaged – Board affect the rest of the
program (and all of your hard work). Strive to continuously
communicate about compliance and engage mid-level and
regional managers to jump on the bandwagon. Building
and maintaining a strong compliance commitment on
the front lines can lend itself to preventing noncompliance,
regardless of what tone is coming – or absent – from the top.
PART III: SETTING THE CULTURE 45
Break out of the compliance silo and reach out to middle
managers and the HR department that employees deal
with most frequently. Directly engage the people most
likely to be setting employee goals and receiving issue
reports. They’re the most visible and effectual members of
the compliance team you’ve got!
DEDICATION TO COMPLIANCE
Unless the tone is reiterated and strengthened at every
level, compliance programs still will not be successful. A
Board that is committed to ethical and compliant behavior
will help the company as a whole make ethical strategic
decisions – but it’s the middle managers committed to
compliance who are going to influence ethical decisions on
the daily and support a company-wide tone.
Amy Much, Director of Global Compliance at Under
Armour sets the tone in the middle rather than the adage
of setting it at the top. As a compliance professional,
you’re no stranger to the fact that “tone at the top” is a key
component of a successful compliance program. However,
often times when you look for tone at the top, it is easy to
forget that:
• It is difficult to find what truly influences others.
If you’re relying on the actions of others for the success
of your compliance program, you’re taking a big risk.
• The tone in the middle (compliance directors, front line
managers) are just as important to the day-to-day success
of your compliance program as those at the c-level.
Don’t get us wrong, we are not diminishing tone at the top,
rather, we are emphasizing the importance for compliance
executives, directors and managers to encourage tone in
concert from the top while they actively work to set the
right tone in the middle.
Amy Much, Director of Global Compliance at Under Armour
prioritizes tone in the middle rather than the at the top.
As a compliance professional, you’re no stranger to
the fact that “tone at the top” is a key component of a
successful compliance program. However, when you look
for tone at the top, it is easy to forget that:
• It is difficult to find what truly influences others.
If you’re relying on the actions of others for the success
of your compliance program, you’re taking a big risk.
• The tone in the middle (compliance directors, front line
managers) is more important and wide-reaching to the
day-to-day success of your compliance program as
those at the c-level or in the boardroom.
PART II: EXAMPLE EXAMPLE 46
“More than half of
respondents believe
that top leadership
values ethics and
integrity over
short-term business
goals. Almost half of
employees surveyed
believed that the top
leaders within their
organization were
unaware of the behavior
that exists throughout
the organization.”
KPMG, Integrity Survey, 2013, p. 14
PART III: SETTING THE CULTURE 47
– Amy Much
Director of Global Compliance,
Under Armour
WATCH:
AMY MUCH’S TAKE ON
TONE IN THE MIDDLE
Everyone preaches tone at the
top. You go to a lot of seminars
about how to tackle various
compliance issues and they all say
tone at the top is very important,
but you can’t find something that
says how you infuse the tone at
the top, how you change it, how
you affect it. I do feel a little bit
like I’m flying blind when it comes
to how to answer that question.
I’m attacking the tone at the
middle and hoping to push up.


PART III: SETTING THE CULTURE 48
In ECI’s latest National Business Ethics Survey (NBES®),
more than one in five workers who reported misconduct
said they experienced retaliation in return.
Most organizations have a “no retaliation” policy, but have
you ever sat down and asked how genuine it is? That is,
do your employees know about it or does it just sit on a
shelf and have little impact on what happens day-to-day
in your organization. Here is Keith Read’s take on the topic,
and a sample analysis you can conduct to determine
policy effectiveness.
RETALIATION
Ask yourself, “How do I know our anti-retaliation
policy is working?” If the answer is, “I don’t know”
consider going through Keith’s analysis that you
can undertake within your organization. Gather data
from your HR department and see what findings can
help you improve your retaliation policy.
SUCCESS TIP
PART III: SETTING THE CULTURE 49
Retaliation can take many forms: at the organiza-
tional, manager and peer level, and involve both
“hard” and “soft” retaliation ranging from disci-
pline, dismissal and harassment through the more
implicit loss of a whistleblower’s career trajectory and
advancement opportunities. Whatever form, retaliation
impacts the individual reporter and means that
other people will think twice about blowing the
whistle in the future.
When I examined whistleblower data as a CECO,
I was looking for indicators of retaliation included:
• Annual performance reviews
• Raises
• Bonuses
• Disciplinary actions
• Career progression
I compared this data to the employee’s peers
and it was immediately clear that retaliation was
happening, albeit not everywhere and not affecting
every whistleblower. Some individuals had been
high performers prior to blowing of the whistle; but
their performance sharply declined afterwards, and,
in some cases, never recovered. Based on my data,
retaliation was linked most to managers and
senior managers.
This analysis enabled me to discuss the reality of
retaliation within our organization, and to heighten
awareness of our monitoring of the issue. There is
some evidence to show that retaliation lessened once
that message had been circulated, though it admittedly
can take years for a cultural pattern to emerge.”
– Keith Read
Convercent
EXPERT INSIGHT
PART II: EXAMPLE EXAMPLE 50
PART IV: ANALYTICS AND
BOARD REPORTING
PART IV: ANALYTICS AND BOARD REPORTING 51
Post case analysis: hotline reports and cases are a
clear window into potential compliance program
weaknesses – what don’t you know that you don’t
know? By thoroughly documenting all parties
involved, issue types and the program components, you can
more easily uncover trends or identify compliance hotspots
based on issue type, risk area, business unit, office location or
any number of other variables.
Examine the impact, or lack thereof, of the following on
your issues and cases:
• Policies
• Training courses
• Initiative engagement, completion, certification
and/or attestation rates
• Risk areas
• Disclosures
• Compliance resources and staff
• Office locations
• Job titles
• Communication frequency
ANALYTICS
The most robust form of reporting is when you combine
your compliance tools and data together to address
risks, achieve your objective and measure your progress.
Organizing data and performance metrics by your risk
areas, gives all the information from the first three parts
of this guide to provide critical context you need to truly
understand and improve effectiveness.
By this point, your case management program is in place.
You’re armed with the necessary data and metrics. You’re
continuously making adjustments and improvements.
Now it’s time to tell the Board how it’s all going. Are you
panicking now or do you think you have it handled? How
are you going to distill all that excellent compliance infor-
mation you obtained in just a few slides?
To start, use our checklist, The Essential Presentation
Planning Checklist, which highlights importance features
of a compliance report and helps you focus on what to say
and how to deliver the information. Download here.
52
DATA DOWNLOAD
REPORTING TO THE BOARD
In our recent study with Ethisphere, we found that every
company we spoke with delivered some variation of
compliance reporting on at least an annual basis.
Overall, we found inconsistencies in the frequency of
reporting, the information included in the report and the
format in which the report is presented. It seems that
nearly every compliance executive has his or her own idea
of how to report on key compliance metrics, seemingly
influenced by the politics of the Board and the leadership
of his or her company.
HOW FREQUENTLY DO YOU DELIVER
A FORMAL REPORT?
use Board communications to report
compliance program statistics, but only
said the full Board receives the report.
–Compliance Strategy and Performance report
2016, Ethisphere and Convercent 
67%
29%
–Compliance Strategy and Performance report 2016,
Ethisphere and Convercent 
50% Quarterly
25% Annually
18% Monthly
5% Less than two years
2% Semi-annually
PART IV: ANALYTICS AND BOARD REPORTING
53
Leadership: What top management is doing to foster a
culture of compliance and how the company is leveraging
middle management – who, being near the front lines, are
invaluable resources. (See: Setting the Culture)
Training: What training programs are available for
different types of employees and what internal
communication strategies and vehicles are being
used to keep ethics and compliance top-of-mind
across the organization.
Assessment: The ongoing monitoring and auditing
processes that assess the program’s effectiveness,
including how periodic program reviews are done and how the
program has been validated by an independent third party.
• Remind your Board about why they care.
• Coach your Board on what to look for.
• Deliver a regular and thorough report to the Board.
• Be prepared, be consistent and be efficient.
SUCCESS TIP
Don’t leave your Board guessing. They need to understand
your company’s compliance program at the same level of
detail they any other departments.
WHAT TO COVER
Key players: The key compliance actors within the
company, as well as the reporting chain. If the compliance
lead has direct access to the CEO and Board, say so (if not,
you should arrange for such access and then say so).
Incentives: How compliance plays into executive and
management compensation and incentives.
Risk: How the program covers the company’s high-risk
areas at home and abroad. Make clear how these initiatives
apply not only to employees, but also to business partners,
vendors, subcontractors and third parties.
Culture: How the company is fostering an ethical culture
and how leadership supports those efforts.
Resources: What you spend on the compliance program,
whether that number is rising or falling, and why.
PART IV: ANALYTICS AND BOARD REPORTING
54
After completing the following exercise, you will be able
to present the Board with actionable and insightful data.
You will be able to complete this paragraph:
“Over the course of (time),
we identified the following trends
.
(trend 1, trend 2, trend 3, etc.). There were
(amount) of risk areas. This is how
we are addressing the risks:
(policies)
and (train-
ings). These are how many issues related to
these risks . Here is what we are doing
to solve them: ,
and .”
Example: Over the course of 10 years,
we identified….
Response: The processes and communication lines the
company has established to review compliance violations,
how responses are calibrated and what measures have
been put into place to stop it from happening again.
Open door: How you encourage employees to come
forward with reports of misconduct (See: Reporting
Channels) and how you disseminate your non-retalia-
tion policy (See: Case Management). Tell the Board how
your managers are trained to field employee reports,
document alleged misconduct and move reports up the
reporting chain (See: Escalation).
Planning: To wrap up, describe your plans for the
compliance program during the year and beyond.
PART IV: ANALYTICS AND BOARD REPORTING
55
RETALIATION VERIFICATION EXCERCISE
Mining this data will require you to gather intel from other
departments in your organization – an emerging best prac-
tice for reconciling useful compliance data.
At hire:
After blowing the whistle:
Current:
Schedule a meeting with your HR department to
walk through this exercise.
HR meeting is scheduled for
.
Number of Direct Reports:
Overall Employee Review (Circle One):
Positive -or- Negative
Immediate Supervisor:
Number of Promotions/Demotions:
Compensation History Trend:
Number of Disciplinary Reports:
• We recommend sampling 7-10 reporting parties who
blew the whistle at least a year (preferable two or
more) ago to allow for enough time for changes in
position, salary, etc.
• Compare the whistleblowers’ data to 5-10 peers who
share their career path (position, tenure, experience, etc.)
PART IV: ANALYTICS AND BOARD REPORTING
56
When planning for the future, apply what you’ve
learned from trend analysis of your case history to
your organization’s strategic objectives below.
Strategic Opportunities & Threats: New risk severity (impact + likelihood):
Top Risk Profile Changes:
PART IV: ANALYTICS AND BOARD REPORTING
57
Proposed plan of action and resources needed:
HAVING A STRATEGIC, FORWARD-LOOKING
CONVERSATION WITH YOUR BOARD
• How much will it cost to make the
recommended improvements?
»» What’s the bare minimum cost for
“checking the box,” and what’s the cost
of meeting current industry
best practice?
• What will happen if we don’t make the
adjustments now?
• What does success look like?
• What do you need from senior leaders and
management for this to work?
• What are other factors that could affect
these plans (market, enforcement, etc.)?
Top 5 Trends Facing Your Company:
1.
2.
3.
4.
5.
PART IV: ANALYTICS AND BOARD REPORTING
PART II: EXAMPLE EXAMPLE 58
PART V:
HOW TO GET STARTED
PART V: HOW TO GET STARTED 59
We’ve covered a lot. And there are some things in this
guide that can certainly take longer to address than
others because they involve a fundamental shift in
organizational culture or processes. It’s understandable
to be overwhelmed, or tempting to be dismissive.
Change is rarely easy, and it never happens all at once.
Here are some easy ways to get some early momentum,
along with some tips for success:
PUT IT INTO PERSPECTIVE
This is one of the only direct lines your employees have to
tell you about things that are going wrong. Invest in it.
And remind your senior leaders and boards that if they
expect you to keep their names out of the headlines, that
you’re going to need a way to find out about the things
that could put them there.
DON’T BOIL THE OCEAN
Start with your short- and long-term goals in mind and work
all the way back to the tactical minutiae you can influence
now. Want fewer anonymous reports? Look at known versus
anonymous percentages to date, and set a goal for six
months, one year then two years down the road.
PART V: HOW TO GET STARTED 60
Then look at the tactical things you need to do to make
that happen, from the way you communicate about
your hotline, to how you train your managers to handle
in-person reports; and from secret shopping the experience
an employee has with the hotline, to digging deep into
employee data that could signal implicit retaliation.
BE OPEN AND BE CURIOUS
Hotlines are one of the most fundamental mainstays of
corporate compliance programs, and it can be easy and
all too tempting to dismiss any changes as too difficult or
unnecessary. Today’s business environment, legal
landscape and global workforce are incredibly dynamic—
you can’t afford to rely on tools that are anything less than
that. So ask questions about why things are the way they
are and push back on resistance to change.
CATER TO YOUR AUDIENCES EQUITABLY
Evaluate your reporting channels, case management and
analytics from the perspective of each of your stakeholders:
employees, third parties (if they’re using the hotline),
compliance/legal/HR admins and investigators, your
executive team and your Board. What does each group
need or want? And how do you make it easy for them to
achieve their goals? The easier you make this for everyone,
the more likely they are to do what you need them to.
ASK AROUND
The thing about hotlines is that (most) everyone has them.
So give yourself a “support group” and find out what’s
working and what’s not for everyone else.
CALL IN REINFORCEMENTS
There are people and companies that stand up and
maintain hotlines for companies all over the world,
on a daily basis (ahem). Use them and tap into the
tried and true experience and results they’ve amassed by
working with companies just like yours. It’s a heck of a lot
faster, cheaper and painless than learning those lessons
on your own.
61
There you have it – the steps to take to bring your
compliance program from good to great. You are now
armed with checklists, how to’s, reporting tips and
conversation templates to start integrating into your
program. We hope these resources serve you well as
you begin to centralize and standardize incident intake,
investigation and management at your organization.
CONCLUSION
Convercent’s risk-based global compliance solution
enables the design, implementation and measurement of an
effective compliance program. Delivering an intuitive user
experience with actionable executive reporting, Convercent
integrates the management of corporate compliance risks,
cases, disclosures, training and policies. With hundreds
of customers in more than 130 countries – including
Philip Morris International, CH2M Hill and Under Armour –
Convercent’s award-winning GRC solution safeguards the
financial and reputational health of your company. Backed by
Azure Capital, Sapphire Ventures (formerly SAP Ventures),
Mantucket Capital and Rho Capital Partners, and based in
Denver, Colorado, Convercent will revolutionize your
company’s compliance program.
Convercent.com
Convercent © 2016. All Rights Reserved.

Leave a Comment

Get the BPI Web Feed

Using the HTML code below, you can display this Business Process Incubator page content with the current filter and sorting inside your web site for FREE.

Copy/Paste this code in your website html code:

<iframe src="https://www.businessprocessincubator.com/content/convercent-case-management-guide/?feed=html" frameborder="0" scrolling="auto" width="100%" height="700">

Customizing your BPI Web Feed

You can click on the Get the BPI Web Feed link on any of our page to create the best possible feed for your site. Here are a few tips to customize your BPI Web Feed.

Customizing the Content Filter
On any page, you can add filter criteria using the MORE FILTERS interface:

Customizing the Content Filter

Customizing the Content Sorting
Clicking on the sorting options will also change the way your BPI Web Feed will be ordered on your site:

Get the BPI Web Feed

Some integration examples

BPMN.org

XPDL.org

×