One of the most slippery tasks for any compliance officer is measuring the effectiveness of your program. And we all know one of the go-to metrics that compliance officers use, even if many secretly wonder how informative that metric really is.
We speak, of course, about “hotline statistics.”
Just last month, Convercent and Ethisphere published a compliance benchmarking report covering all manner of issues, including which specific metrics compliance officers use to gauge effectiveness. Right at the top: hotline statistics, cited by 81 percent of respondents. The Convercent report is only the latest in a long line of CCO surveys that have said as much; three years ago, in the Deloitte Compliance Trends Report of 2013, the figure was 65 percent.
The question is how to put real insight into “calls to the hotline” so that metric is actually useful, rather than just something easy to quantify and present to the board. Veteran compliance officers know the conundrum here: plenty of calls to your whistleblower hotline is not necessarily a bad thing; it can indicate a strong speak-up culture, which is what you want. Conversely, no calls to your hotline might suggest the (really bad) possibility that employees are terrified to report misconduct.
Think about the implications of that conundrum, however, and you start to get closer to compliance metrics you do want. Clearly no calls at all is alarming, because you have an absence of any information at all. If information is what you need, then lots of reports to your internal reporting system (which should include calls to the hotline, reports filed to managers or HR, and similar channels) is a good thing.
The volume of activity isn’t information, however; it’s just noise. It only tells you your program is busy, not whether it’s effective. To get to useful indicators of effectiveness, you need information about the reports themselves—and that’s where some compliance programs come up short.
For example, truly good metrics of effectiveness are complaints specifically about retaliation: the number of retaliation complaints you get in absolute terms, the percentage relative to total complaints, the year over year change, the number of managers against whom retaliation complaints are filed, and so forth. Metrics like those get you closer to answering the question, “How is our culture? Does it respect ethics & compliance?”
That is a question worth chief compliance officers’ time—because if your firm ever does run into regulatory trouble, rest assured that those regulators will be asking it.
On a practical level, the challenge is to ensure that your compliance program can actually track metrics like the ones above. Maybe your hotline doesn’t collect data at that granular a level and it can’t be reported to you. Maybe your hotline does, but your HR department does not. Maybe both do, but you lack a control to be sure the same bad manager isn’t counted twice because an employee complained via two channels.
So even when you do have a solid grasp of the hotline metrics you want, you still have lots of homework on policies and procedures to ensure you collect that data smartly.
While we’re in the neighborhood of whistleblower hotlines…
If you have not yet heard, the Occupational Safety & Health Administration is working on guidance for whistleblower anti-retaliation programs; its initial plan was published for public comment in November (the comment period closed last month) and we could see a final version later this year.
The headlines of that proposed guidance won’t surprise compliance officers too much: ensure leadership commitment, foster an anti-retaliation culture, implement a reporting system, conduct training—nothing you haven’t heard before, or that any self-respecting compliance program doesn’t already try to do. (Although please note, no compliance officers serve on OSHA’s Whistleblower Protection Advisory Committee. Tsk.)
The question is how prescriptive OSHA’s guidance might be, or more specifically, how granular regulators will get as they compare your program to OSHA guidance when a retaliation compliant eventually comes along. In training, for example, the proposed guidance lists 10 points that your training program should include “at minimum.” (My favorite: “how to separate annoying or inappropriate behavior from the complaint itself.”) Will all companies be expected to include all 10 points? That’s what “at minimum” means to most people; we’ll see what OSHA thinks of it.
Some of the 58 public comments OSHA received also wondered about what special accommodations the guidance might allow for smaller businesses, where formal anti-retaliation systems and controls might be difficult to implement. Along similar lines, lobbyists for the railroad and oil & gas industries asked OSHA to be sure that its anti-retaliation guidelines don’t undermine vigorous workplace safety rules, where firing an employee for serious safety violations is a tool employers want to keep.