An interesting question cropped up this week on a corporate compliance chat board I often visit: How should a compliance officer test his or her external hotline provider?
In respect for the commenters’ privacy, I won’t identify the chat board here; suffice to say, many of you probably already know the group that operates the boards, and they are a valuable resource for peer advice and inspiration. In this case, the original poster hails from a global company, and wants to take a hotline provider’s services (we don’t know which vendor) for a field test. So what should that test entail?
It’s a good question. Let me pass along here some of the advice posted there.
First, I’ve been surprised at how difficult setting up a compliance hotline can be. Another compliance officer I know (not the one mentioned above) once described to me the painstaking challenge simply of getting local phone numbers established in various parts of the world, which would then forward local employees’ phone calls to a handful of call centers across the globe.
That issue lingered unresolved for weeks. It involved complaints to the vendor, escalation, conference calls, and ultimately the company either dumped or never signed with the vendor, all because nobody could get employee complaints from Indonesia to the vendor’s call center without reinventing the telephone.
So when those unacquainted with external hotlines wonder, “How hard can this be, really?” — rest assured, it can be really hard.
Test the Logs and Workflows
One compliance professional with a background in software testing said that before you even get to testing the hotline with actual calls, you should test the configuration of your hotline system to be sure incidents called into the hotline follow your desired workflows.
For example, a call about accounting fraud is a high-priority matter that should go directly to the CFO, general counsel, compliance officer, and possibly even the audit committee chairman. So create temporary email addresses for those roles, and then see whether an incident logged as accounting fraud does reach those destination email addresses as intended.
Ideally, you should run this test for every type of incident you want to track: accounting fraud, FCPA trouble, sexual harassment, fair labor standards, and so forth. The content of the actual complaint is irrelevant at this point. You only want to confirm that the automatic assignment and forwarding of complaints works as intended; and that complaints are also logged correctly so you can perform data analytics by category type, date received, country of origin, and so forth. (Which means that you should submit multiple reports per category, to achieve enough critical mass to confirm that, yep, the data logs are working.)
Then, our QA guru said, you or your vendor can delete those test records so they won’t count in future reports and analytics.
Test Hotline Calls Themselves
Another line of discussion was about how employees will use the hotline on a daily basis. This is especially important for global businesses because you’re going to have employees calling in different countries around the world, which means you need a reporting hotline that can overcome the language barrier.
So for starters, have volunteers around the world test the hotline by calling their local hotline number to submit a predetermined complaint. You want to see if they can reach a hotline call center rep without any difficulty; and when that rep does answer the phone, he or she can speak whatever language the employee is using.
- Does the phone number actually work?
- Can the call center rep speak fluently in whatever language the employee is using?
- Is the allegation recorded correctly?
- Does the call center rep follow any other triaging procedures you might have?
I know one compliance officer from Britain who tested his hotline provider by having staff place seven calls to the hotline — including one he placed himself, in broken French. In theory, all seven of those reports should have gone to the CCO directly. Only two reached him with all the information the volunteers had provided on their test calls. The call he made himself was not among them.
One point raised in the chat boards was the importance of “out of country” language tests for regions such as Europe, Africa, or Southeast Asia, where multiple small countries are in close proximity to each other. It wouldn’t be unusual for a German employee to call a French hotline number, or a Vietnamese employee to call a number for the Philippines. Your hotline vendor would need to anticipate that possibility.
Yet another tip: test your vendor with calls that mention the primary hotline contacts themselves, to see whether the complaint is then routed to someone else at your company.
For example, if an allegation of invoicing fraud would typically go to the head of internal audit, test your vendor with a complaint about invoicing fraud that names your head of internal audit as a suspect. Assuming your workflows have been designed properly, with backup recipients named for just such a scenario, then your vendor should send that complaint to the backup investigator (say, the general counsel).
And for whatever it’s worth, one of the first Radical Compliance posts ever (from February 2016!) was an exploration of whistleblower hotline statistics you might want to track about retaliation. Possible companion reading after you get your hotline tested, implemented, and running strong.