Lessons in Whistleblower Protection
One last dispatch from the HCCA conference this week: I dropped into a discussion led by a whistleblower, who discovered a $2 million embezzlement fraud while working as a university professor. Her story was gripping and vivid — and raised several powerful points about how people, compliance functions, and large enterprises should all work together.
The whistleblower was Amy Joy, who ran a federally funded anti-hunger program for the University of California-Davis in the 1990s and 2000s. By 2006, Joy’s program received $14 million in federal funds annually, serving more than 150,000 families across California. Then she discovered the embezzlement.
Joy has written several books about her experience, so I won’t steal all her thunder here. Suffice to say: Joy first discovered that a trusted administrative assistant had been embezzling money from the program to buy electronics equipment and then sell that gear on eBay. When the feds finally raided the admin’s home later that year, they found $160,000 worth of goods in her garage. The admin did this by submitting false records for travel reimbursement.
It gets worse. Joy approached her department head to alert him about the admin’s fraud, and eventually approached the dean as well. They both turned their fire back on Joy, saying she had been the fraudster — because the department head, the dean, and others were all committing their own misappropriation of funds at the same time.
So the admin was embezzling some funds, to run a side business selling goods on eBay. She had her false records approved by Joy’s supervisors, and they had the admin forge Joy’s signature so they could embezzle funds to buy luxurious office equipment. Multiple fraudsters, supporting each other, with Joy in the middle.
Eventually Joy connected to the UC-Davis internal audit team. That led to a federal investigation, criminal charges, news reports in the media, and so forth. The admin served a prison sentence. Joy won a whistleblower award, and now speaks at compliance events talking about her lessons learned.
So let’s consider those lessons, and how your organization can put them to good use.
She Didn’t Know About Compliance
Joy minces no words how she mishandled her embezzlement suspicions. Rather than approach someone in the university administration with her concerns, she approached her managers on the academic side. “That was my mistake,” she said. “At the time, I didn’t know anything about compliance.”
We can’t blame Joy for that mistake. This misconduct happened in 2006, when whistleblower programs were far less developed and embedded into corporate culture than they are today. The obstacles in front of her then were symptomatic of the time.
Regardless, her point is still worth considering today because it’s so important: employees should always know that they can raise misconduct concerns to the compliance or audit function. So compliance officers need to keep hammering away at that message, ad nauseam.
I fear that sometimes compliance professionals lose sight of that priority, because we live and breathe compliance practices every day. What might seem natural to us — and to other senior managers who support good business conduct — isn’t natural to lower-level employees.
We need to deliver constant messaging to employees that the compliance program and whistleblower hotline are there to help them; and then follow up with regular surveys to see how well employees actually hear and understand that message.
That said — I’m not entirely comfortable with Joy’s implication that one should never report misconduct up the management chain of command, either. In her particular circumstance, that might have been the best move. But compliance officers do themselves no favors by telling employees “you should always report to compliance” because that ends up pitting compliance against management. Management can often be a wealth of information about possible misconduct.
The ideal arrangement is where the compliance function is a highly visible, always available complement to management — but not a rival to management. The message to employees should be something like, “Always feel free to start by bringing concerns to your manager. But if that seems not to work, or the manager is the problem, then call us on the hotline any time, and we’ll be here for you.”
Policies and Procedures for Mid-Level Execs
My ideal scenario above only works when managers take internal reports of misconduct seriously. That brings up another point about whistleblower programs and a speak-up culture: the compliance program needs to develop policies and procedures for mid-level managers so they’re compelled to take allegations seriously.
For example, organizations should have clear policy for middle managers: when an employee raises allegations of financial fraud, bring that allegation to internal auditor compliance immediately; if you don’t, and we later discover that you knew about the allegation and kept quiet, you’re fired. Meanwhile, organizations should plaster the employee break room with signs telling them: if you suspect fraud and fear talking to your manager, call our hotline.
That doubled-barreled strategy of whistleblower tools available to employees, coupled with mandatory reporting policies for middle managers — that’s what compliance officers need to develop. That’s what gives you much more assurance that when employees suspect something is amiss, the matter will reach your radar screen quickly.
Either managers will rely the allegation to you, or employees will use the hotline as a back channel. Regardless, you get word of the allegation, which is what you want. Then compliance can work closely with managers to address the specific issue, and to foster a more ethical culture generally. (I’ve written previously about how Texas Health Resources does this with harassment issues. The approach is brilliant, because it can work with any form of misconduct.)
Again, in Joy’s particular case, strong policy for middle managers might not have helped, because her managers were committing misconduct, too. That happens. Hence it’s so important to use both approaches: policy for managers, plus lots of outreach for employees. One won’t work well without the other.