Compliance Programs and Leaks

This week I’m in Portugal at the Society of Corporate Compliance & Ethics’ annual European conference, where I attended an excellent discussion on the ethics and compliance challenges of employees leaking confidential matters outside the business. So in the spirit of leaks, I took lots of notes and now pass them along to you.

Compliance officers need to think about leaks along two dimensions. First is the practical headache of how leaks might complicate (or even ruin) an ongoing investigation. To combat that threat, you need to consider steps such as encryption and data access controls, monitoring systems that log who accesses which data and when, and non-disclosure agreements to help focus the employee mind on the need to keep quiet.

OK, that’s all great, and we can return to those tips later. I was more intrigued by the other way compliance officers need to think about leaks — as a reflection of a dysfunctional corporate culture. 

More precisely: if employees believe your organization has a strong culture of integrity, you’ll have fewer leaks. If they don’t believe that, you’ll have more.

One recent example of this is Facebook, which fired 20 employees for leaking gossip about the company to the media. That kerfuffle began when employees started leaking to the media about CEO Mark Zuckerberg’s decision to dump diversity and fact-checking efforts at Facebook and to inject more “masculine energy” into the business — decisions that were not popular with a significant number of Facebook employees. Management then warned employees to stop leaking, and of course employees immediately leaked that too. Now the company has fired the 20 leakers and “we expect there will be more,” spokesmen readily say.

Does that sound like a healthy culture with strong employee support to you? Or does it sound like beatings will continue until morale improves? 

Leaks as Reflection of Speakup Culture

Snicker about the leaks from Facebook if you want (lord knows I did), but mind the bigger picture here. When management tells employees not to leak something, and those employees then (a) leak the thing itself; and (b) leak that management told them not to leak — that’s the sign of a deeply dysfunctional corporate culture. It’s a sign that employees do not trust management to do the right thing, so they are taking matters into their own hands. 

Well, we’ve said many times before in these pages that a corporate culture riddled with distrust is one with a deeply flawed speakup culture. So if you want to create an environment where employees don’t leak sensitive information, start by cultivating a corporate culture based on trust, where employees don’t feel the need to take sensitive information or allegations outside the organization.

Your internal hotline system is critical to all this, because the hotline is supposed to be an outlet for employees to report their concerns and frustrations. They suspect some wrongdoing at the business and want it addressed, so they call the hotline — expecting that management will act on their report. 

If you have an effective hotline system, where employees “feel heard,” they will feel like they and the company are on the same side and in pursuit of the same goal: to get the allegation resolved and do the right thing. Conversely, if your hotline is terrible and employees don’t feel heard, they’ll come to believe that management doesn’t care about them or their issue, and they’re more likely to leak.

None of this is to say that a strong internal reporting culture will prevent all leaks. It won’t. Rather, a strong internal reporting culture — one rooted in trust, where employees believe that management is on their side — serves as a prophylactic measure, to reduce the number of leaks you suffer. You’ll never win the battle against leaks without that strong culture.

Practical Tips to Fight Leaks

Now back to those practical tips to fight leaks, which are also important steps to take. 

First, you can implement some technical measures to keep investigation files and other confidential data secure. For example, you can encrypt all such data, so that any unauthorized people who somehow come into possession of the data can’t read it. You can employ strict access controls to keep unauthorized people away from confidential files or systems. (My favorite such control: an automated alert to senior investigators whenever someone tries to access files from an unusual location, akin to fraud alerts that get triggered when you try to access your bank account from another country.) You can keep detailed logs of who accessed what information at what time, in case you need to match access records to sudden leaks. 
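The unusual-location alert and the access-log matching described above, sketched as an added example (not from the conference session or any product). The log format, user names, file paths and the use of a source-country code as the location signal are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log for investigation files (not real data).
# Assumed format: ISO timestamp, user, country of source IP, file path.
ACCESS_LOG = """\
2025-03-03T09:12:00 investigator_a PT case-1042/interview-notes.docx
2025-03-03T14:40:00 hr_staffer_b PT case-1042/summary.pdf
2025-03-04T10:05:00 investigator_a PT case-1042/summary.pdf
2025-03-05T23:51:00 hr_staffer_b BR case-1042/summary.pdf
2025-03-06T08:30:00 investigator_a PT case-1042/interview-notes.docx
2025-03-06T11:02:00 new_analyst_c PT case-1042/summary.pdf
"""

def parse(log_text):
    """Turn log lines into event dicts, ordered by time."""
    events = []
    for line in log_text.splitlines():
        ts, user, country, path = line.split(maxsplit=3)
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "country": country, "file": path})
    return sorted(events, key=lambda e: e["time"])

def unusual_location_alerts(events, min_history=1):
    """Flag an access from a country the user has not used before.
    A user's first accesses only build the baseline, so a new joiner
    does not trigger an alert just for having no history."""
    seen = defaultdict(set)
    alerts = []
    for e in events:
        known = seen[e["user"]]
        if len(known) >= min_history and e["country"] not in known:
            alerts.append(e)
        known.add(e["country"])
    return alerts

def accessors_before(events, path, leak_time, window_days=7):
    """Who opened `path` in the window before a leak surfaced?"""
    start = leak_time - timedelta(days=window_days)
    return sorted({e["user"] for e in events
                   if e["file"] == path and start <= e["time"] <= leak_time})

if __name__ == "__main__":
    events = parse(ACCESS_LOG)
    for a in unusual_location_alerts(events):
        print("ALERT:", a["time"], a["user"], a["country"], a["file"])
    leak = datetime(2025, 3, 6, 9, 0)
    print(accessors_before(events, "case-1042/summary.pdf", leak))
```

The second function only narrows the list of people with access before the leak; it does not identify who leaked.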

Second, consider weaknesses in your investigation processes that might drive an employee to leak. For example, the longer an investigation takes, the more likely it is that the employee who first raised the matter might leak. Why? Because he or she believes nothing is happening, so the employee decides to take matters into their own hands and leak. So be sure that your investigation process includes lots of communication to that reporting employee, even if that communication is only a simple, “This takes time and we’re still working on it, but we haven’t forgotten you.” If you simply leave employees to wonder what’s going on, they are more likely to distrust the process (there’s that phrase again!) and leak.

Training and policy attestations are other processes that can be refined to quell leaks. All employees should receive at least some training on keeping confidential matters secret; but managers and others with more access to confidential data (lookin’ at you, HR staffers) should receive more training. And when investigations do arise, having employees sign non-disclosure agreements is a wonderful way to remind them that they do have a legal duty to keep quiet. 

Lastly, consider one important communications angle: the very phrase “leak” can be a loaded term, and you should strive to avoid the freighted connotations it carries. 

That is, “leak” carries a sense of secrecy and betrayal; it’s an act the employee should avoid. That’s all true, but ethics and compliance teams would be better served by stressing the importance of confidentiality to protect the integrity of an investigation. You, the compliance or investigation team, are trying to achieve an important end — the correct resolution to some allegation of misconduct — and keeping matters confidential serves that ethical goal.

Of course, that only works if the employee believes the company is trying to do the right thing; it only works if you have a culture of trust. Funny how things keep coming back to that fundamental point, isn’t it? 

(Thank you to Ann Sultan, partner at Miller & Chevalier, and Ian Moolman, ethics leader at Emirates Global Aluminum, for leading a great session on this subject at the SCCE conference!)