Six Key Elements of an Effective Hotline
Before implementing or modifying a hotline, examine these key elements to make sure your organization not only complies with federal statutes, but also provides an effective mechanism for detecting fraud.
There are more than 60 federal statutes, including the U.S. Sarbanes-Oxley Act of 2002, supporting or requiring a methodology for anonymous reporting and whistleblower protections. Against this regulatory backdrop, and further bolstered by Federal Sentencing Guidelines, ethics and compliance hotlines have become key components of enterprise risk management and a form of self-assessment because employees are reporting on and helping to evaluate an organization's culture. Studies such as the Association of Certified Fraud Examiners' 2006 Report to the Nation on Occupational Fraud and Abuse have indicated that hotlines are the most prevalent method of detecting fraud, and by extrapolation, other risk events that may impede an organization's strategic objectives.
Hotlines should not be viewed as simply a whistleblowing mechanism, but rather a means to identify and resolve sensitive issues, encourage compliance across multiple disciplines, and minimize financial, legal, and reputational risk. Today’s hotlines must provide a methodology for reports to be triaged and managed toward resolution in a manner that can be measured and audited. The following six key elements have emerged from organizations that use hotline systems as an indicator of the organization's health and as a catalyst to strengthen their cultural underpinnings.
1. ASSESS AND TAILOR YOUR HOTLINE TO MEET YOUR ORGANIZATION'S INHERENT RISK FACTORS AND CULTURAL MAKEUP
Each organization is unique in its risk assessment and risk response strategies. Hotlines must be tailored accordingly. An example includes tailoring hotline incident categories to meet company-specific risk factors head-on. Multiple intake methods, including telephone- and Web-based reporting, should be provided to best match stakeholder communication preferences. Companies with global operations should consider localizing hotline communication into local languages and must take into account international data privacy standards.
2. PLAN FOR ORGANIZATIONAL READINESS
Before rushing to implement a hotline, spend time in the planning phase to lay the groundwork for a successful system. It is essential to create an environment where employees, vendors, and customers understand the organization's commitment to ethics and compliance and are knowledgeable about the guidelines established for the way the organization does business. Awareness of the hotline must be established, and a culture of transparency encouraged, from the top down. Many organizations implement ongoing, multifaceted communications programs that not only introduce the hotline, but also position it within an overall program of compliance, ethics, and risk management.
Organizational readiness also means being prepared to handle hotline reports. For instance, who will review the reports and who will investigate? The ability to immediately assign reports based on skills or roles will eliminate bottlenecks and allow reports to be reviewed faster. Also consider how management is involved and determine the process for the escalation of issues.
3. PROVIDE FAST AND EFFECTIVE RESOLUTION FOR HOTLINE CALLS
Because a trusted hotline supports the tone at the top and a company's open-door policy, make sure the reporting system encompasses a wide range of risk and violation categories so that stakeholders don't feel as if management only wants to hear about a narrow set of issues. It also is critical to be able to handle complex issues that touch on multiple categories. For example, a suspected case of embezzlement could include the threat of violence and drug use. The ability to handle complex issues reinforces to stakeholders and those charged with review and resolution that the hotline is more than a "check-the-box" system; it is also an important resource that can handle the complexities of the real world.
Furthermore, it is critical to follow up immediately with hotline users, even those who've chosen to remain anonymous. Giving acknowledgement of receipt and updates on progress and resolution are instrumental in reinforcing the organization's commitment to transparency. An effective reporting system facilitates such interaction and makes it easy to probe for more information while maintaining anonymity and confidentiality (e.g., through the use of unique report password protections). This gives the organization better insight into the issue being raised and also can help identify frivolous or unsubstantiated reports.
4. IMMEDIATELY ASSESS AND RESOLVE ISSUES THAT ARE RAISED
This is where the rubber meets the road. Assuming you've laid the groundwork, your organization now should be prepared to handle reports. During report intake, make sure that issues are categorized correctly and that sufficient information is gathered using collaborative interviewing and data-gathering techniques. Assign issues for assessment to the right personnel using automatic assignments predetermined by the organization, when possible, to eliminate bottlenecks. Prepare for and know how to select the appropriate analysis approach, such as internal analysis, special investigations sometimes involving external agencies like the Securities and Exchange Commission, or external investigations.
5. PERIODICALLY ASSESS AND REVIEW ALL REPORTS TO IDENTIFY "HOT SPOTS" OR NEW RISK AREAS
The hotline reporting environment should provide the statistics and analytics needed to understand more about the patterns of behavior and establish benchmarks for trending and review. This review should look for breakdowns of internal controls, geographical or departmental "hot spots," the need for additional training, or the need to adjust policy. This should include information received from hotline reports, in addition to information obtained through an organization's open-door policy or through performance reviews, internal audits, or investigations. All of this data should be warehoused in a central location that can be reviewed to formulate an overall risk assessment review. This evolving data source then should be used to create a primary risk summary or as an ongoing comparison against the organization's established risk profile.
Additionally, tracking the outcome and post-corrective action for each incident provides the ability to review these actions so that your pending corrective actions are balanced and appropriate. This is critical when demonstrating that a system provides consistent and fair treatment for all types of reports. With the recent changes in the Federal Sentencing Guidelines, the ability to track resolution activity and steps taken to prevent future similar misconduct has never been more important.
6. REVIEW AND IMPROVE THE PROCESS
Adopting the motto "what gets measured gets done" can help organizations remain focused on reviewing and improving the hotline process. Create a schedule for reviewing how the hotline is working, especially regarding communication, operational efficacy, and cultural assessment. Reviewing the process will help determine whether or not there is a need for additional training or new or updated policies within the organization.
IN THE END
Today's ethics and compliance incident awareness and hotline reporting systems should be much more than check-the-box solutions. Integrated Web- and telephony-based systems, coupled with powerful incident management and analytic tools, are proving instrumental in helping organizations manage enterprise risk. Fortunately, many organizations are already well down this road, reaping the benefits of consistent risk management, improved operational performance, reduced operational surprises, and transparent cultures.
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org
All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.