Whistleblower Best Practices: What Do Compliance and Business Leaders Need to Know?

© 2015 Baker & McKenzie LLP GOOD. SMART. BUSINESS. PROFIT. TM

Upload: ethisphere

Post on 17-Aug-2015

TRANSCRIPT

Page 1: Whistleblower Best Practices: What Do Compliance and Business Leaders Need to Know?

Whistleblower Best Practices: What Do Compliance and Business Leaders Need to Know?

May 15, 2015

HOST

Chelsie Chmela, Global Events [email protected]

QUESTIONS

We encourage you to engage during the Q&A portion of today’s webcast by using the chat function located within your viewing experience.

RECORDING

The event recording and PowerPoint presentation will be provided post event.

SPEAKING TODAY

Greg Radinsky, Vice President & Chief Corporate Compliance Officer, North Shore-LIJ Health System

Cynthia Jackson, Partner, Baker & McKenzie, Palo Alto, CA

Joan Meyer, Partner, Chair of Compliance & Investigations Practice Group, Baker & McKenzie, Washington, DC

Baker & McKenzie LLP is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm.

Greg Radinsky, Vice President & Chief Corporate Compliance Officer, North Shore-LIJ Health System

Cynthia Jackson, Partner, Baker & McKenzie, Palo Alto, CA

Joan Meyer, Partner, Chair of Compliance & Investigations Practice Group, Baker & McKenzie, Washington, DC

May 15, 2014

Whistleblower Best Practices: What Do Compliance and Business Leaders Need to Know?

Agenda

‒ Key Themes

‒ U.S. Government Expectations on Whistleblower Programs

‒ Building an Effective Whistleblower Program at Your Company

‒ Whistleblower Programs in Global Context: Local Law Challenges

‒ Questions

Key Themes

‒ The goal of an effective whistleblower program is to promptly uncover misconduct within a company in order to remediate unethical or illegal conduct

‒ Enforcement of whistleblower program requirements is driven by anti-corruption laws and laws designed to prevent and detect corporate fraud

‒ An effective whistleblower program encourages individuals with knowledge of potential wrongdoing to report it to those within a company in a position to address the conduct

‒ Anonymity and confidentiality are key considerations, though these principles conflict with laws in a number of countries

‒ An effective whistleblower program must be accompanied by a robust investigations procedure

U.S. Government Expectations on Whistleblower Programs

Overview

‒ An effective whistleblower program is a key component of an effective compliance program that, when successfully implemented, allows a company to:
  ‒ Quickly uncover possible misconduct
  ‒ Immediately suspend any potential or actual criminal activity
  ‒ Discipline and, if necessary, remove from its employ individuals who have engaged in, or otherwise condoned, criminal activity or other unethical conduct
  ‒ Ensure its compliance training addresses those areas where the risk of misconduct is high
  ‒ Enhance its compliance program to better address such high-risk areas

FCPA and Whistleblower Programs

‒ The U.S. Department of Justice (“DOJ”) and U.S. Securities and Exchange Commission (“SEC”) joint 2012 Resource Guide to the U.S. Foreign Corrupt Practices Act (“FCPA Resource Guide”) includes confidential reporting and internal investigations as a “hallmark” of an “effective compliance program”

‒ The DOJ and SEC recommend the following practices:
  ‒ Consider implementing “anonymous hotlines or ombudsmen”
  ‒ Upon receipt of an allegation “companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken”
  ‒ Companies should “consider taking ‘lessons learned’ from any reported violations and the outcome of any resulting investigation to update their internal controls and compliance program and focus future training on such issues, as appropriate”

U.S. Sentencing Guidelines

‒ The FCPA Resource Guide’s recommendations reflect the U.S. Sentencing Guidelines which reward companies that respond quickly to allegations of misconduct and modify their programs as needed

‒ In particular, the Sentencing Guidelines advise that
  ‒ “[A]fter criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program”
  ‒ Companies should take “appropriate disciplinary measures” against individuals engaging in criminal conduct

Whistleblower Programs and Corporate Fraud Statutes

‒ In addition to global compliance program expectations, in which an effective whistleblower program is a standard component, corporate fraud statutes provide certain minimum operational standards for these programs and mandate protections for individuals making reports through a whistleblower program

‒ These protections may come into conflict with the data privacy and protection laws and regulations of some countries

Sarbanes Oxley Whistleblower Program

‒ Corporate and Criminal Fraud Accountability Act of 2002 (“Sarbanes Oxley”)
  ‒ Enacted following the corporate accounting fraud scandals in early 2000s
  ‒ As a result of the treatment whistleblowers in these scandals received, the law includes minimum standards for whistleblower programs and protections for whistleblowers
  ‒ Requires publicly traded companies to create internal and independent “audit committees” which are then required to establish procedures for employees to file internal whistleblower complaints and procedures that protect the confidentiality of employees who report alleged misconduct
  ‒ Prohibits retaliation against whistleblowers who provide truthful information to a law enforcement officer about the commission or possible commission of any federal offense

Dodd-Frank Whistleblower Incentives

‒ Enacted in 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) builds on the Sarbanes Oxley whistleblower requirements and allows whistleblowers who provide the SEC with original information about securities violations to obtain between 10% and 30% of any monetary sanctions in excess of $1 million recovered against a company
  ‒ Reports may be anonymous
  ‒ Does not require internal reporting prior to going to the SEC
  ‒ Includes anti-retaliation protections for whistleblowers who report possible securities laws violations
  ‒ Also prohibits actions that impede whistleblower communications with the SEC including “enforcing, or threatening to enforce, a confidentiality agreement” with respect to such communications

Effective Whistleblower Programs: Elements

‒ Building an effective whistleblower program involves:
  ‒ Ensuring your standards of conduct are published, widely disseminated, and the subject of regular training
  ‒ Building the reporting structure and apparatus
  ‒ Developing intake and screening protocols
  ‒ Communicating and training personnel on the program
  ‒ Establishing monitoring and auditing procedures to continually assess the program’s performance
  ‒ Creating a culture of trust in which voluntary, good faith reports are encouraged

Ensure Code of Conduct and Related Policies and Procedures are in Place

‒ A Code of Conduct, its related policies, and supporting procedures are the foundation of a whistleblower program as they establish the standards of conduct that govern employee behavior
  ‒ Companies should require good faith reports of possible violations of:
    o The Code of Conduct
    o Company policies and procedures
    o Applicable laws and regulations
  ‒ The opportunity to report should be open to officers, directors, employees and any third parties, including customers, with knowledge of potential wrongdoing
  ‒ Key policies such as the anti-corruption policy should include an obligation to report potential violations of said policy and set forth all whistleblower reporting channels

Build the Reporting Process Structure

‒ An effective whistleblower program will provide multiple means of reporting potential misconduct, such as e-mail; telephone; ground mail; fax; and Internet or website links

‒ These should be checked, and reports processed, on a daily basis

‒ If possible, the telephone should be staffed (a number of reputable vendors offer such services)

‒ Each report should be logged and tracked, and promptly addressed in accordance with investigation procedures

‒ It is important that technology and staff are able to receive reports in multiple languages (e.g., the primary countries of operation for the company)

‒ A best practice is to designate at least one compliance professional within the company to serve as a dedicated manager of the whistleblower reporting program

Establish a Process for Screening Reports

‒ Reports should be received directly by the lead compliance professional; Compliance department should classify concerns and allegations according to their risk level

‒ High-risk allegations should be given priority:
  ‒ Corruption (kickbacks and other corruption-related fraud and crimes) and money laundering
  ‒ Release of proprietary information
  ‒ Cyber intrusions and other computer network crimes
  ‒ Financial crimes perpetrated against the company by third parties
  ‒ Financial crimes against the company committed by company employees
  ‒ Misconduct involving company directors, officers, or senior management

‒ Reports should then be submitted to the appropriate company department for conducting inquiry or investigation (e.g., HR, Internal Audit, Legal)

‒ Keep documentation for all follow up on reports, including explanations as to why follow up was not necessary in some cases

Training on Program and Related Processes

‒ All employees should receive training on how to submit reports using the whistleblower hotline, the company’s process for responding to such reports, and how the company manages the whistleblower program

‒ Business partners and other third parties should be included in the whistleblower training if possible

‒ Have in place a forceful non-retaliation policy that accompanies your whistleblower reporting program and ensure that all company personnel receive training on it

‒ Specialized training should be provided to managers and supervisors on how to respond to whistleblower complaints, including how to prevent retaliation and how to identify and respond to any attempts at harassment or retaliation targeted at a perceived or known whistleblower

Conduct Awareness Campaign

‒ Raise awareness of the whistleblowing program and related procedures through an internal awareness campaign utilizing company-wide communications such as emails, videos, and banners

‒ Post public notices providing whistleblower reporting mechanisms

‒ Prominently display the whistleblower hotline information on the company’s external website and on Intranet

‒ Include a statement on the whistleblower program and contact information prominently in the Code of Conduct

‒ Include the whistleblower program information in contracts with business partners and other third parties

Monitor Program’s Performance

‒ Track and regularly review statistics on the program in order to monitor its effectiveness and identify compliance program enhancement needs

‒ Recommended tracking statistics:
  ‒ Number of matters opened on an annual basis and/or monthly (misconduct categories; outcome)
  ‒ Average length of time matters remain outstanding

‒ Test and audit the reporting system to make sure it works; continuously improve the system based on findings (e.g., additional training or enhancements to compliance policies)

‒ Regularly, at least annually, report to the board of directors and/or audit committee on audit findings and subsequent enhancements to the program

Encourage Voluntary Reporting

‒ Encourage whistleblowers to report internally and early
  ‒ Make sure that reporting is easy and user-friendly, but secure and confidential; limit access to reported information
  ‒ Various alternative reporting channels should be available
  ‒ Consider incentives for whistleblowers who come forward
  ‒ Promptly respond to credible allegations
  ‒ When possible, return to the impacted parties with the results of the inquiry and thank whistleblowers for utilizing the company reporting channels
  ‒ Discreetly check in with individuals making allegations and individuals involved in allegations, if appropriate, and monitor compliance with company policies to ensure no retaliation has occurred

Building an Effective Whistleblower Program at Your Company

What is a Healthy Compliance Hotline Trend?

[Chart: values by year, 2008 to 2014, on a vertical axis from 0 to 1200; plotted data not recoverable]

Important Related Hotline Policies

Hotline Policy

Whistleblower Policy

Investigatory Policy

Non-Intimidation and Non-Retaliation Policy

Disciplinary Policy

Code of Conduct

What All Companies Can Learn from the Health Care Industry and Non-Profit Law

Non-Intimidation and Non-Retaliation Policy

Annual Notification to Employees and Vendors

Volume Matters

Speed Matters

Board Oversight Matters

Training and Awareness Matters

Survey/Audit/Test Functions

Sample Hotline Awareness Cartoon

Whistleblower Programs in Global Context: Local Law Challenges

Global Codes Of Conduct

‒ U.S. drive for complete reporting of any and all wrongdoing, safety of anonymity and abhorrence for destruction of documents/obstruction of justice; at-will employment

vs.

‒ EU drive for data privacy, fear of malicious and anonymous reporting, desire for prompt destruction of outdated or unfounded documentation and more restrictive labor and employment laws

Global Roll-Outs

Needs to satisfy:

‒ U.S. compliance obligations

‒ Not offend local laws

‒ Satisfy local employment requirements and procedures

‒ Satisfy local data privacy laws

Data Privacy Art. 29 Working Party – Hotlines

1. Anonymity cannot be preferred reporting method (promote “confidential” reporting)

2. Limited to accounting, internal accounting controls, audit matters, anti-bribery, banking, securities, and financial crimes (business transparency) “vital interests” and “moral integrity”

3. Data collected and processed must be “proportionate” to purpose

And More Guidelines…

4. Separate from other personal data

5. “Substantiated reporting” deleted within 2 months after investigation, proceeding or disciplinary action

6. “Unsubstantiated reports” deleted immediately – caveat: US obstruction of justice

7. Incriminated person must be informed as soon as practicable

8. Data privacy compliant

Other Reporting Divergences

Austria – prefers local hotline

Belgium – only matters that cannot be handled in Belgium: case-by-case

France – hotline cannot be extended to non-employees; employee reports limited to financial, accounting, banking, corruption, anti-trust, discrimination, harassment, workplace health, hygiene and safety and environmental protection

India – prefers issued by Indian entity

Netherlands – only matters that are substantial abuses that exceed the national level of the company: case-by-case law

Portugal – forbids anonymity

Russia – difficulty with non-Russian legal references or Codes issued by non-Russian entity

Spain – forbids anonymity

Sweden – hotline reports limited to managers and above

Switzerland – prefers local hotline

Data Privacy Considerations Checklist

‒ Is the whistleblower program data privacy compliant

‒ Are employee notices or consents required and, if yes, when and where
  ‒ Is labor consultation required
  ‒ Have governmental filings, addressing both inbound and outbound countries, been completed
  ‒ Are the Code of Conduct and its associated policies (internal regulations/work rules) required to give the Code disciplinary “teeth”

‒ Is email monitoring permitted
  ‒ Do IT security policies address monitoring issues
  ‒ Are personal use restrictions required
  ‒ Have necessary labor consultations occurred
  ‒ Are any government filings necessary

‒ When developing document retention and access policies be sure to address deletion and archiving requirements

Lost in Translation

‒ Provisions That Don’t Translate
  ‒ Malfeasance v. Non-Feasance
  ‒ Monitoring and Surveillance / Use of Company Property
  ‒ “Cause”
  ‒ Discrimination and Harassment in Muslim Countries
  ‒ Export Controls and Anti-boycott laws
  ‒ Not a Contract
  ‒ Reporting of Suspected Violations

The Global Code Burger

Internal Regulations

Works Councils / Consultation / Acknowledgment

Data Privacy

The Code

Baker & McKenzie - Additional Resources

Follow ongoing developments in global anti-corruption enforcement and compliance via:

http://globalcompliancenews.com/

Baker & McKenzie’s “Inside the FCPA” Newsletter http://www.bakermckenzie.com/insidethefcpa/

Thank you! Questions?

Our Presenters and Contact Information

Greg Radinsky, Vice President & Chief Corporate Compliance Officer, North Shore - LIJ Health System

Tel: +1 516 465 8327

[email protected]

Cynthia Jackson, Partner, Baker & McKenzie, Palo Alto, CA

Tel: +1 650 856 5572

[email protected]

Joan Meyer, Partner, Chair of Compliance & Investigations Practice Group, Baker & McKenzie, Washington, DC

Tel: +1 202 835 6119

[email protected]

This webcast and all future Ethisphere webcasts are available complimentary and on demand for BELA members. BELA members are also offered complimentary registration to Ethisphere’s Global Ethics Summit and other Summits around the world.

For more information on BELA contact:

Laara van Loben Sels, Senior Director, Engagement [email protected]

Business Ethics Leadership Alliance (BELA)

PLEASE JOIN US FOR

Building on the Foundation of Ethics and Compliance to Achieve Sustainability

Wednesday, May 27 at 1:00 p.m. ET

All upcoming Ethisphere events can be found at: http://ethisphere.com/events/

www.latinamericaethicssummit.com

Early Bird Pricing Ends May 22!

15% off Discount Code: WEBCAST15

THANK YOU