PwC advice on addressing the SEC whistleblower rules
PwC has very graciously allowed me to share with you a copy of their report on this topic. I have included it in the files I share.
As PwC suggests, this is a fine time to review the organization’s internal processes for handling complaints. They address the following areas, with suggestions for each:
- Review internal reporting mechanisms and nonretaliation policies
These policies should define expectations specific to employees and relevant third parties such as customers, contractors, suppliers, and agents.
- Ensure internal processes to investigate and resolve issues are robust
Under the new rules, individuals considering making a whistleblower claim externally have 120 days to do so (120-day “look back” provision). If individuals believe that the company will investigate issues quickly, they may be more inclined to report internally first, while retaining the right to go to the SEC in the event they are not completely satisfied — in essence, giving the company a chance to address the issue first.
Companies should focus communication efforts on the benefits of internal reporting. However, actions speak louder than words. As such, the burden will rest on the company to ensure that issues reported internally will in fact be investigated and resolved well within the 120-day time frame. People reporting issues are likely to run out of patience quickly if they believe their concerns are not being taken seriously or addressed in a timely manner.
- Revisit communications and training on your internal reporting and non-retaliation policies and processes
As with any new or updated policy, companies need to make sure that employees and other relevant parties are consistently informed of company expectations and their own individual rights and obligations. Frequent reminders and reinforcement through varied communication channels will help to get the message out.
- Review your compliance confirmation process
This process serves as an additional opportunity to reinforce the message on the company’s ethics and compliance related expectations and supporting resources. However, it’s important to recognize that the code compliance confirmation process may leave the company exposed to situations in which an individual confirms observing or reporting misconduct but with insufficient information for management to determine whether, in fact, the matter was properly addressed.
- Ensure you have validation procedures to confirm that the operational aspects of the ethics and compliance program are working effectively
Certainly the best defense against any external whistleblower claim and the resulting government investigation is prevention of the misconduct in the first place, or early detection and mitigation. Although effective compliance and ethics programs can help to prevent misconduct, the 2011 Compliance Week State of Compliance Study confirms that companies have difficulty measuring the effectiveness of their programs and many do not evaluate their programs at all. Further evidence that routine monitoring is a challenge for companies came in a recent ECOA survey, which found that only 12% felt they did a good job. Although the new whistleblower provisions themselves do not add requirements to evaluate ethics and compliance program effectiveness, it is advisable to check that your overall ethics and compliance program is designed and operating effectively and that relevant information is being appropriately communicated up and down. The best defences against an external whistleblower claim and the possible resulting government investigation is prevention of the misconduct in the first place, or early detection and mitigation — the roles that ethics and compliance programs are intended to perform.
Specifically, focus should be placed on designing and implementing performance metrics that allow you to monitor your ethics and compliance performance. It may also be a good time to review technology options to refine or create effective, integrated dashboards for greater insight into available data.
PwC closes very effectively with this:
SEC whistleblower rules should already be embedded in an ethics and compliance program that follows leading practices. Fundamentally, the best solution to the recent whistleblower rule changes is a healthy corporate culture where employees readily speak up to report concerns, and operating procedures that both sustain this culture and properly deal with issues.
What would you add? Do you think enough is made of the culture issue in the last paragraph?