The missing link in whistleblower programs – the escalation protocols


In the world of corporate compliance, companies around the world are particularly focused on their whistleblower programs.  It is beyond best practices to have an effective whistleblower hotline, including anonymous reporting (where permitted), non-retaliation pledges, robust investigation and remediation, and plenty of training and awareness campaigns.  Companies are spending significant resources analyzing their hotline data, looking for trends and putting in place risk mitigation strategies.  But recent experience says that many companies are missing a vital part of their whistleblower program – escalation protocols.

Escalation protocols are the rules or guidelines for how to handle a complaint once it’s been lodged – whether through the hotline, in an email to a board member, or orally from a vendor to an employee.  What happens next?  Who gets notice, when and how?  How is it investigated and by whom?  How and when does the attorney-client or some other privilege attach?  How do you communicate with the reporter and what do you say?  These are all important questions that, if answered incorrectly, could lead to significant regulatory, civil and in some circumstances criminal risk.  Yet they are questions easily answered by referring to a fixed set of escalation protocols.

Escalation protocols should include the following, at a minimum:

  • Intake, notice and assignment – The first protocol should deal with the intake of the complaint, who gets notice of the complaint, and which department will be responsible for its investigation.  The majority of complaints will be received directly via the hotline, but directors, officers, vendors and employees who receive complaints should be instructed to immediately enter them into the hotline system.  The hotline system then should immediately notify the legal department and at least one other department, usually human resources or compliance.  Designated individuals from those departments would then determine whether additional notice was required based on the nature and severity of the complaint (ie, senior executives, board members).  The escalation protocols should lay out generally the criteria for providing notice for different types of complaints.  Once notice is provided, the legal department should determine who will investigate.  Investigator options include legal, compliance, human resources, security or some combination thereof.  Consideration also should be given to bringing in outside counsel or other external consultants, including media relations.  But having legal do the initial assessment of who should investigate allows the company to assert attorney-client privilege over those communications.
  • Investigation – Once it is determined who will conduct the investigation, the company should have investigation protocols that describe how to conduct the investigation.  The investigation protocols ensure that each investigation is performed properly, fairly, consistently and, where appropriate, subject to the attorney-client privilege.  Investigation protocols include: (1) developing an investigative plan; (2) setting a time frame; (3) preserving and reviewing documents and electronic data; (4) conducting interviews; (5) reporting; (6) disclosures; and (7) discipline and remedial measures.
  • Communicating with the reporter – The escalation protocols also should describe how and when to communicate with the person who reported the complaint.  These communications ensure the reporter is confident that the company is taking the allegations seriously, and may well prevent the reporter from reporting the complaint to an external regulator.  Proper communication also promotes a culture of compliance and empowers employees to report incidents of wrongdoing.
  • Remediation – It is now best practice for remediation to be a part of the escalation protocols.  This means that all complaints should be designated as “closed without further action” or “closed with remediation.” The remediation should be documented and then fed into a compliance risk assessment or internal audit plan so that it can be audited during the next audit cycle.

Putting escalation protocols in place is an easy and effective way to ensure that a whistleblower program functions efficiently and, perhaps more importantly, enjoys the protection of the attorney-client privilege where appropriate.  There are countless horror stories of companies facing civil litigation or regulatory inquiries where the mishandling of complaint intake has led to the production of bad documents, resulting in heavy fines, settlements and jury verdicts.  Mitigate those risks through carefully crafted escalation protocols.  And remember: there is no one-size-fits-all.  Every company will have its own view on how to handle whistleblower complaints.  Escalation protocols ensure they are handled properly, consistently, fairly and confidentially.