October 2024

Update on DOJ Whistleblower Pilot Program

Posted on October 28, 2024October 28, 2024 by Ethisphere

“Companies play a critical role as the first line of defense against corporate crime,” Argentieri said, underscoring the DOJ’s focus on corporate accountability.

On Sept 17, Principal Deputy Assistant Attorney General Nicole M. Argentieri discussed the Department of Justice’s Corporate Whistleblower Awards Pilot Program at NYU School of Law’s Program on Corporate Compliance and Enforcement. You can find a full transcript of her remarks here.

“Companies play a critical role as the first line of defense against corporate crime,” Argentieri said. “That is why we are focused on corporate accountability and corporate enforcement policies that create strong incentives for companies to take compliance seriously.”

The DOJ Whistleblower Pilot Program rolled out on August 1, 2024 as a three-year effort to reward employees who voluntarily report corporate misconduct to federal authorities. That is, offering information or assistance (that has not already been uncovered by other agencies’ whistleblower programs) leading to civil or criminal forfeitures.

This DOJ’s pilot program joins similar initiatives by the Securities and Exchange Commission, the Commodities Futures Trading Commission, and the Financial Crimes Enforcement Network and aims to cover the full extent of corporate crime that those agencies do not cover.

Retaliation and Speaking Up

Programs such as this have been an important tool by which law enforcement investigates and prosecutes corporate wrongdoing. The reward for speaking up acknowledges that too often, those who speak up against misconduct suffer professionally for it. “It takes courage to stand up and say when something isn’t right, says Ethisphere Chief Strategy Officer Erica Salmon Byrne, “But all too often, we meet these acts of integrity and accountability with suspicion and resentment.”

Even though the DOJ Whistleblower Pilot Program does not include anti-retaliation provisions, it is an issue the Department takes very seriously. “Let me be clear: our prosecutors will protect whistleblowers’ identities to the fullest extent allowable under law,” Argentieri said during her NYU remarks. “And if a company retaliates against a whistleblower, we will take all appropriate steps: the company will lose credit for cooperation and remediation and could face sentencing enhancements — and even prosecution — for obstruction of justice.”

The Speak-Up Gap

According to Ethisphere data, 93% of employees say they would report workplace misconduct if they witnessed it. But when the moment of truth arrives, only 50% actually report. The most common reasons cited are fear of retaliation and professional harm.

This delta between intent to report and actual reporting is what Ethisphere calls the speak-up gap. The DOJ Whistleblower Pilot Program is meant to help address that unfortunate reality.

What this means for companies is that the DOJ is incentivizing individuals to take advantage of both internal and external whistleblowing avenues when it comes to reporting misconduct.

“We are not only incentivizing individuals to come forward and report corporate crime to the department,” Argentieri said. “We are also incentivizing companies to invest in strong internal reporting structures and to report crime when they learn about it.” This includes giving greater rewards t companies that voluntarily report misconduct within 120 days of discovering it, and before the DOJ reaches out to the company.

To learn more about how your organization can advance speak-up culture, please visit the Ethisphere Resource Center for a host of free policy examples, best practices reports, interviews, and more.

Follow Ethisphere on LinkedIn and join the conversation on why good ethics is good business.

The Need for an Anti-Retaliation Policy Just Got Amplified

Posted on October 25, 2024October 31, 2024 by Ethisphere

Not only are certain forms of retaliation illegal, but even the fear of retaliation can have a chilling effect on employees’ willingness to report misconduct.

With the launch of the new Department of Justice Corporate Whistleblower Program in August of 2024, it should not be a surprise that in the DOJ’s latest update on the Evaluation of Corporate Compliance Programs (ECCP) they introduced new language regarding how companies protect those who speak up against misconduct.

The Department recognizes that an anti-retaliation policy is one of the most useful whistleblower protections a company can use to create an environment where employees feel comfortable raising their hands when they have a concern. Specific to this latest update, the Department has now included questions about:

1) Does the company have anti-retaliation policy;

2) Does the company train employees on both internal and external anti-retaliation and whistleblower protection policies, procedures, and laws;

3) Are employees who report misconduct treated differently than others who were involved but did not report? 

It’s clear that the first question above is at the front of E&C leaders minds given the questions we received during our live webinar on the ECCP update last week such as: 

Would combining the Anti-Retaliation Policy with the Speak-Up policy be appropriate?
Do you also see companies have a stand-alone Speak-Up policy and is this separate from or the same as the Anti-Retaliation policy?
Is it advisable to have a standalone Anti-Retaliation policy or can it be incorporated into a broader code of conduct?

Let’s address these questions and more below.

Why it is anti-retaliation policy important and how to craft a good one?

Not only are certain forms of retaliation illegal, retaliation, or the fear of it, has a chilling effect on an employee’s willingness to come forward to report misconduct concerns.

Among Ethisphere’s Culture Quotient® database of more than 3 million employee responses, we see 92% of employees are hypothetically willing to report a misconduct issue or concern, and yet of those employees who reported witnessing a concern in the most recent 12 months, only 50% actually reported it. When asked why they didn’t report, the top two reasons given were fear of retaliation (48%) or that nothing would be done about it (49%).

While many company codes of conduct may include a company’s commitment to non-retaliation, the DOJ guidance clearly points toward companies having a policy – whether that policy is a standalone document or included as part of a broader speak-up policy. A mention in the Code will not be sufficient. Codes are meant to be broad, aspirational, and values-based. Codes may describe basic standards for what will and won’t be tolerated as far as behavior, but not to the degree found in a topic specific policy. And, yes, you can have a single policy that covers both anti-retaliation and speak-up in its scope, as long as it is specific and more than a mention that “retaliation will not be tolerated”.

When it comes to crafting an anti-retaliation policy, keep in mind that the types of adverse or retaliatory behavior that employees report experiencing is not necessarily what lawyers have been trained to think of as illegal retaliation. It is not always a tangible employment action, but things like ostracism – being cut off from team meetings, not asked for input on projects, – that employees report facing most often as types of retaliation.

An anti-retaliation policy should cover actions that include what we might think of as illegal retaliation and also retaliatory actions that do not fit a legal definition. The policy should cover illegal and adverse employment forms of retaliation such as, failure to promote, reduction in scheduled hours, or termination, as well as more subtle forms of retaliation like transferring the employee to a different or lessor position, hostile or intimidating treatment, or ostracizing treatment by colleagues or managers.

“Managers are in a unique position to see signs of retaliation, and as such they should be on the lookout for adverse actions when one of their employees raises a concern or reports misconduct. Managers can also help prevent retaliation by reiterating this policy against retaliation. Make it clear to all members of the team or function that retaliation is not tolerated and that taking adverse action against an employee that reports misconduct in good faith—even if that report turns out to be unsubstantiated—can result in consequences.” – Erica Salmon Byrne, Executive Chair and Chief Strategy Officer, Ethisphere

All of Ethisphere’s recommendations for policy best practices would apply to an anti-retaliation policy. Write the policy so that all employees understand the company’s position, compliant and non-compliant behaviors are clearly communicated, and that all managers know what to do and not to do in carrying out their role.

The policy should:

Use language that is easy to understand. The language used should be simple and clear, as employees may not be experts in the subject. Avoid overly technical or legal language.
Provide examples to illustrate points and define key terms. Give employees guidance that helps them do the right thing.
Provide role specific guidance as needed. Expectations for individual contributors may be different from those of people managers. Distinguish between requirements for compliance with the policy based on role.
Define consequences for non-compliance with the policy. Consequences for non-compliance could include a range of remediation or disciplinary measures, and clearly stating them enforces the position that the company takes these actions seriously.
Be easily findable and accessible, including available in relevant languages, and culturally aligned or localized with the regions in which employees reside.
Use active voice to improve clarity when possible. In active voice, the subject of the sentence is performing the action. In passive voice, the action is performed on the subject, or the subject may be omitted entirely. Keep the use of passive voice to no more than 20%.
Keep the reading level under grade 14 (a college sophomore) or use a grade level that makes sense for the organization. It should be at or below the average level of education for employees. To lower the grade level, break long sentences into shorter ones, use shorter paragraphs, and include bulleted or numbered lists.
Refer to the organization in a consistent manner. Choose one way to refer to the company and stick with it throughout all written standards. This may be “the Company,” “ABC,” “ABC Company,” or something similar.
Ensure that the language used aligns with the purpose of the written standard. Use “we” language when discussing shared responsibilities and values, such as, “We all have a responsibility to raise issues of concern in good faith.” Use “you” language when providing actionable guidance, such as, “You should contact your manager, HR, or the Ethics Hotline if you experience or witness retaliation.”

Communications and training on the anti-retaliation policy

Training arms employees with the information they need to do their jobs correctly. Communications keep that training and your expectations top of mind. In addition to communication specifically about the anti-retaliation policy, include a reference to the policy in employee communications about your investigations process, especially as part of any guidance or resources you provide to those individuals who report concerns.

The goal of your training program should be to communicate a zero-tolerance message and to

make your employees and others aware of three key concepts:

What conduct is prohibited and why.
How they may encounter retaliation.
How to respond if they do.

Tailor your training. While all employees should receive basic anti-retaliation training, it is important to customize training to individual employees and people managers.

It is important that managers receive training on anti-retaliation not only to avoid and recognize prohibited actions but to support their employees as well. Managers are a valuable resource for ethics and compliance. They can help reinforce messages and policies and be a resource for those who want to raise a concern or ask a question.

Business Ethics Leadership Alliance (BELA) Member Template Example

BELA Members have exclusive access to Ethisphere’s library of sample policies and resources across programmatic elements and areas detailed in the DOJ’s ECCP guidance. Check out this excerpt from our model Anti-Retaliation Policy, and request guest access to the BELA Member Hub to see others.

bela member exclusive

Sample Non-Retaliation & Speak-Up Policy

Managers are in a unique position to see signs of retaliation, and as such they should be on the lookout for adverse actions when one of their employees raises a concern or reports misconduct. Managers can also help prevent retaliation by reiterating this policy against retaliation. Make it clear to all members of the team or function that retaliation is not tolerated and that taking adverse action against an employee that reports misconduct in good faith—even if that report turns out to be unsubstantiated—can result in consequences.

Request BELA Guest Access to get the Full Policy ⟶

5 Reasons Why Poor Compliance Costs Money

Posted on October 22, 2024October 22, 2024 by Ethisphere

When you look across the spectrum of U.S. regulatory agencies and tally up the fines, penalties, and legal settlements for compliance failures, those numbers are staggering—nearly $222 billion since 2020.

It is no secret that strong ethics is good business. There are many reasons for this, but a big one is risk reduction—a great ethics and compliance program fosters a culture of integrity where costly misconduct is prevented, or addressed proactively before things get out of control. Likewise, poor compliance actually costs organizations huge amounts of money. This blog will explore the five biggest reasons why.

Reason #1: Fines, penalties, and settlements

This is the obvious one. When you look across the spectrum of U.S. regulatory agencies and tally up the fines, penalties, and legal settlements that organizations are paying to the government for their compliance failures, those numbers are pretty staggering. Since 2020, the top 100 regulatory fines, criminal penalties, and class action settlements for corporate misconduct in the U.S. alone is nearly $222 billion. That’s enough to buy the National Football League and dissolve it.

Reason #2: The misconduct multiple

There is also an unseen aspect to regulatory costs. If you look at any given regulatory fine, penalty, or legal settlement, take that number and triple or quadruple it. That will reflect the costs to the organization before it ever got to the point of writing a check to the government or a plaintiff’s attorney. These are additional costs to in-house/defense attorneys, forensic accountants, the auditing team, and other functions that all have a very high resource cost.

Reason #3: The performance cost

This is the hidden cost of time that your company could have used to do other things, had it not been forced to spend it dealing with a serious regulatory or legal misconduct issue. Ongoing regulatory and legal concerns are a drag on morale and overall employee psychological safety. It also contributes to employee churn. Many employees will simply work for another company that endure a painful situation at their current one, and the cost of replacing talent is a multiple of any given position’s annual salary, when factoring in recruiting costs and lost productivity.

Reason #4 The rehabilitation cost

Companies that get into huge regulatory or legal trouble typically end up having to rebuild their compliance program, either because the government requires it, or shareholders demand it. Boeing will spend some $455 million over the next three years to rehabilitate its program. Walmart spent $845 million to rehab its program. Those are very large numbers.

Reason #5: The competitive cost

The four previous costs detailed all contribute to the inverse of the Ethics Premium, which tracks the financial performance of the publicly traded companies on the World’s Most Ethical Companies list. “You don’t see those fines and penalties in that particular cohort,” says Ethisphere Chief Strategy Officer Erica Salmon Byrne. “What you do see is a year-over-year outperformance against a comparable stock index.” Put simply, companies poor compliance lose business even if they do not face outright fines and penalties. They lose customers, they lose supply chain partners, and they lose strategic partners.

What Is a Good Compliance Reporting Structure?

Posted on October 14, 2024October 14, 2024 by Ethisphere

Having direct access to the board is a pretty clear regulatory expectation, particularly for industries with significant compliance oversight.

What does a good compliance org chart look like? How your compliance function is composed and to whom it reports can have a huge impact on your overall program effectiveness.

We advise a few key considerations: team composition, where the team sits, and what not to do.

Team Composition

Ethisphere data tells us that teams are becoming increasingly diverse, professionally.

We see more companies with communications professionals that are part of the compliance team and responsible for drafting compelling communications that employees actually want to engage with.
We see more companies put people with data backgrounds on the team and those people are responsible for data analytics and looking at different dashboarding and ways that data can tell an organization how the program is performing.
We see more teams with auditors on them or forensic accountants—particularly if you are in an industry where you might have to do a lot of forensic work as part of an investigation. By that token, we are seeing a lot people with investigations backgrounds on teams, also.
Lawyers, of course, continue to be very prevalent on teams, as well.

Overall, we see increasing specialization on compliance teams across a broad range of backgrounds. More often than not, we will see teams that have people who specialize in particular pieces of the program, so you might have somebody who focuses on your third-party risk management, or training, communications, manager preparedness, and things along those lines. But of course, we are also seeing a lot of people who are compliance managers and other kinds of generalist roles.

Where the Function Sits

On the age-old question of where does the compliance team sit within the organization, again, we are seeing a fair amount of diversity on that.

We still see a majority of compliance functions rolling into legal where the person who is running the program—the chief compliance officer—is increasingly not dual-hatted. While we do still see some compliance officers who are also the general counsel, increasingly, we see a recognition on the part of companies that those are two different full-time jobs, and you should designate the person who is actually running the program accordingly and give them the appropriate level of gravitas in the organizational chart.

We also see—and this is being driven by regulatory expectations—a lot of programs where the person who is running the program also has a direct line in to the chair of the relevant board committee that oversees the program. They are having their own direct conversations with that individual that do not go through the general counsel. This is very important. Having direct access to the board is a pretty clear regulatory expectation.

Things Are Different in Healthcare

An important caveat: The one place where we see a different reporting structure is for organizations that are subject to the oversight of Health and Human Services here in the U.S. That entity has been very clear that they believe that compliance reporting into the legal department is bogus. They want to see compliance as its own independent function.

That is driving the fact that in about 40% of the Ethisphere dataset, we see compliance reporting outside of Legal, and either directly to the CEO or somebody else in the C-suite (chief operating officer, administrative officer, etc.). These positions, of course, have that critically important direct line into the chair of the board committee.

What Not to Do

You do not want to see four levels between compliance and anybody who is ultimately responsible for the behavior of the organization. The farther down you are in the org chart, the less likely your information is getting to the people it needs to reach. For example, if there are a number of stops along the way, your information can get watered down, and you won’t have direct access to the chair.

If you have that kind of structure and you wind up in front of any regulatory body, they will not look favorably upon it. Going back to the 2010 amendments to the Federal Sentencing Guidelines, the federal government set an expectation for compliance to have unfettered access to the board. The primary reason for that was a case in which the general counsel was actually involved in misconduct and he board had no idea, because the general counsel prevented the compliance team from getting information to them.

So, since 2010, we have seen a very clear expectation from regulators that the people who are responsible for compliance on a day-to-day basis need to have unrestricted access to the board or to the chair of the committee that oversees the compliance program, where nobody else is filtering the information that compliance provides. Compliance should be able to sit in the executive session with that board committee and be able to talk on a regular basis with the chair. That has been the clear regulatory expectation for the last 14 years. You can find details on how to make a case for appointing a Chief Compliance Officer here.

Success stories from Ethics and Compliance Leaders

Posted on October 10, 2024October 10, 2024 by Ethisphere

Our mission is to provide ethics and compliance practitioners with a venue by which they could share their expertise with the broader ethics and compliance community. Whether it’s talking about an innovative new program, compliance policy, or procedure…highlighting trends worth watching…sharing ways to build a better culture of integrity…we’ve had guests from all over join us to share their insights.

As we’re fond of saying, there is no competition in compliance. That’s why we are so enthusiastic about showcasing this field’s incredible thought leaders and subject matter experts.

In particular, we have had a number of guests join us from the Business Ethics Leadership Alliance, or BELA, a global community committed to advancing business integrity that is comprised of senior legal, ethics, and compliance leaders representing more than 60 industries.

Being a BELA member means being part of an ethics and compliance community that shares best practices, expertise, and experiential benchmarking as folks share what is really moving the needle within their program.

In this episode of the Ethicast, we showcase a few of the BELA members who’ve come on the show. They don’t just represent best practices within their own organizations. They represent best practices within the ethics and compliance profession itself by sharing what they know in the interest of helping everyone advance business integrity.

Bo van Zeeland of SABIC shares how to secure ethics and compliance program resources, even when budgets are tight.

Marie-Claude Dumas and Julianna Fox of WSP share some key indicators of an E&C program that has truly embedded itself within an organization.

Craig Pedersen of PepsiCo talks about how the company incorporates culture assessments into their program.

Katy Creecy of Uber explains how data analytics have made such a powerful impact on Uber’s program.

2:33: SABIC secures E&C resources even when budgets are tight
5:15: WSP’s key indicators of a truly embedded E&C program
11:16: PepsiCo incorporates culture assessments into their program
12:41: Uber’s data analytics strategy in practice

Listen in to each full episode to gain ethics and compliance best practices.

How to Secure E&C Resources Even When Budgets Are Tight:

SABIC’s robust ethics and compliance program have earned the company its rightful status as a peer leader among other companies in the Middle East. Its focus on global diversity, culture, and anticorruption are just some of the program maturity hallmarks that have earned the company its Compliance Leader Verification status from Ethisphere. Bo van Zeeland, GM & Global Chief Counsel, Business Ethics & Compliance for SABIC has led the charge on elevating and advancing SABIC’s Culture of Integrity, Code of Ethics, and Human Rights Program. And he has also successfully managed to secure the resources his program needs, even during trying economic times for the petrochemical industry.

3:39: Launching a new Code of Conduct
9:28: Building a global speak-up culture across a diverse organization
11:09: Securing E&C resources even when budgets are tight

To learn more about the great work Bo and his colleagues are doing at SABIC, visit sabic.com and mouse over the About tab. There you’ll find link’s to SABIC’s Compliance Culture, its Code of Ethics, its Human Rights Program, and more.

How to Build a Truly Embedded Ethics & Compliance Program:

Earlier this year, Ethisphere granted the Compliance Leader Verification to WSP for a second time, in recognition of its exceptional ethics and compliance program. Marie-Claude Dumas, President and Chief Executive Officer of WSP in Canada, and Julianna Fox, WSP’s Chief Ethics and Compliance Officer, explain how WSP used cross-functional collaboration, innovative speak-up culture, and a global network of champions to build the ethics and compliance capabilities that lead WSP from strength to strength.

2:25: The Compliance Leader Verification
4:09: Inside WSP’s compliance maturity journey
5:59: How top leadership directly empowers a strong E&C culture
8:49: Optimizing risk management and audit processes to align with E&C
11:11: Key indicators of a truly embedded E&C program
15:50: Advice for CECOs looking to achieve program recognition

To learn more about WSP’s ethics and compliance program, visit www.wsp.com and hit the Who We Are tab. From there, click on Corporate Responsibility.

At PepsiCo, the Secret Ingredient is Culture:

Earlier this year, PepsiCo received World’s Most Ethical Companies honors for an astonishing 18th time in a row—something only a handful of other companies have achieved. The secret of Pepsi’s success here is no secret at all, though. As Craig Pedersen, Director, Global Compliance & Ethics Program, PepsiCo, explains, it comes from a substantial and sustained campaign with support from across the enterprise at all levels, all feeding into a robust culture that puts ethics and integrity first.

1:10: What it takes to maintain ethics & compliance program at such a high level of excellence
2:23: How PepsiCo’s E&C program evolves to keep pace with best practices
3:35: How PepsiCo incorporates culture assessments into their program
4:59: Specific initiatives to create a global culture of integrity that preserves local autonomy
6:25: Insights on participating in the World’s Most Ethical Companies program
8:54: PepsiCo contributions to the global ethics economy

Driving Ethics & Business Integrity with Data:

Ridesharing pioneer Uber recently earned the coveted Compliance Leader Verification from Ethisphere in recognition of its alignment with ethics & compliance best practices, program monitoring, and use of data analytics to ensure program effectiveness. In this episode, Katy Creecy, Senior Manager, Ethics & Compliance Programs, joins us to explain how Uber’s innovative and impactful data analytics strategy is moving the company’s E&C needle in a meaningful way.

1:35: Uber’s data analytics strategy in practice
6:03: Challenges faced in standing up the program
7:28: Future plans and aspirations for Uber’s data analytics
9:34: Advice for standing up your own data analytics program

Learn more about Uber’s Ethics & Compliance Program.

Want to appear on the Ethicast? Drop us a line at
[email protected]

To learn more about BELA, visit
www.ethisphere.com/bela to request guest access to the BELA Member Resource Hub and to speak with a BELA Engagement Director.