25 May 2011

Broadening your awareness of incidents and risks: looking beyond your hotline

EthicsPoint Inc | www.ethicspoint.com

First enacted in July of 2002, section 301 of the Sarbanes-Oxley Act (“SOX”) stated that:

“…each audit committee must establish procedures for…the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters, and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”

The framers of SOX recognized a “whistleblower” hotline to be a dynamic and valuable tool. However, when they mandated a formal mechanism for the receipt of information that might otherwise not be brought forward, they assumed that organizations were already formally monitoring the issues and events that flow naturally into an organization. Experience working with organizations across a wide spectrum of industry sectors shows that a formal process for monitoring the issues and events that come from an open-door policy, suggestion box, incident reports, performance appraisals, or exit interviews simply doesn’t exist.

The framers also recognized that the “whistleblower” hotline was one – but not the only – key indicator of risk for organizations. However, when the act was put into place and organizations worked towards compliance with SOX, hotline activity became an Audit Committee line item, and therefore a frequently discussed metric at the Board level. Several studies have benchmarked this data to give boards and compliance professionals a better understanding of how their organization’s hotline is performing.

Six years and thousands of new regulations after the passing of SOX 301, organizations nationwide continue to struggle to meet and maintain their Governance, Risk, and Compliance (GRC) initiatives. The proliferation of regulations has caused most organizations to create between four and fifteen isolated and localized compliance “silos” to react and respond to these mandates. These silos, along with their increased expenditures, often resulted in duplication of effort, fragmentation of process, and an elusive return on investment.

Management and boards face the responsibility of thoroughly understanding and prioritizing the risks their organizations face, regardless of the venue from which these risks surface. This is a daunting task, one which is made even more complex by the lack of controls and consistency in the way issues and events are captured and analyzed.

Fundamentally, the methodology used by many organizations to manage these broader issues and events has not kept pace with their other initiatives. Inter-departmental communication (or the lack thereof) and “protectionist” attitudes prevent the kind of openness and communications needed to align these silos with an organization’s GRC strategies. Increasing communication with an integrated GRC solution is one way to increase transparency.

Organizations are just beginning to realize two important facts: one, issues and events that may be important risk indicators surface naturally throughout their organizations; and two, not all risk mitigating information can be effectively captured by the use of even the most successful hotline.

Therefore, gaining broader awareness of relevant indicators, as well as resolving or elevating any incidents that arise, is critical to any enterprise risk strategy. Gaining visibility of organizational issues and events from all areas – including your extended enterprise and supply chain – provides invaluable insight and the tools necessary to streamline processes, reduce functional overlap, and optimize resource allocation.

Where to Begin
Organizations seeking to improve their awareness strategies and the ROI of their resolution processes must first identify where their risks surface. It’s key to remember that organizational risk comes in many forms and can be either real or reputational. Organizations should be looking into control processes, incident reports, audit and review procedures, and even the details that come from exit interviews. In most cases, organizations need to look no further than their own code of conduct to realize that the primary recommended venue for reporting an incident is an employee’s direct supervisor, followed by an open-door policy to senior management, and, ultimately, access to a confidential and anonymous hotline. The more difficult part of this process is determining what information is likely to be valuable, how to filter it effectively, and what escalations should be applied toward resolution.

It’s necessary to define, evaluate, and train the stakeholders who support these initiatives and who have an effect on the organization’s success. Organizations must consider the compliance and social responsibility complexity they face. They must also consider the level of human and technical sophistication required by their processes, their geographic and workforce diversity, and the organization’s overall GRC maturity level to successfully support these initiatives. They must understand their current level of transparency and the important role interdepartmental communication plays in the overall process.

About the Process
Once it’s accepted that risk information surfaces naturally across a dynamic and distributed organization, organizations soon recognize that the procedural consistency and auditable rigor typically found in the more formally organized hotline data is lacking in most reports made directly to supervisors or management. These issues, if documented at all, are most likely locked away in distinct, operational silos with little or no transparency or analysis in support of an overall GRC strategy.

Identifying key potential stakeholders is yet another area to which attention must be paid. An organization’s primary stakeholders are its employees, but today, as organizations increasingly operate globally, considerable compliance risk also exists with agents overseas. Vendors, contractors, spouses, agents, interns, and other stakeholders in the process should be examined with the same rigor as the extended enterprise or supply chain.

It is important to remember that it is the issues themselves that are critical in this process, and not the venue from which they are brought forth. Optimizing incident management, workflow, and analysis, regardless of how issues are introduced to the organization, creates measurable results in terms of increased visibility, improved business process, and the preservation of your organization’s culture, intellectual capital, and reputation.

Once issues and events have been identified, it is necessary to define not only the individuals charged with their review and analysis, but also a policy for what happens to reports that are considered frivolous or unfounded. Organizations also need to determine the materiality criteria (e.g. monetary impact, implicated management, threat, or safety dangers) that trigger escalation of the resolution process.

Ultimately, it is incumbent upon organizations to use the data that is captured – both in terms of reported issues, as well as the steps, duration, and outcome statistics – to provide a continuous, analytic feedback loop for change and improvement to both proactive and reactive processes.

Measuring Organizational Complexity and Maturity
Measuring your maturity requires gauging how well your organization addresses its compliance complexity and whether the tools are in place to provide the sophistication its related processes require. The Open Compliance and Ethics Group (OCEG) and the National Association of Corporate Directors have collaboratively developed an elaborate Corporate Maturity Model™ consisting of five maturity stages:

  • Uninformed
  • Reactive
  • Adaptive
  • Proactive
  • Infused

The common desire is to migrate from a reactive compliance position to a proactive business process that encompasses the organization’s GRC strategy. Migration along this continuum, via the optimization of resources, allows an organization to move from a reactive to a proactive stance in the marketplace. As an organization’s goals mature, it is anticipated that moving forward on the GRC maturity continuum will likely affect risk management, training, corporate culture, policies and procedures, and even financial strategies.

Using Feedback for Continuous Improvement
When risk areas and stakeholders are identified, complexity and maturity are established, and a risk profile is known, an organization has an ideal opportunity to use reports and analytics to continuously improve its overall GRC initiatives.

Historically, organizations have spent countless hours, energy, and dollars on developing and analyzing their risk profiles. They have employed rigor and diligence to the documentation and analysis of “what may happen,” but unfortunately, these things are not always correlated to real risk.

Using a broader, more formalized set of data points, organizations can ensure that the same types of issues are better addressed in the future, examine trends across broader business or operational units, and evaluate the performance of individual and compliance activities.
