CEP Magazine – February 2023. Compliance hotline cases: A risk-based approach | Society of Corporate Compliance and Ethics (SCCE)

[author: Peiman Saadat*]

CEP Magazine – February 2023

Compliance professionals regularly face various work-related challenges, yet the one shared most by everyone is timely access to accurate information. Such timely access is the key to compliance effectiveness mitigating the potential or existing risks within the organization. Access is usually obtained through getting a seat at the table, performing data mining, internal auditing, interviews, walkthroughs, compliance risk assessment, etc.

While compliance and ethics hotlines are accepted as the primary mechanism for employees to report nuances of fraud, waste, and abuse, hotlines are also considered a means for compliance professionals to access information. In fact, a compliance and ethics hotline can serve the compliance program as a direct line of communication between compliance professionals and employees—with no fear of retaliation. Organizations with hotlines detect fraud more quickly and have lower losses than those without hotlines.

The United States Sentencing Commission (USSC) set the elements of an effective compliance and ethics program, stating that every organization shall take reasonable steps “to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.”

The piece that has been highlighted by the USSC, yet mostly undermined by the compliance professionals, is “seeking guidance.” Employees and agents should be able to use compliance and ethics hotlines to ask a question and seek guidance—even anonymously.

Does your compliance and ethics hotline accommodate this?

The customary approach to compliance and ethics hotline cases is the case-based approach, where cases are received, reviewed, or investigated and based on the outcome, a case-based action is taken. Then, the case is deemed closed in the system.

In a risk-based approach, while similar steps are taken, the process continues even after the closure of the case. Trending and benchmarking remain ongoing processes with all cases received.

The goal is to not only mitigate the risk involved with the reported case, but also further analyze the trends to prevent the risks from recurring.

Discussion

The Institute of Internal Auditors defines risk as “the possibility of an event occurring that will have an impact on the achievement of objectives.” A risk-based approach to a compliance hotline intends to build a systematic process where the data received via a compliance and ethics hotline is used not only to address the immediate concern but also further analyze and use to mitigate existing or potential risks in the future.

Compliance professionals should analyze the status quo to create a baseline to start the new approach. Some questions to consider include:

Have employees received appropriate training on reporting or seeking guidance using the compliance and ethics hotline?
How many reporting channels exist?
How many calls are received monthly?
What is the percentage of the calls which are truly a compliance-related concern?
Who is reporting most—employees or customers?
Are there any easily identifiable trends?
What are the steps taken when a call is made to the hotline?
Who gets involved with the compliance and ethics hotline cases, to what extent, and why?

The following three-phase approach is designed to build a risk-based approach to compliance and ethics hotline cases.

Building the fundamentals

Policy and procedures: Ensure a well-drafted policy with clear instructions outlining the steps taken when a call is received.
Vendor’s performance evaluation: Conduct internal reviews, such as secret shopper calls to the hotline and assess the timing and response given by the compliance and ethics hotline vendor. Does the vendor have multilingual capabilities when receiving calls?
Marketing: Promote the compliance and ethics hotline in various forums, including departmental meetings, high visibility on the organization’s website, and compliance program marketing materials.
Accessibility and convenience: Guarantee that the hotline is available 24/7 and the number is easy to remember.
Reminders: Send frequent reminders as part of compliance communications about the compliance and ethics hotline’s availability, topics to report, and employees’ roles and responsibilities.

Redesigning the compliance and ethics hotline

Proper design for a compliance and ethics hotline and website: Over the past decade, telephone hotline use has declined substantially, as email and web-based/online reporting have increased as preferred reporting methods. Organizations should maintain multiple platforms for their compliance and ethics hotlines.
Awareness: Regular evaluation of the employees’ and agents’ compliance and ethics hotline knowledge.
Education and training: Compliance and ethics hotline education should be part of mandatory annual compliance training. Such training should be vignette and case-based to encourage all to contact the hotline as needed. Closed cases can be de-identified and redistributed as training materials to all employees.
Transparency: Roles and responsibilities of the compliance team involved with hotline cases should be clear and evidence-based.
Follow up with reporter: If the caller is identified, it’s important to contact the caller and follow up directly with them. While the investigation and the outcomes of each case may be confidential, the caller needs to know that the matter was taken under consideration and the proper actions were taken.

Analyzing and trending should be conducted regularly

Frequency: To identify any trends within a specific case category.
Involved team: To detect any trends with the teams, departments, or locations involved.
Percentage of cases received anonymously versus identified.
Substantiated versus unsubstantiated.
Actionable versus insufficient information.
Compliance-related versus noncompliance, such as human resources (HR)-related matters.
Breakdown on intake forms: calls, emails, web submissions, letters.
Infraction duration: How long has the issue existed, and who has been aware of it?

When the analysis is made and trends are identified, it is essential that the results are shared with the relevant authorities within the organization in a timely manner—as outlined in the pertinent organizational policy and procedures.

Based on circumstances, the reporting should include, but not be limited to:

Organization’s executive leadership.
Legal, operational leaders, HR, and internal audits.
Compliance and audit committee.
Board of directors.
External regulatory entities.
Self-disclosures and/or notifications.

Risk-based response to the identified trends

Compliance professionals should use the data to tailor actionable next steps to mitigate identified risks. Such actions normally involve but are not limited to reprimanding or disciplining individuals involved, designation of ad-hoc training, incorporating the identified trends into the annual compliance training, and adopting the areas of concern into the annual compliance risk assessment exercise and work plan.

Takeaways

Organizations with compliance and ethics hotlines detect fraud more quickly and have fewer losses than those without hotlines.
Make sure you promote your hotline so everyone knows where and to can access it.
Analyze hotline cases as metrics to formulate a risk-based approach by compliance professionals.
Implement regular data mining and response monitoring to support the mitigatory risk efforts.
Identify trends and outliers to serve operational and organizational goals and adopt into the compliance annual work plan.

*Vice President and Corporate Compliance Officer at AdvantageCare Physicians PC, in New York, New York, USA.

[View source.]