Compliance case management is the foundation for ensuring that credible allegations of malfeasance are promptly reported, diligently investigated, thoroughly documented, and duly dispositioned. The lack of an effective and coherent compliance case management program can have chilling repercussions for organizations.
If handled improperly, for instance, confidentiality can be compromised, the identity of the reporter leaked, retaliation in the workplace can occur, and root cause analyses can be sidelined or ignored wholesale. All of these outcomes are inimical to the proper functioning of the organization’s compliance operation, which requires discretion, diligence, and actionable results.
Here are the top five (5) signs that your compliance case management program needs improvement:
1. Identities of internal reporters are compromised
It goes without saying that the signature sign of compliance case management program failure is that confidentiality is breached and the identity of the reporter is leaked. Under rules applicable to both public and private companies alike, organizations often have a legal obligation to take appropriate measures to ensure that the identity of the reporter remains known to a narrow universe of individuals typically associated with the compliance, legal, internal audit, and human resources teams of a company. Selective disclosure of information is required, as is the involvement of the company’s general counsel or his or her designee, to ensure that the investigation remains subject to the attorney-client privilege. While breaches of confidentiality can occur for a myriad of reasons, the most basic reason is that the organization lacks an appropriate mechanism to receive confidential and/or anonymized reports. Too often, companies take the easy way out—relying on internal “hotlines” where recorded messages can be left for the legal team or supposedly confidential email addresses for the submission of written reports, that in reality, are widely accessible by others.
Neither strategy is effective. In the case of the former, the impersonal nature of the intake process means that initial reports often lack key information due to the lack of follow up questions, and may end up being virtually worthless if the reporter chooses to remain anonymous because sufficient detail is not provided and no ability to follow up with the reporter is available. As for the latter, while a general email address for the receipt of internal complaints is preferable to having nothing, access to these mailboxes can be broader than what the sender perceives. For instance, it is often the case that such mailboxes are broadly shared within a particular team. Sensitive information that might need to be shared directly with the company’s compliance officer or general counsel might in fact be shared with administrative support personnel and other members of a compliance and legal team. No matter how trustworthy such individuals are, indiscriminate dissemination of confidential reports exponentially increases the likelihood that the reporter will be identified—and, in the worst cases, even targeted for retaliatory purposes.
2. Case Closure Times are Excessive
Another distinctive sign that compliance case management practices are not working is the lack of diligence exercised by the compliance function in investigating, documenting, and remediating compliance program failures. A significant backlog of cases, for instance, is a clear indication that inefficiency exists somewhere between the case receipt/initiation process and the investigatory/close out phase. Identifying each step of the case management process by creating an appropriate flowchart is an ideal way to assess where the backlog exists and what changes are needed to ensure that cases are promptly dispositioned. The requirement that cases be closed promptly is even more important as the European Union’s so-called “Whistleblower Directive” is transposed into the respective bodies of law of each of the EU’s twenty-seven (27) member states. Although the Whistleblower Directive sets a minimum threshold with respect to the establishment of internal and external reporting mechanisms and the protection of reporters generally, it also sets strict deadlines for the receipt of reports and follow up by the organization’s designated internal team. Generally speaking, organizations are mandated to acknowledge receipt of an internal report within seven (7) days and provide substantive feedback to the reporter no later than three (3) months following the acknowledgment of receipt or expiry of the seven (7) day period after the report was made. This makes it even more imperative for companies operating in the EU to ensure that their case management practices are efficient and effective, as EU regulators are notoriously more aggressive and attentive than their global counterparts.
3. Case Management is Largely an Ad Hoc Process
Another sign of ineffective case management practices is a lack of uniform policies and procedures that dictate how various types of internal reports are to be handled. This is also a clear indicator that an organization’s overall compliance program is immature and/or lacks appropriate management commitment or resources. While policies are the backbone of the compliance program structure, procedures are the arteries that allow cases to transition from initiation to completion. As such, considerable attention should be devoted to establishing workflows based on the nature and gravity of the report received. These workflows should be reduced to writing, made accessible to the compliance team as a whole, and revisited as necessary when inefficiencies or other obstacles are identified. In the absence of detailed procedures, compliance teams are left to handle potentially serious complaints in a fragmented and illogical fashion. If recent guidance issued by the U.S. Department of Justice and other global regulators is any indication, a consistent approach to investigation and disposition of compliance cases is a sign that the organization takes its commitment to complying with the letter of the law seriously and can lead to favorable outcomes even in serious cases. Conversely, organizations that take a lackadaisical approach to compliance case management can expect additional scrutiny and increased monetary penalties when compliance failures occur.
4. Root Cause Analyses and Actionable Results are Lacking
Contemporary regulatory guidance now routinely emphasizes the need for organizations to ascertain what the root cause of a compliance failure was. Too often, reports are made, investigated and dispositioned on an individual basis, without due consideration of broader organizational implications. In this regard, careful monitoring and analysis of the types of reports received is indispensable. Trend analyses should be conducted to determine if any patterns exist that suggest a broader cultural issue may be at play, or that training in a certain area of the law might require revamping. Simply compiling individual reports and placing them into a document retention system is a recipe for disaster. Each report should be considered as a piece of a broader puzzle so that a complete and accurate picture of the organization’s compliance risks can be visualized.
5. Reporting Metrics Lack Meaningful Context
To satisfy its fiduciary obligations to the organization as a whole, periodic reports (preferably quarterly) are often required of compliance officers and/or general counsel to an organization’s governing board. Typically, these reports consist of a series of statistics on the number of internal complaints received, processed, and dispositioned often broken down by category, but with little other context. Suffice to say, such reports are essentially worthless in that they provide the board with no real insight into the greatest risk factors facing the organization from a compliance perspective. The devil is often in the details. While careful consideration should be taken by the compliance officer to appropriately anonymize such reports, a more detailed presentation of the trends identified above, a discussion of the most serious substantiated cases of misconduct, and the status of remedial measures taken in the previous quarter should be addressed. Increasingly, electronic case management systems for compliance officers are capable of compiling relevant data and generating customized reports that can be utilized for this purpose. Organizations that lack access to such platforms—and are consequently much too reliant on manual processes—are at a distinct disadvantage when it comes to reporting relevant metrics.
The key takeaway for companies facing any one or more of these obstacles is that a dramatic change may be required to make compliance case management more automated and less reliant on manual processes and procedures. Many of these failures occur because the organization lacks a single platform for the complete administration of compliance cases. State-of-the-art internal reporting and case management platforms now exist. Because manual compliance processes are inherently insecure, grossly inefficient, and often ineffective in accomplishing the overall objective of ensuring that the organization remains faithful to its own ethical principles and fully compliant with its legal obligations, organizations of all sizes should consider whether investing in a holistic case management system is no longer a luxury, but a necessity.