Skip to content

How to Select a Hotline and Case Management Solution

The basic principle underlying the selection of an ethics hotline and case management solution is instrumentality. That is, the hotline and system must be a means to an end rather than ends themselves. Those ends are simple—providing an outlet for company employees (and external parties like the company’s vendors, suppliers, and distributors) to anonymously and confidentially report misconduct, while also providing the company a means of gathering the information it needs to investigate and appropriately resolve those claims. Employees who feel comfortable reporting through internal channels are less likely to resort to external regulators first—allowing you to more effectively mitigate your organization's risks and avoid the discomfort that accompanies additional regulatory scrutiny.

We’ve seen an influx of options in this space, and sometimes it can be difficult to identify the platform right for you and your business. Here are five key considerations that should factor into any company’s decision when it comes to choosing a hotline and case management solution.

1. Identify a Properly Staffed Hotline

First, the hotline provider must be staffed by trained intake specialists. While this premise seems obvious, the proliferation of hotline providers in the era of SOX compliance purporting to have all a company needs in terms of compliance solutions makes due diligence in this area critical. To meet the letter—and spirit—of federal regulations and guidance to offer a reporting mechanism, the hotline must be staffed by trained professionals who are able to engage callers in a dynamic conversation about the reported activity. This initial call represents the first, and sometimes only, opportunity to speak with the reporter and garner as much information as possible. A hotline with a pre-recorded message inviting the reporter to leave a message is an extremely poor substitute for human interaction but, surprisingly, all too common.

As a practical matter, would-be reporters are intimidated by the prospect of leaving a message in a general mailbox without any assurances that the reported information will be held in confidence or that the matter will be referred internally to the appropriate team for resolution. Such “static junklines” are more likely to become the repository of routine employee grievances (over cafeteria food or a coworker’s tardiness, for example) rather than a substantive source of information for detecting and addressing malfeasance. When choosing an external hotline provider, companies should inquire about the training frontline workers receive and examine the script they use to elicit information.

2. Ensure Access Around the Clock

Second, the hotline must be easily accessible 24/7, 365 days per year. Malfeasance doesn’t sleep, so reports of misconduct can come in at any time. Operating a fully-staffed hotline during normal business hours only is a guarantor of diminished effectiveness ab initio. Frequently, reporters resort to ethics hotlines at times that are not coincident with their normal work schedule. As such, a dedicated toll-free number should be established that allows anyone, anywhere to report at any time in their native language.

Companies should also give serious consideration to allowing reporters to utilize an online platform to report suspected misconduct. Best-in-class service providers now offer integrated solutions that pair a conventional hotline with sophisticated web-based reporting, case management, and data analytics capabilities. In the digital era, web-based reporting potentially offers a more robust means of gathering pertinent information (and documents) that are relevant to the claim being made. When combined with the functionality of a case management system, the result is greater efficiency. Reports and other information are aggregated into a single platform that permits the investigator to document the progress of the inquiry and communicate with the reporter on a follow-up basis, if necessary.

3. Opt For a User-Friendly Interface

Crucially, the user interface for both the web-based reporting and case management systems must also be intuitive—that is, capable of being utilized without having an advanced degree in computer science. Too often, organizations will allow the advanced features of a platform (and dreams of potential future applications) to become the decisive factor in dismissing other more streamlined alternatives. Simply put, the interface must be usable in order to be used. Any decent Silicon Valley start-up has an entire division devoted to user interface and user experience for this very reason. 

To be effective, the web reporting interface should mimic the script that a caller to the conventional hotline would encounter. It should maximize the ability of the reporter to provide pertinent details (in narrative form or otherwise), identify the parties involved, and upload supporting documentation. It should also contain reassurances that the submission will be treated confidentially and provide a mechanism—in the form of an incident ID number—to permit an otherwise anonymous reporter to follow up directly with the investigator.

The case management system must similarly be user-friendly. At the foundational level, that system should permit ethics and compliance professionals to identify relevant parties and witnesses; catalog and inventory supporting documentation; cross-reference applicable company policies; maintain notes and transcripts of witness interviews; and draft and publish interim and final reports.

4. Select a Customizable Solution

Customization is also critical for companies that have established compliance protocols. The key consideration here is that the architecture of the case management system should be flexible enough to replicate (rather than impede) existing company workflows. Predefined workflows that accompany ‘out of the box’ solutions may be beneficial to companies with little compliance program maturity, but these frameworks can significantly hamstring an organization with more nuanced and refined case management practices. To ensure that a service provider can meet the needs of the company, it is important to set clear expectations upfront and search elsewhere if early dialogue proves unproductive.

5. Maintain Data Privacy

Finally, companies selecting a hotline or case management system must be attuned to constantly emerging developments in the data privacy space—especially companies with an international presence. Comprehensive data protection schemes like the European Union’s General Data Protection Regulation (GDPR) require that companies and hotline providers:

  1. Limit data collection and internal reporting to accounting, auditing or related matters
  2. Meet certain technical requirements for the secure handling of personal data (and the transfer of such data outside of the European Economic Area)
  3. Destroy personal data associated with an internal investigation within strict timeframes (usually within two months after completion of the investigation).

To guard against incurring substantial monetary penalties for non-compliance with GDPR and other privacy regulations, it is essential that companies operating outside of the United States solicit the advice of competent counsel.

Finding the Right Hotline and Case Management Solution

At the end of the day, there are countless considerations to take into account when selecting a hotline and case management solution but identifying the right solution can make all the difference. So during your search, take your time and ensure you are considering these 5 key factors along with other unique challenges your organization or industry might present.


Michael Volkov

Michael Volkov specializes in ethics and compliance, white collar defense, government investigations and internal investigations. Michael devotes a significant portion of his practice to anti-corruption compliance and defense. He regularly assists clients on FCPA, UK Bribery Act, AML, OFAC, Export-Import, Securities Fraud, and other issues. Prior to launching his own law firm, Mr. Volkov was a partner at LeClairRyan (2012-2013); Mayer Brown (2010-2012), Dickinson Wright (2008-2010); Deputy Assistant Attorney General in the Department of Justice (2008); Chief Counsel, Subcommittee on Crime, Terrorism and Homeland Security, House Judiciary Committee (2005-2008); and Counsel, Senate Judiciary Committee (2003-2005); Assistant US Attorney, United States Attorney's Office for the District of Columbia (1989-2005); and a Trial Attorney, Antitrust Division, United States Department of Justice (1985-1989).

Implement a tailored Third-Party Risk Management solution