Skip to content

How to Choose a Compliance Hotline Provider

Oversight of the whistleblower hotline is a central duty for corporate compliance officers. More than that, the whistleblower hotline is instrumental to the broader success of your compliance program; if the hotline doesn’t fit within everything else your program is doing, your program won’t work well. So selecting a compliance hotline provider is one of the most important and consequential decisions a compliance officer makes.

Dealing with the hotline — making it work, showing others how to use it, assuring that hotline reports can be handled by the rest of your program — is something that consumes a compliance officer’s time every day.

In that case, how should one approach that decision? What do you need to consider when choosing a hotline provider, and how do you know that the choice you made is working? Let’s explore those questions today.

Why Do You Need a Compliance Hotline, Anyway?

That’s easy. You need a whistleblower hotline to comply with the law, period. In fact, you need a whistleblower hotline to comply with numerous laws, both within the United States and around the world.

For example, the Sarbanes-Oxley Act requires publicly traded to maintain a system for employees to submit allegations of financial misconduct (including anonymous submissions) to the board. Various state and federal contracting laws require employee hotlines if you want to bid on government contracts. The U.S. Sentencing Guidelines specify that for a business to have an effective compliance program, and therefore be eligible to win discounts on penalties for corporate misconduct — the company must have a whistleblower hotline.

That’s just within the United States. Around the world, we’ve also seen other countries adopt requirements for whistleblower hotlines too. Most notably these days, the European Union’s Whistleblower Protection Directive goes into effect at the end of 2021; it includes provisions for whistleblower hotlines.

It’s also true that businesses with a strong internal reporting culture also tend to achieve better performance across a range of metrics, so every company should implement a whistleblower hotline. But in the analysis that matters most, large organizations must adopt whistleblower hotlines because it’s the law; they have no choice.

What Does ‘a Hotline’ Actually Entail?

Contrary to what one might assume, the whistleblower hotline does not specifically need to be a telephone hotline. Nowhere in the Sarbanes-Oxley Act, or the SEC’s implementing regulations, is the word “telephone” ever used.

Rather, your compliance hotline provider should have an internal reporting mechanism that employees, business partners, and other third parties can use to bring concerns about misconduct to senior management’s attention. “Hotline” is more a concept than a physical thing such as a telephone, and in practice, your hotline system will probably exist in multiple formats.

For example, your whistleblower hotline system can also include anonymous submissions by email or webpage. It could potentially be accessed via employees’ personal phones or tablets, where they might collect evidence and background material until they’re ready to submit one whole package. It can even be a suggestion box mounted to the wall of a physical office. And, yes, it can be a telephone hotline.

Most large companies will use all of these channels in various ways, cobbled together in one whistleblower system. Regulators will have two primary concerns.

  • First, is the hotline system accessible to employees? For example, do you only allow electronic submissions, but many factory employees have no access to computers? Or do you only receive complaints in English, when many workers speak other languages?
  • Second, can employees submit complaints anonymously? Or does your submission form require the reporter to include his or her name?

So long as you can answer “yes” to both questions, use whatever hotline methods work best for your business.

Blog CTA - RFP: Whistleblowing Software - Find the Right Whistleblower Hotline and Case Management Software

How to Consider Your Compliance Hotline Provider Needs

As you consider various compliance hotline providers, you’ll need to work through several basic questions — issues that are important to any corporate whistleblower program, even though every company has its own unique needs. So be sure to get satisfactory answers to questions such as:

  • Does the hotline work in multiple formats? As we mentioned above, your whistleblower program will likely need to encompass multiple channels including a telephone hotline and webpage submissions. You may want different formats for different regions. Be sure the provider can meet those needs.
  • Does it work in multiple countries? Something as mundane as establishing a local hotline phone number in specific countries can be surprisingly difficult. Assure that your hotline provider can, in fact, provide hotline channels in the countries where you operate.
  • How easily can you customize forms and questionaires? Ideally, you want to “pre-load” forms and questionaires for certain issues that are likely to arise frequently at your business (say, sexual harassment or kickback schemes), so you can expedite investigation and resolution. Be sure your provider allows for easy tailoring of intake forms.
  • Can the system help you collect evidence? Say an employee wants to alert you to financial fraud, and has a collection of sales receipts or transaction records to prove it. Can your hotline provider allow for online submission of supporting evidence?
  • Who answers the call? Will calls to the hotline be routed to call center workers who speak the language of the reporter? Where, physically, is any data related to hotline tips being stored? (An important point for privacy considerations.) How are call center reps trained? What’s the turnover of those call center employees?
  • Can you analyze reporting statistics? You want to track metrics such as total number of reports, and number of reports classified by region, issue, business unit, and other factors. You also want to track reports of retaliation, since that’s a warning sign of a rotten corporate culture. You want to track all this data over time, too; so you can see how training and policy changes might drive hotline issues, and vice-versa.

How Will the Hotline Support the Rest of Your Program?

This is, perhaps, the most important question of all. Whatever compliance hotline provider you choose, the hotline needs to support the rest of your compliance program.

For example, if your hotline generates lots of reports, but you can’t seamlessly flow those reports into an investigations and case management system, then you’re still stuck with a manual compliance process (importing the reports into the case management system) that’s prone to error or abuse.

Also remember that most internal reports don’t come over a hotline; employees report them to managers. So you need to train your managers to recognize an internal report when they see one — and give them a way to feed that in-person report into your hotline and case management system. That system must also guarantee the confidentiality of whistleblowers every step of the way, too.

In other words, your whistleblower hotline — no matter how robust and versatile it might be unto itself — should not be an isolated part of your compliance program. It needs to mesh with the other elements of your program (case management, investigations, reporting, policy development, training) so that each one supports all the others.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.

Implement a tailored Third-Party Risk Management solution