Business Team Discussing Corporate Whistleblower Policy in a Conference Room

Risks of a Bad Corporate Whistleblower Policy

Michael Volkov

It goes without saying that the worst form of internal reporting or corporate whistleblower policy is simply having none at all. Not only are most companies required by statute or regulation to implement protocols designed to prevent and detect legal infractions, but key regulators like the U.S. Department of Justice (“DOJ”) and the U.S. Securities and Exchange Commission (“SEC”) (among others) are increasingly aggressive in enforcing laws like the Foreign Corrupt Practices Act (“FCPA”), the False Claims Act (“FCA”), and the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”).

In Europe, the new EU Whistleblower Directive is in the process of being transposed in all of the EU member states. All of these laws are designed to protect—and in some instances reward—individuals who present credible information to the federal government that leads to successful enforcement action. Given the Biden Administration’s laser-like focus on anti-bribery and corruption initiatives both domestically and internationally, it is critical that companies examine their internal reporting and whistleblower protection policies to ensure they meet regulatory standards and/or compliance best practices. 

What Are Whistleblowers? 

Broadly defined (and not particular to any statute or regulation), a whistleblower is any person that possesses credible information concerning a potential or actual violation of the law, for whom legal protection is in the form of certain anti-retaliation measures exists. Although commonly portrayed by the media as individuals involved in reporting major criminal schemes or legal violations, whistleblowers can also be individuals who have legitimate safety, health, environmental, discrimination, harassment, hostile work environment, or other concerns that fall under the purview of a multitude of state and federal agencies.

In the case of whistleblowers protected by prominent federal statutes, the potential even exists for such individuals to benefit monetarily from successful enforcement action. For instance, under the provisions of Dodd-Frank and related rules promulgated by the SEC, in certain circumstances, individuals who report violations of federal securities laws stand to benefit by virtue of receiving a certain percentage of the monetary sanctions ultimately collected by the federal government. 

The Advantages of a Corporate Whistleblower Policy

While publicly listed and traded companies are specifically required to have formal whistleblower policies by virtue of the Sarbanes-Oxley Act (“SOX”), even private companies, non-profit organizations, and other entities that are not subject to such stringent requirements should adopt such policies as a best practice. The advantages of having a fully functioning internal reporting, anti-retaliation, and whistleblower protection structure are manifold. 

First, empirical evidence repeatedly establishes that companies with a “speak up” culture routinely outperform companies that discourage their employees from reporting violations of ethical and legal norms. Second, a functioning and robust internal reporting mechanism is an essential component of a broader corporate compliance program. Numerous cases—chief among them, In re Caremark Int’l, 698 A.2d 959 (Del. Ch. 1996) and its progeny—have established the fiduciary duty of corporate directors to provide sufficient oversight of a company’s compliance program. Companies that lack an internal reporting mechanism are simply incapable of assessing whether the organization’s activities create any risk of violating local, state, federal or international laws. Such organizations are effectively operating in potentially treacherous terrain without the advantage of sight. This, in turn, impedes the ability of the organization’s compliance function to provide sufficient detail to the company’s directors to fulfill their most basic oversight responsibilities. 

The consequences for organizations that fail to detect and prevent the most obvious of legal violations can be severe. Not only are such organizations susceptible to government enforcement actions and enormous fines and penalties, but also civil liability in the form of shareholder derivative suits. In the Caremark case for instance, multiple derivative actions were brought against the individual directors of Caremark (subsequently acquired by CVS) alleging that they had breached their duty of care to the organization by failing to adequately supervise the conduct of its employees or institute remedial measures that would have prevented certain violations of the law from occurring. In Caremark, these violations included repeated instances of improper payments made to health care providers in contravention of federal laws prohibiting remuneration made to induce the referral of Medicare and Medicaid patients. Caremark’s most significant proposition is that an organization’s directors are legally obliged to ensure an adequate corporate information and reporting system exists. 

Blog CTA - RFP: Whistleblowing Software - Find the Right Whistleblower Hotline and Case Management Software

Establishing an Effective Corporate Whistleblower Policy

Establishing an effective corporate whistleblower policy begins with management commitment and requires cultural transformation. Senior members of the management team, as well as members of the organization’s board of directors must sincerely commit to the interrelated principles of transparency and accountability in the conduct of the organization’s business affairs. Once this commitment is obtained, the organization must consistently promote those principles through frequent discussions between mid-level managers and their teams, repeated company-wide communications emphasizing the importance of ethical conduct, and repeated inculcation of the notion that the organization is committed to zero tolerance for intentional legal violations. 

When actually drafting a formal whistleblower policy for adoption by the board, the organization should be as broad as possible in its definition of what a whistleblower is and how such persons are to be treated. For example, many organizations rightly choose to utilize the term “whistleblower” expansively— referring to all persons who make internal reports to the company’s compliance function and expressly prohibiting retaliation of any kind (including perceived retaliation) against such persons. Additionally, the whistleblower policy should clearly define what constitutes retaliation by providing concrete examples (e.g., an unmerited demotion, change of position, revocation of certain company privileges or perquisites available to other employees, to name just a few). Such a policy should also include the contact information of the individual responsible for enforcement of the policy (typically, an organization’s General Counsel or Chief Compliance Officer) and describe the process by which aggrieved individuals can escalate their concerns to senior management and to the board of directors, if necessary. Of course, the most crucial element of an effective whistleblower policy is both an assurance that the identity of the whistleblower will remain confidential and ideally, a description of how information concerning potential whistleblower claims will be collected, stored, utilized and eventually dispositioned. In recognition of emerging data privacy regulations—particularly in the EU and UK—companies are increasingly outlining how such personal information is stored in considerable detail. Whether in the context of the corporate whistleblower policy, a separate document retention/destruction policy or elsewhere, the storage and security of whistleblower information must be addressed by the organization. 

The Bottom Line

The protection of whistleblowers is a paramount concern of government regulators worldwide. As the sheer number of corporate scandals revealed in whole or in part by the contributions of such conscientious parties grows, organizations must take action to ensure that their identity is protected and the information they provide is appropriately processed and securely stored. Failing to take whistleblower protection seriously in this heightened enforcement environment is a virtual invitation for additional unwanted scrutiny, significant financial penalties, and perhaps most impactfully, a severely tarnished business reputation.