HONG KONG (December 9, 2020) – Governance Solutions Group (GSG) Participates in PRI Whistleblower Mechanism Report.
GSG recently participated in this report as a provider of such services to corporate clients. PRI’s report specifically looks at this mechanism from the corporate investor’s perspective. They cover almost all of the most salient points except for one. We’ll summarize their points while mentioning another aspect of growing concern.
Firstly, all issuers invest on some level into mechanisms to prevent or mitigate potential reputational damage. Internal corporate malfeasance, if left unchecked, could be discovered by employees, regulators, outside stakeholders, clients, suppliers and the public at large. And, it is well documented fact that an effective whistleblower mechanism is by far the most effect method for detecting corporate malfeasance at the earliest point. In fact, over the last 15 years the ACFE[1] has found consistently that around 40% of such fraud, corruption or other wrong doing has been uncovered from such related tip-offs.
However, without a truly effective employee / stakeholder disclosure mechanism in place, many such tip-offs many not be handled properly, yielding wide-spread reputational and financial damage. So, what are the key aspects of an effective whistleblowing mechanism?
1. Tone at the Top – The board and executive management, need to show pervasive tangible evidence, showing that they care about maintaining an ethical workplace. This, certainly can be demonstrated with the published corporate vision, mission and value statements along with an effective (and widely published) code of conduct. However, more important than the policies are the implementation of such. The most tangible execution mechanism is their whistleblower program, which should be displayed prominently on the website, all of the above-mentioned policy documents, as well as signage throughout the work place. Also, companies need to ensure awareness by conducting ethics and awareness training on regular basis along with surveys to verify to all that disclosing wrong-doing is welcomed and encouraged.
2. Anonymity – Regardless of all the structural or policy mechanisms a company may put in place, “blowing the whistle” is a challenging endeavor for an individual to do, especially an employee, even if the company states that they have policies against whistleblower retaliation. Accordingly, one of the most effective best practices is utilizing a trusted third-party provider for the company’s disclosure channels. Without providing this channel, there are often too many hindrances to disclosing. Ultimately, this will lead to the company not discovering malfeasance until such issues have caused damage.
3. Availability – There are many types of stakeholders. Not only employees, but also suppliers, customers, shareholders or even the public. The access to the reporting channels should include telephone, web access, email and such in all relevant languages.
The above, perhaps counter-intuitively, is the best way to contain corporate fraud, as ultimately when the company provides a professional and well-published disclosure mechanism that provides anonymous reports to the board and vetted senior executive personal, a company is likely to receive the maximum number of relevant reports. Such mechanisms also deal with non-relevant (or out-of-scope) disclosures in the most efficient and effective manner, since the provider will be responsible for handling and showing statistics on all the types of disclosures that have occurred over time. Such transparency on the types of disclosures that have occurred (including out-of-scope) are particularly important in the event of an investor, regulator or other type of relevant stakeholder.
The above represents some of the most salient points elucidated in the December 2020 UN PRI Whistleblower Mechanism report.
That said, there is an additional area that has recently become exceedingly important. Specifically, as the world has becoming increasingly digital, data protection (especially for sensitive information) needs to be handled with care and should not cross jurisdictional borders without implementing certain data security protocols before allowing such data transfer and storage. Accordingly, companies that operate in multiple countries need a “multinational” solution, not a global solution to ensure they remain in compliance with GDPR as well as all the other jurisdictional data privacy / security regulations. China, Singapore, India, Australia, Brazil and multiple other jurisdictions have recently promulgated new regulations in this area. And, while there are many similarities, each have nuances which need to be handled on a jurisdiction-by-jurisdiction basis.
For questions or comments on any of the above points, please feel free contact us and we’d be happy to advise on specific issues for your individual situation.
[1] Association of Certified Fraud Examiners