The Critical Dataset: HR, Hotlines and Incident Management
It is easy to get swept up into compliance trends, prognosticators of the future, and future compliance terms such as “artificial intelligence,” or “blockchain.” Do not get me wrong, these are the terms for the future and eventually they will be part of common compliance conversations.
But sometimes we need to get back to basics. In some cases, Chief Compliance Officers need to remind themselves of important basic principles. In this way, consistent compliance foundations can be built and program expectations are manageable.
While much has been written about “operationalizing” a compliance program, the term leaves out some important concepts. Sometimes internal constituencies do not play well with others. I am always surprised when speaking to compliance professionals about the lack of cooperation and coordination among natural brothers/sisters in arms.
Take, for example, the respective roles and responsibilities of human resources and compliance. In some cases, CCOs have complained that HR professionals will not “share data.” That is an odd problem and one that is hard to understand. HR and compliance are natural allies, they should be transparent with each other, and coordinate regularly.
One critical area to work together is incident data and overall management. HR has access to employment issues, complaints and overall working conditions and issues. Compliance has access to hotline complaints that are received through the hotline system. In most cases, HR issues that come in through the hotline are investigated and resolved by HR.
HR also receives lots of data from “walk-in” complaints, as well as non-hotline complaints. Sometimes HR receives complaints on non-HR topics or mixed topics (e.g. HR and fraud, conflicts of interest).
Compliance has a basic responsibility to collect, review and analyze data concerning all reporting and investigations. The Justice Department’s Evaluation Guidance issued in late April 2019 specifically mandated this responsibility as part of a company’s reporting and investigation function.
Under this responsibility, HR has to share incident data with compliance, whether reported formally or informally, and compliance should track, monitor and measure such data for purposes of managing the company’s culture and risks. No longer can HR maintain sole custody and responsibility over HR data since such data is a critical source of information needed by compliance.
With the data, compliance has to look for trends based on types of concerns, individuals involved, regions, business lines, specific functions, and other relevant factors. This data is something that can provide valuable insights into a company’s culture and provide opportunities for compliance to intervene proactively to address potential problems before they increase.
For example, a company might be able to identify a pattern of employee complaints focused on a specific supervisor or manager in a region or business line. Such misconduct, while not rising to the level of disciplinary response may indicate potential morale problems that can quickly translate into more serious employee misconduct (or supervisory misconduct).
Compliance is the keeper of a company’s culture and can use incident data to monitor employee perceptions and potential problems. It is essential that compliance have access to employee conduct data across the organization – “line-of-sight.” From this vantage, a CCO can exercise his or her discretion to focus on specific trends, intervene when necessary and implement proactive solutions.
Mr. Volkov,
If I may be candid for a moment… in today’s corporate culture, there is no compliance, no corporate governance, and no ethics within the framework of regulated corporations. Yes, regulations do exist, and they are well defined, well written, and well intended. But, not unlike a child that is not taken to task for his misdeeds, there is no enforcement… we all know that as fact, including the compliance teams within an organization.
One could ask how we got to this abysmal chasm of neglect. The answer is simple. We no longer prosecute individuals, and individuals are no longer held responsible for their actions. Somewhere in our mentality, we decided we could “prosecute” the corporate structure itself, through the use of disclosure agreements. There are no longer any criminal penalties for wrongdoers… there are fines.
Like the child that has his allowance taken away for his misbehavior, and sent to his room, corporate America is similarly charged with those same penalties. As a young child growing up on a farm, I knew often the sting of a wooden switch taken from a tree in my backyard. As I grew older, I did not hate my parents for their strict “regulatory enforcement,” and I passed on the tradition to my own kids, who today still love their elderly parents.
Unfortunately, today we are seeing the final act of crime and corruption in today’s society with the passage of the SECURE Act and the SEC Regulation Best Interest ruling. The hard working individual retirement saver will ultimately pay the price for these two bills, which give insurance companies a broad brush to wipe clean retirement savings with no accountability and no penalty for misleading 401k Plan employers.
The future is bleak for investors, mainly due to the lack of compliance and the continuing saga of crime and corruption in corporate America. You are moving in the right direction with your remarks…. if only your readers would listen and act on your message.