- That my complaint was properly documented,
- The information that I provided and my identity would be kept confidential (if the company does indeed accept anonymous reports),
- Only certain authorised individuals would have access to my complaint (and not the ones I have complained against or those closely associated with them), and
- The audit committee which is responsible for overseeing the whistleblowing policy would be made aware of my complaint and makes the decision as to whether it should be further investigated?
Today, the company has outsourced the management of the reporting platform to one of the Big Four accounting firms. I have not tried calling again.
Consider these other real-life cases. In one large organisation, an employee made a complaint to the independent board chairman about bullying behaviour by a relatively new business unit head who had been appointed by the group CEO. After more than two months, the employee received an acknowledgement from the board chairman that he had tasked the group CEO to investigate the matter.
REASONABLE TIME?
Meanwhile, the bullying behaviour continued. Nothing further was heard by the employee and no action was taken. Was more than two months a reasonable time to acknowledge a complaint from a whistleblower who had identified himself? Was the group CEO, who had appointed the business unit head, the right person to investigate the matter? It is difficult to imagine the whistleblowing policy working in this organisation.
While whistleblowing policies almost always provide that complaints can be made to the chairman of the audit committee, they may also provide for other persons or channels for reports to be made to.
In practice, whistleblowing policies may also provide for reports to be made to line managers, CEO, CFO, company secretary, legal counsel, head of internal audit, ethics officer, and others.
In another organisation, an audit committee member asked one of the persons designated to receive complaints as to what he would do if he received a complaint. That person said that he would review it to determine if there was any merit. When asked what if he thought there was no merit, he said he would “throw it into the rubbish bin”. The audit committee was left wondering if any genuine complaints ended up in the rubbish bin.
This is an extreme example but companies that provide for a number of channels (mail, email, online submission, calls) or persons for reporting should ensure that all complaints received are properly documented and brought to the right level for a decision as to whether an investigation should be initiated.
In a multilateral agency with global operations, a presentation requested by the audit committee showed that very few complaints were received through the “hotline”. The committee was surprised, given the high corruption risk in some of the countries that this agency was operating in. Rather than just accept what was presented, the committee asked why there were so few complaints through the “hotline”.
Was it because of a fear of reporting? Or lack of employee awareness of the policy? Or were complaints somehow “lost within the system” and not documented and escalated? Or was there a more serious corporate culture problem with employees feeling that misconduct is tolerated?
The committee asked to review the whistleblowing policy and did a walk-through of how it actually worked, including how reports can be made. Among other things, it found that the link on the website for making reports was not easy to find. Those who wished to make a report then had to click on a link to do so.
This triggered a discussion as to whether employees may be afraid that clicking a link on the website may enable their location or identity to be traced, and whether certain employees would feel safe making reports.
The committee felt that the lack of reports through the “hotline” may have been due to a combination of lack of awareness and fear of reporting. The organisation then took steps to address these concerns, including explaining in its fraud awareness training how employees can make reports, making the policy and channels more accessible on its website, and engaging an external service provider to manage the hotline.
The audit committee also received regular updates and discussed with the head of investigations about complaints received, whether an investigation was to be opened, status of ongoing investigations, closure and follow-up actions (if any).
How many audit committees actually ask for statistics on whistleblower complaints? How many would question if there are consistently no or few complaints? How many would seek to understand the details of complaints and have a thorough discussion as to whether to proceed with proper investigations? How many would ask the internal audit to not only review the policy but also the effectiveness of its implementation?
A number of large Singapore companies are doing business in countries and industries where bribery risks are known to be high. Do audit committees and boards of these companies ensure that their whistleblowing policies are effective and ask questions as to how their companies are able to do business while complying with applicable laws? Or do they just say they did not know after the company is caught?
No complaints or few whistleblowing complaints does not necessarily mean all is well. I remember one large Singapore company proudly proclaiming in its annual report some years ago that there had been zero whistleblowing complaints that year. Looking at the size of the company and its business, I would have doubts about the effectiveness of its policy.
For those who think that fear of being traced is just whistleblower paranoia, in 2018, Barclays and its CEO Jes Staley were sanctioned by regulators for the CEO attempting to discover the identity of an anonymous whistleblower. Last year, an audit committee member of a listed company told me that a service provider pitching for work said that they could help companies identify the source of whistleblowing complaints. To be clear, this is not one of the major accounting firms that provide ethics hotline services.
ADEQUATE PROTECTION
It is commendable that Singapore Exchange Regulation (SGX Regco) is proposing to “hardcode” into the listing rules the requirement for all listed companies to have a whistleblowing policy. However, what this article suggests is that this is just another small step.
In addition to implementation issues such as those discussed in this article, whether whistleblowing policies are likely to be effective depends on a number of other factors. Most important of all is the corporate culture of the company. Without an ethical corporate culture, the four lines of defence – with the whistleblowing policy as part of the first line – has little chance of being effective.
The company mentioned at the start of this article had introduced its whistleblowing policy when it was first recommended in the 2005 edition of the Code of Corporate Governance. However, this failed to prevent a major bribery scandal that occurred over an extended period of time.
Second, whistleblowers should feel safe when reporting, and therefore the policy should provide adequate protection for those who make reports in good faith and with reasonable belief. This means, minimally, protection of their identity, protection against reprisal actions, and a proper appeal process.
The absence of a comprehensive whistleblowing protection law in Singapore and lack of incentives or rewards encouraging whistleblowers to come forward (with minor exceptions such as whistleblowing about tax matters), coupled with weak corporate culture and implementation deficiencies, are likely to hamper the effectiveness of whistleblowing policies in many companies, despite the best intentions of SGX Regco.
- The writer is an associate professor of accounting at the NUS Business School, where he specialises in corporate governance.
