115PM Practical Law Three
115PM Practical Law Three
115PM Practical Law Three
This Checklist outlines the key steps to take and the This Checklist provides an overview of the key business and legal
issues to consider when setting up and operating a hotline. While this
principal issues to consider when setting up and Checklist focuses on corporate hotlines, many of the steps and issues
operating a company hotline (also referred to as an discussed also apply to hotlines in other types of organizations.
zz Section 301 of the Sarbanes-Oxley Act of 2002 (SOX), UNDERSTAND LOCAL LAWS AND CULTURE
which requires public companies to have an anonymous If the company is creating a multinational hotline that is available
whistleblower system for employees to internally report to its subsidiaries, affiliates, and other operations outside the US, it
concerns about questionable auditing or accounting matters should ensure that the hotline is:
(see Practice Note, Whistleblower Protections Under
Compliant with local laws.
Sarbanes-Oxley and the Dodd-Frank Act: SOX Whistleblower
Protections (7-501-7799)); Culturally appropriate.
Cross-border data transfers (W-007-9580) and Article, Expert Strategies to consider in launching a multinational hotline may
Q&A: EU-US Personal Information Data Transfers (W-000-8901). include:
Reporter anonymity. Some countries (such as France, Germany, Implementing multiple hotlines, for example, either:
the Netherlands, Portugal, and Spain): zz two hotlines, including one for Europe that complies with the
zz discourage or prohibit anonymous reporting; or strictest restraints in the region and one for the rest of the world
zz require companies to use special precautions when processing that meets robust US best practices; or
anonymous reports (such as a preliminary examination by a sole zz an individual hotline for each jurisdiction in which the company
reviewer). operates, with each hotline tailored to comply with local
Scope of reports. The types of reports that can be made through restrictions.
a hotline may be limited in different jurisdictions. For example, the Naming the hotline a “helpline” or “guideline” to overcome the
scope is limited in: negative connotations that may be attached to the terms “hotline”
zz France to issues of financial and accounting, workplace or “whistleblower line” (see Article, Whistleblowing: New risks, new
discrimination, harassment, and safety and environmental responses: Naming the hotline (7-520-4201)).
protection; Creating a two-way communication system for employees to seek
zz Finland, Greece, and Portugal to financial matters (such as advice or clarification on ethical, legal, or regulatory issues, so the
accounting, internal accounting controls, auditing matters, use of the “helpline” is less intimidating.
bribery, banking, and financial crime); and Providing alternative reporting methods to make communicating
zz Sweden to using the hotline only to report on company sensitive matters more comfortable for employees (for example,
executives and persons in key positions. in some countries, web-based reporting is preferred over live
telephone reporting).
Registration requirements. For example, to set up a hotline in:
Setting up easy, cheap access to the hotline and eliminating
zz France, a company must apply to the Commission nationale de
possible hurdles for reporters (for example, internet access may
l’informatique et des libertés (CNIL), the French data privacy
be unreliable in some locations or international calls may be
regulator, for authorization (see CNIL: Guideline document
cost-prohibitive).
for implementation of whistleblowing systems (10 November
2005)); and Creating targeted hotline communications for the local audience by:
zz Denmark, a company must register with Datatilsynet, the Danish zz translating hotline interfaces, materials, and communications
data protection agency. into the local language;
Employee rights. Local statutes or practices may require that the
zz avoiding terms that may be viewed negatively in the local
company: culture;
zz consult with its local worker representatives (such as works zz addressing different cultural understandings of acceptable
councils in the EU) before implementing a hotline that monitors behavior (for example, facilitation payments may violate the
employee conduct and can result in disciplinary action; company’s global anti-bribery policy but be standard practice in
the local culture; see Practice Note, Bribery Act 2010: facilitation
zz distribute in the local language any materials used to introduce
payments (3-505-3360)); and
and publicize a hotline; and
zz involving local management and personnel to promote the
zz ensure that all persons identified in a report have the right to
hotline and tailor communications and training to the local
access information provided in the report and to correct that
audience.
information.
For more information on employee rights across multiple For more discussion of strategies to implement an effective
jurisdictions, see Employment and Employee Benefits: Country multinational hotline, see Practice Note, Corporate whistleblowing
Q&A Tool. hotlines and EU data protection laws: Compliance strategies for
hotlines (1-366-2987) and Article, Whistleblowing: New risks, new
ACCOUNT FOR CULTURAL SENSITIVITIES responses: Local considerations (7-520-4201).
In some countries, the culture and history have made whistleblowing
either a sensitive subject or taboo. A multinational hotline requires SELECT A HOTLINE VENDOR
careful design and implementation to address cultural obstacles,
CONSIDER OPTIONS FOR MANAGING THE HOTLINE
such as a:
Lack of trust in the internal system.
The company should determine whether to manage its hotline
internally, such as through its human resources, legal, or compliance
Suspicion that a hotline threatens privacy rights.
department, or externally, by engaging a hotline vendor. There
Misguided sense of loyalty to the union or work group. are several advantages to having an externally managed hotline,
Belief that management is not held to the same standard. including:
Fear of entrapment by management. An external vendor may be seen as an unbiased third party and
Dialing an external number or speaking with someone who Insurance. Confirm that the provider has sufficient insurance
does not work for the company may create a more comfortable coverage for the services provided.
environment and help assure potential callers of anonymity. Other benefits. Ask what other service benefits are included in the
Having an external call center increases availability, consistency, agreement, such as:
and quality recordkeeping in handling calls. zz system customization;
The company can reduce costs by not having to hire full-time zz hotline posters and hotline-related policy templates; and
employees to provide 24-hour hotline coverage.
zz assistance with employee training on the existence and use of
If the company is large or has multiple locations, a hotline vendor the hotline.
can manage the administrative and logistical challenges and
provide more sophisticated case management, which can aid in
creating an appropriate and timely response.
CUSTOMIZE HOTLINE FUNCTIONS
Once the company has selected a hotline vendor, it should create a
EVALUATE COMMON HOTLINE FEATURES cross-functional team (including legal, compliance, human resources,
and IT personnel) to customize hotline functions with the vendor,
If the company has decided to engage a vendor to provide and such as:
manage the hotline, the company should compare several vendor
Designing the website for the hotline, which is usually hosted by
candidates by viewing demonstrations of the hotline and evaluating
the following hotline features: the vendor and generally includes:
The seniority and training to handle sensitive company information (see Practice Note, Discipline and Discharge Under the National
and employee data. Labor Relations Act: Grievance Procedures (7-523-7065));
Sufficient authority to take necessary action when the company zz coordinating investigation-related activities by internal groups
receives hotline information. such as legal, compliance, human resources, internal audit, and
accounting;
For a discussion on appointing individuals with compliance
responsibilities, see Practice Note, Developing a Legal Compliance
zz communicating report contents and investigation status to
Program: Build a Team of Compliance Personnel (4-606-5696). internal authorities (such as the audit committee or the full
board of directors and senior management) and external
DRAFT A HOTLINE POLICY regulatory bodies, as necessary; and
Draft a hotline policy that encourages employees to speak up when zz maintaining hotline reports and related records under the
they have legitimate concerns about misconduct. An effective hotline company’s record retention policy. For general guidance on
policy should: retaining and disposing of company records, see Practice
Note, Drafting a Document Retention Policy (0-506-7349) and
Be simple and easy to understand.
Records Management Toolkit (2-520-1257).
Communicate the company’s objectives for the hotline and the
For more information on responding to reports and conducting
responsibilities of employees to report misconduct.
internal investigations, see Conducting Internal Investigations:
Clearly set out the standards of behavior expected of employees. Addressing Employee Complaints and Compliance Issues Toolkit
Describe the types of misconduct that should be reported (for (2-502-1874) and Practice Note, Developing a Legal Compliance
example, harassment, fraud, corruption, conflicts of interest, and Program: Seven: Follow-up and Investigations of Complaints and
embezzlement). Violations (4-606-5696).
Explain who has access and when, why, and how to use the hotline. Facilitate the company’s communication with hotline reporters to
Offer multiple communication channels for reporting information request additional information and follow up on the progress of
(in addition to the hotline), such as: the investigation.
zz an internal reporting chain (such as the employee’s manager, the Emphasize and maintain the confidentiality of reports (see Practice
corporate ombudsman, or the human resources, compliance, or Note, Handling Employment-Related Internal Investigations:
legal departments) for in-person reporting (for a sample internal Confidentiality (1-501-9452)).
complaint form, see Standard Document, Discrimination/ Include a support strategy for reporters that identifies and
Harassment/Retaliation Complaint Form (8-501-8053)); addresses risks of reprisal, workplace conflict, or other adverse
zz a dedicated email address; treatment (see Prohibit Retaliatory Conduct).
zz a dedicated fax number; and Enforce the company’s policy of non-retaliation (see Prohibit
Retaliatory Conduct).
zz a dedicated mail address (for example, a P.O. box).
Comply with local law (see Understand Local Laws and Culture).
Outline the procedural steps involved in investigating any concerns
and the steps that the company may take if the investigation PROHIBIT RETALIATORY CONDUCT
establishes misconduct (see Best Practices for Employee Discipline
Checklist (0-501-7972)). Retaliation against employees for reporting misconduct may be a
SOX violation, expose the company to liability under state laws for
Emphasize that employees who report concerns in good faith will
wrongful discharge, and run afoul of local whistleblower protection
not be subjected to retaliation and set out the consequences of laws in non-US jurisdictions (such as Canada, China, Japan, and the
retaliation (see Prohibit Retaliatory Conduct). UK). To minimize the risk of retaliation, the legal, compliance, and
Clarify that employees: human resources departments should take precautionary steps,
zz are not protected from the consequences of their own including the following:
misconduct by using the hotline (but may be granted immunity Discuss with reporters any concerns they may have about
or more lenient treatment); and retaliatory conduct and ask reporters to flag any potentially
zz face disciplinary action if they provide false or deliberately retaliatory acts (for example, being reassigned to an undesirable
misleading information. location or being excluded from important meetings).
Review any performance management (such as decisions
PREPARE OPERATING PROCEDURES concerning compensation, performance reviews, and promotion)
Prepare operating procedures for the hotline that: or disciplinary action before implementing against a reporter to
Set a protocol for case management and investigation of hotline ensure that the action is not:
reports, including: zz being taken for retaliatory reasons or timed in a way that creates
zz routing and assigning incidents to appropriate personnel while that impression;
managing conflicts of interest and segregation of duties; zz less favorable because the employee came forward with
zz if collective bargaining agreements are in place, properly concerns; and
directing hotline reports that are covered by a grievance process zz dissimilar to how other employees in a similar situation are
treated.
Document the precautionary steps taken by the company to root zz explain that hotline reports may be made anonymously (to the
out the risk of retaliation (for a sample form to record retaliation extent permitted under local law);
investigation findings, see Standard Document, Discrimination/ zz emphasize that information received through the hotline is
Harassment/Retaliation Investigation Determination Form kept confidential (to the extent appropriate) (see Practice
(4-501-8050)). Note, Handling Employment-Related Internal Investigations:
For more information on whistleblower protections in the US, see Confidentiality (1-501-9452)); and
Practice Notes, Whistleblower Protections Under Sarbanes-Oxley zz confirm that all reports are considered seriously and acted on
and the Dodd-Frank Act (7-501-7799). appropriately.
Initiatives to create and maintain awareness of and use of the
For an overview of whistleblower protections across multiple
hotline. For example, consider having:
jurisdictions, see Financial and Business Crime: Country Q&A Tool,
Question 33 (W-006-7086). zz hotline posters placed in conspicuous, public spaces (such as
breakrooms and restrooms);
For resources to help the company minimize the risk of retaliation, zz hotline wallet cards and brochures distributed to all employees
see:
with instructions on how to access the hotline online or via the
Preventing and Responding to Retaliation Complaints Checklist. toll-free telephone numbers listed;
Practice Note, Retaliation (5-501-1430). zz targeted hotline messages included in regular employee
Practice Note, Health and Safety in the Workplace: Overview: communications (such as newsletters, intranet postings, town
Employee Complaints and Prohibition Against Retaliation halls, and department meetings);
(9-500-9859). zz interactive games and contests offered throughout the year to
Standard Document, Anti-Retaliation Policy (8-503-5830). promote the hotline, with awards and prizes promoting hotline
information; and
PROMOTE AND LAUNCH THE HOTLINE zz periodic reminders of the purpose of the hotline, integrated into
the larger corporate awareness programs on compliance and
Ongoing marketing and promotion are integral parts of a successful
ethics and loss prevention.
hotline launch and its continued operation. A hotline marketing
campaign should generally include the following: Demonstrations of the hotline’s effectiveness. For example,
consider:
Strong communication from senior management. Best practices
include conveying a message that: zz following up with employees on the actions taken in response to
their reports;
zz management clearly supports the hotline and demonstrates
leadership commitment to the program; zz explaining the positive changes made as the result of hotline
reports;
zz the hotline is not a “big brother” tool, but a positive way to
maintain a culture of integrity (for example, by using words zz publicly acknowledging successes, such as assets recovered and
such as accountability, transparency, responsibility, fairness, attempted misconduct prevented; and
opportunity, and corporate citizenship instead of fraud, zz communicating investigation outcomes in generic or
corruption, embezzlement, bribery, and crime); anonymized terms to build confidence that employees are using
zz the company values employees coming forward with concerns; the hotline and their disclosures are encouraged and dealt with
and appropriately.
zz if the company desires, reporters may be eligible for incentives TRAIN MANAGERS
(such as cash rewards or extra vacation days) for substantiated
reports that identify misconduct and corporate waste or that The company should train its directors, officers, managers, and
recover resources and savings for the company (see Article, supervisors to understand:
Whistleblowing: New risks, new responses: Whistleblowing Their role in setting the tone from the top and tone from the
incentives (7-520-4201)). middle by modeling ethical behavior and creating an environment
Meetings with employees (including new hires). Introduce the that encourages the reporting of concerns (for a discussion of
hotline program and: the board’s role, see Article, Board Assessment of Compliance
Programs: Reporting (W-006-5910)).
zz review the company’s policy on compliance and business abuse
(see Practice Note, Developing a Legal Compliance Program: Hotline operating procedures and use of the hotline.
Four: Ongoing Training and Communication on Compliance The steps to properly address complaints of misconduct and
Matters (4-606-5696)); avoid retaliatory actions (see Standard Documents, Whistleblower
zz encourage employee buy-in by explaining how the loss caused Reporting: Presentation Materials (W-002-7300) and Responding
by employee misconduct results in the loss of resources and to Employee Concerns: Supervisor Guidelines (7-501-8765)).
opportunities for everyone at the company; Company protocols for keeping detailed records of employee
zz assure employees that their good faith reports are protected and performance so that an employee who is disciplined or
can be made without fear of retribution (see Prohibit Retaliatory terminated cannot falsely claim protection under whistleblower
Conduct);
laws. For guidance on effective performance management and zz make test calls to the hotline to check the quality of the operator
recordkeeping, see: service;
zz Practice Note, Conducting Employee Performance Reviews zz check the vendor’s timeliness in conveying hotline calls and
(7-505-9572); translated hotline reports to the company; and
zz Best Practices for Employee Discipline Checklist (0-501-7972); zz evaluate the quality of those vendor reports.
and A review of the volume and quality of reports received by the
zz Standard Document, Employee Counseling Form (1-501-5595). hotline. For example, heavy hotline usage may indicate significant
compliance issues or conversely, that the hotline is working.
TRAIN EMPLOYEES
Interviews and surveys of employees. The company should
The company should conduct formal training programs (such as understand how employees view the hotline and if they feel
through live training at each employee site and e-learning) for all comfortable reporting misconduct.
managers and employees who are given access to the hotline to An assessment of the steps taken following receipt of a hotline
explain: report. Confirm that hotline policies and procedures are being
The laws and policies applicable to the company and them (for followed and action taken in a timely manner.
a collection of business briefings, memoranda, and presentation Benchmarking of hotline metrics across time or against industry
materials that can be used for training, see In-House Training and peers. For example, benchmark the:
Guidance Center (2-564-2345)).
zz number and types of reports and inquiries per period;
Who has access and when, why, and how to use the hotline.
zz rate of employee use;
Hotline benefits.
zz complaints by location, division, or claim type;
How to recognize red flags of fraud and bribery as well as unlawful
zz percentage of anonymous complaints;
sexual harassment, discrimination, immigration impropriety, or
other misconduct. For example, see: zz time spent per report from report receipt to case closure; and
zz Practice Note, The Foreign Corrupt Practices Act: Overview: zz percentage of complaints investigated and substantiated.
Recognizing Red Flags (0-502-2006); Continual updates to the hotline program as necessary. Hotline
zz Foreign Corrupt Practices Act (FCPA) Training for Employees: program updates should take into account the results and
Presentation Materials (2-586-5086); recommendations developed from the company’s assessment of
the hotline.
zz Complying with US Export Control Regulations Checklist:
Perform Due Diligence and Spot Red Flags (1-520-0908); For more information on compliance audits and hotline assessments,
zz Preventing and Responding to Sexual Harassment Complaints see Practice Note, Developing a Legal Compliance Program: Nine:
Checklist (4-500-4326); Monitoring and Auditing of Program Effectiveness (4-606-5696)
zz Preventing and Responding to Discrimination Complaints and Article, Whistleblowing: New risks, new responses: Evaluating
Checklist (5-500-1450); and hotlines (7-520-4201).
zz Drafting an Employment Eligibility Verification Compliance
Policy (8-509-5999).
For more information on compliance training, see Practice Note,
Developing a Legal Compliance Program: Four: Ongoing Training
and Communication on Compliance Matters (4-606-5696).