MANAGING OUTSOURCED REPORTING SERVICES EFFECTIVELY

WOULDN’T YOU LIKE TO KNOW? 

MANAGING OUTSOURCED 

REPORTING SERVICES EFFECTIVELY 

CONTENTS 

Brian Adams 

Introduction 2 

The Origins 3 

Recent Trends 4 

The Regulatory Framework 5 

Why Establish a Reporting Service? 8 

An Internal or an Outsourced Service? 10 

Guideline for Managing Disclosure Reports 13 

Rewards – To Pay or Not To Pay? 16 

Commitment from the Subscriber 17 

Cultural Issues 17 

Conclusion 18 

Appendix A – Rate Your Existing Outsourced Reporting Service 19 

___________________________________________________________________________ 

Brian Adams is a pioneer of hotline reporting services in South Africa having started his first service in 1999. He 

currently heads up Honey Badger Solutions (Pty) Ltd which operates the Be Heard® service which is accredited 

to the Ethics Institute of SA External Whistle-blowing Hotline Service Provider Standard EO 

1.1.1.

2 

INTRODUCTION 

Having been personally involved in the outsourced hotline disclosure business since 1999, it 

is absolutely clear to me that the difference between success and failure is marked by the 

total commitment, direction and example-setting from the top leadership of an entity. In fact 

I will say without hesitation that if the tone is not set from the top, introducing an outsourced 

reporting service (ORS) is a pointless and fruitless exercise. 

Top management commitment has to be coupled with an unwavering commitment to meet 

the other three critical success factors which separate those organisations, who really 

achieve outstanding results and the others, they are 

o Building an ethical culture. 

o Continuous awareness communication. 

o Commitment to following-up and investigating every report consistently, objectively 

and regardless of the seniority of the employee. 

That said, there are sadly still organisations who introduce an ORS because it is a box that 

needs to be ticked on a corporate governance checklist (or because a non-executive director 

has insisted) and show no commitment whatsoever to its success. 

Having a reporting service is like having an intruder alarm or an electric fence. If they are not 

maintained or switched on they simply won’t work! 

As I write this updated version of this document it is more than 16 years since the first 

commercial ORSs were introduced in South Africa. As these services have been progressively 

introduced throughout private and public organisations in South Africa incredible results have 

been achieved – some of which have become the stuff of legend. In fact, according to the 

results of most surveys and studies, these reporting services are by far the most successful 

single intervention in the fight against white-collar crime. 

The Association of Certified Fraud Examiners (ACFE) Global Report to the Nations on 

Occupational Fraud and Abuse for 2014 once again found that, what they call, “Tips” were 

significantly the largest “Initial Detector of Occupational Frauds” at 42.2%. This 

has dropped slightly from 43.3% since 2012. The 2 nd and 3 rd interventions were 

“Management Review” at 16% and “Internal Audit” at 14.1%. 

What none of the surveys or studies cover is the relative cost-effectiveness of these 

interventions and, while we have already established that reporting services are significantly 

the most effective, I believe that they are by far the most effective per Rand. One need 

merely compare what an organisation spends on security guards and internal audits 

compared to what they pay their reporting service provider to prove that thesis. When one 

Version 2015-01 © BE HEARD 2015

ears in mind that the monthly subscription for most ORSs is normally a fraction of the cost 

of one security guard and if we then compare the respective return, it is really a no-brainer! 

3 

So the bottom-line is that (if properly managed) ORSs are still (and will for some time be) the 

most cost-effective and successful intervention in the fight against white-collar crime and 

inappropriate behaviour in the workplace! 

THE ORIGINS 

Before defining and unpacking the nuances of successful ORSs it is important to briefly recall 

the origins of this very valuable risk management tool. 

It is widely accepted that the findings of the United States Presidential Commission – known 

as the Rogers Commission which was established by President Ronald Reagan - that followed 

the explosion that destroyed the NASA Challenger Space Shuttle on 28 January 1986 and 

cost the lives of six astronauts - including a teacher Christa McAuliffe - provided the model 

for all present day reporting services. 

Very simply, the spacecraft exploded in a ball of fire 73 seconds after the launch (while 

travelling at 684 meters per second) as a result of a defective O-ring seal on a solid rocket 

booster. The important finding of the commission was that the mission control management 

were advised of the threat but decided not to act on it. There was considerable pressure on 

the mission control management for the launch not to be delayed for a number of reasons – 

not least the hype surrounding Christa McAuliffe – and this may have clouded the judgement 

of the decision-makers to give the launch the green light. 

The commission concluded that if a communication channel had been available which 

stakeholders could have used (possibly even anonymously) to report their serious concerns to 

an independent entity, the tragedy could have been averted. 

Thus the seeds of independent reporting services the world over were sown in the USA in 

1987 and the first ORS providers started operating in South Africa in 1999. 

RECENT TRENDS 

When we pioneered outsourced whistle-blowing services, tip-off services, forensic reporting 

services or whatever you want to call them, they were viewed by many senior executives as 

the great panacea that was going to wipe out crime, catch all the crooks and generally solve 

all their problems on the risk management front. 

There is a tendency in most fields of endeavour to grasp an attractive solution with both 

hands and expect it to be the great panacea that will solve all existing problems at the 

expense of all others. Many people adopted this view of Close Circuit Television (CCTV) and 


electric fences in the past and sadly some organisations also consider this to be the case with 

reporting services. 

My philosophy of risk management is simply that one needs the skills of a competent risk 

management professional to integrate all the appropriate solutions available in the right 

combination to ensure that the most effective outcome is achieved for each specific 

organisation. This is rather like the analogy that a pile of building materials only become a 

home once an architect and skilled tradesmen have put the components together in the most 

optimum manner. A group of musicians, no matter how skilful each may be, only become an 

orchestra and produce sublime music once they unite under the baton of a conductor to 

reveal the mysteries of a composers score. 

The obvious conclusion is that a reporting service, while being an excellent (and almost 

indispensable) component of a well-structured risk management strategy, is never going to 

really live up to its potential unless it is skilfully integrated with other complementary 

solutions. 

Taking it a step further, and no matter what level of service is provided by the ORS, it is 

never “going to work” in an ethical desert! I have recently had two subscribers who, for one 

reason or another introduced an ORS and after a year cancelled their subscription because 

they didn’t achieve the results that they expected. 

4 

Whereas even 15 years ago most risk management effort and resources were of a reactive 

nature (like investigations), the trend lately has been to introduce proactive measures to 

identify unlawful and inappropriate behaviour in the workplace. ORSs fall firmly into that 

category. 

For years in risk management we have talked about the, entirely unempirical, 10:80:10 rule. 

This rule states that 10% of your employees will always behave ethically no matter what the 

circumstances, 10% will always look for opportunities to break the rules and take short-cuts 

and cut corners and the 80% majority will move between the two ends of the spectrum 

depending on the ethos of the particular organisation. 

Clearly the objective is to move as many employees as possible to the “good guy” end of the 

spectrum and either get rid of or transform the bad apples. That said, we are still (quite 

rightly) spending a lot of effort on keeping the “dodgy” 10% out of the organisation by 

introducing effective pre-employment processes and in identifying, apprehending and 

disciplining those that are already in the organisation but I don’t believe that we are doing 

enough to build a team of “good guys” and to celebrate their ethical behaviour. 

From the time when ORSs were introduced they were accommodated firmly in the 

compliance space. It was all about policies, procedures, rules and instructions. In most 

organisations the internal audit and/or forensic manager was responsible for managing the 

service. The original communication themes were all about catching the crooks. 


5 

REGULATORY FRAMEWORK 

Over the past 16 years the legislative framework governing the operation of ORSs has 

changed significantly. 

Government has also been very active and has set clear guidelines, strategies and plans for 

the establishment of reporting services in the public sector. The Public Finance 

Management Act, 1999 (Act 29 of 1999) and the related regulations led to the Public 

Service Commission establishing a National Anti-corruption Hotline in September 2004. 

On 16 February 2001, the Protected Disclosures, 2000 (Act 26 of 2000) became 

effective and provided a first and important legal framework for reporting services in South 

Africa. (Go to www.home-affairs.gov.za/PDF/Protected%20Disclosures%20Act.pdf for a PDF 

version). Unfortunately, despite the need for the Act to be amended and periodic rumours of 

amendments being imminent none have been forthcoming. In 2014 the Protected Disclosures 

Amendment Bill was published but notwithstanding follow-ups to MPs there is no certainty 

when this will be considered by parliament. 

The private sector really took the lead in recommending reporting services in the second 

King Report on Corporate Governance with the Chairman Mervyn King being quoted as 

saying that providing a reporting service makes “good hard business sense”! This report 

which was published in 2002 also recommended the establishment of “easily accessible safe 

reporting channels” to “support embedded ethical business practices”, for the benefit of an 

organisation’s stakeholders. 

King III was published in 2009 and one of the principles was that “the audit committee 

should be an integral component of the risk management process” and more specifically that 

the “… audit committee should review arrangements made by the company to enable 

employees and outside whistleblowers (including customers and suppliers) to report in 

confidence their concerns about possible improprieties in matters of financial and 

sustainability reporting, or non-compliance with laws and regulations …” 

Other initiatives have added impetus to the requirement for reporting services. The 

sentiments contained in the Sarbanes-Oxley legislation, which was adopted in the USA after 

the Enron and Anderson debacles, have cascaded into the South African economy and many 

entities in the public sector (especially listed companies) have adopted these guidelines. 

The Companies Act, 2008 (Act 71 of 2008), provides in Section 159 (7) that 

“A public and state-owned company must directly or indirectly – 

(a) establish and maintain a system to receive disclosures contemplated in this section 

confidentially, and act on them; and 


6 

(b) routinely publicise the availability of that system …” 

The Ethics Institute of South Africa (Ethics SA) has introduced a standard, namely the 

External Whistle-blowing Hotline Service Provider Standard EO 1.1.1, which is a 

best practice set of guidelines or norms for the professional and ethical conduct of external 

whistle-blowing hotline service providers, operating their own centres or facilities. This has 

been a major step forward in the professionalisation of the ORS industry as prospective 

subscribers can now access the Ethics SA website (www.ethicssa.org) and find a list of OSPs 

who have been accredited. 

Corruption Watch has produced an excellent document – Corruption and the Law in 

South Africa – A Quick Reference Guide – which is an excellent summary of the legal 

framework in South Africa. (Go to 

www.corruptionwatch.org.za/sites/default/files/CW_LawDoc_V2.pdf to download a PDF 

version.) 

The Protected Disclosures Act, 2000 defines a disclosure as 

any disclosure of information regarding any conduct of an employer, or an employee of 

that employer, made by any employee who has reason to believe that the information 

concerned shows or tends to show one or more of the following: 

(a) That a criminal offence has been committed, is being committed or is likely to be 

committed; 

(b) that a person has failed, is failing or is likely to fail to comply with any legal obligation 

to which that person is subject; 

(c) that a miscarriage of justice has occurred, is occurring or is likely to occur; 

(d) that the health or safety of an individual has been, is being or is likely to be 

endangered; 

(e) that the environment has been, is being or is likely to be damaged; 

(f) unfair discrimination as contemplated in the Promotion of Equality and Prevention of 

Unfair Discrimination Act, 2000 (Act No. 4 of 2000); or 

(g) that any matter referred to in paragraphs (a) to (f) has been, is being or is likely to be 

deliberately concealed; 

The important point to note is that the legislation only provides “protection” for an 

employee which is defined in the Act as 

(a) any person, excluding an independent contractor, who works for another person or 

for the State and who receives, or is entitled to receive, any remuneration; and 

(b) any other person who in any manner assists in carrying on or conducting the business 

of an employer; 


While the original draft of the Act only made provision for direct disclosures, the final version 

was amended after I had made representations to the drafters of the Act, that the Act should 

provide for indirect disclosures made through independent service providers. The relevant 

section of the Act relating to protected disclosures reads as follows 

7 

6. 

(1) Any disclosure made in good faith 

(a) and substantially in accordance with any procedure prescribed, or authorised by the 

employee’s employer for reporting or otherwise remedying the impropriety concerned; 

or 

(b) to the employer of the employee, where there is no procedure as contemplated in 

paragraph (a), 

is a protected disclosure. 

(2) Any employee who, in accordance with a procedure authorised by his or her 

employer, makes a disclosure to a person other than his or her employer, is deemed, 

for the purposes of this Act, to be making the disclosure to his or her employer. 

So a disclosure or reporting service is strictly speaking any procedure or channel of 

communication (by one or more means) that an organisation has set up internally or which 

has been outsourced by an entity to a third party service provider to enable employees to 

make disclosures. 

Although not covered by the Act, reporting services have always encouraged other 

stakeholders and not just employees to make disclosures. This is very important as many 

unlawful and inappropriate acts are committed by persons within an organisation working in 

collusion with people on the outside! 

A stakeholder is really any person or entity who wishes to draw the organisation’s attention 

to any action or activity which has already happened or which could potentially happen which 

would (or should) be of interest to that organisation. 

Clearly “would” is not always the same as “should” as the reporting of some actions or 

activities to an organisation may not always be welcomed by that organisation. This is where 

the depth of commitment of an organisation to transparency, integrity and honesty is 

sometimes tested! 


8 

WHY ESTABLISH A REPORTING SERVICE 

As was mentioned above, the need for an entity to establish a reporting service (whether 

internally or outsourced) has become a critical component of any really effective risk 

management strategy. 

As mentioned above, having a reporting service is mandated for a number of private and 

public organisations, the simple fact is that reporting services really do work! Most of the 

recent international fraud surveys put reporting services among one of the most successful 

methods of defeating unlawful and inappropriate activities. This is linked to the interesting 

global trend where organisations are now allocating up to 80% of their resources to 

prevention and only 20% to detection and investigation when only a few years ago the 

reverse was true. 

The following are some universally accepted reasons for establishing a reporting service 

o It demonstrates an organisation’s commitment to the universal business principles of 

transparency, integrity and honesty without which sound governance could not hope to 

be sustained. This statement of commitment (and the commitment to actively follow up 

and investigate every report received) is certain to add value to an organisation’s equity 

and create and encourage trust and confidence among all stakeholders. 

o It assists the directors and management to better manage and control their businesses 

– isn’t that what governance is all about? Not only would a reporting service identify 

potential or existing internal control breakdowns but also highlight collusive activities, 

which traditional internal control systems are not designed to expose. 

o It provides management with a mechanism to focus on their organisation’s reputational 

risk (as well as their own!) and in so doing protect their organisation’s profile, standing 

and reputation in the market place. A reporting service will seek to highlight this critical 

risk internally first and provide senior management with the opportunity to manage the 

risk before it becomes public knowledge. One need look no further than the recent 

corporate failures in South Africa and elsewhere, to underline this point. 

o It enables an organisation to comply substantially with the provisions of the Protected 

Disclosures Act, referred to above. Subscription to an independently managed reporting 

service would not only demonstrate compliance, but, more importantly, practically 

demonstrate management’s intentions to provide benefits and rights to employees, 

rather than simply paying lip service to it. 

o There is a widely held (yet not empirically tested) belief that 10% of all people will 

always be honest, 10% will always take any opportunity that presents itself to be 

dishonest and the remaining 80% will drift and float from the one extreme to the other 


depending on the environment. If the environment is such that there are poor controls 

and a low level of general ethics one can expect some in the middle group to take 

chances. Should an effective risk management structure be in place as well as a high 

level of ethics, this group will be far less likely to get involved in undesirable activities. 

If an entity introduces an effective reporting service this will support the latter scenario 

and the “good guys” will in all likelihood make use of the service provided to make 

themselves heard. 

9 

o Sadly a culture of non-compliance and cowboy-type behavior is still all too often 

encountered at all levels of many entities in all sectors of our economy. Introducing a 

reporting service underlines the view that employees at all levels should comply to the 

same extent with the ethical policies and procedures of the entity. The senior executive 

who “fudges” his entertainment claims should expect to be treated in the same way as 

the tea lady who “pinches” the milk! (Note how the euphemisms roll of the tongue!) 

o One of the greatest and often underrated benefits of a reporting service is that it acts 

as a very important practical deterrent to workplace dishonesty, inappropriate 

behaviour and unethical business practices. 

o The reports received from a reporting service provide a very useful indication of 

loopholes and weaknesses in an organisations systems and also highlight specific areas 

(whether functional or geographical) within an organisation where problems are being, 

or could be expected. This is very useful as it enables the organisation to apply the 

Pareto Principle and spend the greatest part of its limited time and resources focusing 

on the most important areas. 

o An outsourced reporting service will, in all likelihood be the most cost-effective 

component of any risk management structure. When one considers that the monthly 

subscription for most ORS providers is less than half the cost of one security guard on a 

24 hour basis for a large organisation and slightly more than the cost of alarm 

monitoring and armed response for a small company, one doesn’t have to be a genius 

to understand which is going to provide the better return on investment. 

o A reporting service provides a real motivation to streamline an organisation’s insurance 

portfolio and to reduce the cost of fidelity and other insurance premiums. 

Apart from all the obvious advantages of introducing a reporting service there are also a 

few disadvantages (listed below) which need to be highlighted to complete the picture. 

o I recall that we did a presentation to a very high profile and successful prospective 

subscriber some years ago. Once we had finished the presentation we asked the CEO if 

he wished to ask any questions or make any comments. After a short pause he said 

that he wouldn’t be subscribing to our service as he was concerned that the service 


would “expose his dishonest management”! If the anecdote doesn’t indicate a cancer 

that exists in many organisations it may be quite funny. The introduction of a reporting 

service is clearly a risk in entities where management is behaving inappropriately! 

10 

o Another concern which is often raised by prospective subscribers is the question of 

malicious and “bad faith” disclosures. This could well prove to be a significant problem 

if not managed properly. The golden rule is that no one should be confronted until an 

initial investigation has confirmed that a disclosure has substance. I recall a case where 

a CEO was so incensed when he received a report concerning one of the women in the 

accounts department that he ran down the passage to her office and tried to strangle 

her! This could have been avoided had the report been sent to a senior person such as 

the security risk manager of the internal audit manager who could have dispassionately 

undertaken an initial investigation and only subsequently brief the CEO. 

o Another prospective subscriber (a large retailer) commented that he didn’t like the idea 

of introducing a reporting service as it would indicate to his staff members that 

management didn’t trust them. When I asked him how a reporting service differed from 

the undercover agents, covert CCTV cameras and ghost shoppers that I knew he used, 

he was at a loss for words! This attitude is actually quite common. “We’re an honest 

bunch” lamented one CEO but he was unable to explain the fact that his organisation 

was losing millions of Rand through theft and fraud every year. 

o Finally, there is a real risk that the credibility of the directors and senior management 

could be seriously dented if a reporting service, once introduced, is not fully embraced. 

What this means is that employees soon become cynical when they constantly make 

disclosures but see no action being taken by management. Sadly this is a common 

phenomenon! 

AN INTERNAL OR AN OUTSOURCED SERVICE? 

I am perhaps, and may be forgiven for, not being entirely objective in this respect. It is a 

widely held view that independence is a cornerstone of any effective reporting service and 

this was even highlighted many years ago in the report of the Presidential Commission in 

the USA subsequent to the Challenger disaster. 

Notwithstanding all the evidence that exists to support an independently managed ORS 

there are still a number of major organisations that insist on an in-house service. Many 

insist that they don’t want any external party to have knowledge of their internal secrets! 

This argument sadly doesn’t inspire any confidence in me as, whether intentional or not, it 

creates the perception that the entity may not really be committed to transparency, 

integrity and openness. It casts a shadow and begs the question as to what the entity may 

wish to hide. 


The few internal services that I have observed all fail dismally when measured against the 

points listed below to support an outsourced service. One even had an answering machine 

situated in an open-plan office where incoming messages could be heard by anyone within 

earshot! 

11 

The following points set out the case for an outsourced reporting service and you, the 

reader, be the judge 

o An ORS provider manages his service as his principal business and not as an additional 

task or a side-line activity. Many have dedicated management teams with years of 

experience in managing the service. 

o ORSs are extremely cost effective and few in-house offerings, providing the same levels 

of service, can be favourably compared. 

o An ORS employs dedicated skilled professionals answering calls in a consistent manner. 

Staff members employed by many ORSs are thoroughly vetted and may even be 

required to undergo periodic and random truth verification testing. 

o An ORS is totally independent and objective and conveys to the subscriber exactly what 

is reported via the communication channels as accurately as possible without fear or 

favour. Most ORSs offer differentiated reporting which enables reports involving senior 

management to be escalated to a non-executive director, the chairman of the audit 

committee or another independent person. 

o Most ORSs offer a multilingual “live” service 24 hours a day 365 days a year including 

all public holidays and weekends. 

o A range of communication channels is normally provided so that the stakeholder can 

make the disclosure using the means most convenient to him. The following are typical 

channels of communication 

• A telephone number, unique to each subscriber, which is normally a FreeCall 

(0800) or a ShareCall (0860) number so that the caller incurs no, or only limited, 

cost in making the call. These numbers can be so called Golden Numbers such as 

0800-BLOGGS which are easy to remember. FreeCall (0800) numbers are still 

widely favoured but as calls to these numbers (as the name indicates) are made at 

no cost to the caller, they result in many nuisance calls being made which “clutters” 

the system and ties up the ORS’s staff. The ShareCall (0860) number costs the 

caller the cost of a local call and experience indicates that this reduces nuisance 

calls while not dissuading a motivated caller from making the disclosure. It is 

important to note that calls to 0800 or 0860 numbers are not free from cell phones. 

The reason why each subscriber is normally allocated a unique number is that the 


technology management system recognises the call as referring to a specific 

subscriber and enables the calls to be answered in a specific way and for accurate 

statistics of all the calls received to be generated automatically. 

12 

• A short-code SMS should be available to enable people to send text messages and 

to send a “Please Call Me” message so that the ORS can call them back. 

• A unique e-mail address is allocated to each subscriber which is normally 

bloggs@beheard.co.za thus identifying the subscriber. 

• Most ORSs have a facility on their website where a stakeholder can simply 

complete a template and submit a disclosure. This is a useful facility as, if it is 

properly designed, the person making the disclosure can’t be traced. Some of the 

larger subscribers have links on their own websites where stakeholders can be 

taken to their ORSs website and make a disclosure. 

• An application (App) for Smart Phones which enables people to complete a 

template similar to the website facility. 

• Skype. 

• A fax number is normally provided. This can either be a FreeCall, a ShareCall or a 

fax-to-email number and be either generic or a unique number for each subscriber. 

These numbers are seldom abused. The downside of a fax is that the ORS can 

normally identify the number of the fax machine that was used to send the 

disclosure. This is problematic if the person making the disclosure wishes to remain 

entirely anonymous but can be overcome by using an “anonymous” fax machine 

from somewhere such as Postnet. 

• A Freepost address is made available to enable stakeholders, who may not have 

access to other communication channels, to make a disclosure. This channel is 

often used where a stakeholder may wish to send evidence to support a disclosure. 

o An ORS that provides an effective service will have a technology solution in place which 

will ensure excellent security and have an Un-interrupted Power Supply (UPS) unit as 

well as a generator or inverter to ensure that it can provide an uninterrupted service 24 

hours a day. This solution will also ensure that all disclosures made by telephone are 

recorded digitally and stored so that these recorded calls can be accessed at some later 

stage should a dispute arise or should the details of the call need to be reviewed. 

o An ORS, because it operates at arms-length from the specific entity, ensures that the 

possibility of a caller being identified by his voice is extremely remote. This ensures that 

should a caller wish to remain entirely anonymous (even to the ORS) he can do so and 


avoid the possibility of being victimised. It is important to mention at this stage that 

there are some callers who, for whatever reason, wish to remain entirely anonymous. 

Others are happy to be identified and make an open disclosure. The vast majority of 

callers agree to provide the ORS with their identity and contact details but request that 

these details are not passed on to the subscriber. From all the parties point of view 

this is an excellent option as it enable the ORS to act as the bridge between the 

subscriber and the person making the disclosure on an ongoing basis without the 

identity of the caller ever being made known to the subscriber. This is very important 

when follow-up information may be required and when the subscriber may wish to pay 

the person making the disclosure a reward. (More about rewards below) 

13 

o Malicious disclosures, when they are received by the ORS, can be dealt with 

professionally and filtered on behalf of the subscriber. 

o An added benefit of using an ORS is that patterns and modus operandi as well as 

details of syndicate activity and in some cases even details of specific disclosures can 

be shared among subscribers in related industries. The ORS can also share case studies 

and best practice with subscribers. 

o Through its experience, the ORS can provide subscribers with advice regarding the 

promotion of the reporting service among its stakeholders including creative ideas that 

have proved to be successful with other subscribers. 

o The ORS could manage a reward programme on behalf of subscribers. To ensure that 

the person making the disclosure remains anonymous to the subscriber the reward can 

be paid by the ORS to the person who has made the disclosure in such a manner that 

any tax is deducted and paid to SARS before the reward is paid. This will mean that the 

person being paid the reward will not have to list the reward as revenue received on his 

tax return. The subscriber paying the reward will receive a VAT invoice for 

“Management Services” which he can bring to book in the normal manner. (More about 

rewards below) 

GUIDELINES FOR MANAGING DISCLOSURE REPORTS 

To be quite blunt it is not even worth the effort and the cost of introducing a reporting 

service unless considerable attention is given to planning how the reports from the ORS are 

going to be communicated to the subscriber and how they are then going to be managed. 

I recall one of our very first clients who I was very excited about as they were receiving a 

steady flow of substantive reports. At a feedback meeting I was very surprised to be 

informed by the subscriber’s representative that they were not happy that they were 

receiving a satisfactory return on their investment. After I had recovered from the shock, I 

asked the subscriber if the bulging lever arch file on the boardroom table contained the 


eports that he had been sent. After he had confirmed that indeed it was, I asked him how 

many of the reports had actually been followed up and investigated. Suddenly a silence 

descended on the gathering and he rather sheepishly replied that they hadn’t done much 

about the reports as they didn’t have the trained personnel to follow them up and 

investigate. 

14 

This is really a lame excuse in this day and age as even small organisations who don’t have 

their own resources can make use of any number of affordable, skilled and professional 

investigators to assist them. 

Sadly, the above scenario plays itself out all too often and defeats the purpose of having a 

reporting service – it actually gives reporting services a bad name! 

There are two important components that need to be addressed – how the reports are 

communicated and how they are dealt with. 

The following pointers are important when planning how reports should be communicated by 

the ORS to the subscriber: 

o The most important consideration about disclosure reports is that they should always be 

treated as strictly confidential as their content is invariably very sensitive and their 

improper handling could at best lead to embarrassment and at worst to having to pay 

significant damages after a claim by an aggrieved stakeholder! 

o The communication of reports should be customised to suit the subscriber’s structure. 

The designated person receiving the reports could be the MD/CEO, the Financial Director, 

the Internal Audit Manager or the Security Risk Manager or another manager who 

understands the working of the system. In larger entities it is preferable to designate 

someone other than the MD/CEO as they can undertake the initial investigation and 

report to the MD/CEO. In smaller entities, where no other suitable person exists, the 

MD/CEO will need to be the designated person. 

o It is important to ensure that all reports are accounted for so that none “disappear” or fall 

through the cracks. One solution is for the ORS to send a schedule setting out a summary 

of all the reports that were sent to a subscriber, directly to a person other than the 

designated person on, say, a monthly basis. This person should then hold the designated 

person accountable to provide feedback on all the reports that have been received. One 

large listed subscriber requested that this summary be sent to the chairman of their audit 

committee who monitored the action that had been taken on all the reports and held the 

executive management accountable. 

o At least one alternate designated person should be appointed to receive the reports in the 

event that the designated person should be unavailable. 


o Should a specific report concern the designated person, a second designated person 

(senior to the first), should be identified to receive the report. This should happen all the 

way up the ladder so that in the event that a specific report concerns the MD/CEO, 

provision should be made for the chairman of the board or the chairman of the audit 

committee to receive such reports. The MD of a foreign owned SA based subscriber 

nominated the person he reported to in Canada as the designated person should any 

reports have involved him. 

15 

o As a rule, all reports should be sent in Portable Document Format (PDF) by e-mail directly 

to the designated person. This is to ensure confidentiality but also to protect the ORS. In 

the past some designated persons insisted on the reports being faxed to their PAs but the 

risks of this should be obvious. This ceased when one CEO’s PA was heard discussing a 

particularly juicy report with a colleague in the passage. 

o Reports can also be hand-delivered or sent by courier provided that the service is secure 

and confidentiality is ensured. This is particularly useful when files, documents and other 

bulky evidence need to be sent. 

o In all cases telephone and cell phone numbers should be provided so that the ORS can 

contact the designated persons (at all levels) urgently should this be required. 

How the disclosure report is managed by the subscriber is critical and the following 

guidelines should be observed: 

o Needless to say, the reports should be stored securely whether in its electronic format or 

as a hard copy. Consideration should be given to filing the digital reports in a password 

protected folder so that even the IT administrator can’t access them. 

o While every report should be taken seriously, it should be treated as merely an allegation 

until an investigation has confirmed or refuted the contents. For this reason I am a firm 

believer that someone other than the MD/CEO should be the designated person so that 

“malicious seeds” can’t be planted in the mind of the MD/CEO until after some verification 

has taken place. 

o If the person making the disclosure has provided his identity to the ORS, the services of 

the ORS as a communication bridge should be used if certain information contained in the 

report may need to be clarified or verified. 

o In one case an MD/CEO received a report concerning a senior colleague who he was very 

friendly with. Instead of treating the report in the correct manner, he walked into his 

colleague’s office and showed him the report saying something like “Look what they are 

saying about you”. His colleague of course denied the allegation and the two laughed off 

the report. As it happened, this senior colleague was indeed involved in some serious 


irregularities but the subsequent investigation was severely hampered by the fact that he 

was able to cover his tracks as a result of the early warning that he had received. The 

golden rule is that anyone could be doing it and that no one – perhaps particularly not 

even senior managers - should be excluded! 

16 

REWARDS – TO PAY OR NOT TO PAY? 

Whether or not subscribers should pay rewards to stakeholders who have made meaningful 

disclosures is a complex matter and there is no right or wrong answer. The jury is still out on 

this one. While there some entities that swear by it, there are others who are totally opposed 

to paying rewards on the grounds that it is expected of employees to make disclosures in the 

interests of the organisation. 

While I was initially quite opposed to the payment of rewards, I now believe that they can 

play a very positive role depending on a few factors such as the specific “cultural profile” of 

an entity, specific circumstances and how the payments of rewards are managed. 

A relevant case study concerns a motor component firm who, notwithstanding an extensive 

awareness campaign among all their staff, did not have one disclosure in a twelve month 

period. On investigation it was discovered that the company’s shop stewards were running 

the syndicate which was stealing large quantities of product from the entity. They had made 

it quite clear to all the staff that they had people who would tell them when someone made a 

disclosure and that they knew how to “take care of” such people! After discussing the matter 

with top management it was decided to advertise that attractive rewards would be paid for 

disclosures leading to the arrest of thieves and/or the recovery of stolen product in an effort 

to break the shop steward’s grip on the staff. It worked and within a few months the ringleaders 

were rounded up and the volume of theft dropped dramatically. 

I am also a firm believer that subscribers should consider paying rewards in certain cases 

only. An example was a major paper producer who had a truck fully loaded with product 

hijacked by a syndicate. A special campaign was launched using the existing reporting service 

infrastructure and attractive rewards were offered for information leading to the recovery of 

the product and the truck and the arrest of the perpetrators. This worked and the truck and 

most of the stock was recovered. 

The manner in which the rewards are paid (as set out above) it critical. One major 

organisation in SA has turned the payment of rewards into a circus where the name of 

everyone who has made a disclosure during a specific period is “put into a hat” and one 

person’s name is drawn at a gala function. The “winner” is then called up to the podium to 

receive a very substantial reward. The risks to the “winner” should be obvious! 

Your service provider should be in a position to manage a reward scheme on your behalf so 

that the identity of the person who is to receive the reward is not compromised. 


17 

COMMITMENT FROM THE SUBSCRIBER 

The important role and function that the ORS plays has been covered in some detail above 

but the ORS is only one partner in the relationship. No matter how excellent the service 

provided by the ORS, a reporting service will only be really successful if the subscriber shows 

serious commitment to making the service effective. 

Entities who have achieved significant success from their reporting service have: 

o 

o 

o 

o 

o 

o 

o 

Fully embraced and taken ownership of “their” reporting service. This means that top 

management have led the way and set the example. 

Ensured that the introduction of the reporting service has been communicated to all 

stakeholders – not only initially during the roll-out but on an ongoing basis. 

Introduced a clear system of communication between the ORS and their entity. 

Taken the management and investigation of reports seriously and allocated resources to 

undertake these functions. 

Fully integrated their reporting service into their risk management strategy. 

Taken on their ORS as a “partner” who can really play a role in assisting them deal with 

inappropriate and unlawful activities within their organisation. 

Committed to respect the spirit of the law and not unleash witch hunts to trace and 

victimise people and especially employees who report illegal and inappropriate 

behaviour. They are of course legally bound (by the Protected Disclosures Act, 2000) to 

protect the identity of people who make disclosures. 

CULTURAL ISSUES 

Finally, before concluding, a word needs to be said about how cultural issues can affect the 

success of reporting services. 

On a visit to Australia some years ago it was frequently pointed out to me that a reporting 

service would not work there as a deeply entrenched culture of not “dobbing on your mate” 

exists in Australia. 

There are similar entrenched cultural taboos throughout the world which may negatively 

influence people who would otherwise be willing to make a disclosure. Negative epithets like 

rat, grass and (in SA) impimpi are commonly used to describe people who “split” on others or 

“spill the beans”. 


18 

These terms are normally used when a “them and us” situation exists. The parties could be 

the crooks and the police (rat and grass), the people and the Security Police in the old SA 

(impimpi) or of more relevance to us management and staff. 

The only way to reduce the impact of this phenomenon in an organisation is to actively try 

and change the way the two groups view each other and to try and unite everyone behind 

one common purpose. 

All groups have to learn that the existence of inappropriate or unlawful behaviour with an 

organisation is not in anyone’s interest and that their impact will be felt by everyone and not 

just the directors. 

CONCLUSION 

A quotation, apparently incorrectly attributed to the 18 th British philosopher Sir Edmund 

Burke, that "the only thing necessary for the triumph of evil, is for good men to do 

nothing" takes on a new meaning when considered in the context of reporting services. 

It is expected of good men and women, now more than ever before, to get actively involved 

in the fight against unlawful and inappropriate behaviour in the workplace and help to create 

the kind of environment that most of us strongly desire. 

Reporting services (and particularly outsourced reporting services) have proved, since their 

introduction in SA in 1999, that they are an important and extremely cost effective 

component of any risk management strategy. 


19 

APPENDIX A 

RATE YOUR EXISTING REPORTING SERVICE PROVIDER. 

Here's a quick checklist to evaluate your existing outsourced reporting service (ORS) 

provider, or if you don't yet have one, use the checklist to evaluate those service providers 

who you may approach for proposals. 

Does your existing ORS meet the following criteria? 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

Certified to the External Whistle-blowing Hotline Service Provider Standard EO1.1.1 of 

the Ethics Institute of South Africa. 

Independent of your external or internal auditor and forensic investigators. 

Is operating the reporting service their primary focused business or is it a side-line 

activity or loss-leader for forensic services. 

Has an experienced and dedicated management team with many years of experience. 

Offers direct access to and frequent contact by top-management. 

Offers a number of packages to suit your specific requirements. 

The service operates 24 hours a day, 7 days a week. 

The service is operated in most South African languages. 

Has an effective technology solution including voice recording. 

Reports can be made by using a unique 0800-FreeCall number, a unique e-mail address, 

via a website template, Smart Phone application, via SMS (including a "Please Call Me" 

facility), via Skype and via fax and via Freepost. 

Offers a web-based system of sending reports to you. 

Offers you on-line and real-time access to statistics and activity on your service. 

Has a user-friendly module to assist you in managing your reports. 

Offers a free Wheelsline service to provide information on your fleet. 

Offers free exit interviews to gather information from employees who have just left your 

organisation. 

Presents a free train-the-trainer workshop including a CD containing comprehensive 

information for all attendees. 

Provides a catchy free digital awareness video to create awareness among your staff. 

Has an extensive menu of awareness material to assist you in promoting your service. 

Provides a free E-Handbook on how to manage your reporting service. 

Has the ability to manage a rewards programme should this be required. 

Manages a help-line to enable prospective whistle-blowers to obtain advice and support. 

Constantly innovates.

MANAGING OUTSOURCED REPORTING SERVICES EFFECTIVELY

Create successful ePaper yourself

Delete template?

Save as template?