MANAGING OUTSOURCED REPORTING SERVICES EFFECTIVELY
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
WOULDN’T YOU LIKE TO KNOW? <br />
<strong>MANAGING</strong> <strong>OUTSOURCED</strong><br />
<strong>REPORTING</strong> <strong>SERVICES</strong> <strong>EFFECTIVELY</strong><br />
CONTENTS<br />
Brian Adams<br />
Introduction 2<br />
The Origins 3<br />
Recent Trends 4<br />
The Regulatory Framework 5<br />
Why Establish a Reporting Service? 8<br />
An Internal or an Outsourced Service? 10<br />
Guideline for Managing Disclosure Reports 13<br />
Rewards – To Pay or Not To Pay? 16<br />
Commitment from the Subscriber 17<br />
Cultural Issues 17<br />
Conclusion 18<br />
Appendix A – Rate Your Existing Outsourced Reporting Service 19<br />
___________________________________________________________________________<br />
Brian Adams is a pioneer of hotline reporting services in South Africa having started his first service in 1999. He<br />
currently heads up Honey Badger Solutions (Pty) Ltd which operates the Be Heard® service which is accredited<br />
to the Ethics Institute of SA External Whistle-blowing Hotline Service Provider Standard EO<br />
1.1.1.
2<br />
INTRODUCTION<br />
Having been personally involved in the outsourced hotline disclosure business since 1999, it<br />
is absolutely clear to me that the difference between success and failure is marked by the<br />
total commitment, direction and example-setting from the top leadership of an entity. In fact<br />
I will say without hesitation that if the tone is not set from the top, introducing an outsourced<br />
reporting service (ORS) is a pointless and fruitless exercise.<br />
Top management commitment has to be coupled with an unwavering commitment to meet<br />
the other three critical success factors which separate those organisations, who really<br />
achieve outstanding results and the others, they are<br />
o Building an ethical culture.<br />
o Continuous awareness communication.<br />
o Commitment to following-up and investigating every report consistently, objectively<br />
and regardless of the seniority of the employee.<br />
That said, there are sadly still organisations who introduce an ORS because it is a box that<br />
needs to be ticked on a corporate governance checklist (or because a non-executive director<br />
has insisted) and show no commitment whatsoever to its success.<br />
Having a reporting service is like having an intruder alarm or an electric fence. If they are not<br />
maintained or switched on they simply won’t work!<br />
As I write this updated version of this document it is more than 16 years since the first<br />
commercial ORSs were introduced in South Africa. As these services have been progressively<br />
introduced throughout private and public organisations in South Africa incredible results have<br />
been achieved – some of which have become the stuff of legend. In fact, according to the<br />
results of most surveys and studies, these reporting services are by far the most successful<br />
single intervention in the fight against white-collar crime.<br />
The Association of Certified Fraud Examiners (ACFE) Global Report to the Nations on<br />
Occupational Fraud and Abuse for 2014 once again found that, what they call, “Tips” were<br />
significantly the largest “Initial Detector of Occupational Frauds” at 42.2%. This<br />
has dropped slightly from 43.3% since 2012. The 2 nd and 3 rd interventions were<br />
“Management Review” at 16% and “Internal Audit” at 14.1%.<br />
What none of the surveys or studies cover is the relative cost-effectiveness of these<br />
interventions and, while we have already established that reporting services are significantly<br />
the most effective, I believe that they are by far the most effective per Rand. One need<br />
merely compare what an organisation spends on security guards and internal audits<br />
compared to what they pay their reporting service provider to prove that thesis. When one<br />
Version 2015-01 © BE HEARD 2015
ears in mind that the monthly subscription for most ORSs is normally a fraction of the cost<br />
of one security guard and if we then compare the respective return, it is really a no-brainer!<br />
3<br />
So the bottom-line is that (if properly managed) ORSs are still (and will for some time be) the<br />
most cost-effective and successful intervention in the fight against white-collar crime and<br />
inappropriate behaviour in the workplace!<br />
THE ORIGINS<br />
Before defining and unpacking the nuances of successful ORSs it is important to briefly recall<br />
the origins of this very valuable risk management tool.<br />
It is widely accepted that the findings of the United States Presidential Commission – known<br />
as the Rogers Commission which was established by President Ronald Reagan - that followed<br />
the explosion that destroyed the NASA Challenger Space Shuttle on 28 January 1986 and<br />
cost the lives of six astronauts - including a teacher Christa McAuliffe - provided the model<br />
for all present day reporting services.<br />
Very simply, the spacecraft exploded in a ball of fire 73 seconds after the launch (while<br />
travelling at 684 meters per second) as a result of a defective O-ring seal on a solid rocket<br />
booster. The important finding of the commission was that the mission control management<br />
were advised of the threat but decided not to act on it. There was considerable pressure on<br />
the mission control management for the launch not to be delayed for a number of reasons –<br />
not least the hype surrounding Christa McAuliffe – and this may have clouded the judgement<br />
of the decision-makers to give the launch the green light.<br />
The commission concluded that if a communication channel had been available which<br />
stakeholders could have used (possibly even anonymously) to report their serious concerns to<br />
an independent entity, the tragedy could have been averted.<br />
Thus the seeds of independent reporting services the world over were sown in the USA in<br />
1987 and the first ORS providers started operating in South Africa in 1999.<br />
RECENT TRENDS<br />
When we pioneered outsourced whistle-blowing services, tip-off services, forensic reporting<br />
services or whatever you want to call them, they were viewed by many senior executives as<br />
the great panacea that was going to wipe out crime, catch all the crooks and generally solve<br />
all their problems on the risk management front.<br />
There is a tendency in most fields of endeavour to grasp an attractive solution with both<br />
hands and expect it to be the great panacea that will solve all existing problems at the<br />
expense of all others. Many people adopted this view of Close Circuit Television (CCTV) and<br />
Version 2015-01 © BE HEARD 2015
electric fences in the past and sadly some organisations also consider this to be the case with<br />
reporting services.<br />
My philosophy of risk management is simply that one needs the skills of a competent risk<br />
management professional to integrate all the appropriate solutions available in the right<br />
combination to ensure that the most effective outcome is achieved for each specific<br />
organisation. This is rather like the analogy that a pile of building materials only become a<br />
home once an architect and skilled tradesmen have put the components together in the most<br />
optimum manner. A group of musicians, no matter how skilful each may be, only become an<br />
orchestra and produce sublime music once they unite under the baton of a conductor to<br />
reveal the mysteries of a composers score.<br />
The obvious conclusion is that a reporting service, while being an excellent (and almost<br />
indispensable) component of a well-structured risk management strategy, is never going to<br />
really live up to its potential unless it is skilfully integrated with other complementary<br />
solutions.<br />
Taking it a step further, and no matter what level of service is provided by the ORS, it is<br />
never “going to work” in an ethical desert! I have recently had two subscribers who, for one<br />
reason or another introduced an ORS and after a year cancelled their subscription because<br />
they didn’t achieve the results that they expected.<br />
4<br />
Whereas even 15 years ago most risk management effort and resources were of a reactive<br />
nature (like investigations), the trend lately has been to introduce proactive measures to<br />
identify unlawful and inappropriate behaviour in the workplace. ORSs fall firmly into that<br />
category.<br />
For years in risk management we have talked about the, entirely unempirical, 10:80:10 rule.<br />
This rule states that 10% of your employees will always behave ethically no matter what the<br />
circumstances, 10% will always look for opportunities to break the rules and take short-cuts<br />
and cut corners and the 80% majority will move between the two ends of the spectrum<br />
depending on the ethos of the particular organisation.<br />
Clearly the objective is to move as many employees as possible to the “good guy” end of the<br />
spectrum and either get rid of or transform the bad apples. That said, we are still (quite<br />
rightly) spending a lot of effort on keeping the “dodgy” 10% out of the organisation by<br />
introducing effective pre-employment processes and in identifying, apprehending and<br />
disciplining those that are already in the organisation but I don’t believe that we are doing<br />
enough to build a team of “good guys” and to celebrate their ethical behaviour.<br />
From the time when ORSs were introduced they were accommodated firmly in the<br />
compliance space. It was all about policies, procedures, rules and instructions. In most<br />
organisations the internal audit and/or forensic manager was responsible for managing the<br />
service. The original communication themes were all about catching the crooks.<br />
Version 2015-01 © BE HEARD 2015
5<br />
REGULATORY FRAMEWORK<br />
Over the past 16 years the legislative framework governing the operation of ORSs has<br />
changed significantly.<br />
Government has also been very active and has set clear guidelines, strategies and plans for<br />
the establishment of reporting services in the public sector. The Public Finance<br />
Management Act, 1999 (Act 29 of 1999) and the related regulations led to the Public<br />
Service Commission establishing a National Anti-corruption Hotline in September 2004.<br />
On 16 February 2001, the Protected Disclosures, 2000 (Act 26 of 2000) became<br />
effective and provided a first and important legal framework for reporting services in South<br />
Africa. (Go to www.home-affairs.gov.za/PDF/Protected%20Disclosures%20Act.pdf for a PDF<br />
version). Unfortunately, despite the need for the Act to be amended and periodic rumours of<br />
amendments being imminent none have been forthcoming. In 2014 the Protected Disclosures<br />
Amendment Bill was published but notwithstanding follow-ups to MPs there is no certainty<br />
when this will be considered by parliament.<br />
The private sector really took the lead in recommending reporting services in the second<br />
King Report on Corporate Governance with the Chairman Mervyn King being quoted as<br />
saying that providing a reporting service makes “good hard business sense”! This report<br />
which was published in 2002 also recommended the establishment of “easily accessible safe<br />
reporting channels” to “support embedded ethical business practices”, for the benefit of an<br />
organisation’s stakeholders.<br />
King III was published in 2009 and one of the principles was that “the audit committee<br />
should be an integral component of the risk management process” and more specifically that<br />
the “… audit committee should review arrangements made by the company to enable<br />
employees and outside whistleblowers (including customers and suppliers) to report in<br />
confidence their concerns about possible improprieties in matters of financial and<br />
sustainability reporting, or non-compliance with laws and regulations …”<br />
Other initiatives have added impetus to the requirement for reporting services. The<br />
sentiments contained in the Sarbanes-Oxley legislation, which was adopted in the USA after<br />
the Enron and Anderson debacles, have cascaded into the South African economy and many<br />
entities in the public sector (especially listed companies) have adopted these guidelines.<br />
The Companies Act, 2008 (Act 71 of 2008), provides in Section 159 (7) that<br />
“A public and state-owned company must directly or indirectly –<br />
(a) establish and maintain a system to receive disclosures contemplated in this section<br />
confidentially, and act on them; and<br />
Version 2015-01 © BE HEARD 2015
6<br />
(b) routinely publicise the availability of that system …”<br />
The Ethics Institute of South Africa (Ethics SA) has introduced a standard, namely the<br />
External Whistle-blowing Hotline Service Provider Standard EO 1.1.1, which is a<br />
best practice set of guidelines or norms for the professional and ethical conduct of external<br />
whistle-blowing hotline service providers, operating their own centres or facilities. This has<br />
been a major step forward in the professionalisation of the ORS industry as prospective<br />
subscribers can now access the Ethics SA website (www.ethicssa.org) and find a list of OSPs<br />
who have been accredited.<br />
Corruption Watch has produced an excellent document – Corruption and the Law in<br />
South Africa – A Quick Reference Guide – which is an excellent summary of the legal<br />
framework in South Africa. (Go to<br />
www.corruptionwatch.org.za/sites/default/files/CW_LawDoc_V2.pdf to download a PDF<br />
version.)<br />
The Protected Disclosures Act, 2000 defines a disclosure as<br />
any disclosure of information regarding any conduct of an employer, or an employee of<br />
that employer, made by any employee who has reason to believe that the information<br />
concerned shows or tends to show one or more of the following:<br />
(a) That a criminal offence has been committed, is being committed or is likely to be<br />
committed;<br />
(b) that a person has failed, is failing or is likely to fail to comply with any legal obligation<br />
to which that person is subject;<br />
(c) that a miscarriage of justice has occurred, is occurring or is likely to occur;<br />
(d) that the health or safety of an individual has been, is being or is likely to be<br />
endangered;<br />
(e) that the environment has been, is being or is likely to be damaged;<br />
(f) unfair discrimination as contemplated in the Promotion of Equality and Prevention of<br />
Unfair Discrimination Act, 2000 (Act No. 4 of 2000); or<br />
(g) that any matter referred to in paragraphs (a) to (f) has been, is being or is likely to be<br />
deliberately concealed;<br />
The important point to note is that the legislation only provides “protection” for an<br />
employee which is defined in the Act as<br />
(a) any person, excluding an independent contractor, who works for another person or<br />
for the State and who receives, or is entitled to receive, any remuneration; and<br />
(b) any other person who in any manner assists in carrying on or conducting the business<br />
of an employer;<br />
Version 2015-01 © BE HEARD 2015
While the original draft of the Act only made provision for direct disclosures, the final version<br />
was amended after I had made representations to the drafters of the Act, that the Act should<br />
provide for indirect disclosures made through independent service providers. The relevant<br />
section of the Act relating to protected disclosures reads as follows<br />
7<br />
6.<br />
(1) Any disclosure made in good faith<br />
(a) and substantially in accordance with any procedure prescribed, or authorised by the<br />
employee’s employer for reporting or otherwise remedying the impropriety concerned;<br />
or<br />
(b) to the employer of the employee, where there is no procedure as contemplated in<br />
paragraph (a),<br />
is a protected disclosure.<br />
(2) Any employee who, in accordance with a procedure authorised by his or her<br />
employer, makes a disclosure to a person other than his or her employer, is deemed,<br />
for the purposes of this Act, to be making the disclosure to his or her employer.<br />
So a disclosure or reporting service is strictly speaking any procedure or channel of<br />
communication (by one or more means) that an organisation has set up internally or which<br />
has been outsourced by an entity to a third party service provider to enable employees to<br />
make disclosures.<br />
Although not covered by the Act, reporting services have always encouraged other<br />
stakeholders and not just employees to make disclosures. This is very important as many<br />
unlawful and inappropriate acts are committed by persons within an organisation working in<br />
collusion with people on the outside!<br />
A stakeholder is really any person or entity who wishes to draw the organisation’s attention<br />
to any action or activity which has already happened or which could potentially happen which<br />
would (or should) be of interest to that organisation.<br />
Clearly “would” is not always the same as “should” as the reporting of some actions or<br />
activities to an organisation may not always be welcomed by that organisation. This is where<br />
the depth of commitment of an organisation to transparency, integrity and honesty is<br />
sometimes tested!<br />
Version 2015-01 © BE HEARD 2015
8<br />
WHY ESTABLISH A <strong>REPORTING</strong> SERVICE<br />
As was mentioned above, the need for an entity to establish a reporting service (whether<br />
internally or outsourced) has become a critical component of any really effective risk<br />
management strategy.<br />
As mentioned above, having a reporting service is mandated for a number of private and<br />
public organisations, the simple fact is that reporting services really do work! Most of the<br />
recent international fraud surveys put reporting services among one of the most successful<br />
methods of defeating unlawful and inappropriate activities. This is linked to the interesting<br />
global trend where organisations are now allocating up to 80% of their resources to<br />
prevention and only 20% to detection and investigation when only a few years ago the<br />
reverse was true.<br />
The following are some universally accepted reasons for establishing a reporting service<br />
o It demonstrates an organisation’s commitment to the universal business principles of<br />
transparency, integrity and honesty without which sound governance could not hope to<br />
be sustained. This statement of commitment (and the commitment to actively follow up<br />
and investigate every report received) is certain to add value to an organisation’s equity<br />
and create and encourage trust and confidence among all stakeholders.<br />
o It assists the directors and management to better manage and control their businesses<br />
– isn’t that what governance is all about? Not only would a reporting service identify<br />
potential or existing internal control breakdowns but also highlight collusive activities,<br />
which traditional internal control systems are not designed to expose.<br />
o It provides management with a mechanism to focus on their organisation’s reputational<br />
risk (as well as their own!) and in so doing protect their organisation’s profile, standing<br />
and reputation in the market place. A reporting service will seek to highlight this critical<br />
risk internally first and provide senior management with the opportunity to manage the<br />
risk before it becomes public knowledge. One need look no further than the recent<br />
corporate failures in South Africa and elsewhere, to underline this point.<br />
o It enables an organisation to comply substantially with the provisions of the Protected<br />
Disclosures Act, referred to above. Subscription to an independently managed reporting<br />
service would not only demonstrate compliance, but, more importantly, practically<br />
demonstrate management’s intentions to provide benefits and rights to employees,<br />
rather than simply paying lip service to it.<br />
o There is a widely held (yet not empirically tested) belief that 10% of all people will<br />
always be honest, 10% will always take any opportunity that presents itself to be<br />
dishonest and the remaining 80% will drift and float from the one extreme to the other<br />
Version 2015-01 © BE HEARD 2015
depending on the environment. If the environment is such that there are poor controls<br />
and a low level of general ethics one can expect some in the middle group to take<br />
chances. Should an effective risk management structure be in place as well as a high<br />
level of ethics, this group will be far less likely to get involved in undesirable activities.<br />
If an entity introduces an effective reporting service this will support the latter scenario<br />
and the “good guys” will in all likelihood make use of the service provided to make<br />
themselves heard.<br />
9<br />
o Sadly a culture of non-compliance and cowboy-type behavior is still all too often<br />
encountered at all levels of many entities in all sectors of our economy. Introducing a<br />
reporting service underlines the view that employees at all levels should comply to the<br />
same extent with the ethical policies and procedures of the entity. The senior executive<br />
who “fudges” his entertainment claims should expect to be treated in the same way as<br />
the tea lady who “pinches” the milk! (Note how the euphemisms roll of the tongue!)<br />
o One of the greatest and often underrated benefits of a reporting service is that it acts<br />
as a very important practical deterrent to workplace dishonesty, inappropriate<br />
behaviour and unethical business practices.<br />
o The reports received from a reporting service provide a very useful indication of<br />
loopholes and weaknesses in an organisations systems and also highlight specific areas<br />
(whether functional or geographical) within an organisation where problems are being,<br />
or could be expected. This is very useful as it enables the organisation to apply the<br />
Pareto Principle and spend the greatest part of its limited time and resources focusing<br />
on the most important areas.<br />
o An outsourced reporting service will, in all likelihood be the most cost-effective<br />
component of any risk management structure. When one considers that the monthly<br />
subscription for most ORS providers is less than half the cost of one security guard on a<br />
24 hour basis for a large organisation and slightly more than the cost of alarm<br />
monitoring and armed response for a small company, one doesn’t have to be a genius<br />
to understand which is going to provide the better return on investment.<br />
o A reporting service provides a real motivation to streamline an organisation’s insurance<br />
portfolio and to reduce the cost of fidelity and other insurance premiums.<br />
Apart from all the obvious advantages of introducing a reporting service there are also a<br />
few disadvantages (listed below) which need to be highlighted to complete the picture.<br />
o I recall that we did a presentation to a very high profile and successful prospective<br />
subscriber some years ago. Once we had finished the presentation we asked the CEO if<br />
he wished to ask any questions or make any comments. After a short pause he said<br />
that he wouldn’t be subscribing to our service as he was concerned that the service<br />
Version 2015-01 © BE HEARD 2015
would “expose his dishonest management”! If the anecdote doesn’t indicate a cancer<br />
that exists in many organisations it may be quite funny. The introduction of a reporting<br />
service is clearly a risk in entities where management is behaving inappropriately!<br />
10<br />
o Another concern which is often raised by prospective subscribers is the question of<br />
malicious and “bad faith” disclosures. This could well prove to be a significant problem<br />
if not managed properly. The golden rule is that no one should be confronted until an<br />
initial investigation has confirmed that a disclosure has substance. I recall a case where<br />
a CEO was so incensed when he received a report concerning one of the women in the<br />
accounts department that he ran down the passage to her office and tried to strangle<br />
her! This could have been avoided had the report been sent to a senior person such as<br />
the security risk manager of the internal audit manager who could have dispassionately<br />
undertaken an initial investigation and only subsequently brief the CEO.<br />
o Another prospective subscriber (a large retailer) commented that he didn’t like the idea<br />
of introducing a reporting service as it would indicate to his staff members that<br />
management didn’t trust them. When I asked him how a reporting service differed from<br />
the undercover agents, covert CCTV cameras and ghost shoppers that I knew he used,<br />
he was at a loss for words! This attitude is actually quite common. “We’re an honest<br />
bunch” lamented one CEO but he was unable to explain the fact that his organisation<br />
was losing millions of Rand through theft and fraud every year.<br />
o Finally, there is a real risk that the credibility of the directors and senior management<br />
could be seriously dented if a reporting service, once introduced, is not fully embraced.<br />
What this means is that employees soon become cynical when they constantly make<br />
disclosures but see no action being taken by management. Sadly this is a common<br />
phenomenon!<br />
AN INTERNAL OR AN <strong>OUTSOURCED</strong> SERVICE?<br />
I am perhaps, and may be forgiven for, not being entirely objective in this respect. It is a<br />
widely held view that independence is a cornerstone of any effective reporting service and<br />
this was even highlighted many years ago in the report of the Presidential Commission in<br />
the USA subsequent to the Challenger disaster.<br />
Notwithstanding all the evidence that exists to support an independently managed ORS<br />
there are still a number of major organisations that insist on an in-house service. Many<br />
insist that they don’t want any external party to have knowledge of their internal secrets!<br />
This argument sadly doesn’t inspire any confidence in me as, whether intentional or not, it<br />
creates the perception that the entity may not really be committed to transparency,<br />
integrity and openness. It casts a shadow and begs the question as to what the entity may<br />
wish to hide.<br />
Version 2015-01 © BE HEARD 2015
The few internal services that I have observed all fail dismally when measured against the<br />
points listed below to support an outsourced service. One even had an answering machine<br />
situated in an open-plan office where incoming messages could be heard by anyone within<br />
earshot!<br />
11<br />
The following points set out the case for an outsourced reporting service and you, the<br />
reader, be the judge<br />
o An ORS provider manages his service as his principal business and not as an additional<br />
task or a side-line activity. Many have dedicated management teams with years of<br />
experience in managing the service.<br />
o ORSs are extremely cost effective and few in-house offerings, providing the same levels<br />
of service, can be favourably compared.<br />
o An ORS employs dedicated skilled professionals answering calls in a consistent manner.<br />
Staff members employed by many ORSs are thoroughly vetted and may even be<br />
required to undergo periodic and random truth verification testing.<br />
o An ORS is totally independent and objective and conveys to the subscriber exactly what<br />
is reported via the communication channels as accurately as possible without fear or<br />
favour. Most ORSs offer differentiated reporting which enables reports involving senior<br />
management to be escalated to a non-executive director, the chairman of the audit<br />
committee or another independent person.<br />
o Most ORSs offer a multilingual “live” service 24 hours a day 365 days a year including<br />
all public holidays and weekends.<br />
o A range of communication channels is normally provided so that the stakeholder can<br />
make the disclosure using the means most convenient to him. The following are typical<br />
channels of communication<br />
• A telephone number, unique to each subscriber, which is normally a FreeCall<br />
(0800) or a ShareCall (0860) number so that the caller incurs no, or only limited,<br />
cost in making the call. These numbers can be so called Golden Numbers such as<br />
0800-BLOGGS which are easy to remember. FreeCall (0800) numbers are still<br />
widely favoured but as calls to these numbers (as the name indicates) are made at<br />
no cost to the caller, they result in many nuisance calls being made which “clutters”<br />
the system and ties up the ORS’s staff. The ShareCall (0860) number costs the<br />
caller the cost of a local call and experience indicates that this reduces nuisance<br />
calls while not dissuading a motivated caller from making the disclosure. It is<br />
important to note that calls to 0800 or 0860 numbers are not free from cell phones.<br />
The reason why each subscriber is normally allocated a unique number is that the<br />
Version 2015-01 © BE HEARD 2015
technology management system recognises the call as referring to a specific<br />
subscriber and enables the calls to be answered in a specific way and for accurate<br />
statistics of all the calls received to be generated automatically.<br />
12<br />
• A short-code SMS should be available to enable people to send text messages and<br />
to send a “Please Call Me” message so that the ORS can call them back.<br />
• A unique e-mail address is allocated to each subscriber which is normally<br />
bloggs@beheard.co.za thus identifying the subscriber.<br />
• Most ORSs have a facility on their website where a stakeholder can simply<br />
complete a template and submit a disclosure. This is a useful facility as, if it is<br />
properly designed, the person making the disclosure can’t be traced. Some of the<br />
larger subscribers have links on their own websites where stakeholders can be<br />
taken to their ORSs website and make a disclosure.<br />
• An application (App) for Smart Phones which enables people to complete a<br />
template similar to the website facility.<br />
• Skype.<br />
• A fax number is normally provided. This can either be a FreeCall, a ShareCall or a<br />
fax-to-email number and be either generic or a unique number for each subscriber.<br />
These numbers are seldom abused. The downside of a fax is that the ORS can<br />
normally identify the number of the fax machine that was used to send the<br />
disclosure. This is problematic if the person making the disclosure wishes to remain<br />
entirely anonymous but can be overcome by using an “anonymous” fax machine<br />
from somewhere such as Postnet.<br />
• A Freepost address is made available to enable stakeholders, who may not have<br />
access to other communication channels, to make a disclosure. This channel is<br />
often used where a stakeholder may wish to send evidence to support a disclosure.<br />
o An ORS that provides an effective service will have a technology solution in place which<br />
will ensure excellent security and have an Un-interrupted Power Supply (UPS) unit as<br />
well as a generator or inverter to ensure that it can provide an uninterrupted service 24<br />
hours a day. This solution will also ensure that all disclosures made by telephone are<br />
recorded digitally and stored so that these recorded calls can be accessed at some later<br />
stage should a dispute arise or should the details of the call need to be reviewed.<br />
o An ORS, because it operates at arms-length from the specific entity, ensures that the<br />
possibility of a caller being identified by his voice is extremely remote. This ensures that<br />
should a caller wish to remain entirely anonymous (even to the ORS) he can do so and<br />
Version 2015-01 © BE HEARD 2015
avoid the possibility of being victimised. It is important to mention at this stage that<br />
there are some callers who, for whatever reason, wish to remain entirely anonymous.<br />
Others are happy to be identified and make an open disclosure. The vast majority of<br />
callers agree to provide the ORS with their identity and contact details but request that<br />
these details are not passed on to the subscriber. From all the parties point of view<br />
this is an excellent option as it enable the ORS to act as the bridge between the<br />
subscriber and the person making the disclosure on an ongoing basis without the<br />
identity of the caller ever being made known to the subscriber. This is very important<br />
when follow-up information may be required and when the subscriber may wish to pay<br />
the person making the disclosure a reward. (More about rewards below)<br />
13<br />
o Malicious disclosures, when they are received by the ORS, can be dealt with<br />
professionally and filtered on behalf of the subscriber.<br />
o An added benefit of using an ORS is that patterns and modus operandi as well as<br />
details of syndicate activity and in some cases even details of specific disclosures can<br />
be shared among subscribers in related industries. The ORS can also share case studies<br />
and best practice with subscribers.<br />
o Through its experience, the ORS can provide subscribers with advice regarding the<br />
promotion of the reporting service among its stakeholders including creative ideas that<br />
have proved to be successful with other subscribers.<br />
o The ORS could manage a reward programme on behalf of subscribers. To ensure that<br />
the person making the disclosure remains anonymous to the subscriber the reward can<br />
be paid by the ORS to the person who has made the disclosure in such a manner that<br />
any tax is deducted and paid to SARS before the reward is paid. This will mean that the<br />
person being paid the reward will not have to list the reward as revenue received on his<br />
tax return. The subscriber paying the reward will receive a VAT invoice for<br />
“Management Services” which he can bring to book in the normal manner. (More about<br />
rewards below)<br />
GUIDELINES FOR <strong>MANAGING</strong> DISCLOSURE REPORTS<br />
To be quite blunt it is not even worth the effort and the cost of introducing a reporting<br />
service unless considerable attention is given to planning how the reports from the ORS are<br />
going to be communicated to the subscriber and how they are then going to be managed.<br />
I recall one of our very first clients who I was very excited about as they were receiving a<br />
steady flow of substantive reports. At a feedback meeting I was very surprised to be<br />
informed by the subscriber’s representative that they were not happy that they were<br />
receiving a satisfactory return on their investment. After I had recovered from the shock, I<br />
asked the subscriber if the bulging lever arch file on the boardroom table contained the<br />
Version 2015-01 © BE HEARD 2015
eports that he had been sent. After he had confirmed that indeed it was, I asked him how<br />
many of the reports had actually been followed up and investigated. Suddenly a silence<br />
descended on the gathering and he rather sheepishly replied that they hadn’t done much<br />
about the reports as they didn’t have the trained personnel to follow them up and<br />
investigate.<br />
14<br />
This is really a lame excuse in this day and age as even small organisations who don’t have<br />
their own resources can make use of any number of affordable, skilled and professional<br />
investigators to assist them.<br />
Sadly, the above scenario plays itself out all too often and defeats the purpose of having a<br />
reporting service – it actually gives reporting services a bad name!<br />
There are two important components that need to be addressed – how the reports are<br />
communicated and how they are dealt with.<br />
The following pointers are important when planning how reports should be communicated by<br />
the ORS to the subscriber:<br />
o The most important consideration about disclosure reports is that they should always be<br />
treated as strictly confidential as their content is invariably very sensitive and their<br />
improper handling could at best lead to embarrassment and at worst to having to pay<br />
significant damages after a claim by an aggrieved stakeholder!<br />
o The communication of reports should be customised to suit the subscriber’s structure.<br />
The designated person receiving the reports could be the MD/CEO, the Financial Director,<br />
the Internal Audit Manager or the Security Risk Manager or another manager who<br />
understands the working of the system. In larger entities it is preferable to designate<br />
someone other than the MD/CEO as they can undertake the initial investigation and<br />
report to the MD/CEO. In smaller entities, where no other suitable person exists, the<br />
MD/CEO will need to be the designated person.<br />
o It is important to ensure that all reports are accounted for so that none “disappear” or fall<br />
through the cracks. One solution is for the ORS to send a schedule setting out a summary<br />
of all the reports that were sent to a subscriber, directly to a person other than the<br />
designated person on, say, a monthly basis. This person should then hold the designated<br />
person accountable to provide feedback on all the reports that have been received. One<br />
large listed subscriber requested that this summary be sent to the chairman of their audit<br />
committee who monitored the action that had been taken on all the reports and held the<br />
executive management accountable.<br />
o At least one alternate designated person should be appointed to receive the reports in the<br />
event that the designated person should be unavailable.<br />
Version 2015-01 © BE HEARD 2015
o Should a specific report concern the designated person, a second designated person<br />
(senior to the first), should be identified to receive the report. This should happen all the<br />
way up the ladder so that in the event that a specific report concerns the MD/CEO,<br />
provision should be made for the chairman of the board or the chairman of the audit<br />
committee to receive such reports. The MD of a foreign owned SA based subscriber<br />
nominated the person he reported to in Canada as the designated person should any<br />
reports have involved him.<br />
15<br />
o As a rule, all reports should be sent in Portable Document Format (PDF) by e-mail directly<br />
to the designated person. This is to ensure confidentiality but also to protect the ORS. In<br />
the past some designated persons insisted on the reports being faxed to their PAs but the<br />
risks of this should be obvious. This ceased when one CEO’s PA was heard discussing a<br />
particularly juicy report with a colleague in the passage.<br />
o Reports can also be hand-delivered or sent by courier provided that the service is secure<br />
and confidentiality is ensured. This is particularly useful when files, documents and other<br />
bulky evidence need to be sent.<br />
o In all cases telephone and cell phone numbers should be provided so that the ORS can<br />
contact the designated persons (at all levels) urgently should this be required.<br />
How the disclosure report is managed by the subscriber is critical and the following<br />
guidelines should be observed:<br />
o Needless to say, the reports should be stored securely whether in its electronic format or<br />
as a hard copy. Consideration should be given to filing the digital reports in a password<br />
protected folder so that even the IT administrator can’t access them.<br />
o While every report should be taken seriously, it should be treated as merely an allegation<br />
until an investigation has confirmed or refuted the contents. For this reason I am a firm<br />
believer that someone other than the MD/CEO should be the designated person so that<br />
“malicious seeds” can’t be planted in the mind of the MD/CEO until after some verification<br />
has taken place.<br />
o If the person making the disclosure has provided his identity to the ORS, the services of<br />
the ORS as a communication bridge should be used if certain information contained in the<br />
report may need to be clarified or verified.<br />
o In one case an MD/CEO received a report concerning a senior colleague who he was very<br />
friendly with. Instead of treating the report in the correct manner, he walked into his<br />
colleague’s office and showed him the report saying something like “Look what they are<br />
saying about you”. His colleague of course denied the allegation and the two laughed off<br />
the report. As it happened, this senior colleague was indeed involved in some serious<br />
Version 2015-01 © BE HEARD 2015
irregularities but the subsequent investigation was severely hampered by the fact that he<br />
was able to cover his tracks as a result of the early warning that he had received. The<br />
golden rule is that anyone could be doing it and that no one – perhaps particularly not<br />
even senior managers - should be excluded!<br />
16<br />
REWARDS – TO PAY OR NOT TO PAY?<br />
Whether or not subscribers should pay rewards to stakeholders who have made meaningful<br />
disclosures is a complex matter and there is no right or wrong answer. The jury is still out on<br />
this one. While there some entities that swear by it, there are others who are totally opposed<br />
to paying rewards on the grounds that it is expected of employees to make disclosures in the<br />
interests of the organisation.<br />
While I was initially quite opposed to the payment of rewards, I now believe that they can<br />
play a very positive role depending on a few factors such as the specific “cultural profile” of<br />
an entity, specific circumstances and how the payments of rewards are managed.<br />
A relevant case study concerns a motor component firm who, notwithstanding an extensive<br />
awareness campaign among all their staff, did not have one disclosure in a twelve month<br />
period. On investigation it was discovered that the company’s shop stewards were running<br />
the syndicate which was stealing large quantities of product from the entity. They had made<br />
it quite clear to all the staff that they had people who would tell them when someone made a<br />
disclosure and that they knew how to “take care of” such people! After discussing the matter<br />
with top management it was decided to advertise that attractive rewards would be paid for<br />
disclosures leading to the arrest of thieves and/or the recovery of stolen product in an effort<br />
to break the shop steward’s grip on the staff. It worked and within a few months the ringleaders<br />
were rounded up and the volume of theft dropped dramatically.<br />
I am also a firm believer that subscribers should consider paying rewards in certain cases<br />
only. An example was a major paper producer who had a truck fully loaded with product<br />
hijacked by a syndicate. A special campaign was launched using the existing reporting service<br />
infrastructure and attractive rewards were offered for information leading to the recovery of<br />
the product and the truck and the arrest of the perpetrators. This worked and the truck and<br />
most of the stock was recovered.<br />
The manner in which the rewards are paid (as set out above) it critical. One major<br />
organisation in SA has turned the payment of rewards into a circus where the name of<br />
everyone who has made a disclosure during a specific period is “put into a hat” and one<br />
person’s name is drawn at a gala function. The “winner” is then called up to the podium to<br />
receive a very substantial reward. The risks to the “winner” should be obvious!<br />
Your service provider should be in a position to manage a reward scheme on your behalf so<br />
that the identity of the person who is to receive the reward is not compromised.<br />
Version 2015-01 © BE HEARD 2015
17<br />
COMMITMENT FROM THE SUBSCRIBER<br />
The important role and function that the ORS plays has been covered in some detail above<br />
but the ORS is only one partner in the relationship. No matter how excellent the service<br />
provided by the ORS, a reporting service will only be really successful if the subscriber shows<br />
serious commitment to making the service effective.<br />
Entities who have achieved significant success from their reporting service have:<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
Fully embraced and taken ownership of “their” reporting service. This means that top<br />
management have led the way and set the example.<br />
Ensured that the introduction of the reporting service has been communicated to all<br />
stakeholders – not only initially during the roll-out but on an ongoing basis.<br />
Introduced a clear system of communication between the ORS and their entity.<br />
Taken the management and investigation of reports seriously and allocated resources to<br />
undertake these functions.<br />
Fully integrated their reporting service into their risk management strategy.<br />
Taken on their ORS as a “partner” who can really play a role in assisting them deal with<br />
inappropriate and unlawful activities within their organisation.<br />
Committed to respect the spirit of the law and not unleash witch hunts to trace and<br />
victimise people and especially employees who report illegal and inappropriate<br />
behaviour. They are of course legally bound (by the Protected Disclosures Act, 2000) to<br />
protect the identity of people who make disclosures.<br />
CULTURAL ISSUES<br />
Finally, before concluding, a word needs to be said about how cultural issues can affect the<br />
success of reporting services.<br />
On a visit to Australia some years ago it was frequently pointed out to me that a reporting<br />
service would not work there as a deeply entrenched culture of not “dobbing on your mate”<br />
exists in Australia.<br />
There are similar entrenched cultural taboos throughout the world which may negatively<br />
influence people who would otherwise be willing to make a disclosure. Negative epithets like<br />
rat, grass and (in SA) impimpi are commonly used to describe people who “split” on others or<br />
“spill the beans”.<br />
Version 2015-01 © BE HEARD 2015
18<br />
These terms are normally used when a “them and us” situation exists. The parties could be<br />
the crooks and the police (rat and grass), the people and the Security Police in the old SA<br />
(impimpi) or of more relevance to us management and staff.<br />
The only way to reduce the impact of this phenomenon in an organisation is to actively try<br />
and change the way the two groups view each other and to try and unite everyone behind<br />
one common purpose.<br />
All groups have to learn that the existence of inappropriate or unlawful behaviour with an<br />
organisation is not in anyone’s interest and that their impact will be felt by everyone and not<br />
just the directors.<br />
CONCLUSION<br />
A quotation, apparently incorrectly attributed to the 18 th British philosopher Sir Edmund<br />
Burke, that "the only thing necessary for the triumph of evil, is for good men to do<br />
nothing" takes on a new meaning when considered in the context of reporting services.<br />
It is expected of good men and women, now more than ever before, to get actively involved<br />
in the fight against unlawful and inappropriate behaviour in the workplace and help to create<br />
the kind of environment that most of us strongly desire.<br />
Reporting services (and particularly outsourced reporting services) have proved, since their<br />
introduction in SA in 1999, that they are an important and extremely cost effective<br />
component of any risk management strategy.<br />
Version 2015-01 © BE HEARD 2015
19<br />
APPENDIX A<br />
RATE YOUR EXISTING <strong>REPORTING</strong> SERVICE PROVIDER.<br />
Here's a quick checklist to evaluate your existing outsourced reporting service (ORS)<br />
provider, or if you don't yet have one, use the checklist to evaluate those service providers<br />
who you may approach for proposals.<br />
Does your existing ORS meet the following criteria?<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
Certified to the External Whistle-blowing Hotline Service Provider Standard EO1.1.1 of<br />
the Ethics Institute of South Africa.<br />
Independent of your external or internal auditor and forensic investigators.<br />
Is operating the reporting service their primary focused business or is it a side-line<br />
activity or loss-leader for forensic services.<br />
Has an experienced and dedicated management team with many years of experience.<br />
Offers direct access to and frequent contact by top-management.<br />
Offers a number of packages to suit your specific requirements.<br />
The service operates 24 hours a day, 7 days a week.<br />
The service is operated in most South African languages.<br />
Has an effective technology solution including voice recording.<br />
Reports can be made by using a unique 0800-FreeCall number, a unique e-mail address,<br />
via a website template, Smart Phone application, via SMS (including a "Please Call Me"<br />
facility), via Skype and via fax and via Freepost.<br />
Offers a web-based system of sending reports to you.<br />
Offers you on-line and real-time access to statistics and activity on your service.<br />
Has a user-friendly module to assist you in managing your reports.<br />
Offers a free Wheelsline service to provide information on your fleet.<br />
Offers free exit interviews to gather information from employees who have just left your<br />
organisation.<br />
Presents a free train-the-trainer workshop including a CD containing comprehensive<br />
information for all attendees.<br />
Provides a catchy free digital awareness video to create awareness among your staff.<br />
Has an extensive menu of awareness material to assist you in promoting your service.<br />
Provides a free E-Handbook on how to manage your reporting service.<br />
Has the ability to manage a rewards programme should this be required.<br />
Manages a help-line to enable prospective whistle-blowers to obtain advice and support.<br />
Constantly innovates.<br />
Version 2015-01 © BE HEARD 2015