Q. I’m part of a team that is evaluating our company’s business ethics hotline (whistleblower) process. We are trying to decide if we should manage the process ourselves or hire a third party. What should we consider as part of our due diligence and decision?
A. While there may be some general designs for a business ethics hotline program, each company’s program must be detailed to fit its business operations and culture. There are a number of design decisions that must be made along the way and one of those decisions is whether to manage it yourself, hire a third party or implement some combination of both. When making this decision, there are a number of points to consider, evaluate, compare and prioritize while determining which management process best meets your needs. The priority and relative importance of each of these points will vary by company. Items to consider include:
• International vs. Domestic – Will your hotline reach out to an international audience? An International audience brings potential challenges with language, local costume and culture, local laws and regulations, time differences and technical support.
• Service Level – What is an acceptable service level? How much time is allowed to address an issue? How many hours (or days) are allowed from when the issue is received to start and completion of the investigation?
• Service Hours – What will be the desired hours of operation? Will all these hours require live call answer or voice mail, or a combination of both? What resources (personnel, technical and physical) will be required to accommodate the desired hours and method of operation?
• Call Volume – What is your current or anticipated call volume? What resources (personnel and technical) will be required to manage the call volume within acceptable service levels?
• Confidentiality – Is there a concern with third party knowledge of the issues raised on the company hotline? Is there a concern (real or perceived) or a need for “arms length” objectivity? How will caller anonymity (perception or reality) be maintained?
• Company Culture and Business Operations – How important is (good) knowledge of company operations and culture to receiving and interpreting incoming calls and issues? Will a third party provider have enough company knowledge to properly triage hotline calls?
• Resources (personnel) – What personnel resources will be required to manage an outsourced hotline operation? What personnel resources will be required to manage a proprietary hotline operation? Is this a function that can be added to existing operations?
• Resources (technical) – What technical resources will be required to manage an outsourced hotline operation? What technical resources will be required to manage a proprietary hotline operation? Is this a function that can be added to existing operations? How often will technical (hardware/ software/website) updates be required? Is it acceptable to have technical breaks in service? Must redundant operations be available?
• Resources (physical) – What physical resources (office space/equipment/furniture) will be required to manage a proprietary versus an outsourced ethics hotline operation?
• Administrative – How much of the hotline operation can be outsourced? Is it all or nothing? Can a hybrid process be created to meet company needs? What services are needed; incident reporting (call center/website/e-mail/postal), incident tracking, investigative, management reporting, program and awareness communications?
• Incident Receipt/Delivery – What are the requirements for hotline information receipt? Telephone (long distance requirements), email, text message, website, postal? Are all calls to be answered live or is voice mail acceptable?
• Data – What are your company or regulatory requirements regarding data protection and privacy for whistleblower related materials? What are your company requirements regarding incident reporting, incident tracking, management reporting and benchmarking?
• Cost – How do the costs compare? Are they justifiable? Can a third party program be customized allowing the option to purchase only what is really needed and desired?
• Legal – Does local law (US Federal Sentencing Guidelines/Sarbanes-Oxley/EU Whistleblower Guidelines) or industry or contractual agreement (labor or clients) require a particular type of hotline (whistleblower) process? Is there a reliable process to ensure on-going legal compliant operations in all markets?
• Other – Does outsourcing offer other service (security case management/assistance lines/client services) opportunities? Are there specific or unique company, industry, labor or professional considerations and/or requirements?
Establishing clear company objectives related to hotline/whistleblower programs will assist in the evaluation and comparison of the pros and cons associated with a proprietary versus an outsourced (third party) managed whistleblower program. Maintaining current program goals and a regular review of process will further help with keeping your program current, compliant, effective and efficient.
Answer provided by Kenneth Kasten, Security Executive Council Emeritus Faculty.