In-House Advisor: Welcoming Whistleblowers

By offering a range of secure and anonymous reporting channels, companies can empower employees to take the risky step of reporting ethical or legal breaches

In March 2012, the RCMP confirmed they were investigating Montreal engineering firm SNC-Lavalin Group Inc. over $56 million in mysterious payments that were wrongly assigned to certain construction projects. Chief Executive Pierre Duhaime resigned after an internal investigation found he had broken company rules by authorizing the payments. He was soon charged with fraud. The fallout continued in February 2014, when two former vice presidents were charged with fraud and bribery of foreign officials.

The corruption scandal led to a shakeup of SNC-Lavalin's compliance program, an enhanced role for its legal department and the establishment of an Ethics and Compliance Hotline staffed by a third-party provider available in 16 countries where the global engineering firm has projects.

Charles-Olivier Bernard, Vice President of Legal Affairs for the firm's Infrastructure and Construction Group, declines to say whether the alleged abuses would have been exposed earlier, or prevented altogether, if the new set-up had been in effect before 2012. “It's very hypothetical,” he says. “But I think what we're doing is great. We are engaged in a continuous improvement journey with respect to our ethics and compliance program.” They're not alone on that journey. It has been almost a decade since securities regulators, in reaction to the Enron and WorldCom financial scandals, imposed whistleblower requirements on publicly traded corporations. The Canadian Securities Administrators' National Instrument 52-110 required that publicly traded companies provide an anonymous mechanism for the disclosure of misconduct in accounting, internal accounting controls, or auditing matters to their audit committee before their 2005 annual meeting.

In the US, the Sarbanes-Oxley Act (SOX) and the New York Stock Exchange Corporate Governance Rules each required identical procedures for foreign private issuers listed on the NYSE to be in place by July 2005.

Although securities regulators dictated reporting channels for complaints of financial malfeasance, most companies have expanded the scope of their reporting channel to include lapses in health and safety, the environment, privacy and other ethical transgressions.


Some employers have made do with an entirely in-house reporting channel, but Kristine Robidoux, who leads the Global Business Integrity Practice Group at Gowling Lafleur Henderson LLP in Calgary, warns against this. “It can be perceived by employees to be lacking in objectivity.”

She advises companies to outsource the reporting channel to a third-party provider that has 24/7 accessibility and uses interviewers skilled in gathering information. Such a service costs as little as $15,000 a year, she says.

ClearView Strategic Partners Inc. of Toronto is one global provider of anonymous channels for employee whistleblowing. At one-quarter of all ClearView's corporate clients, it is the company's legal department that “owns” the company's whistleblower program. (At other clients, it may be internal audit, human resources or a separate compliance department that has overall responsibility.)

“But at a much larger percentage of clients, the legal departments are involved in reviewing the reports that are submitted,” says Phil Enright, ClearView's President and CEO.

Practitioners agree that the more secure, anonymous reporting channels are offered to employees, the more likely they are to feel empowered to take the risky step of reporting an ethical or legal breach.

“Giving employees a variety of options increases the chances that they will report,” says Joyce Mitchell, an employment lawyer with McLennan Ross LLP in Calgary, who advises clients on whistleblower policies.

ClearView provides four reporting channels: an encrypted, web-based email option; a telephone “hotline” staffed by a live agent who transcribes the complaint; a voice-mail phone option and a snail mail address. Some 80 per cent of complaints are lodged through the open-ended web portal, while 18 per cent come to the live agent.

Mitchell knows of cases “where it's pretty clear that if there hadn't been anonymous reporting available, the employee would not have reported.” But anonymous reporting also has a downside: “It may impact on your ability to conduct a fair and thorough investigation,” she says. “Due process implications may come into play, which means you can't take that investigation as far as you might like.”

While anonymity is the key factor in encouraging employees to speak up, experts agree it has to be backed up by a management and board committed to a culture of ethics. The starting point for that is the company's code of conduct, but it can't end there.

“There may still be companies in Canada that believe a compliance program is a piece of paper,” says Robidoux. But it has to be a “living, breathing animal. It needs to be constantly reinforced.”

She advises clients to actively promote their reporting channels — not only to employees but even to vendors and suppliers. “Even if you increase the possibility that you're going to get frivolous complaints, it's worth it to have to wade through all of those to get to perhaps the one allegation that does have merit. Companies need to be bold and brave, and welcome this possibility.”


Hudbay Minerals Inc. provides new employees with its whistleblower policy and code of conduct when they join the company, giving them 30 days to certify that they've read them and comply. “They know from day one that they're encouraged to make these types of complaints and that there won't be any retaliation against them,” says Patrick Donnelly, Hudbay's Vice President, Legal and Corporate Secretary. “We send the policy around once a year [as a reminder to employees].”

Within the next two years, Hudbay intends to introduce a more proactive training and compliance program. “If you can require [employees] to watch a 10-minute video that hits the key compliance messages and then make them answer a brief quiz, you know for sure that they understand the fundamentals of these policies.”

Hudbay has had no allegations of fraud or other serious wrongdoing in his five-and-a-half years at the company, says Donnelly. It has had low-level complaints, usually about one per quarter, often dealing with safety practices or employee relations. With the approval of the audit committee chair, Donnelly asks the head of the relevant business unit to conduct an investigation.

Donnelly typically receives a report from the business unit head on the conclusions and remedies they've implemented. He can send the file back for additional follow-up or, if satisfied, forward it to the audit committee chair. He sends updates to her every 30 days on the status of the probe. Donnelly also informs the complainant – through the anonymous reporting channel – of the outcome of the investigation.

If there were a fraud or bribery allegation, it would be fielded by the chair of the audit committee, he says. The board would quickly convene to review the allegation and launch an investigation. For this, the board would either turn to the legal department or (if it wanted to keep management out of the loop) hire third-party investigators.

Robidoux agrees that a company's investigation protocol should allow for different forms of investigation, depending on the level and gravity of the alleged offence. “Conflict of interest could be wholly within the ambit of in-house counsel or compliance counsel,” she says.

“Fraud or bribery are high-impact allegations that you would want specialized external counsel, if not conducting the investigation, then certainly assisting on it. Any allegation that reaches up to senior management levels should go to outside counsel. You have to preserve the integrity of the process at all costs. You don't want to go through the steps of an internal investigation only to be accused afterwards of having engaged in a whitewash.”


In addition to its newly created third-party hotline, SNC-Lavalin maintains five internal channels for reporting breaches of its code of conduct. Reports of alleged abuses go to the Corporate Compliance Group. Chief Compliance Officer Andreas Pohlmann is ultimately responsible for deciding whether to send a report to the board's ethics and compliance committee.

Investigations into allegations are led by compliance officers. One is assigned to each business unit and one to each geographic region. In a complex arrangement, the seven business unit compliance officers are in-house counsel who answer to both the General Counsel and the Chief Compliance Officer.

“It makes sense for Legal to be involved as part of the compliance program,” says SNC-Lavalin's Bernard. “By their nature, compliance is part of the lawyer's DNA. They know the business, the players, the markets. They can use that knowledge to assist with respect to compliance issues and give traction to that program.”

The company recently received the ethics certificate from the Quebec securities regulator, the Autorité des marchés financiers, that is needed to bid on public-sector contracts in the province. “I believe that our progress in ethics and compliance is a key to that achievement,” says Bernard.


Loblaw Companies Limited, in its Code of Conduct, offers employees the choice of reporting violations to their business unit manager, to Human Resources or to an “integrity action line” — an anonymous third-party service that fields complaints from both Loblaw's Canadian and American operations.

Says Adam Walsh, Vice President, Legal: “We try to make it abundantly clear in all communications about the action line that

(1) you have the right to be anonymous; and

(2) there's a no-reprisals commitment on the part of the company for people reporting through the action line.”

Action line personnel, working with a complex “call tree,” send an email summary of each complaint received to the appropriate manager for review, also copying the legal department. Walsh says, “We've spent significant time trying to get this ‘call tree' process right. So the efficiency of responding [to a complaint] is much faster because the right person is getting the right complaint in their email 10 minutes after the call is logged.”

On Loblaw's intranet, the HR or business unit manager fills in their response, says Walsh, who “can go on there and check the status of each complaint, whether it's been resolved.”

Loblaw also has a Code of Conduct Committee that includes representatives from HR, Legal, Financial Reporting and Audit. They collect and consolidate complaint data from across the business units.

The most material incidents are reported to the board's audit committee. While the Code of Conduct Committee meets only quarterly, any serious matter is addressed immediately, says Walsh. “We've not had many serious incidents beyond the usual HR matters,” he adds.


CIBC Financial Group gives employees the option to complain (anonymously if they wish) through its Ethics Hotline, a 1-800 line that is run by a third-party provider and available globally. Employees who call are given a file number and invited to phone back in 10 days to receive CIBC's response.

The third-party service emails a call summary to both a compliance officer and a senior corporate security person, who may direct it to HR or elsewhere in the bank, if appropriate. “Wherever it gets assigned to for follow-up, we stay on top of it and monitor it,” says Tim Moseley, a lawyer who is a Senior Vice President and Chief Compliance Officer.

Since CIBC has gotten the message across that the hotline is for ethics allegations rather than Human Resources complaints, “we don't get very many calls to the hotline,” says Moseley.

While the hotline is intended for employees wishing to raise material, systemic concerns, Moseley says such employees don't really need that channel to report them. “There's always been ways to anonymously raise concerns — by dropping an envelope into internal mail to the CEO or to the board or the Corporate Secretary. It's helpful to have the hotline, just in case, but I don't think it's necessary.”

All hotline calls are reported quarterly to the board's audit committee. But Moseley says the hotline has generated no material issues for the audit committee. “Having a call come in through the hotline doesn't make it any more or less likely that the committee is going to hear about it. It depends on the content, not the channel.”

Historically, the legal department doesn't normally head investigations within CIBC. Corporate security usually leads, says Moseley, “because they've got the staff, expertise and training to do investigation. As the investigation evolves, Legal might take over, depending on the nature of the investigation. It's case-specific and not dependent on the channel that was used to raise the concern.”

CIBC's whistleblower process reflects the separation of the roles of legal officer and compliance officer. “For an institution like CIBC, or our peers, it would simply not be permissible to include the two in the same group,” says Moseley. “Our regulators push for compliance to be an independent function in a way that Legal is not.”

Mid-sized companies, in contrast, are more likely to lodge both roles with the same in-house lawyer.

Says Mitchell at McLennan Ross: “There's a quote that says in-house counsel are there to tell the corporation whether it can do something; the compliance officer is there to tell it whether it should do something. I think there's validity in that. These two may have complementary roles, but they're not identical roles.

“I think for in-house counsel, it's easier if the job doesn't encompass this [compliance] role because they can be pulled in two different directions at the same time, which can be difficult.”


Some recent new developments in American whistleblower jurisprudence have caught the attention of Canadian businesses, especially those listed on US exchanges.

Last year, the Canadian National Railway Co. became one of the first Canadian companies to be sued under whistleblower protection provisions in the Sarbanes-Oxley Act.

Timothy Wallender, a trainmaster at the CN rail yard in Memphis, Tenn., sued his ex-employer claiming he was fired after complaining that CN was falsifying performance data. The data in question are a key measurement of a railway's efficiency and can affect its share price.

The plaintiff sued under whistleblower protections, which prohibit a publicly traded company from retaliating against an employee who reports fraud committed against shareholders. CN has denied engaging in fraud and also disputes that Wallender's dismissal was related to his complaint, which he raised with senior management.

The number of SOX settlements reached with employees who alleged retaliation has spiked upwards in the past few years, thanks to a broader interpretation taken of the whistleblower protections by new administrative adjudicators appointed to the Occupational Safety and Health Administration (OSHA).

Last October, OSHA ordered Clean Diesel Technologies Inc. to pay US$1.9 million to its former chief financial officer who was fired for reporting to the board of directors that, in a proposed merger, important financial information was being withheld from the board and the board's chair had a conflict of interest.

In another major development, the Dodd-Frank Act has provided incentives for employees to go public with their complaints. The Act enables a whistleblower who voluntarily reports wrongdoing to the U.S. Securities and Exchange Commission (SEC) to claim between 10 and 30 per cent of any “monetary sanctions” collected in actions brought by the regulator (where the sanction exceeds US$1 million).

The SEC disbursed US$14.8 million of “bounties” in its FY 2013, which ended in August. On October 1, 2013, the SEC announced it had paid US$14 million to a single whistleblower whose tip “led to an SEC enforcement action that recovered substantial investor funds.”

Ontario Securities Commission staff have been examining the idea of incentives and/or protection from retaliation for tipsters. Key considerations include the funding and possible need for legislative amendments to enable such a program.

In 2011, the regulator introduced a program under which a party would explicitly not be subject to OSC enforcement action in exchange for reporting possible breaches of Ontario securities law or activities contrary to the public interest, and for cooperating in an investigation.

Not surprisingly, companies are hoping Canadian regulators won't offer rewards for tips.

“Used responsibly, if it achieves its purpose of encouraging whistleblowers to report fraudulent behaviour, that's fine,” says Donnelly. “But if it encourages people to fabricate or exaggerate these types of reports in hopes of a windfall, obviously it's not achieving its objective. That's the concern the regulators have to address.”

“In the advice I give clients,” adds Joyce Mitchell, “one of the main goals is trying to ensure that the compliance program is robust and gives employees the confidence that they can deal with the employer internally and don't have to go external. The employer is much better served by having these issues dealt with internally. Bounties completely reverse the goal you're trying to accomplish there.”


> A reporting channel should exist within the context of a corporate code of conduct and a corporate culture of ethics.

> The compliance program must have “buy in” from the board of directors and senior management. A reporting channel will be effective if reporting is encouraged not only in written policy but in ongoing practice.

> Employees should be given multiple ways of lodging complaints anonymously: telephone hotline, web-based email, snail mail.

> These channels should be brought to employees' attention when they join the company and prominently displayed on the company's intranet.

> No one size fits all, but a company should consider outsourcing the task of monitoring its reporting channel(s) in order to give the process more credibility in terms of its objectivity.

> The company should consider making the reporting channels available to suppliers and vendors in order to encourage internal reporting rather than external whistleblowing.

> In-house counsel should be involved in the investigation of complaints and should provide the complainants with status updates on the follow-through.

> For relatively minor allegations, in-house counsel may work with HR or middle-management in the investigations. Where there are allegations of serious criminality or senior executives involved, outside counsel should be engaged.

> A senior, respected member of the legal department should be designated as responsible for the compliance program.

> In-house counsel should educate management about the need to protect, rather than retaliate against, complainants.