Eugene Soltes, associate professor of business administration at Harvard Business School, joins The HR Risk Podcast to discuss best practices for compliance hotlines. Subscribe to The HR Risk Podcast on iTunes/Apple Podcasts, Stitcher, or your favorite podcast app!

Jennings: Our topic today is Best Practices for Compliance Hotlines. Many organizations provide anonymous–or sometimes not-so-anonymous–hotlines for employees to report misconduct they witness or suspect, including financial misconduct, workplace harassment or discrimination, or other issues. Joining us to discuss this topic is Eugene Soltes. Eugene is the Jakurski Family Associate Professor of Business Administration at Harvard Business School, where his research focuses on corporate misconduct and fraud, and how organizations design cultures and compliance systems to confront these challenges. Last spring, I was excited to come across Eugene’s research in an article he and a co-author wrote in the Harvard Business Review, Why Compliance Programs Fail—and How to Fix Them. Eugene, welcome to The HR Risk Podcast.

Soltes: Hi, it’s a pleasure to be joining you.

Jennings: You’ve spent part of your academic career studying hotlines, including working directly with some big companies and some corporate attorneys to understand the role that hotlines play in reducing risk and meeting compliance obligations. Could you give us an overview of the research you do? Why do hotlines matter, particularly in the HR and workplace contexts?

Soltes: It’s incredible to look at the work about “how do violations in the workplace get reported?” The overwhelming evidence is that tips and hotlines are the most valuable source. One of my colleagues at the University of Chicago, Luigi Zingales, and some of his co-authors actually did a paper where they looked at “how do violations get reported?” and they find that actually it’s employees–more so than auditors, analysts, the media–who are the people that are most frequent to report misconduct and are actually the source of what gets detected. And similar work by the Association of Certified Fraud Examiners finds that, I believe it’s 40% of all cases of misconduct are detected due to tips. It’s not only that this is how they’re detected, but it actually shortens the length of the misconduct. So having an avenue which employees can report things that they observe–that not only are potential legal violations, but things that are undermining the culture of the workplace–it should be absolutely paramount. And that’s just over and over again in the research literature.,

Jennings: There’s an element that knowledge is dispersed within an organization and the people who live the knowledge on a day-today basis are the folks who work there. And so it makes sense that they would be the richest source for those types of tips and that information, even more so than outside folks like auditors would be able to pick up. Let’s say that I’m a general counsel, or I’m a compliance or HR executive, and I come to you and I say, “we’ve never had a hotline, but we’re starting one. We want to get one set up and we want to do it the right way.” What would you say to this person in terms of “these are the best practices, these are the objectives that a hotline really needs to be achieving and here are the elements you need in order to achieve those objectives”?

Soltes: The first question to ask, “what are you setting this hotline up for?” I think naturally the first thing that people think about is liability and the natural benefits that come with that. There’s a number of large hotline carriers that can provide 24/7 service in a variety of different languages to address what I think are a lot of the liability concerns with not having a hotline. But I think the next question is “what are you seeking to achieve with this within your firm’s culture and how will this support what you want to achieve from a conversation of people being able to and being willing to speak up?” Because I think one of the challenges that arises is you can set up a hotline and so you’re going to get that information, but do you have the support and resources to actually then do the investigation?

Soltes: Do you actually have the ability, that if someone comes and gives something anonymous through a hotline, that you’re going to be able to get to the bottom of that? And that’s not a trivial matter. Even the largest, most sophisticated firms in the world really struggle with that and the challenge that leads to it is if an employee brings you a complaint, does so anonymously, provides imperfect information and then doesn’t follow up later. Even if you give them a path to follow up later on, they’re going to blame you, the organization, for not being able to resolve this, for not addressing the manager who’s harassing or discriminating against someone. I think it’s not just the putting up the hotline. That’s really, I think, the easy part. The hard part is then how do you create the system and environment around a hotline to actually support that environment? To have a setting in which employees feel what they’re placing in the hotline is actually being valued. And I should note that if there are any listeners that are actually in the process of just setting up their first hotline, I would welcome them to drop me an email because this is an area that some of my colleagues and I are doing some work on. We’d love to know how people are actually thinking about this.

Jennings: I think that’s a great invitation for the listeners. And maybe as part of that, could you give us a little bit more flavor about your background as an academic researcher and what you’ve been doing in the hotline space?

Soltes: Of course. Over the last decade, most of my research at Harvard Business School–and increasingly my teaching–has been focused on misconduct that occurs within an organization and then how to develop both cultures and processes and systems to help mitigate that. And as part of that is “how do we mitigate misconduct?” We can think of codes of conduct. We get think of monitoring programs. We can think of analytics. There’s a whole host of different ways to really attack those challenges. Hotlines is one of the central ways of doing that. Much of my work originally focused on the psychology and organizational process associated with misconduct. Frankly, why reasonable, often smart, well-intentioned managers go on to engage in conduct that’s not only adverse to their organizations, but also adverse to themselves. Why does that happen? What are the social norms that actually give rise to that? How do managers actually influence that for the better or worse within their organizations?

Soltes: And so that’s where I spent a lot of my time. I actually ended up spending a lot of time with managers and senior executives who themselves engaged in misconduct, to try to better understand what happened, why that actually arose, and why they in some instances didn’t actually see the dramatic ramifications that were going to occur down the road. And now much more of my research is trying to figure out–now that I gave a better grip on the “why” question–the drivers of it is what can we do. How can we design the processes so they’re actually effective in mitigating this, and not simply things that help insulate the firm and provide legal protection?

Jennings: You’ve probably identified a lot of best practices in that research, at least for compliance hotlines. And I expect that you’ve probably seen some examples of not-so-best practices. Are there not-best practices that you would point out that companies should avoid?

Soltes: I’ve definitely seen a couple. I’ll give two examples, but there’s a whole host. One is just simply not actually having one hotline, actually having three, or four, or seven different ways. I’ll give the example of my own university, which really has done just tremendous work of trying to give students ways to speak out. It historically always gets in the bathrooms. And this happened since I was a college students, even when I joined the faculty, there was always posting of eight different numbers one could call, different resources. On one hand that was great, the university trying to help people. But the problem I always look at is if someone’s looking, just needs help, and wants to report something, where do I even start?

Soltes: So I can say I was thrilled when I actually saw at the beginning of our academic year our new posting where there’s a centralized number: this is where you start when you have an issue or concern and then that number will actually help to find the appropriate resource, whether it’s helping you, whether that’s making a report of something serious that happened. In some ways trying to be too supportive and providing too many resources can actually be compromised information. And it actually makes it just more difficult for an organization to actually even collect everything that’s going on. The second I will mention–and this is the one that probably frustrated me more than others in recent research I’ve done–we’ve actually tested and looked at hotlines for large organizations. So many organizations that say they have an anonymous hotline, to be honest, don’t, and I’ve seen this in a couple dramatic ways. In a recent paper I wrote, we were looking and calling hotlines to examine them, large respected firms. One firm that had an email hotline–so very convenient that people could send something from their smartphone–we actually sent a question–in fact we had allegation that we wanted an answer to–and we got an immediate email response back saying: “we care a lot about these potential violations. We really want to help you through this. But actually we only accept emails from employee email accounts. Can you please re-send this from your employee email account?”

Soltes: We sent it from an anonymized email account deliberately because this hotline was designed for Sarbanes-Oxley, which actually requires an anonymous hotline, at least for accounting and auditing matters, although most firms use the same hotline for their auditing accounting matters under SoX that they would also use for HR reasons. To be honest, this was not only undermining it, but this was in direct opposition to having an anonymous hotline. And we found many examples of that, variations of people asking that “we need you to provide more information to be able to really get to the bottom of this.” I think there’s other ways to go about this. You don’t need the person’s name to get the information you need. You need the underlying information. So if people are being vague and not telling you where something happened and they’re being an anonymous, you’re right, you’re not going to be able to substantiate get to the bottom of it. But someone could still be anonymous. You can still get the kind of information you need to do an effective investigation. That’s where I think we need to be a little bit smarter about how we design those hotlines, what information we ask from people that are calling them, and then how we ultimately resolve the matter at the end.

Jennings: I think that’s a really good point. From a practical standpoint, it sounds like not a good idea to have an HR hotline and an accounting/audit hotline and an ethics hotline or other hotlines. And also anonymity shouldn’t just be a word that’s thrown around. To have a system that is clearly not anonymous breeds cynicism. It potentially could reduce the candidness, the willingness of somebody to come forward with information that they think the company ought to have. In your article in the Harvard Business Review, you address the disconnect between having a compliance program for just check-the-box purposes versus one that’s really intended, and really designed, to reduce risk and increase compliance. Could you explore that disconnect a little bit as it relates to hotlines and HR issues?

Soltes: I think the real challenge that arises in misconduct-related issues and organizations is we so often see these different risks as being quite siloed. So the HR risk falls under HR, harassment, discrimination; legal compliance risks fall under compliance or the general counsel, and these things are separate. What I can say from the recent research we’ve been doing is that these things are absolutely interrelated. We actually find some (still quite preliminary) evidence suggesting that unsubstantiated HR issues are leading indicators of later financial compliance violations. Effectively, someone is being harassed by their boss. They report this to the organization. The organization doesn’t do anything because, perhaps, the harassment is not illegal harassment, and so it’s not substantiated. Nothing happens to that manager. And then what do we see six months, nine months down the road?

Soltes: We see that employee in some sense, I think, frustrated with the organization: not taking responsibility, showing up late, being sloppy, taking resources from the organization, so effectively committing a whole different kind of violation that is not only bad to the organization, but also to themselves. I think we need to think about how these things are interrelated. One of the challenges with HR investigations is there’s a host of liability reasons why you can’t necessarily get it back to employees about the outcome of a allegation. But what a number of firms are doing–and I think is really innovative–is not getting back to people about necessarily “we fired that person” or “we didn’t,” but coming back at the end of an investigation and asking people how they felt they were treated during the process.

Soltes: So for issues that are not under litigation, going back to people that were both accusers, but also people that were potential victims, people that were alleged to have engaged in violations, going around and figuring out, “do you feel that you are treated fairly in this process? Do you feel that your concerns were adequately heard?” They might not agree with the outcome. In fact, they might deeply disagree with the outcome to the extent that they have visibility around that, and that’s something that can’t be changed. But what one can do is to make sure that people feel respected throughout that process. And I think that’s ultimately what people really need from the organization. That’s one another kind of innovative way to start thinking about the whole ecosystem.

Jennings: I think that’s such a good point regarding just how people are treated in the process. So often I think employment charges that are filed with an employment commission, or litigation that’s filed, may not be driven entirely by the underlying conduct. It may be driven by just a dissatisfaction with the process that happened internally, or a feeling that the process was roughshod or didn’t really take into account or take seriously the allegations or complaints that were made. And that can definitely create some righteous–and understandably so–some righteous indignation on the part of employees who bring issues forward. For HR leaders who are thinking about hotline efficacy, what are some metrics that matter in terms of whether issues are getting reported in a hotline? It’s one thing to set up a hotline and announce that it’s available. It’s another thing to get those issues reported and have some confidence that it’s fairly comprehensive, or that it’s getting a good amount of the issues that exist. How can those metrics be collected and analyzed? And does it take having a PhD in economics or statistics to be able to assess whether you’ve got an effective hotline or not?

Soltes: Luckily no, but I like to think there’s some extra tricks one can do if you went to an excessive amount of school like I did. Let me give one easy idea, and that’s surveying, and some very basic survey questions that can be asked. It’s fascinating. If you ask people within most organizations “if you see a violation, will you report it?” in solid organizations that are pretty well-functioning, you are going to see 90%, 95% of people saying “yes, of course. If I see a violation, I report it, naturally.” Then later on in the survey, ask them a slightly different question: “did you see a violation in the past year?” So people will say “yes” or “no.” And then ask the question “if you saw a violation, did you report it to your manager, hotline, something, some source?” What you’ll find, in every organization I’ve ever looked at, it’s a dramatically different answer.

Soltes: You’re not going to see 95%. You’ll probably see something like 30%, 40%, 50%. Most violations that people observe, people don’t report them even though they say they will. I think this actually says something really profound about people’s behavior. If you ask people “why,” they’re concerned about retaliation, but there are also other concerns that people have. They just don’t want to see someone they work with get fired or punished because of something they had done. They don’t know if they have all the information. There’s a whole host of complex reasons that could potentially contribute to this, which are worthy to explore. But monitoring that metric about people’s willingness to speak up, conditional on having seen a violation, it’s a very simple way to start figuring out whether you’re actually detecting the kinds of information that you want, and, incidentally, what part of the iceberg, so to speak, is above water and what’s below.

Jennings: Oftentimes we think of hotlines as being a reactive tool, particularly if it’s more of a check-the-box function of “we’ll subscribe to a hotline service,” for example. “Here’s the number, here’s the email address, here’s the portal you can go to” and maybe it’s used and maybe it isn’t, but is there a way that you see for hotlines to be more proactive in preventing issues versus just being there to detect issues after the fact? If so, what can companies do to achieve that?

Soltes: Absolutely. This is a simple one: change the name. “Hotline” is a source where people think they need to have seen misconduct or alleged misconduct and they’re reporting. Simply change the name “hotline” to “help line.” People now see this as a source where they can not just report misconduct, but a place and a resource they can actually go to ask questions when they’re potentially uncertain about how to react or behave. Organizations I know that changed the name from “hotline” to “help line” have seen a dramatic increase in activity on that contact line. And that’s not because people are reporting more misconduct, but because people are now using it as a resource to figure out how to resolve issues in a preventative manner, thinking forward, rather than just a behavior that’s already occurred.

Soltes: I think so many of the hotlines have been created primarily as a liability tool: “so we posted a number, we’ve satisfied our Sarbanes-Oxley requirement, we’re making sure for EEOC violations, we know there’s somewhere where people can report there’s a harassment issue.” But people are not really thinking about how help lines or hotlines actually support the firm’s culture. And so I think the kinds of questions you were asking in our discussion were really going to the latter: “how do we create a help line to actually support a firm’s integrity culture rather than simply managing their liability risk?”

Jennings: It sounds like there’s a lot of opportunity there for hotlines and other reporting tools to move from a more reactive standpoint to a more strategic and proactive standpoint. I appreciate your insights on some things that we can do as HR leaders to move forward with that. Eugene Soltes, thank you for joining us on The HR Risk Podcast.

Soltes: Well, it was a pleasure joining you.


Comments are closed.