Responsibility of the Ethics Hotline in Corporate Functions


Determining the ideal department to oversee the ethics hotline depends on the organizational structure, size, and industry of the company. Several corporate functions can potentially be responsible for managing and operating the ethics hotline, including:

Compliance:

  • The compliance department is often well placed to run the ethics hotline, since its primary role is to ensure adherence to laws, regulations and internal policies.
  • It has expertise in conducting investigations, managing risks and implementing compliance programs.
  • ISO 37001, the anti-bribery management system standard, requires procedures for raising concerns about suspected bribery, a role well suited to an ethics hotline under the Compliance wing. That configuration ensures reports are assessed through a regulatory-adherence lens and handled in a systematic way.

HR (Human Resources):

  • The HR department can also own the ethics hotline, since it is responsible for fostering a positive work environment, addressing employee concerns and promoting ethical behavior.
  • HR has experience in handling employee relations and maintaining confidentiality, which is particularly effective for cases of workplace misconduct, discrimination and harassment.
  • HR's involvement emphasizes the hotline's role as a tool for safeguarding employee rights and fostering a culture of respect and fairness, as suggested by guidance from the Society for Human Resource Management (SHRM).

Legal:

  • The legal department has an in-depth understanding of the legal implications of corporate ethics, ensures compliance with applicable laws and regulations, and provides guidance on legal matters, for example compliance with the UK Bribery Act 2010 and the US Foreign Corrupt Practices Act (FCPA).
  • It can assist in conducting thorough investigations and managing any legal exposure that arises from a report.
  • It can navigate the complexities of confidentiality and legal privilege, providing a secure channel for whistleblowers.

Security:

  • For reports involving corporate fraud, theft and security breaches, placing the ethics hotline under the Security department makes strategic sense.
  • Security teams are experienced in handling sensitive information and conducting investigations, so reported concerns are managed with a high degree of confidentiality and professionalism.
  • In certain industries, such as cybersecurity or defense, the security department may own the ethics hotline because it already deals with sensitive information, insider threats and breaches of security protocols.
  • It can help identify and address unethical behavior that may compromise security.

Internal Audit:

  • Internal audit has the greatest organizational independence of the functions listed here and can assess hotline reports impartially.
  • Running the hotline, however, creates a self-review conflict: internal audit is also expected to provide independent assurance over the hotline's own design and operating effectiveness, and it cannot credibly audit a process it operates.

It is important for companies to carefully evaluate their specific needs, resources, and expertise when determining the appropriate corporate function to oversee the ethics hotline. Collaboration between multiple departments may also be necessary to ensure comprehensive coverage and effective management of the hotline.

What position does the hotline serve within the lines of defense?

The concept of "lines of defense" is a widely adopted framework within risk management and governance, detailing how different parts of an organization contribute to identifying, managing, and mitigating risks. Typically, this model is structured into three primary lines of defense:


1. First Line: Operational management, who own and manage risks.

Pros:

  • Rapid Response: The first line is positioned to act quickly on reports of misconduct, potentially resolving issues before they escalate.

Cons:

  • Potential Conflict of Interest: The first line may face conflicts between managing risks and achieving operational targets, possibly leading to underreporting or mishandling of issues reported through the hotline.
  • Lack of Anonymity and Independence: Employees may hesitate to report issues if they believe the process is not anonymous or independent, fearing retaliation.


2. Second Line: Functions that oversee or specialize in risk management and compliance.

Pros:

  • Specialized Oversight: Being one step removed from daily operations allows for a more balanced and less biased approach to handling reports from the hotline.

Cons:

  • Potential for Bottlenecks: Centralizing hotline reports in the second line can delay the handling of issues when report volume is high or cases are complex, unless there is solid triage and delegation.


3. Third Line: Internal audit functions that provide independent assurance to the board and executive management on how effectively the organization assesses and manages its risks.

Pros:

  • Independence and Objectivity: The third line offers a high degree of independence, providing reassurance to whistleblowers that their reports will be handled objectively and without fear of retaliation.
  • Comprehensive Oversight: Internal audit's broad view of the organization can ensure that systemic issues identified through hotline reports are addressed at the organizational level.

Cons:

  • Perceived Inaccessibility: Employees might view the internal audit as too remote from daily operations, potentially making them less likely to use the hotline.
  • Resource Constraints: The internal audit function might not have the resources to manage and investigate all hotline reports promptly, leading to delays.

The optimal line of defense for hosting the ethics hotline depends on the organization's size, culture, and specific risk profile. A balanced approach might involve the hotline being managed by the second line of defense for its independence and specialized knowledge, with clear processes for escalating issues to the third line where necessary. Additionally, ensuring that the first line is educated about the importance of the hotline and encouraged to support its use can help maintain its effectiveness as a critical risk management tool.

The collaborative approach is the best practice

While each department presents compelling advantages, the most effective approach in managing an ethics hotline is a collaborative one. This involves a cross-functional team comprising members from Compliance, HR, Legal, and Security, each bringing their unique perspective and expertise to the table. Such a multidisciplinary team ensures a holistic evaluation of reports, covering legal, ethical, regulatory, and employee welfare aspects. Companies like Siemens and Walmart have adopted this integrated approach, setting a benchmark in effective ethics hotline management.

What do the existing frameworks and standards suggest?

Several frameworks, standards, and international laws provide guidance for the establishment and operation of ethics hotlines. These include:

Each entry below gives the key characteristics of the framework, standard or law and the function, if any, that it designates as responsible for the hotline.

ISO 37001
  • Key characteristics: requirements for an anti-bribery management system, including procedures for raising concerns about suspected bribery.
  • Responsible function: not explicitly specified; implies a compliance or similar oversight function.

ISO 37002
  • Key characteristics: guidelines for a whistleblowing management system covering the receipt, assessment, handling and closure of reports.
  • Responsible function: encourages a multidisciplinary approach, not limited to a single corporate function.

ISO 19600 (withdrawn; replaced by ISO 37301:2021)
  • Key characteristics: guidelines for establishing, developing, implementing, evaluating, maintaining and improving an effective compliance management system.
  • Responsible function: recommends oversight by the compliance function, with flexibility based on organizational size and structure.

UK Bribery Act 2010
  • Key characteristics: offences of offering, promising, giving, requesting, agreeing to receive or accepting a bribe, plus a corporate offence of failing to prevent bribery, for which "adequate procedures" are a defence.
  • Responsible function: generally falls under the legal and compliance functions.

US Foreign Corrupt Practices Act (FCPA)
  • Key characteristics: prohibits corrupt payments to foreign government officials to obtain or retain business, and imposes books-and-records and internal-controls requirements on issuers.
  • Responsible function: typically overseen by the compliance and legal departments.

Sarbanes-Oxley Act (SOX) 2002
  • Key characteristics: protects investors from fraudulent financial reporting and sets corporate responsibility and financial disclosure requirements. Section 301 requires the audit committee to establish procedures for receiving, retaining and treating complaints about accounting, internal accounting controls or auditing matters, including confidential, anonymous submissions by employees; Section 806 protects whistleblowers from retaliation.
  • Responsible function: the audit committee of the board oversees these complaints.

GDPR (General Data Protection Regulation)
  • Key characteristics: regulates the processing of personal data of individuals in the EU. A hotline processes personal data of reporters, witnesses and accused persons, so its intake, retention and access controls must comply.
  • Responsible function: not hotline-specific; the data protection officer (DPO), where one is appointed, advises on the hotline's data processing.

ISO 26000
  • Key characteristics: guidance on social responsibility, including acting ethically and transparently.
  • Responsible function: not specifically mentioned; recommends broad stakeholder engagement.

OECD Guidelines for Multinational Enterprises
  • Key characteristics: non-binding principles and standards for responsible global business conduct.
  • Responsible function: suggests an internal point of contact but is not department-specific.

UN Global Compact
  • Key characteristics: CEO-level commitment to ten principles on human rights, labour, environment and anti-corruption, and to the UN sustainability goals.
  • Responsible function: not department-specific; focuses on the overarching commitment.

OCEG (GRC Capability Model)
  • Key characteristics: integrates governance, risk management and compliance processes.
  • Responsible function: advocates an integrated GRC function without specifying a department.

US Federal Sentencing Guidelines for Organizations (FSGO)
  • Key characteristics: guidelines federal judges use to sentence organizations convicted of federal offences; Chapter 8 defines the elements of an effective compliance and ethics program, including a publicized system through which employees and agents can report or seek guidance on potential misconduct, with mechanisms for anonymity or confidentiality and without fear of retaliation.
  • Responsible function: highlights the importance of an effective compliance and ethics program, without specific departmental guidance.

U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs
  • Key characteristics: criteria prosecutors use to assess the design, resourcing and effectiveness of a corporation's compliance program, including whether a confidential reporting mechanism exists and how investigations are scoped, resourced and tracked.
  • Responsible function: suggests operational independence and adequate resources for the compliance function, without prescribing specific departmental oversight.

COSO Internal Control – Integrated Framework
  • Key characteristics: a comprehensive framework for evaluating and improving internal control systems; its control environment principles expect deviations from standards of conduct to be identified and addressed in a timely manner.
  • Responsible function: suggests oversight by management and the board, but specific hotline responsibility is not detailed.

Conclusion

Deciding which corporate function should manage the ethics hotline is a strategic decision that requires careful consideration of the organization's unique needs and ethical landscape.

While each department offers specific benefits, embracing a collaborative approach that leverages the strengths of Compliance, HR, Legal, and Security functions stands out as a best practice. This multidisciplinary model not only aligns with existing frameworks and international laws but also exemplifies a commitment to fostering an ethical corporate culture.

Ultimately, the effectiveness of an ethics hotline is determined not just by who manages it, but by how it is integrated into the broader ethos and operational framework of the organization.