Benchmarking Ethics Hotlines

Jan 1, 2007 12:00 PM, PAUL ROTHMAN

CORPORATE COMPLIANCE REPORTING STUDY GIVES COMPANIES A CHANCE TO MEASURE UP

It is an issue that senior management is taking very seriously — and it can have both direct and indirect impacts on security. The rise of Sarbanes-Oxley and other federal laws has brought corporate compliance to the forefront of corporate risk.

Hotlines have been used as a tool by corporate America to track and measure compliance — employees can anonymously report violations using them. But how does a company's program compare to industry standards? Are they getting too many reports? Not enough?

The Security Executive Council and The Network Inc., a provider of ethics and compliance hotline programs, have released the 2006 Corporate Governance and Compliance Hotline Benchmarking Report — the first of its kind — to help corporate and security executives figure out exactly how they measure up in compliance risk to their companies.

“When you are looking at security as prevention, this is a huge issue,” says Bob Hayes, managing director of the Security Executive Council. “Every report represents a potential security issue.”

The report can assist organizations in measuring how their hotline programs compare to similar organizations according to specific variables, such as size, industry type and reported issues. The data provides statistics to help executives understand how their organizations compare and identify areas that need improvement.

“This is all about risk and potential loss to a company,” Hayes says. “Illegal and inappropriate behavior in the workplace — including HR and safety — is a huge security issue.”

Among the report findings:

• 65% of corporate compliance reports received are considered serious enough to warrant an investigation;

• 46% of reports resulted in an investigation with some corrective action taken;

• 10% of reports received related to corruption and fraud issues;

• 54% of individuals reporting through the hotline preferred to remain anonymous; and

• Only 29% of reports stated that they had previously notified management of the issue.

“This allows security to evaluate its company's business units vs. the rest of the industry,” Hayes says. “If there is a discrepancy in a company's reporting that is too big or small for the industry norm, then executives can identify how their compliance reporting is better or worse.”

The report includes aggregate data from nearly 200,000 reports received over a four-year period from more than 500 client organizations of The Network. The report analyzes the impact of a variety of factors, including anonymity, means of awareness, incident category and investigation outcome. Data analysis was conducted by the Security Executive Council, while the Association of Certified Fraud Examiners (ACFE) provided guidance in the evaluation of the data and creation of the report.

For more information, visit www.csoexecutivecouncil.com or contact The Network at benchmarking@reportline.net.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue