Better the Devil You Know Than the Devil You Don’t

John Hanson | Corporate Compliance Insights

Statistically, more reports about fraud and potential compliance & ethics deviations are made through the management chain of command than through a “hotline.” While chain-of-command reporting is, in my opinion, the better path, it could also remove a significant compliance control feature – assuring that the compliance officer is made aware of such complaints.

As a corporate monitor, I routinely look for and test awareness of a compliance policy that requires managers, department heads, etc. to promptly report to the compliance officer any complaints made to them that include or relate to potential compliance and/or ethics violations. Such a policy is the first step in helping assure that the compliance officer is made aware of such complaints. Not only is this important in that the compliance officer should have a lead role in any investigation involving compliance and ethics violations, but it also helps the compliance officer remain abreast of new or developing compliance and ethics risks that he or she may need to address and/or incorporate in their annual risk assessment.

Reputational Compliance

Once such a reporting policy is formalized, the next step is to frequently and clearly train and communicate with management about the policy. While this can be done in the context of traditional compliance training sessions, it may be more effectively communicated by incorporation into routine management meetings, management communications, etc. A few comments about this during every such meeting or communication can be highly effective.

It is also important that management be held accountable when they don’t report a compliance- and/or ethics-related complaint to the compliance officer. Line-level supervisors may receive many such complaints that they, in their sole discretion, determine need not be reported to the compliance officer. Objectivity is a real concern, and line-level supervisors may not want to report such complaints for many reasons, including, but not limited to:

  1. a close relationship with the person being complained about;
  2. concern about their own job due to a failure by them to effectively apply certain internal controls (e.g., time sheet reviews) that permitted the fraud or inappropriate activities to occur;
  3. concern that an internal investigation may be disruptive to their operational responsibilities or client relationships; and
  4. their knowledge of and/or complicity in the fraudulent or inappropriate activity being reported.

A policy that requires such reporting removes their discretion. If they then do not report such complaints, they have technically violated a compliance and ethics policy and should face consequences commensurate with the violation, up to and including termination of their employment.

It is much better for the organization as a whole that the compliance officer is made aware of all compliance- and ethics-related complaints. If a compliance officer is not made aware of such complaints, he or she cannot assure that they are investigated in accordance with the company’s internal investigations policy, which should be designed to assure not only that a thorough and effective investigation occurs, but that the findings are appropriately reported (internally and externally) and any failures in internal controls are appropriately remediated.

Presence of mind is peace at heart and “better the devil you know than the devil you don’t!”

