Conducting investigations into malpractice is a vital process for any organization; however, it can also be time-consuming, expensive, and stressful. To ensure all stakeholders reap the full benefits of the process, firms need to change the way they deal with the findings.
Leaks and whistle-blowers that expose poor practice or abuse will never be greeted as good news. The way businesses deal with them, however, determines whether they leave an organization stronger or weaker. Unfortunately, the reaction to unwelcome disclosures is often focused purely on limiting the damage. It is too rarely used to drive improvements.
The impulse, in many cases towards containment and control, is both understandable and necessary. Sensitive and commercial information needs to be protected, as does the privacy of the individuals involved—particularly before any wrongdoing or culpability is established. But the reaction often goes beyond this, to a defensiveness that is, ultimately, counterproductive.
Defensiveness can manifest in several ways. At its worst, it may mean whistle-blowers’ revelations or complaints are covered up or never investigated at all. A recent report suggests this is all too common. The second Silence in The City report was published earlier this year by the charity Protect, which runs an advice line for whistle-blowers. Based on over 350 calls by those in the finance sector over the last two years, it found a third of whistle-blowers said their warnings were ignored. Two-thirds of these also suffered victimization at the hands of their organization. And more than half of those said their complaints about being victimized were also ignored.
There have been well-publicized examples of investigations trying to identify the whistle-blower, rather than address the issues raised. Indeed, one of the demands of campaigners such as Protect is that UK law should put a positive duty on employers to prevent victimization and should address the wrongdoing that whistle-blowers expose. Current law, they say, is toothless.
Nipping It in the Bud
Organizations should not need to be compelled to take allegations of abuses seriously (wherever the accusation comes from). Nor should they require the threat of legal action to treat whistle-blowers fairly. Both are self-evidently in businesses’ interest. Yet a focus on keeping accusations quiet can lead organizations to lose sight of this.
One consequence is unnecessary employment disputes. One potential impact of a reform of the UK legislation on whistleblowing is that more claims by employees, who suffer detriment as a result of raising concerns, are successful. Even without reform, though, disputes are time-consuming, can be costly and do little for a business’s reputation or staff morale.
More seriously, a failure to investigate appropriately can prevent businesses from addressing issues that should be addressed. At its worst, this may mean the specific allegations of wrongdoing are temporarily silenced, only for them to emerge later, resulting in even greater reputational damage, regulatory sanctions or both. There is no shortage of examples, and again, pressure for new legislation in the UK (with private members’ bills currently in both the Commons and House of Lords) may soon make the consequences felt more frequently.
Even where investigations do address the issues identified by whistle-blowers or leaks, the desire to keep findings confidential can have negative consequences. One is that it surrenders the narrative to others if the organization’s efforts to keep the findings confidential fail—a real risk in a world of ubiquitous social media. More generally, it can prevent lessons from investigations being drawn and applied elsewhere within the organization. This is perhaps the greatest danger of all.
Learning From Mistakes
There are two respects in which constraining an investigation may prove damaging. First, if the findings are not shared appropriately, and the investigation is too constrained in its scope, the same problem may occur again elsewhere in the organization—in another territory or department. An isolated incident that is dealt with quickly and quietly can, as a result of that very discretion, emerge later as a systemic failure. In seeking to limit the reputational damage, organizations may store it up. They can snatch defeat from the jaws of failure.
That risk can be mitigated by, first, ensuring that any investigation’s scope allows for the possibility of abuse elsewhere, and second, by sharing its findings with those in the organization who could prevent similar abuse elsewhere.
More commonly, however, incidents prompting an investigation may point to broader issues. Rather than merely addressing the symptom, organizations should seek to identify the illness. Root cause analysis should examine what apparently isolated incidents may say about the weaknesses in the organization’s policies, procedures, controls or culture—and how these could manifest in other ways. The endpoint of an investigation should therefore be the starting point for serious review and reform of these areas. Effective investigations need to be followed by remediation of the underlying problems.
It’s by drawing these broader lessons that organizations can turn investigations into an opportunity to prevent future abuses. And it’s the failure to do so that means we too often see a scandal in one area (such as Libor rigging) later repeat in another (such as the foreign exchange trading); different teams and markets but the same cultural causes.
If they wish to prevent this, organizations must be willing to break down information silos and engage with the bigger picture. Organizations need to be braver and ensure they acknowledge, remediate and learn from mistakes rather than brush them under the carpet. Those who cannot learn from history are doomed to repeat it.
This article was first published in Global Banking and Finance Review on February 9, 2021.