Whistle-blower policies are designed to advance public-policy objectives and to promote public accountability in organizations of all types. Created to pierce corporate and public agency “walls of silence” concerning illegal activity, these laws and policies are intended to protect employees who report corporate wrongdoing, illegal conduct, internal fraud, and discrimination against retaliation. Promoting such transparency is critical to the public accountability of corporations, government, and nonprofits.
General public-policy imperatives aside, human resources, executive consultants, and organizational leaders have come to view internal whistle-blowing policies as crucial tools. Organizations can use these tools to identify problems and successes in the workplace, workforce, and leadership early on. With these mechanisms in place, intervention and prevention methods can strengthen and support a
workplace culture of integrity, openness, transparency, and, above all, two-way communication.
Consistent with this dual use of whistle-blower policies, there are (1) myriad laws relating to whistle-blower reporting and protection, including the whistle-blowing provisions of the Sarbanes-Oxley Act enacted in the wake of the Enron scandal in 2002 and (2) an evolving range of sophisticated ethical principles and models that support the adoption of appropriately adapted policies in entities of every size and from every sector.1
So what is the problem? Why are many employees, at every level, and even in “compassionate” nonprofit organizations, reluctant or fearful to report anything up the ladder that is not positive? If they do and subsequently face adversity, what is the remedy? What can we suggest to these employees and to organizational leaders?2
We begin with some facts as we often hear them: first, the laws and policies related to whistle-blower protection—and their real use and efficacy in nonprofit organizations—are two very different things. This presents a major issue for those employees who are weighing whether to report an organizational issue. Many maintain that it’s unrealistic to expect employees to whistle-blow in nonprofit organizations, particularly in smaller ones, because these employees worry about doing damage to the organization and because they fear retaliation. Such employer backlashes are often veiled as actions taken for other reasons. Only complicating the second point, many nonprofit employers believe that if fully implemented these laws and policies can be abused by disgruntled litigants to “cover themselves” from adverse employment decisions. In this kind of potentially obscure situation, nonprofit leaders have to be proactive to ensure organizational health; and one of the most important goals should be to create a “climate of corporate integrity.”3
First, it is essential to distinguish between true whistle-blower laws and broader protections where whistle-blowing isn’t the central purpose of the law. While the latter are components of a healthy workplace, they are sometimes mislabeled as whistle-blower policies. Massachusetts, for example, currently has 36 statutes on the books that include whistle-blower provisions and that prohibit discrimination against employees who report conduct covered by the law. But these laws stem largely from the civil-rights arena, which ushered in protections for minorities and women, for example, then came to include environmental and safety provisions, then anti-harassment protections, and now, post-Enron, encompass all kinds of fraud.
As far as state laws protecting whistle-blowers go, Massachusetts is about as good as it gets. The more commonly cited federal law provides more narrow protection for whistle-blowers, typically extending only to employees who “report” or “disclose” to authorities what an employee believes to be either an illegal activity on the part of the employer or the employer’s engagement in an activity that poses a threat to public health or safety. The Sarbanes-Oxley whistle-blower statute, for example, protects employees who provide information, cause information to be provided, or otherwise assist in an investigation regarding any conduct that an employee reasonably believes constitutes a violation of SOX.4 While SOX does not apply explicitly to nonprofits, we always recommend that nonprofits voluntarily comply with this statute. Another federal whistle-blower statute that applies to the nonprofit and health-care sectors is the False Claims Act (FCA). Its scope covers entities that participate in Medicare and/or Medicaid. Its whistle-blower provision is broader and covers retaliation against employees who expose false claims.5 Many nonprofits are now legally required to educate their employees regarding FCA and its whistle-blower protections as well as any state-law counterparts.6
The Whistle-blower Protection Act of 1989 (WPA) also provides narrow protection. WPA protects federal employees from any retaliatory action based on an employee’s “disclosure of information” that the employee “reasonably believes evidences (i) a violation of any law, rule, or regulation or (ii) gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety.” This standard protects employees only in connection with “disclosures of information” and not from other, less clear-cut “reporting” activities.
Most states are consistent with federal laws,7 while some afford employees more protection than does the federal scheme. Massachusetts and New Jersey have broadened the scope of whistle-blower statutes by extending protection to employees who experience retaliation at the hand of their employers for cooperating with law enforcement without requiring that they disclose specific information about the employer.8 Employers in Massachusetts, therefore, are held to a much higher standard with regard to whistle-blowers than that required by federal statutes such as WPA.
Although some state laws are more liberal than others, these generally narrow protections are often insufficient or poorly understood by employees; in many kinds of organizations, employees don’t speak out or, despite federal and state law protections, are retaliated against when they do.9 In the nonprofit sector, where many organizations are small and anonymity is largely impossible, it will take more than law and the policies in place to achieve the positive goals we intend when we argue for the creation of a culture of integrity. This kind of culture requires that employees are encouraged to speak up without fear of retaliation, ostracization, or of being held responsible for harm done to their organization.
Still, despite the fact that there is only a narrow range of conduct actually encompassed by whistle-blower laws, not every nonprofit has whistle-blower policies in place. Nonprofits are not exempt from these legal and policy requirements, and we strongly urge readers to implement these important policies. Principle four of the Nonprofit Panel Guide—a statement of accepted best practice in the nonprofit sector for organizations of all kinds—indicates the widespread acceptance of these policies. Indeed, attorneys general who oversee nonprofits often recommend these policies, as does the first report of the Panel on the Nonprofit Sector. Additionally, most best-practice guidelines on nonprofit governance include standard whistle-blower policies. It should be noted that most recommended whistle-blower provisions are linked only narrowly to fraud or discrimination. So for the purposes of this discussion, we assume that all nonprofits understand and will comply with the law.
Some nonprofit employers hold exaggerated fears that employees will misuse whistle-blower policies to protect themselves from termination for other cause. In reality, the risk and exposure of attempted abuse can be handled by advanced planning and, as we have sought to demonstrate with our clients, good counsel. Instead of fretting about employee misuse of whistle-blower policies it’s better to embrace the spirit of these laws. This protects honest employers better than any other course.
We are concerned about nonprofits that have whistle-blower policies in place but that nonethless continue to have a culture where employees are reluctant to speak out. The act of speaking out is often threatening because the organization is too small and lacks anonymity, because the reporting employee fears retaliation, or because the employee fears others may assume that he is whistle-blowing to distract from his own poor performance. These fears are not unfounded and, if borne out, can be career breakers. They can also harm organizational integrity and threaten the quality of our work.
In many situations, where an employee observes an ethical lapse that he does not know is illegal, the decision to report is really a matter of discretion. But here you have the chance to establish a threshold. The question is whether employees are encouraged to report regardless of whether the reportable behavior is a clear violation of the law or simply an ethical violation of the values of the organization or sector standards. Does the employee feel protected by the organization’s written policies and culture? If employees are comfortable reporting minor matters, it is more likely that major ones will be addressed.
After reviewing the excellent array of best practices in every sector, we believe that while there is no silver bullet to address the problem, there are nonetheless solutions. The initial keys involve training, evaluation, supervision, monitoring, independent systems for reporting up to the highest levels of an organization, and, above all, inculcating the values that will change the culture from and at the top: that is where change really matters and truly begins. To that end, we need to devise policies and systems that focus on encouraging reporting, beginning with a board focal point and a C-suite executive whose job description includes ethics enforcement, as well as systematic ethics training that focuses on the gray areas, not just the black-and-white areas where reporting should happen. Training in decision making is important for employees and should include executives. An organization’s board should also periodically be subject to independent monitoring.
One example stems from the role of one of the coauthors of this article as the independent chair of the audit committee for a small influential international nonprofit organization. In this case, an employee who wanted to report a potentially confidential issue to the CEO contacted the coauthor. The employee was most concerned about suffering from reprisal; reporting the issue would inevitably expose her if it got out, because she was the only employee at this organization with access to such information. The employee’s ability to report the matter to an independent party provided her with assurance that someone else was aware of the situation and that employer retaliation would be difficult. Because it was crucial that the organization’s nonprofit management learn about the issue, the coauthor encouraged the employee to report the information. Again, a culture of integrity where employees at every level are encouraged to openly air concerns not only benefits staff and morale but also the organization as a whole.
In another example, at the Massachusetts Office of the Attorney General, it became clear that, when effective systems are in place, reporting can be effective. The coauthor’s legal counsel—who was responsible for implementing the office’s policies on ethics, professional responsibility, policy compliance, and upward reporting—was tasked with ensuring that we were the first to hear bad news (such as mistakes, poor performance, errors in judgment, citizen and staff concerns) as well as success from our 500–person staff. This system often prevented the escalation of minor issues to major ones.
Ethics and compliance officers have a wealth of knowledge about reporting policies.10 The sad reality, however, is that many nonprofit community leaders have ignored or dismissed such expertise; many consider their knowledge intrusive, costly, even unseemly. Organizations that have seen the light have tended to do so in response to a crisis, such as the Smithsonian, American University, the Red Cross, the Boy Scouts of America, Oral Roberts University, the Catholic Church, correctional facilities and police departments, pension boards, the United Way, foundations, or community-based organizations. While many of us talk the talk when giving others advice, far too few of us in the nonprofit sector walk the walk; we need to emphasize that you pay now or later, but you will pay eventually.
In this new era of nonprofit governance realities, we face external accountability, tighter financial realities as well as greater scrutiny and constituent activism. As in the case of the notorious public and corporate scandals (including the recent subprime mortgage fiasco and profiteering private contractors in Iraq ), insiders and employees at all levels had information. Had this knowledge been communicated openly within these organizations, it might have prevented problems and protected leaders from reputational and financial demise. We owe it to the public to listen to these insiders who speak truth to power about where our practices shortchange the public interest, trust, or benefit.
That said, we are left with the challenge of how to advise skeptical employees who have useful information but wonder whether they will become victims of having disclosed information. Another question is, how can we advise cynical CEOs or boards about handling this issue without juggling it like a grenade? Based on our experience, we believe that one person—whether as a reporter of misconduct or as an executive who is receptive to the concern—can make a difference. To our great surprise, it is rare that any serious concern is not already on the minds of other employees and executives, but these employees are still reluctant to act.
Many leaders wrongly assume they will be told if there are problems. In the absence of hearing complaints directly, they assume things are working fine. In fact, we believe these kinds of power-constructed ear plugs are more the rule than the exception.
In these cases, employees may reach their limit and report to external parties. Reporting confidentially or anonymously is at least a response; and in most cases, reporting to an external agency charged with the responsibility for enforcement is the least you should do. In fact, if you do not report concerns externally, you may not be legally protected. The Web also offers various new reporting avenues.
At the end of the day, we place responsibility where it belongs: on leaders in the executive suite and the boardroom. Creating an organizational culture of constructive self-criticism is not a choice but an obligation that you avoid at great peril—to your credibility, your reputation, and yes, to your obligations as a leader. One of the coauthors has faced such situations as an elected and appointed CEO of major public and nonprofit institutions, as well as in his capacity as a board member and adviser. These positions come with the power, but also the obligation, to lead, and we should view that as an opportunity arising out of the joy and privilege we have (albeit often with some pain and heartache) to be leaders of these worthy entities. At a minimum, it is in our best interests to be the first to deal with a problem, mistake, or crime—and to be sure we have a system that ensures that we do. We must then construct a strategy and a corporate ethic that enables us to be the first to remedy it.
1. See, for example, principle four of the Panel on the Nonprofit Sector’s Principles for Good Governance and Ethical Practice: A Guide to Charities and Foundations and the legal references therein. (http://www.nonprofitpanel.org/report/principles/principles_guide.pdf).
2. For an outline of the “whistle-blower” issues under Sarbanes-Oxley and other laws as applied to nonprofits, see “Does the Law Protect Whistle-Blowers?” on page 42.
3. Scott Harshbarger and Robert Stringer, “Creating a Climate of Corporate Integrity,” Corporate Board, 10, May/June, 2003.
4. 18 U.S.C. § 1514A. Sarbanes-Oxley Act. Section on civil action to protect against retaliation in fraud.
5. 31 U.S.C. § 3730(h). The False Claims Act. Section on civil actions for false claims.
6. 42 U.S.C. § 1396a(a)(68). Deficit Reduction Act of 2005. Section on state plans for medical assistance.
7. For example, the Florida whistle-blower statute protects an employee who “objected to, or refused to participate in, any activity, policy, or practice of the employer which is in violation of a law, rule, or regulation.” Fla. Stat. Ann. § 448.102(3) (West 2007). Although on its face this broadens the spectrum of protected activity, Florida courts have held that the employee must clearly identify a violation by the employer of a particular law or regulation in a memo to the employer “with substantial reason to question” the employer’s conservation programs was not specific enough to meet the standard. Schultz v. Tampa Elec. Co., 704 So. 2d 605, 606 (Fla. Dist. Ct. App. 2d Dist. 1997). So while the statute may afford protections that are broader than the federal statute, the courts have limited this protection.
8. The Massachusetts whistle-blower statute not only protects employees who disclose information to “any public body conducting an investigation” into a violation of law or public policy but has also been interpreted by courts as protecting employees who cooperate with law enforcement authorities (see Mass. Gen. Law ch. 149 § 185(b) ).
9. See “Does the Law Protect Whistle-Blowers?” on page 33, for example.
10. See, for example, the Ethics Resource Center’s recent publication “Leading Corporate Integrity: Defining the Role of the Chief Ethics and Compliance Officer,” November 2007.