As we see repeatedly in reports of current events, a workplace’s culture is often at the heart of ethical and regulatory misconduct. Corporate leaders are grappling with strategies to win back market share and deliver profits to the bottom line. In eliminating or downsizing groups inside an organization, a certain amount of institutional memory gets lost – and governance models are rarely reworked to reflect the new reality. While some processes to identify, report, and repair misconduct are operational because of the role of government regulatory oversight, most companies struggle with how to identify problems early and create a more transparent workplace where “speaking up” is expected.
Speaking up can take many forms, and smart companies describe the pathways to their employees. The last resort and most formal of the options is called whistleblowing, and is defined in the legislation that created the Whistleblower Protection Act of 1989 that covers federal employees who report misconduct. The Sarbanes-Oxley Act of 2002 (SOX) covers employees of publicly traded companies related to financial fraud. The Dodd-Frank Act of 2010 includes whistleblowers in the area of securities laws. All are administered by the U.S. Securities & Exchange Commission (the SEC). Ironically, Edward Snowden, who leaked classified National Security Agency documents in 2013, does not qualify for protections under any of these government programs because he was a subcontractor, not an employee. A more recent example of a whistleblower is John Barnett, 62, a quality control engineer at Boeing for 32 years. Suffering from stress related to his reporting and preparing for an appearance in front of Congress, he was found dead, reportedly from a self-inflicted gunshot wound.
No one ever reaches this level of whistleblower status without having tried, usually for years, to point out to their bosses the violations and/or safety issues they see. At the federal level, the protections afforded by the original 1989 and 2002 acts were strengthened in 2012. From the website of the Office of the Comptroller of Currency:
“The Whistleblower Protection Enhancement Act of 2012 was signed into law on November 27, 2012. The Act strengthens protection for federal employees who report waste, fraud, and abuse in government operations. The U.S. Office of Special Counsel (OSC) is an independent agency that protects federal employees from "prohibited personnel practices," including whistleblower retaliation. OSC also provides an independent, secure channel for disclosing and resolving wrongdoing in federal agencies.”
You can see that the examples I discussed here are specialized and do not occur routinely in business. Where misconduct occurs and is not handled on external review – by banking or airline regulators, for example – the entire workplace is infected.
For years, I’ve recommended that companies establish their own governance structure to handle the identification and reporting of misconduct. Most such programs look to the parameters established by our federal programs and include protections against retaliation unless they consider themselves to be atypical.
One company that operated with little regulation and a shaky governance structure for its size was FTX.
“FTX was a cryptocurrency exchange, [that]filed for bankruptcy protection in November 2022 after experiencing a "crypto bank run". At the time, FTX was the third-largest cryptocurrency exchange in the world. The collapse of FTX had a damaging effect on the cryptocurrency industry, causing widespread mistrust and toppling other cryptocurrency services” (AI definition, ”What is FTX?”).
In the workplace, it’s important to establish a culture that is comfortable speaking up and that rewards speaking up rather than punishing the messenger. We worked hard to establish this principle in the business I owned for 15 years and at Washington Mutual Bank as well. My managers translated it down to “No Surprises.” We insisted that my managers and I would never hurt the messenger and that it was important to identify and fix the problem before it got larger.
At the bank, reporting jointly to two C-suite executives offered each of them a certain amount of latitude. They knew I would always give them the unvarnished truth and a recommendation to improve the operating environment. They reported to the CEO, and the CEO reported to the board of the bank. When we set up the operational risk program, we ensured that reporting would go all the way to the top on any corporate safety or misconduct issue.
When I started teaching at the university, I realized how important it was to teach my students—the next generation of risk managers—the “when” and the “how” of speaking up if their assessments indicate potential misconduct. That is a hard but necessary lesson these days in the current environment, a lesson that is learned when the investigator realizes that the scale of the problem will only grow if nothing is done to correct it.
While it may appear self-evident, this form of misconduct is much wider, reflected in obvious strategies of denial and lying, pursued without clear recognition and analysis of the damage they can cause. It has become, as it were, a sign of our times in politics, in social media, and in many affairs where any official regulation is largely absent. We need to preserve the individual capacity to “be surprised.” Knowing when and how to speak up is not easy, especially when it appears to be needed everywhere.