I read a great report today on corporate governance and compliance reporting. The report was done by The Network. Not sure if you have heard of The Network, but they service nearly 50 percent of the Fortune 500 companies. The Network collects and addresses information on ethics, risk management, compliance issues to meet legislative mandates and global compliance requirements. I got the report from one of my contacts on the Security Executive Council.

The report talked about the importance of having a hotline to enable employees to report fraud, ethics violations, and other inappropriate behavior. It was really well written and included data on over 450,000 reports from 1,328 organizations and covered more than 12 million employees.

The real impetus for the report was the Sarbanes-Oxley Act (SOX) that required publicly traded corporations to provide a mechanism for reporting financial irregularities that enables employees to report information and remain anonymous.

Here are some of the highlights:

• A hotline report for financial irregularities provides additional ethics and behavior values. Many of the issues reported were related to employee/employer relations.
• 50% of the incidents reported were related to personnel management
• 38% of the reports investigated resulted in corrective action

What is really interesting, or at least proves the value of the hotline, is that 70% of the reports indicated that the participants did not notify management of the concern before using the hotline. To me, this really demonstrates the value of the hotline.

As I was reading the report it became very obvious that the hotline was very valuable and the anonymity of the hotline critical to getting feedback on behavioral and ethical concerns within the organization.

It also became evident that this service needs to be integrated into the unified security architecture. Think of the power of having a hotline number integrated into the standard data gathering tools used by the enterprise! Here is the scenario:

An employee calls a hotline number. The hotline number records the voice mail message. In the background you run a voice to text conversion and create a record in InfoPath. From there the security team can open an incident case record and conduct an investigation. If the incident reporting system is linked to the physical access control system or video management surveillance system, video and audit trail information could automatically be pulled into the incident and documented. Then, when the investigation is completed a complete case history could be saved and top line benchmark data displayed to management in a dashboard scenario.

Sounds pretty cool to me. What do you think?

PS: If you want to download the full report click here: http://www.tnwinc.com/whitepaperregistration/default.asp

Hope you find it interesting. Let me know your thoughts.