Nonprofits Alert: Can an Effective Whistleblower Policy Prevent Misconduct?
By: Virginia B. Evans*
As reflected in recent headlines, high-ranking leaders of a public university and nonprofit charitable organization are under the microscope for failure to adequately address allegations of specific misconduct. The CEO of the charity resigned after 28 years. Two executives at the school were charged with perjury. The university president and the beloved head coach of the football team were fired. The campus erupted in riots upon news of the coach’s firing. As a consequence, university leaders across the country are asking themselves about their vulnerability.
One principle seems clear: these organizations suffered a lack of leadership in the area of compliance. It is not enough to have whistleblower policies on paper; executives of academic institutions and nonprofits, as well as for-profit organizations, bear equal responsibility for fostering a culture of compliance. This means that a process for actually “following up” on investigative leads is an important piece of the whistleblower policy.
Truly effective whistleblower and investigative policies can reduce the risk of harm to individual victims and prevent monetary damages and reputational harm. Why should this be personally important to managers of nonprofits and other organizations?
The government and private claimants will increasingly target individual members of senior management or the board of directors who have knowledge of illegal activity within their organization but fail to act. The Department of Justice has begun to more aggressively use the “responsible corporate officer” theory, alternately known as the Park Doctrine, to hold executives liable for activity occurring on their watch.1
The Park Doctrine, originally used in cases brought under the federal Food, Drug and Cosmetic Act (FDCA), stands for the principle that corporate executives may be held “criminally responsible for failure to exercise the authority and supervisory responsibility reposed in them by the business organization.”2 Thus, in the case of three convicted Purdue Pharma executives, the Department of Health and Human Services (HHS) used a Park theory to successfully exclude them from participation in any federal health care benefits program for a period of twelve years. The Purdue Pharma executives argued on appeal that they had no personal knowledge of the fraudulent promotional practices that landed them in court. However, the executives were held to be “responsible corporate officers” despite the argument that they lacked personal knowledge of Purdue’s promotional tactics. The court cited Park for the proposition that a defendant need not have participated or even known about the criminal wrongdoing if evidence demonstrated that the corporate officer’s position vested in him “responsibility and authority” either to prevent in the first instance, or promptly to correct the violation complained of, and that he failed to do so.3
There is no reason to believe the Park Doctrine will be limited to FDCA cases. The Department of Justice has indicated that prosecutions of responsible corporate officers will increase in the health care and public safety areas. This trend is likely to spill over into the financial sector as well. Nonprofits and academic institutions may not be immune to its reach.
Every well-run nonprofit should have a whistleblower protection policy and related investigative policies in place. Recent events demonstrate that it is not enough to have a whistleblower policy if reporting is not encouraged and investigative procedures are not followed. It is time to dust off existing policies and take a look at whether the policies are updated and effective. Are the policies being enforced?
An effective organizational whistleblower policy speaks volumes about the commitment of senior management to compliance and abiding by laws and regulations. It sets the “tone at the top.”
According to the ABA Coordinating Committee on Nonprofit Governance:
All nonprofits should have some written policy or program for the communication of concerns regarding possible financial, accounting, or other legal and ethical violations to senior officers and members of the boards of directors, as appropriate under the circumstances… [T]here should always be some mechanism for concerned employees, volunteers, or outside individuals to effectively communicate compliance concerns to the board or a nonaffected officer. In addition, nonprofit organizations should have written policies prohibiting retaliation against employees who raise concerns regarding actual or potential wrongdoing in the organization.4
Both the IRS Form 990 reporting requirements for nonprofits and the Sarbanes-Oxley Act of 2002 strongly suggest that all nonprofits should implement an effective and comprehensive whistleblower policy.
The “Governance, Management, and Disclosure” section of the IRS Form 990 specifically requires each nonprofit to state whether it has a written whistleblower policy, thereby implying that a well-run nonprofit should have such a policy in place.5 Until 2008, the Form 990 was primarily a financial data reporting form; however, at that time, it was significantly amended in order to emphasize governance.6 The Form 990 is part of the IRS’s push for “transparency and accountability” within the tax-exempt sector.7 According to the IRS:
A whistleblower policy encourages staff and volunteers to come forward with credible information on illegal practices or violations of adopted policies of the organization, specifies that the organization will protect the individual from retaliation, and identifies those staff or board members or outside parties to whom such information can be reported.8
The Sarbanes-Oxley Act makes it a criminal offense, punishable by fines and/or up to ten years in prison, for any organization (for profit or not for profit) to “knowingly, with intent to retaliate” take action against a whistleblower.9 Although Sarbanes-Oxley was enacted in response to accounting scandals and financial abuses in the private sector, the provisions of the Act relating to penalties for obstruction of justice apply equally to non-profit and for-profit corporations.10 Sarbanes-Oxley has spurred “heightened scrutiny and regulation in the nonprofit sector.”11 In response to the Act, “many nonprofits have taken the initiative to voluntarily adopt its provisions”… including whistleblower protections.12
We offer the following whistleblower “best practices” applicable equally to non-profits and for-profit organizations:13
- Clear Definition of Covered Individuals. Whistleblower policies should clearly define who is covered by the policy. Covered individuals may include individuals within the organization as well as external parties who conduct business with the organization. Depending upon the size and structure of the organization, these individuals may include: employees, management, board members, vendors, contract employees, customers and shareholders. Whistleblower protection should not be limited to those who provide information about financial misconduct; any misconduct should be reported if it causes the risk of harm. Management should be held to the same standards as other employees in terms of reporting obligations.
- Nonretaliation provision. Whistleblower policies should specifically state that the organization will not retaliate in any way against individuals who make good faith claims.
- Good Faith Requirement. Whistleblower policies should include a requirement that anyone filing a claim must have a reasonable belief that an issue exists and must act in good faith. The policy may also note that the organization may take disciplinary action against anyone who makes unfounded allegations that are proven to have been made recklessly, maliciously, or with the foreknowledge that the allegations were false.
- Confidentiality and Anonymous Reporting. Although an organization may not be able to guarantee total confidentiality, because a whistleblower may eventually become a witness in future criminal or civil matters, whistleblower policies should assure confidentiality to the greatest extent possible. Assuring that the whistleblower feels protected at the time of reporting is essential to an effective policy. An anonymous reporting system can create the opportunity for employees to feel comfortable reporting misconduct. Anonymous reporting has become the “gold standard” in the compliance industry. Anonymous reporting mechanisms include telephone hotlines, e-mail hotlines, websites, or suggestion boxes.
- Explanation of Process for Filing a Claim or Report. Whistleblower policies should clearly describe the process employees must follow to file a claim. The process should be clear and simple. Reporting mechanisms vary; organizations may require whistleblowers to direct their claims to a certain person (such as a compliance officer) or, alternatively, to follow a ladder of reporting whereby the claim would eventually reach the top of the organizational structure.
- Education of Individuals Who Receive Claims or Reports. The organization should educate individuals responsible for receiving whistleblower claims and reports. Most importantly, these individuals must know how to properly relay information to law enforcement in all circumstances indicating criminal activity.
- Explanation of the Investigation Process. Whistleblower policies should explain how each claim will be handled and investigated once received and state whether the reporting individual should expect to receive feedback.
- Communication. Whistleblower policies should be communicated in writing to all covered individuals. Education and training on the reporting obligations and the non-retaliation policy are essential. Training can be provided internally during the human resources orientation process or externally by a third party. Employees can also be informed about the reporting policy through employee handbooks and/or the corporate website.
- Tailored. Whistleblower policies should be tailored to the organization’s size, structure, capacity and culture. Each organization must determine what type of policy would best serve its individualized needs.
In conclusion, recent events provide nonprofits and other organizations the opportunity to thoughtfully reflect on their own reporting processes and culture. This is a good time to review policies and make sure there is a mechanism in place to report allegations of misconduct in a manner that provides for anonymity and guarantees nonretaliation.
* Virginia B. Evans is formerly of Ober|Kaler's Government Investigations and White Collar Defense Group and Health Law Group.
1 The decision of the United States Supreme Court in United States v. Park, 421 U.S. 658 (1975) is viewed as the seminal case upholding the propriety of the responsible corporate officer doctrine.
2 421 U.S. at 671, citing Morissette v. United States, 342 U.S. 246, 255 (1952).
3 Park, 421 U.S. at 673-74.
4 Guide to Nonprofit Corporate Governance in the Wake of Sarbanes-Oxley, ABA Coordinating Committee on Nonprofit Governance, 46 (2005) (emphasis added); Principles for Good Governance and Ethical Practice: A Guide for Charities and Foundations, Panel on the Nonprofit Sector (October 2007), available at: www.nonprofitpanel.org/.
5 Non-Profit Governance: Critical Risk Management Issues for Boards and CEOs, Georgetown University Law Center, Lewin, Williams & Lovering, 2011 WL 2111711 (April 27, 2011).
8 Instructions to the Form 990, p. 20.
11 Avi Z. Kestenbaum, The Age of New Corporate Governance for Nonprofit Organizations, 17 TXNEXEMPT 87 (2005).
13 The list was compiled using the following articles: Non-Profit Governance: Critical Risk Management Issues for Boards and CEOs, Georgetown University Law Center, Lewin, Williams & Lovering, 2011 WL 2111711 (April 27, 2011); Developing a Whistleblowing Policy, Delaware Valley Grantmakers (2007), available at www.niqca.org/documents/whistleblower_policy_delaware.pdf; Tim V. Eaton & Michael D. Akers, Whistleblowing and Good Governance: Policies for Universities, Government Entities, and Nonprofit Organizations, THE CPA JOURNAL (June 2007), available at www.nysscpa.org/cpajournal/2007/607/essentials/p58.htm.