A Year ago, Mike Salvarezza, director of compliance systems and records management for Altria Corporate Services, surveyed his company's system for retrieving, tracking and summarizing whistleblower reports. What he saw was disturbing: While there was a call center to receive confidential reports of potential transgressions and a plan in place to route them to the appropriate compliance officer at each of the parent corporation's operating units, there was no central system to keep track of them and whether they were appropriately handled. When it was time to provide periodic reports for Altria Group Inc.'s board, the process of compiling data took several weeks. "I was afraid things might be fallingthrough the cracks," says Salvarezza. "I knew we needed a way to become more efficient."
Fortunately for Salvarezza, a new generation of whistleblower technology is offering a more integrated approach based around comprehensive, Web-based systems that can retrieve reports, automatically send them to the correct managers and keep track of the resolution process. Finally, the new breed of systems compiles the data across business units and prepares board reports. Ultimately, Salvarezza chose EthicsAdvantage from Farmington, Conn.-based Software Impressions for the $97.9 billion cigarette and packaged food manufacturer. Although Ethics- Advantage offers a Web-based interface for whistleblower reports, Altria decided to retain its telephone hotline. "Now, it takes a press of a button for the system to prepare a report," he says.
Salvarezza's dilemma is one faced by most managers in charge of whistleblower compliance. By law, they have to collect and investigate all com- plaints, as well as provide regular reports to the board of directors. But it has proven difficult to do that efficiently. The snag has always been in the follow-up, largely because, as at Altria, there is no central repository of either the original complaint information or how it was eventually dealt with. Not only is pulling together data difficult, time-consuming and open to error and omission, but the lack of centralization also means that companies are likely to miss persistent problem areas and fail to address them quickly.
Indeed, corporate governance executives would put compliance with whistleblower mandates close to the top of the list of their Sarbanes-Oxley related concerns, according to Alex Adamopoulos, an analyst with Aberdeen Group. The decentralization of whistle-blower data creates inefficiencies and many fear that those may lead to being out of compliance. What's more, boards are pushing compliance officers to find more cost-effective ways to provide whistleblower compliance. "Boards want to know whether they're getting the most bang for their buck," says David Childers, CEO of EthicsPoint, a Portland, Ore.-based vendor.
There are no solid figures on the size of the market for whis- tleblower software because solutions are often lumped together with other governance software, according to analysts, but the growth potential seems apparent to most. While many of the tools available are largely similar in function, there are some differences. One key distinction is who hosts the data. Most, like EthicsPoint and the Intercede system from Durham, N.C.-based Greenfire International, employ a software-as-a-service (SaaS) model, in which the vendor's server acts as host. But Salvarezza's choice, Software Impressions, uses a third party to store the data. Michael Rasmussen, an analyst with Forrester Research in Cambridge, Mass., cautions companies to make sure the hosting model has been validated by an independent expert when not hosting the data internally.
Sometimes the model for hosting depends on the client base. Syfact, based in Stamford, Conn., doesn't have to worry about hosting because their customers are mostly large banks that want to maintain more control over the information by keeping it in-house, according to Patricia Cuomo, director of worldwide marketing.
There are other differences. Axentis Enterprise from Axentis, based in Warrensville Heights, Ohio, is a comprehensive governance, risk and compliance platform and doesn't include its own whistleblower reporting function at the front end. Instead, it allows for integrating a third-party program into its platform.
What these products share is a more advanced way of providing whistleblowers with anonymity--a key factor in the success of any system. For example, Greenfire gives whistleblowers a case number that they can use to check whether their report has been acted on. It also allows case managers to ask whistleblowers additional questions without forcing the individuals to reveal their identities.
As for costs, they usually depend on the number of users. Companies below the $750 million mark can expect to pay about $250,000. Bigger firms should be on the hook for about $500,000 to $1 million. For a growing number of compliance officers, it's worth the price.