Jeff Kaplan/Kaplan & Walker LLP SCCE Upper NE Regional Conference May 17, 2013 Encouraging C&E Reports and Preventing Retaliation

Today’s presentation 2 Overview of various aspects of policies, procedures and other means to encourage C&E reports and prevent retaliation Paul Robert will do a deep dive into approach at UTC

The legal imperative 3 While all parts of a C&E program are important, encouraging C&E reports and preventing retaliation have special status for companies and boards Specificity of legal expectations for boards, e.g., S-Ox 301, Caremark Bounty provisions, e.g., FCA, Dodd-Frank Necessity for being in a position to self report to win leniency or amnesty In developing, assessing and improving a C&E program, this area requires special attention

Special challenges 4 It is also perhaps the most difficult C&E program area in which companies can excel: Many studies have shown most C&E violations are not reported internally Challenges can be deeply culture-based ERC 2011 NBES: Retaliation against employee whistleblowers rose sharply from prior survey Need nearly all the general elements of a C&E program brought to bear on this

Policies – Code of Conduct 5 Need to report should obviously be featured in the code CEO letter Separate section in intro Perhaps in some risk-area specific sections But don’t want to overdo it Q&A on key points Reporting resources – often both at beginning and end of code

Policies – Code (cont.) 6 Specifics of reporting obligation Not just known violations but also where reason to suspect a violation or attempted violations Must report actual or suspected retaliation Specifics of retaliation discussion Not just that we don’t permit it, but it is a serious violation of our policies and will be dealt with accordingly Discuss bad faith reporting? If do so, be gentle

Policies – Code (cont.) 7 Reporting avenues Managers: should always be listed, but delicate issue is how strongly you push it Other C&E, Legal, HR, hotline, “part-time” C&E people But those who are listed should be trained on how to do deal with repots (discussed below) Board/Audit Committee Need to explain difference between confidentiality and anonymity If don’t already have, consider offering a web-based system for reporting

Policies – Code (cont.) 8 Broader discussion of C&E program, including what happens with calls Having discussion about the program overall should help provide confidence that company is sincere about dealing with suspected C&E violations and also help deter retaliation Managers’ responsibility section of code – include Maintaining a work environment that … encourages employees to ask questions and raise concerns Appropriate handling of any employee compliance reports

Other related policies - escalation 9 General escalation - factors to consider Potential impact Economic dimension Nature of issue (including retaliation) Involvement of senior personnel Implications for controls Build into training/communications Generally For investigators (discussed below) For lawyers - S-Ox 307

Other related policies 10 Procedures for the hotline provider Scripts for calls Notification issues Do you need a stand-alone whistleblower policy? Not everyone does, but it can: Be useful for bigger companies – or for ones with special reporting challenges Spell out more on different responsibilities and C&E measures Address data privacy requirements Be helpful for auditing of this aspect of the program

Training &… 11 Reporting should be a central focus of training, both General code training Short reminders, if you use these Also build it into risk-area specific training Not just reporting violations/preventing retaliation but also seeking guidance about risk area requirements Special importance for anti-corruption compliance

Training &…(cont.) 12 For managers and others, consider training on how to receive a report What/what not to say/do: attentiveness/empathy setting expectations avoiding unintended retaliation confidentiality escalation

Other communications 13 Should have an overall communications plan which includes periodically addressing reporting issues Messaging by all levels of management (and keeping track of these efforts) Posters, articles in company newsletters, various uses on intranet, mention on pay stub, tchotchkes… Publicizing information about number and results of cases can be very helpful More later on this

Investigations & … 14 Guidance – in the form of training and/or written procedures - for those involved with investigations on Maintenance of confidentiality Avoidance of retaliation Escalation procedures Note that training and guidance for investigations can be helpful for many other reasons, too Staying in touch with whistleblower Guidance for this – including what can say in close out Case management systems can help

Discipline 15 Fairness/rigor is key to encouraging reports The importance of “organizational justice” What the DOJ/SEC has said (in the 2012 FCPA guidance): “Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.” Can be particularly useful for retaliation cases Discipline for culpable failure to prevent/detect violations

Incentives 16 A few companies provide monetary incentives for reporting suspected violations Idea goes back about twenty years But one can generally get similar benefits from intangible rewards Publicize commendable examples of reporting (with attribution when appropriate) Provide more “local” forms of recognition – and train managers on how to do this

Governance and … 17 Should be an area of reasonably close involvement by boards and senior managers Both for measures to be effective and given legal imperatives Define categories (in escalation provisions) of reports they need to know about Build into protocol requirements that any circumstances suggesting need for independent investigation must be provided to the board/audit committee

Management 18 CECO’s duties in this area should be spelled out in her remit and/or program charter Better than trying to define them in the course of a crisis Having a high-level compliance committee for dealing with case management can help – through strength in numbers If investigations are overseen by regional committees, prepare a charter and conduct related audits

Auditing and monitoring 19 Monitoring – many dimensions Treatment of whistleblowers – by checking in with them Some companies do this on a sampling basis Time to complete investigations Results of investigations/discipline Auditing – also many dimensions Are hotline posters up where they should be? Review investigation files re: compliance with whistleblower protection policies

Risk assessment 20 Necessary for understanding need for Extra messaging Special messaging Extra monitoring Assess not only relevant organizational culture but also Geographic culture Mostly by countries but also isolation-related factors Industry culture

Self assessment 21 Questions from employee awareness survey General – on fear of reporting C&E-focused ones A good idea every few years Can dive much deeper – e.g., find out why misconduct not reported or what experience was for those who did Consider data correlations – what other factors coincide with low reporting? Possible use of focus groups

Third parties 22 The next frontier for many companies Many different types and different issues/challenges - range goes from contractors on site to agents and distributors far away and out of sight Approaches Direct Contractual