When a matter requiring investigation comes into a company, a timeline typically needs to be followed. First, I will speak about the beginning of that timeline at Tyco: how matters typically come in; how we manage various allegations or concerns that are raised, including our process for systematizing and managing those allegations and concerns; and how we coordinate the investigation.
Tyco International is a truly global company - more of our revenues come from outside the United States than from within. We have operations in more than 60 countries and sales in more than 100. We have 115,000 employees, over half of whom are located outside the U.S.Tyco takes in close to $20 billion in revenue annually. We have a diverse set of operations, incorporating five business segments, the best known of which is probably ADT, the global security company. We are also in the fire protection and fire safety businesses, manufacturing fire safety products, including fire extinguishers, foam suppression systems and firefighter gear. We manufacture electrical and metal products and also run a very large business called Tyco Flow Control, which makes valves and pipe for the petrochemical, oil, gas, water and nuclear industries.
As many people know, Tyco had a serious corporate scandal in 2002. Our former CEO is now serving 8-25 years in a New York State penitentiary. This crisis resulted in dramatic and substantial governance changes across the company. One area that saw the most drastic changes was in the senior leadership. Obviously, we found a new CEO, who replaced nearly all preexisting senior management. In addition, the Board of Directors is entirely new. Finally, we added a full-time ombudsman to the corporate office. The ombudsman handles concerns voiced by employees, shareholders, customers, suppliers and all other stakeholders. In addition to these personnel changes, we put in place new policies and procedures and extensively communicated to our employees our expectations for proper business conduct and meeting ethical obligations. We developed a new code of conduct we call our Guide to Ethical Conduct: Doing the Right Thing, and every year we have a substantial education program across the company to make sure everyone understands these expectations.
It has been widely recognized that having an ombudsman is a best-in-class corporate governance tool. Every company should have a function like this; some companies have many, many ombudsmen around the world. We have one main corporate ombudsman (as well as a European ombudsman), and we make that person available such that all concerns can be funneled in to her. Operating independently, she reports directly to our audit committee of the board of directors, rather than to management. On a day-to-day basis, she reports to me and is part of the compliance group. But, should she have any concern or feel that her independence is compromised, she goes directly to the Board. She is impartial and keeps everything she hears highly confidential, and we have systems in place to ensure that the concerns raised remain confidential. Her job is not only to determine how cases should be investigated and who should investigate them, but also to ensure that our employees have some level of comfort and certainty there will be no retaliation for raising a concern. This is critical. Our philosophy is to welcome concerns; it is essential that we hear about them so that we can take any necessary remedial action as soon as possible.
In order to facilitate the flow of information, we have created many avenues for reporting. In general, we encourage our employees to first speak with their supervisors - which of course will not work if the supervisor is the individual about whom there is a concern - or with their human resources representative.The law department itself is another reporting avenue. Probably the most accessible avenue is our hotline (which we call our ConcernLINE), a phone system with toll-free numbers enabled in 40 different countries such that a person can call locally or toll-free from almost anywhere in the world. We provide for email and regular mail, and the personal phone number of the ombudsman is publicized widely. In addition, we created a website - Vital Tyco Concerns (www.vitaltycoconcerns.com) - where anonymous concerns can be voiced from anywhere in the world. The website provides an ID number to the person expressing a concern, which allows us to communicate anonymously with him or her. This is available to anyone - our employees, outside vendors, suppliers, customers, shareholders - truly anyone. If someone has a concern about the company, there is always an available avenue for reporting.
To back this up, we display posters with relevant local hotline information in every one of our locations worldwide, including our plants, sales offices, and corporate offices. (Each poster is written in the local language; I believe about 28 languages are represented overall.) An outside service will take calls in the off hours. The service is staffed with multilingual people, so that any caller (especially an employee) can feel comfortable that he or she is raising a concern in confidence with someone who fully understands.
In certain countries in Europe, there are restrictions on anonymity; employees and others must give their name when raising certain kinds of complaints. (The idea in Europe is that a person being accused of something must be allowed to know who is accusing him or her.) In order to comply with this restriction and other Europe-specific data privacy issues, we have a separate ombudsman located in Europe. This way, we can avoid having European calls come into the U.S. Nonetheless, anyone can anonymously enter a written allegation on www.vitaltycoconcerns.com, and we maintain an EU-specific web address, as well (www.EUvitaltycoconcerns.com).
Finally, concerns can come up informally. Recently, I spoke with a colleague who told me she was training some of our employees at a session on international trade, and afterwards an employee came up to her to raise a concern in person.
Having created this funnel for issues to come in, the question becomes: what do we do once a concern arrives? We log it into the system and assign it for investigation. It is the ombudsman's role to assign an investigator. Concerns can get assigned to any one of our businesses, where they are then filtered down to the investigators. We've put together a matrix that addresses who should handle what type of concern or allegation.For example, if we receive an environmental or health concern, our Environmental Health & Safety ("EHS") Department will handle it, and we've determined that our HR department should also be notified in such cases. Similarly, the legal department handles conflict-of-interest concerns. This matrix of concern categories and appropriate investigators is embodied in a multi-page document that we have set up in consultation with the stakeholders, all of whom understand where a concern should go and who is best suited to investigate.
In addition, we use a web-based investigation management tool that allows us to track an allegation from beginning to end. The tool documents the source of the concern (whether anonymous or not), the subject of the case and the date and time the allegation came in. The system then sends out emails informing the responsible investigators that this case has been assigned to them and follows up with built-in reminders. But only the ombudsman can close out a case. It's important to note that the ombudsman is the first point of intake; that she assigns the case for investigation, and that she receives the results from the investigators. It is she who determines that there has been a thorough investigation and when it can be closed out. We have also developed a protocol for investigators that includes a checklist to ensure nothing is missed during an investigation.
Our experience has been that approximately half of the intake we receive - several hundred matters a year - involve employee relations or other human resource issues, including work environment, colleagues, difficulties with management, etc. We have a model letter we give to the person who has recorded a concern to assure them we are taking action on the matter. Depending on the case, at times we may provide more details about the ultimate outcome of an investigation. Typically, however, we do not provide much detail about the investigated matter to the reporting party, and we almost never disclose any sort of disciplinary action that may occur (beyond the general notices we provide to all our employees about disciplinary actions) because of privacy laws. But we do let the person who raised the issue know that something is being done.
Respect For Employees In All Cultures
As far as conducting an investigation is concerned, from the outset it is essential that cultural differences be taken into account, especially when interviewing employees. Whether you are conducting an investigation in Singapore, France, India, America or Indonesia, there are huge cultural differences that can upset your intended course of action in conducting an investigation if you are not cognizant of them. For example, you must be conscious of different gender attitudes in places such as the Middle East, where you may not want to send a woman to conduct interviews. You must consider language differences and translational issues. You must be certain you have an excellent translator whom you can trust. In addition, local laws can be an impediment. We were recently doing an investigation in Azerbaijan for which we were interviewing employees through a translator. We started to raise some very tough questions about why certain things were missing. We were immediately advised that employees there have the right, if they feel uncomfortable in an interview, to call the police to intervene in the investigation. It is important to understand local laws such as this in order to anticipate what you may encounter in an interview; indeed whether or not you even have the right to ask employees to subject themselves to an interview.
As mentioned earlier, data privacy - whether you have the right to access company computer systems or company email, whether you have the right to look for incriminating evidence - is a huge issue around the world. In Italy, for example, you need to carefully evaluate employee privacy rights when looking for email on the company system relating to an individual employee, which is not necessarily the case in the U.S. On the other hand, outside the United States, attorney-client privilege for in-house counsel exists in only a few jurisdictions. Certainly, for outside counsel, attorney-client privilege is fairly strong outside the U.S. But for someone like myself, who enjoys a strong attorney-client privilege in the U.S., once I step into Europe, it's gone.
One of the key things to keep in mind is to respect your employees in the investigation process; otherwise, you will run into further problems down the road. We go to great pains to ensure confidentiality, to maintain employee rights, and to be sure that they feel it's a fair process. Certainly there are times where we encounter significant wrongdoing. If, say, we are investigating whether an employee has embezzled $50,000, and the evidence is fairly strong, we still do everything we can to make sure the investigation is conducted fairly and properly. We try to have HR representatives in the room when we interview employees; we have learned that goes a long way to smoothing over any feathers that might get ruffled. We make sure our own investigators comply with our code of conduct. We cannot afford to have something like the pretexting situation that occurred at Hewlett-Packard. We go to great lengths to respect our employees even when it is obvious that there has been some significant wrongdoing. So far, our procedures have worked out well for us.
Lessons To Be Learned
Lastly, I should say that with the system I have described, there is a huge amount of data from which we can learn: we can use the data to figure out where our problem areas lie. For example, can we evaluate what types of concerns are being raised most often? Are we getting to those concerns quickly enough? On average, how long is a case open? We use all that information to help us focus on potential problem areas in the company and, with luck, resolve those and thus minimize the number of calls. I will say that it is a double-edged sword; you don't want so few calls that you fear your employees are not comfortable calling. There is a balance to be struck - having a lot of calls can be a good thing. Our goal is not to eliminate all calls to our ConcernLINE; instead, our goal is for our employees to know it's there, to feel comfortable using it, and to believe that there will be a fair follow-up process when they do raise a concern.