Retaliation: The Insider Threat That Can Shatter an Organization and Its Culture
Every single corporate code of conduct I have read over the years discusses the protection of employees who report possible violations. Furthermore, those codes reiterate how the organizations will not tolerate any form of retribution against anyone for reporting in good faith. The codes opine on how seriously the organizations consider retaliation and the various disciplinary actions that can be taken against anyone who impedes organizational justice. Employees are trained to report allegations to their managers or to use the multitude of other reporting channels detailed in the codes. Executives, managers, compliance officers, human resource professionals, and others continuously reinforce employee protections and non-retaliation policies. Yet retaliation remains a constant insider threat in both business and government environments.

What makes retaliation such a problem is the human curiosity that makes people want to know who made the allegation against them or their company. All too often it is the senior leadership of an organization who wants to identify those who report misconduct and then retaliate against them. It is almost a personal affront to some in management when an employee dares to question their actions, even if those actions are improper. In recent years we have seen a spike in whistleblower complaints alleging retaliation from those in positions of power.

Chief Retaliation Officers

The chief executive officer of an organization is supposed to live the company values and promote tone at the top. Unfortunately, we have seen examples of where the CEO is more like the chief retaliation officer in targeting whistleblowers.

In 2018, UK financial regulators fined the CEO of investment bank Barclays $1.5 million for using company resources to determine the identity of an anonymous whistleblower who questioned the qualifications of an executive that the CEO of the bank hired.[i] Evidently, this CEO took the allegation personally, conveniently forgot about tone at the top and company policy, and ordered Barclays’ head of security to learn the name of the whistleblower. As the financial regulator overseeing the matter stated, the CEO “acted unreasonably in proceeding in this way and, in doing so, risked undermining confidence in Barclays’ whistleblowing policy and the protections it afforded to whistleblowers.”[ii]

Here is a more egregious example of a corporate executive trying to unmask a whistleblower. In 2019, Reuters reported that the then-CEO of the Brazilian metals and mining company Vale SA was more interested in finding out who sent an anonymous email alleging concerns about the structural safety of area dams than in determining the validity of the email.[iii] The eventual collapse of one of the dams resulted in the death of more than 250 people. The CEO and other company executives were subsequently indicted for homicide by Brazilian authorities. A government report on the tragedy commented that the former CEO “had full knowledge of the necessity of adopting urgent measures to increase the security of the dams in the priority area.”[iv] Yet, identifying the anonymous sender of the email became the CEO’s priority.

Retaliation Is All Too Common

I also encountered the damaging effect of retaliation in my work for corporate clients. I was evaluating an organization’s compliance program and learned that employees did not trust the company’s hotline reporting system. I conducted focus groups of employees and was told of their horror stories when reporting misconduct.

In one example, an employee called the company’s hotline and identified herself, thinking her identity would be kept confidential. It was not, and other employees learned that she was the one who reported the misconduct. In another example, an employee reported allegations of misconduct to his manager, again in confidence. Employees in his group learned that he was the source of the information and it was his manager who disclosed it. Both employees then told me that they were subsequently retaliated against for doing what their code of conduct required they do, and they would never again report any concerns.

What makes retaliation such a problem is the innate way that people want to know the identity of the person who made an allegation against them or their company. It bears repeating that it can be senior management who want to identify whistleblowers and retaliate against them. As such, the retaliation can take many forms. Retaliation is more than just being fired or demoted. It can take the form of being denied overtime or promotions or being reassigned to less desirable positions. It can be insidious, such as being subjected to threats, blacklisting, and false accusations. It can also be subtle, such as being ostracized or left off meeting invitations and email communications.

Retaliation continues as one of the biggest concerns of employees. Study after study confirms this. According to the Equal Employment Opportunity Commission, “Retaliation is the most frequently alleged basis of discrimination in the federal sector and the most common discrimination finding in federal sector cases.”[v] The fear of retaliation hinders many employees from coming forward to report allegations.

So, what more can organizations do to ensure the safety of their employees to report misconduct without the fear of retribution? For whistleblower and hotline reporting programs to be successful, there needs to be appropriate non-retaliation policies and procedures.

Even more important, there needs to be a strong organizational commitment in words and actions. Policies matter but only if employees believe that they will be more than just words on paper. Employees must feel empowered and safe so they can anonymously and confidentially report violations of an organization’s standards of business conduct and know they will be protected from retaliation.

The Right Culture Bests Retaliation

Here are some of the leading practices that organizations can implement to lessen the risk of retaliation and promote a culture of ethics and compliance:

- First and foremost, establish a persuasive tone at the top and throughout the organization that leaves no doubt that retaliation in any form is unacceptable and that swift and compelling action will be taken against anyone engaging in such a practice. Anyone must truly mean anyone in the organization, no matter their level. This stance needs to be continuously evangelized to employees.
- Ensure that the organization’s code of conduct includes a strong non-retaliation policy that details the many forms of retaliation and an immediate reporting requirement.
- Have an anonymous and confidential third-party managed hotline/helpline for employees and others, such as contractors, vendors, and customers, to report concerns. Communicate that the reporting channel is externally managed.
- Explain the difference between anonymity and confidentiality. Confidentiality implies the caller’s identity and information will not be communicated broadly and only to those with an absolute need to know. Anonymity provides secrecy and nondisclosure for the caller’s identity but not the information provided.
- Take all tips and complaints seriously by thoroughly vetting them upon receipt using a risk-based analysis process, and then investigate professionally and in a timely manner.
- Broadly and frequently communicate the organization’s internal reporting process, investigation protocols, and non-retaliation policies.
- Appropriately discipline those who retaliate and consider publicizing to employees that such discipline has occurred. Consult with legal counsel before such a public disclosure.
- Consider keeping those who report misconduct informed of actions being taken to the extent possible. I know of one company that has a specific group whose function is to keep employees who report misconduct aware of the investigation status and the results of the investigation.

Unfortunately, even leading practices will not stop retaliation. In April 2021, compliance management firm NAVEX Global reported the findings from their 2021 Incident Management Benchmarking Report. The report found that the number of retaliation reports by employees has declined in recent years. This is after years of increased reporting of retaliation. The reason for the decline in employee reporting is not because of an actual decrease in retaliation but a heightened fear of retaliation.

If left unchecked, the insider threat of retaliation can do irreparable harm to an organization and its culture. Don’t let it happen to your organization.

[i] “Whistleblower ‘mistake’ cost Barclays CEO $1.5 million,” CNN, May 11, 2018.
[ii] “Barclays CEO fined $1.5mn for trying to unmask whistleblower,” Gulf Times, May 12, 2018.
[iii] “Vale CEO received anonymous email warning ahead of Brazil dam disaster: congress report,” Reuters, November 4, 2019.
[v] U.S. Equal Employment Opportunity Commission.

About Martin Biegelman

Martin Biegelman, CFE, CCEP
Managing Director, SunHawk Consulting, LLC

Martin Biegelman has spent a lifetime detecting, investigating, and preventing fraud and corruption in various leadership roles in law enforcement, consulting, and the corporate sector. His work on behalf of corporate management and boards includes conducting internal investigations, including independent investigations, alleging fraud, corruption, Foreign Corrupt Practices Act violations, conflicts of interest, whistleblower retaliation, and other employee and vendor misconduct. Martin’s work also includes developing, assessing, and enhancing corporate compliance and ethics programs including internal investigative and anti-bribery compliance programs, as well as performing fraud risk assessments.