WHAT IS A DISCLOSURE SERVICE?
INTRODUCTION
There is a tendency in the security risk
management environment (and probably in most fields of endeavour)
to grasp an attractive solution with both hands and expect
it to be the great panacea that will solve all existing problems
at the expense of all others. Many people have adopted this
view of Closed Circuit Television (CCTV) and electric fences
in the past and sadly some organisations have also adopted
this view towards disclosure services.
My philosophy of risk management is simply
that one needs the skills of a risk management professional
to integrate all the appropriate solutions available in the
right combination to ensure that the most effective outcome
is achieved. This is rather like the analogy that a pile of
building materials only becomes a home once an architect and
skilled tradesmen have put the components together in the
optimal manner. A group of musicians, no matter how skilful
each may be, only becomes an orchestra and produces sublime
music once they unite under the baton of a conductor to reveal
the mysteries of a composer's score.
The obvious conclusion is that a disclosure
service, while being an excellent (and almost indispensable)
component of a well-structured risk management strategy, is
never going to really live up to its potential unless it is
skilfully integrated with other complementary risk management
solutions.
ORIGINS
Before defining and unpacking the nuances
of successful disclosure services it is important to briefly
recall the origins of this very valuable risk management tool.
It is widely accepted that the findings
of the United States Presidential Commission that followed
the explosion that destroyed the NASA Challenger Space Shuttle
on 28 January 1986 and cost the lives of six astronauts including
the first non-astronaut – a teacher, Christa McAuliffe –
provided the model for the creation of all present-day disclosure
services.
Very simply, the spacecraft exploded in
a ball of fire 73 seconds after the launch (while travelling
at 684 meters per second) as a result of a defective seal
on a solid rocket booster. The important finding of the commission
was that the mission control management were advised of the
threat but decided not to act on it. There was considerable
pressure on the mission control management for the launch
not to be delayed for a number of reasons – not least
the hype surrounding Christa McAuliffe – and this may
have clouded the judgement of the decision-makers in giving
the launch the green light.
The commission concluded that if a communication
channel had been available which stakeholders could have used
(possibly even anonymously) to report their serious concerns
to an independent entity, the tragedy could
have been averted.
Thus the seeds of independent disclosure
services the world over were sown in the USA in 1987 and the
first outsourced service providers (OSPs) started operating
in South Africa in 1999.
THE PROTECTED DISCLOSURES ACT, 2001
In South Africa we have a widely celebrated
piece of legislation known as the Protected Disclosures Act,
Act 26 of 2000 (the “Act”) (go to http://www.info.gov.za/gazette/acts/2000/a26-00.pdf
for a PDF version), which became effective on 16 February 2001
and which defines a disclosure as:
any disclosure of information regarding any conduct of an employer, or an employee of that employer, made by any employee who has reason to believe that the information concerned shows or tends to show one or more of the following:
(a) That a criminal offence has been committed, is being committed or is likely to be committed;
(b) that a person has failed, is failing or is likely to fail to comply with any legal obligation to which that person is subject;
(c) that a miscarriage of justice has occurred, is occurring or is likely to occur;
(d) that the health or safety of an individual has been, is being or is likely to be endangered;
(e) that the environment has been, is being or is likely to be damaged;
(f) unfair discrimination as contemplated in the Promotion of Equality and Prevention of Unfair Discrimination Act, 2000 (Act No. 4 of 2000); or
(g) that any matter referred to in paragraphs (a) to (f) has been, is being or is likely to be deliberately concealed;
The important point to note is that the
legislation only provides “protection” for an
employee, which is defined in the Act as:
(a) any person, excluding an independent contractor, who works for another person or for the State and who receives, or is entitled to receive, any remuneration; and
(b) any other person who in any manner assists in carrying on or conducting the business of an employer;
While the original draft of the Act only
made provision for direct disclosures, the final version was
amended after I had made representations to the drafters of
the Act that the Act should provide for indirect disclosures
made through independent service providers. The relevant section
of the Act relating to protected disclosures reads as follows:
6. (1) Any disclosure made in good faith
(a) and substantially in accordance with any procedure prescribed, or authorised by the employee’s employer for reporting or otherwise remedying the impropriety concerned; or
(b) to the employer of the employee, where there is no procedure as contemplated in paragraph (a),
is a protected disclosure.
(2) Any employee who, in accordance with a procedure authorised by his or her employer, makes a disclosure to a person other than his or her employer, is deemed, for the purposes of this Act, to be making the disclosure to his or her employer.
DEFINITION OF A DISCLOSURE SERVICE
So a disclosure service is
strictly speaking any procedure or channel of communication
(by one or more means) that an organisation has set up internally
or which has been outsourced by an entity to a third party
service provider to enable employees to make disclosures.
Although not covered by the Act, disclosure
services have always encouraged other stakeholders and not
just employees to make disclosures. This is very important
as many unlawful and inappropriate acts are committed by persons
within an organisation working in collusion with people on
the outside!
A stakeholder is really
any person or entity who wishes to draw the organisation’s
attention to any action or activity which has already happened
or which could potentially happen which would (or should)
be of interest to that organisation.
Clearly “would” is not always
the same as “should” as the reporting of some
actions or activities to an organisation may not always be
welcomed by that organisation. This is where the depth of
commitment of an organisation to transparency, integrity and
honesty is sometimes tested!