Reality Check: Support your local whistle-blower

20.06.2006
When Section 301 of Sarbanes-Oxley mandated that publicly traded companies have whistle-blower systems in place, interest in hotline systems for reporting policy violations or employee misconduct received a big push. Prior to that, most companies considered having a hotline number a check-box kind of item, without giving it much thought.

Many companies still have a fragmented approach to corporate GRC (governance, risk, and compliance), according to David Childers, CEO of EthicsPoint, provider of a SaaS (software as a service) GRC platform. They maintain separate bins for governance, human resources, internal audit, corporate security, and loss prevention.

But although a company might pass an outside audit by offering a hotline phone number, woe unto any organization if a case of employee fraud comes back as a case of company malfeasance. According to the U.S. Organizational Sentencing Guidelines (http://www.ussc.gov/orgguide.htm), "an entire organization, despite its best efforts to prevent wrongdoing in its ranks, can still be held criminally liable for any of its employees' illegal actions."

Fortunately, the same sentencing guidelines offer a way out. The U.S. Sentencing Commission (http://www.ussc.gov/) has stated that, in certain cases, the courts can reduce fines by as much as 95 percent "if an organization can demonstrate that it had put in place an effective compliance program."

Such a system not only offers protection but can actually reduce costs. Insurance companies such as the Redwoods Group are also pushing hard on GRC, offering clients a discount of 1 percent to 2 percent on general liability premiums if the company is using a reporting system. If you're a large organization such as the YMCA, which pays US$47 million in insurance premiums, that can be a substantial savings.

We are seeing the evolution of a technology. It started out as a notice stuck to a bulletin board in the employee lunchroom, offering a number to report any wrongdoing. Now companies such as EthicsPoint and The Network use a full lifecycle case management model with an integrated application, whereby client users can document what they have done to investigate and resolve each incident, from notification to closure.