Protected activities could be a useful tool for insurers to manage their most significant ethical risks. And they signal to key audiences that the insurer’s commitments around those risks are being taken particularly seriously. So how do they work and how can they make a difference?
I came across protected activities while doing some work on ethical decision making for a large insurer in East Asia. Their code of ethics made very clear that retaliation against anyone engaged in a protected activity would not be tolerated.
I believe the concept has its origins in the US legal system, where a ‘protected activity’ in a work environment mean activities that an employee should be able to engage in without fear of retaliation by the firm or other employees. In practice, this typically means raising a concern about some form of equalities breach.
I’m going to weigh up the protected activities concept in four ways. How do they differ from what you’re already doing? Where can they add value? Do they have any weaknesses ? And can their impact be measured?
What’s Different about Protected Activities?
The UK has had whistleblowing legislation for many years. And it was not that long ago that the regulator for financial services added more specific requirements onto the obligations of regulated firms. So what further value could the use of protected activities bring to a typical insurer?
Remember that whistleblowing legislation in the UK covers ‘protected disclosures’. That is narrower than a protected activity. This is best explained by an example. If I have a serious concern about something I’ve seen at work, but worry about reporting it to my manager, then I could make a protected disclosure. That protected disclosure would however have to be in relation to one of a number of specified concerns.
Let’s assume that activities relating to the code of ethics were protected activities. And let’s say my manager told me to do something that I was certain was in contravention of that code of ethics. I could refuse to do so and any retaliation against me for that refusal would be a breach of a protected activity.
You can see therefore that protected activities provide employees with support earlier on and in wider circumstances than protected disclosures. The value of so doing is that protected activities brings attention onto an issue earlier, which helps firms sort it out more easily.
Where There’s a Weakness
Outside of the United States, there’s an obvious weakness in the use of protected activities relative to protected disclosures. Only the latter are protected by the law. The former are protected only by the penalties set by the firm and the firm’s willingness to apply those penalties. The danger is that if it's the firm’s culture that was largely responsible for the problem arising in the first place, then there’s a risk that that same culture will undermine the value of protected activities.
That danger is counter-balanced to some degree by the earlier than usual signal an ignored protected activity gives to employees about what the firm stands for. And in such circumstances, the employee could then decide to report it to the regulator earlier.
Should We Consider Using Protected Activities?
I think insurers should consider experimenting with protected activities for these reasons:
- it supports their whistleblowing / speaking up programme;
- it emphasises to employees and managers that some activities are being given special protection, so raising attention to make sure they’re supported and making errant employees back off from playing around with them;
- it reduces some feelings of concern about taking a stand, about raising a question, perhaps even challenging what someone is doing that contravenes a protected activity. This will help such issues be dealt with earlier;
- it allows a firm to focus attention on areas of particular ethical risk, by making policies and procedures relating to that risk the subject of protected activities. This introduces a human form of control mechanism for that risk.
An Example at an Intermediary
I recall organising a workshop at an intermediary to discuss how their business gifts and hospitality policy could be improved. About fifteen minutes into the workshop, mention was made of a particular skiing trip by some employees. And the discussion just took off. The local manager listening in was absolutely astonished at what he was hearing. As a result, output from the meeting went to the next board meeting, at which more controls and monitoring was quickly introduced.
My point in mentioning that workshop is that it dealt with an area of considerable risk to that firm. It was some years ago, but if back then they had made that business gifts and hospitality policy subject to a protected activity, it would have made compliance with those new controls (and the dropping of bad habits in relation to things like skiing trips) much easier.
Do Protected Activities Work?
Let’s be clear: protected activities are not a magic wand. They need to be actively supported by management with visible ‘walking the talk’. They need to be addressed effectively on a case by case basis, plus monitored regularly. And they need to be communicated across the firm, from senior management to employees just starting out.
So they can work, so long as they’re supported. If they’re not, they’re just window dressing.
Let’s adjust the question slightly. Do they add more work? I don’t think so. What they help do is bring forward the problems already happening within the firm and allows them to be addressed earlier, before they get out of hand. So in effect, the work is already there. What protected activities do is highlight those issues and address them earlier. I would say therefore that they at best reduce work, and at worse add no extra work. They’re addressing an existing problem earlier.
What Activities Should be Protected?
There are no hard and fast rules here, although I’m sure that an analysis of how firms use protected activities would show patterns. In my opinion, the activities to be protected should be scoped according to criteria such as these:
- activities that introduce significant ethical and reputational risk to the firm;
- activities for which the related controls are both difficult and vital;
- activities where the gross-net risk gap is thought to be high;
- activities which have a high strategic value;
- activities for which the firm has been put on notice by the regulator.
Measuring Their Impact
We know that the UK regulator has long used metrics to gauge how effective a firm’s whistleblowing programme is. These metrics grade firms by size and give an indicative number of expected whistleblowing reports. If the firm then reports well over or well under that number, then the regular would look into it.
Well, that’s what they said they would do. I can’t recall hearing about any review of the accuracy or effectiveness of those metrics.
Let’s put that aside and think of a scenario where a firm has a particular ethical / reputation risk that it needs to manage down. They will have an idea of how that risk currently is, and after making it subject to a protected activity, will subsequently learn how much of a difference that make to the risk. In essence, incident tracking.
This could supplemented by sentiment tracking. Ask employees who are to some degree familiar or associated with that ethical / reputational risk how they feel that exposure is looking, both before and after making it subject to a protected activity.
A Key Point to Remember
Some people might see the use of protected activities as yet more rules, more restrictions on getting on with business. In my opinion, they’re missing the point of protected activities.
Protected activities do not add in extra rules. They simply focus attention on existing rules and the firm’s interest in having them adhered to. They reduce the fear of retaliation for people who are concerned about those rules not being adhered to. And they help to reduce risk, which helps a business to achieve success more easily.