Do you remember that annoying classmate in primary school who always provided to the teacher unsolicited reports of those who were “making noise” when the teacher had stepped out of class? Or the one in boarding school who reported to the dorm master when colleagues had scaled the fence using military grade subterfuge and sneaked out of school to have a good time? In school we referred to these dystopian citizens as “snitches” or “tattle tales” but this was largely informed by the folly of youth where everyone was supposed to be bound by the Mafian oath of omerta or silence when such indiscretions were being perpetuated. However in adulthood, the role of these informers in an organization is absolutely critical in providing information about criminal activities that are being perpetuated by staff, management or, in extreme cases, the board of the organization itself.

Such an informer is called a whistle blower and is defined as a person who informs on a person or organization that is engaged in an illicit activity. A bank I know had a whistle blower call in to say that the branch manager was stealing from the branch. An auditor was sent over to the branch but he couldn’t find any evidence of the stealing. The whistle blower was tenacious and called again, this time saying “tell the auditor to put a camera in the backroom where the ATM is loaded with cash. He will see.” Sure enough a hidden camera was placed and the branch manager was busted in all his glory skimming money from the ATM cassettes as he ostensibly loaded them with cash.
The Capital Markets Authority (CMA) code of corporate governance practices for issuers of securities to the public 2015(we should probably reduce that mouthful to two words: “The Code”) specifically mentions whistle blowers three times. Some context around its genesis would be useful here. The Kenyan private and public sector space has a litany of cases of gross malfeasance perpetuated by senior management, very often leading to the eventual collapse of institutions for lack of cash flow. More often than not, staff knew what was going on but did not have the avenue to report such activities, as it would lead to instant dismissal, or in some extreme cases, grave personal injury. Imperial and Chase Banks are classic cases of organizations that could have done with a whistle blower policy, but they also beg the question: who do you whistle blow to, when it’s the owners or key officers of the institution perpetuating the fraud? The CMA Code tries to address this, on the premise that companies issuing securities to the public – such as shares via the Nairobi Securities Exchange (NSE) or bonds – have the basic corporate governance framework of a board of directors where the buck should stop. Section 4.2.1 provides that the board shall establish whistle-blowing mechanisms that encourage stakeholders to bring out information helpful in enforcing good corporate governance practices. Sounds a bit la-di-da right? Like some flowery language meant to incorporate current buzzwords such as “good corporate governance” and “stakeholders”.
But a second and far more robust attempt is made further down the Code under Section 5.2.5 which states that the board shall establish and put into effect a Whistleblowing Policy for the company whose aim shall be:
a) To ensure all employees feel supported in speaking up in confidence and reporting matters they suspect may involve anything improper, unethical or inappropriate; b) To encourage all improper, unethical or inappropriate behavior to be identified and challenged at all levels in the company; c) To provide clear procedures for reporting of such matters; d) To manage all disclosures in a timely, consistent and professional manner; and e) To provide assurance that all disclosures shall be taken seriously, treated as confidential and managed without fear of retaliation.

Why should you wake up and take notice if your company is not listed on the NSE? The CMA Code covers any company that has issued securities to the public. Therefore an Imperial Bank, which had issued a CMA approved bond to the public not too long before it crashed and burned, would have been expected to be applying the code within its own corporate governance framework had it lasted long enough. Section 7.1.1 (w) of the Code gets even more prescriptive by declaring that the board shall disclose the company’s Whistleblowing Policy on its annual report and website.

The CMA Code is a fairly modern and well thought out regulatory framework that encourages issuers of securities to “apply or explain” the guidelines provided therein. It will therefore require an inordinate amount of CMA supervision to ensure that issuers of securities are religiously submitting annual returns where they undertake the self-evaluation mechanism that an “apply or explain” framework presumes. If the CMA does this well, it then provides a second level of scrutiny to banks that may have inadvertently escaped the Central Bank of Kenya’s statutory hawk eyes and wish to take money from the public in a different form.

The institutions that do this well outsource the whistleblowing framework to an independent third party whose number is widely circulated within the organization. Staff members are encouraged to call that number or send an email with the assurance that the information will be handled sensibly by a non-aligned entity. The third party entity provides these reports directly to the organization’s board audit committee for directive action to be taken. It is imperative that the feedback loop on the whistleblowing falls outside of current management for obvious reasons: management might be part of the problem. Outsiders have no way of knowing what rot goes on inside an institution until the crap hits the fan. What the CMA Code has done is provide a way to protect investors and enable them to hold issuers of securities to a higher standard of transparency. However, this can only work successfully if the CMA plays its enforcement role judiciously.