Comment by William Saunders

That the company will facilitate a verifiably anonymous process for current and former employees to raise risk-related concerns to the company’s board, to regulators, and to an appropriate independent organization with relevant expertise; Companies have a legitimate interest to protect confidential information, but this should not prevent discussion of risk related concerns. Employees with risk-related concerns might have reasons to not trust the governance structure of the company (otherwise, they could raise the issue through normal channels). In general, corporate leadership has an incentive to minimize or silence problems, to avoid hurting the company’s reputation. Concerns should be anonymous so that the employee can be protected from retaliation. The concerns should also be simultaneously shared with third parties outside of the company, so that they can be evaluated by someone without a conflict of interest. This should include all appropriate regulators. In case there are no regulators, or the regulators don’t have appropriate expertise, an independent third party organization should be found to monitor the concerns. This organization should not be incentivized by the company to minimize or silence problems, but they should also have an obligation to protect confidential information shared with them. Ideally, the independent organization should have enough credibility to be able to state things like “a number of confidential concerns have been shared with us recently, we can’t share the details but we think that the organization is not behaving responsibly with regards to issue X”. Unverified source (2024)