I’ve never encountered a business that didn’t have some sort of compliance issues, some more severe than others. Most are minor: Workplace posters that haven’t been updated in years, safety training certifications that lapsed but didn’t raise flags because the holder knew their stuff, hands down.
Some are not so minor: Tax strategies that walk (or cross) the line between aggressive and fraudulent, environmental practices that would look entirely different under third-party scrutiny. Maybe even employment classifications that might not hold up under examination, or OSHA violations that have been there so long nobody even sees or thinks about them anymore.
You know, or should know, these exist in your business; most business owners do. And most business owners also know – or at least believe – that the odds of getting caught are low enough to accept. Regulatory agencies are historically understaffed, and this makes audits pretty rare. The risk feels abstract and distant.
No matter how distant, it’s important to understand that those risks don’t stay dormant forever; they sit quietly until someone decides to detonate what I am terming “the compliance time-bomb” in this article. And that someone is almost always a person who used to work for you.
The federal government, and increasingly state governments, have created powerful financial incentives for employees and former employees to report certain violations. Don’t make the mistake of thinking these are small incentives. We’re talking about 15-30% of whatever the government recovers – potentially millions of dollars for information that costs the reporter virtually, and sometimes literally, nothing to provide.
The person who knows about your business’ shortcuts has probably thought about this, and what determines whether they stay quiet or pick up the phone rarely has anything to do with the violation itself. Unless your violations are causing real destruction it usually boils down to how you – their employer – treat them as human beings, either during their employment, on their way out, or both.
How Dormant Risks Become Active Crises
Violations don’t report themselves. Regulatory agencies, despite their mandates, simply don’t have the resources to proactively investigate every business committing, or potentially committing, a compliance violation. The IRS audits fewer than 0.4% of returns and OSHA is only able to inspect a small fraction of workplaces each year. Environmental agencies prioritize large polluters and obvious disasters, as they should.
A side effect of these constraints is that a false sense of security is created. Years go by without consequences: The tax strategy that pushes legal boundaries hasn’t triggered an audit, the environmental shortcuts haven’t attracted significant attention, and the employee classification questions never got asked. Business owners start to believe they’re safe.
They’re not safe, they’re just undiscovered.
The shift from undiscovered to crisis almost always involves a human trigger – an employee who knows things, a manager told to execute bad decisions, a bookkeeper who saw the real numbers, or a supervisor who documented what they were told to ignore.
These people keep quiet for all sorts of reasons while they’re employed; loyalty, fear, not wanting to rock the boat, or simply not knowing there were alternatives. But employment relationships inevitably end, and when they end badly, every reason to stay quiet suddenly has a competing reason to speak up.
The Financial Incentive Structure
Qui tam provisions under the False Claims Act allow private citizens to file lawsuits on behalf of the federal government when they have evidence of fraud against government programs. Examples, not all inclusive: Medicare fraud, defense contractor billing irregularities or SBA loan misrepresentations. If the government intervenes and recovers money, the person who filed – the “relator” – receives between 15% and 25% of the recovery. If the government doesn’t intervene but the case succeeds anyway, that percentage can go as high as 30%.
These aren’t theoretical numbers – the Department of Justice reported recovering over $2.68 billion in False Claims Act settlements in fiscal year 2023 alone. Qui tam cases – those initiated by private whistleblowers – accounted for over $2.3 billion of that total. 86% of the funds recovered were the direct result of whistleblowers, and those whistleblowers received more than $349 million in awards that year for stepping forward. From the DOJ’s perspective, this is a win-win.
And the above just relates to the False Claims Act; the IRS Whistleblower Program offers 15-30% of collected proceeds for tips that lead to recovery of unpaid taxes, like those resulting from the “aggressive” tax strategies I mentioned earlier. There are plenty of other examples: The SEC whistleblower program, established under Dodd-Frank, has awarded over $1.9 billion to whistleblowers since its inception and OSHA has whistleblower protection provisions covering more than 20 different federal statutes.
Our government has created a system that pays people – sometimes handsomely – to report violations they witness, and the simple fact of the matter is that the person most likely to witness your violations is someone who worked for you.
How Reporters Are Covered
Whistleblowers aren’t just paid; they’re also heavily protected. Federal law prohibits retaliation against employees who report violations to authorities, and this includes discharge, demotion, suspension, threats, harassment, or any other discriminatory action.
These protections have real teeth and employers found to have retaliated against whistleblowers can face reinstatement orders, back pay awards, compensatory damages, and in some cases punitive damages. The cost of retaliation typically exceeds the cost of the underlying violation.
These protections remove the downside risk for the reporter, and someone considering whether to disclose what they know doesn’t need to weigh potential financial reward against career destruction. The law protects them from the latter while enabling the former.
When you mistreat someone on their way out – withhold promised payments, disparage them to others, contest unemployment claims out of spite, threaten legal action for imagined grievances – you’re not creating a disincentive for them to report what they know. You’re removing the last psychological barrier that was keeping them quiet.
The Psychology of Disclosure
Most people, most of the time, don’t report violations even when they see them. There’s research on this. The barriers include loyalty to colleagues, fear of disrupting their own lives, concern about being seen as a troublemaker, and general inertia. People convince themselves that the violation isn’t that serious, or that someone else will handle it, or that it’s not their problem.
These psychological barriers erode quickly when the employment relationship ends badly.
Loyalty evaporates when betrayal enters the picture. Someone who felt connected to the company and its mission, or loyal to ownership, suddenly feels used, discarded, and disrespected. The mental framework shifts from “we” to “them,” and protecting the organization no longer feels like protecting something they’re part of.
Fear transforms into motivation; a person who was worried about rocking the boat while employed has nothing left to lose once that employment is gone – especially if it ends on bad terms. The thing they were afraid of – a sour parting relationship – has already happened. What’s left to fear?
Concern about reputation flips direction, and instead of worrying about being seen as a troublemaker, the former employee now begins to worry about being seen as complicit. They may wonder about having stayed silent and what it means that they went along with it for so long. Reporting becomes a way to correct that.
And inertia? That breaks the moment you give someone a reason to act, and mistreatment provides that reason. Every petty indignity, every withheld payment, every unnecessary cruelty during separation becomes fuel for action they might otherwise have never taken.
What Triggers the Call
An employee who knew where bodies were buried – metaphorically speaking – leaves a company. They leave professionally, even cordially, with no intention of causing problems; they simply want to move on with their lives.
Then the company does something vindictive: Withholds a final commission check, accrued vacation, or a bonus already earned. Perhaps the company contests an unemployment claim out of spite, sends a threatening letter about some imagined breach of a non-compete, or bad-mouths them to a prospective employer or their professional network.
The point being, the action is punitive, taken out of an all-too-common human need to inflict pain when pain has been inflicted. Suddenly that former employee isn’t moving on anymore; they’re angry and looking for ways to respond. They begin to focus on everything they saw: the billing practices that seemed questionable, the aggressive tax maneuvers on company expenses, or the environmental violations they documented because they knew something was wrong even if they didn’t say anything at the time.
That documentation still exists in personal email folders, on phones, in notes they kept; it exists in memories that are now extremely motivated to find an outlet.
A Google search for “whistleblower rewards” takes about two seconds and finding a qui tam attorney who has done plenty of work for a significant portion of the reward takes about ten minutes more. Once that process starts, you’re no longer dealing with a disgruntled former employee – you’re potentially dealing with a federal investigation.
The Compounding Problem
Violations don’t age well. A tax strategy that saved $50,000 this year might create exposure for the last seven years of returns in the case of an error, or even longer; the IRS, for example, considers any case of fraud to have no statute of limitations. An environmental shortcut that seemed minor in isolation looks different when it’s been happening for a decade, and an employee misclassification that affected five people when first done may now affect fifty.
This is why I refer to them as compliance “time-bombs” – they don’t go off when the violation occurs, instead detonating when someone triggers them. Often, by the time they go off the exposure has grown by orders of magnitude.
False Claims Act violations, for example, carry penalties of up to three times the amount defrauded plus civil penalties per false claim. This doesn’t include the cost of the investigation itself: legal fees, management distraction, reputation damage, and difficulty in achieving a company sale or acquisition during due diligence if that is the plan down the road. The cost of defending against a whistleblower action often exceeds the settlement cost – and you incur it whether you win or lose.
What This Means for You
If you are in this situation, whether intentional or not, you have two choices. You can fix your compliance issues, which is the right answer but rarely the realistic one. Business owners who were unaware of some of these more serious compliance issues often find their correction too expensive or disruptive to pursue seriously. And those business owners who orchestrated serious compliance issues have little to no reason to want them fixed, since presumably they had “good reason” to commit them in the first place.
The second choice is to, at the very least, stop creating whistleblowers by remembering that every employee who leaves your organization is a potential reporter. They saw things while they worked for you, and the right question to ask is not whether they have information – they do. The right question is whether they have motivation to use it, and how much of that motivation is within your control.
When someone leaves your company – whether they resign, were terminated, or something in between – business owners face a choice point. You can treat them with basic dignity and fairness, pay what you owe, provide reasonable references, and let them leave without unnecessary conflict. Alternatively, you can squeeze a penny until you produce copper wire, contest every claim, threaten legal action, and generally make their departure as painful as possible to show them who the “Boss” is.
The first approach costs you almost nothing beyond basic professionalism, maybe even some swallowed pride. The second approach saves you almost nothing when viewed big picture – and potentially creates an angry individual who might have information worth millions to the federal government.
This is risk management at its most fundamental. You’re not eliminating the underlying compliance risk – only genuine compliance fixes do that. But you’re significantly reducing the probability that dormant risks become active crises.
Violations Plus Vindictiveness
If you’re reading this and feeling defensive – good; that discomfort is worth examining.
Every business has areas where practices don’t perfectly align with regulations; this is the reality of complex organizations. Unfortunately, the businesses that end up in whistleblower cases aren’t always the worst actors; they’re often businesses that combine questionable practices with poor treatment of the people who knew about them. The violation provides the ammunition, while the mistreatment provides the motivation.
Remove either element and your risk profile changes dramatically. Fix the violations and it doesn’t matter how angry former employees are – they have nothing to report. This is the ideal, and one I encourage wherever possible. Alternatively, treat people decently and it doesn’t matter what they know; they have no motivation to report it because the path of least resistance is to just move on with their lives.
Combining both – violations plus vindictiveness – is what causes dormant risks to explode into active disasters.
Parting Thoughts
I’ve spent my career in operations, keenly aware of a gap in how businesses typically run versus how they present themselves. The gap between the two isn’t rare; an absence of that gap would be the unicorn. The reality is that no business is perfectly compliant, especially not those making the compliance rules.
Regardless, that gap creates latent risk and latent risk becomes active crisis through the same vehicle that caused the gap to begin with: human choices – yours and theirs.
You can’t control everything and even if you intend to eliminate every compliance gap (which, again, is the right choice, always) you can’t do it overnight. Neither can you “un-know” what employees already know – the past is the past. But you can control how you treat people and you can choose not to create enemies out of people who have information about you.
I am confident there will be some readers who will see this as cynical advice to be nice to people, simply to keep them from tattling on you. Sure, if that’s the takeaway and it results in greater compliance and/or departing employees being treated with basic humanity, I’ll accept the mischaracterization.
But there’s a simpler message I’m trying to convey: Stop exposing yourself to risk through compliance issues, and if you choose to do so anyway – don’t be an asshole to people who can destroy your business. Especially when being decent costs you little or nothing.
Thomas Geller is the Principal of TBG Advisory, specializing in operational and financial transformation for small and mid-sized companies. He’s spent 20+ years as COO and CFO in operations-heavy industries. Now he focuses on what he always enjoyed most in those roles – diagnosing what’s broken and helping others fix it.
His approach: Think Strategically. Build Deliberately. Grow Sustainably.