With whistleblowing regulation on the rise globally, and a new age of accountability and transparency converging with flexible working trends, more executives are asking about best practices for whistleblowing. This was the background to a webinar hosted by WhistleB’s parent company, NAVEX, and which also featured WhistleB’s Jan Stappers.
More than 500 attendees joined the webinar entitled “Workplace Whistleblowing: What your board needs to know” and the quantity and quality of the questions received prompted this follow-up article. Questions ranged from identifying appropriate whistleblowing channels, to dealing with non-whistleblowing reports and creating a speak-up culture.
In this article we grouped the questions under common themes and answered them as best practices for whistleblowing that will be valuable to any organisation looking to build an effective whistleblowing programme.
Creating a culture of trust to encourage whistleblower reporting
What can an organisation do to improve the rate of whistleblowing from known sources rather than anonymous sources? And why might an organisation tend to receive reports more from anonymous sources?
Fear of retaliation seems to be the main reason for people to opt for anonymous reporting. We see organisations that succeed in creating a culture of trust and transparency receive more confidential (as opposed to anonymous) reports. A culture in which it is safe and encouraged to raise concerns is extremely powerful.
Top management needs to practice what is preached: maintaining a sound whistleblowing structure, acknowledging speaking up about wrongdoing and continuously maintaining awareness on this topic.
At a tactical level, ongoing training and creation of awareness of the company values are likely to improve the whistleblowing environment. This can be done through online and on-demand training programmes, and communication as part of standard HR processes (induction, 1:1s, team meetings).
Is whistleblowing channel use a reflection of lack of trust in line management protocols?
No, quite the opposite: internal whistleblowing shows that people trust the organisation to deal with matters properly. It may indicate a more open atmosphere, a healthy culture within the organisation – otherwise employees would opt for external reporting or public disclosure.
Should I be worried that we have a very small number of disclosures?
Perhaps your organisation has managed to create an environment in which risk incidents are raised or potential wrongdoings are addressed at an early stage. In any case, it might be worth considering awareness-raising activities, training and a third-party assessment of the efficiency of your whistleblowing structure.
Should organisations incentivize whistleblowing?
Yes, although incentives can come in many forms, of which acknowledgement is an important one. Thanking the whistleblower for their valuable input is an often-overlooked step.
Do you have any thoughts on how to promote whistleblowing as a positive activity to staff?
More transparent, ethical organisations are more pleasant environments to work and develop in. This will surely appeal to the majority of staff.
You might consider sharing the outcomes of whistleblower complaints with employees generally. This is an important part of creating engagement and showing commitment. This could be done by explaining the general measures that were prompted by a report, or by sharing anonymised statistics.
Appropriate systems and procedures for whistleblower reporting
For a global whistleblower hotline, is regular mail still a viable option?
Considering the security risk, risk of delay and risk of the physical mail getting lost, and taking into account the fact that the management of whistleblowing cases is subject to data protection laws, there is ever decreasing room for less secure reporting systems.
Where workplace locations allow, reports can also be submitted in person (also known as “walk up” reports). These can be uploaded to your case management system and then tracked, managed and reported upon in the same way as reports received via other channels.
What about systems for small organisations the size of 20 employees or so?
The fact that people work closely together makes the guarantee of confidentiality and anonymity a challenge. Appointing a third party to assess incoming reports might be a solution. Digital systems are also available that are almost “plug-and-play” with data security and protection laws embedded, which supports smaller companies in complying with such laws.
Is it considered good practice to encourage employees to speak up directly to management first, or should the main focus be on reporting via the whistleblowing channel?
The whistleblower should be free to choose the most appropriate reporting channel, without being directed toward a certain channel.
What are the arguments for widening the group of people allowed to report?
Broadening the group of potential whistleblowers, to perhaps include customers, suppliers and former employees, increases the likelihood of receiving valuable reports. People that are more distant to an organisation are sometimes better placed to report on a sensitive matter, compared to those within it. Further, opening up to more stakeholders is also a way of communicating that your organisation is serious about doing business ethically and transparently, and stopping misconduct throughout the entire value chain.
Best practices for whistleblowing case management and team processes
Does the organisation have to share the outcome with the whistleblower?
In the context of internal reporting, informing the reporting person, as far as legally possible and in the most comprehensive way possible, about the follow-up to the report is crucial for building trust in the effectiveness of the overall system of whistleblower protection. It also reduces the likelihood of further unnecessary reports or public disclosures.
The reporting person should be informed within a reasonable timeframe about the action envisaged or taken as follow-up to the report and the grounds for the choice of that follow-up. Follow-up could include referral to other channels or procedures, closure of the procedure based on lack of sufficient evidence or other grounds, launch of an internal enquiry and, possibly, its findings and any measures taken to address the issue raised, or referral to an external authority for further investigation.
In all cases, the reporting person should be informed of the investigation’s progress and outcome. It should be possible to ask the reporting person to provide further information, during the course of the investigation, albeit without there being an obligation to provide such information.
(If you are based in the EU, this area will be regulated by the transposition of the EU Whistleblower Protection Directive into national law, at the latest by December 2021).
But isn’t there a risk to updating the whistleblower on the progress of a complaint?
Indeed, the right balance has to be found between the rights and obligations of the whistleblower, the organisation and other people involved (e.g., the accused). If the report was made anonymously, technology can assist in allowing for a dialogue while the anonymity of a whistleblower is maintained. Certainly, no sensitive information should be shared with the whistleblower, as it may be detrimental to the investigative process and resolution of the wrongdoing.
Is it still necessary to investigate an anonymous report immediately if specific details are not provided?
Your whistleblowing process should facilitate follow-up with the reporter, either through a technology solution or other robust feedback process. A dialogue establishes trust and allows you to get to the core of a report. However, not all reporters wish to provide further information. Your investigation strategy should account for situations where follow-up information from the reporter may not be available.
(If you are based in the EU, this area will be regulated by the transposition of the EU Whistleblower Protection Directive into national law, at the latest by December 2021).
Do you have a “recommended” time frame for prompt follow up?
It is up to each organisation how promptly reports are followed up on. The recommended response time depends on the matter and urgency of the reported wrongdoing and the complexity of the investigation required. In any case, it is recommended to keep the whistleblower informed about the fact that the report is being dealt with.
(If you are based in the EU, this area will be regulated by the transposition of the EU Whistleblower Protection Directive into national law, at the latest by December 2021).
Many whistleblowers do not provide data to back up their accusations. How do we deal with such reports?
Whistleblowing reports rarely arrive fully “packaged”. A robust triage and investigation process that allows for dialogue and communication with a reporter is recommended. The onus is on the organisation, not the reporter, to investigate reports and determine their merit. Bear in mind that many reporters are cautious and fearful of repercussions, so may choose to withhold detailed information until they receive reassurance in the process.
How do we protect the whistleblower’s identity when we are trying to investigate issues?
By maintaining the anonymity or confidentiality of the whistleblower, e.g., through putting in place secure channels and experienced, impartial people who deal with the report.
How do you get sometimes siloed teams to manage cases so that all elements are dealt with?
Whistleblower reports can vary widely in subject matter and require many areas of expertise. It is a good idea to appoint individuals who oversee the entire process. This can also be outsourced to third parties, such as law firms. In larger organisations, it may also be valuable to set up a whistleblowing team made up of representatives from a range of areas including Legal, Compliance, HR, Accounting, Ethics and so on.
What if a company hires a manager to receive reports that is not trustworthy?
One person could indeed be the bottle neck. This is where a team of appointed people (as mentioned above) is also valuable, so that reports can be assessed properly and more independently. The mix of roles and departments can improve the integrity of the team. It is also good practice to establish an escalation procedure when setting up your programme so that your team is ready for such occasions.
Under which function should the whistleblowing process be placed?
A combination of Legal, Compliance and perhaps Audit is optimal. Please also consider establishing a supervisory board and ethics council.
Best practices for handling non-whistleblowing cases or malicious cases
Should separate grievance procedures be integrated into a whistleblowing procedure, or can they be maintained separately?
This depends on the characteristics of each organisation. It is recommended not to put the burden of categorising the report on the whistleblower, but to have this done by experts on the receiving side.
We recommend looking beyond the strict legal definitions of whistleblowing. For example, HR-related reports can very well be a good indication of an undesirable work culture, which is more likely to result in wrongdoing taking place. In the event that these types of cases are received, it is good practice to notify the person who sent the report and refer them to the relevant manager, the HR department or similar, as appropriate.
How can management distinguish actual whistleblowing from malicious reports from anonymous staff members?
A malicious report is one that is known to be untrue, or is willfully or intentionally misleading. Ascertaining these from anonymous reporters is difficult. The dialogue with a whistleblower might provide some indications on whether a report is bona fide or mala fide.
Preventing retaliation against whistleblowers
Why are some whistleblowers treated badly for taking very tough decisions in often unpleasant situations and how can we protect them effectively?
Some people might feel threatened by the report and therefore retaliate against whistleblowers.
One way to minimise retaliation may be by openly treating whistleblowers as heroes; for example, fashion multinational H&M hired the Cambridge Analytica whistleblower as research director.
How do you address any potential retaliation against third-party whistleblowers?
This should be condemned and prevented, as it discourages whistleblowing. Minimise the risks of retaliation or any negative consequence for the whistleblower by ensuring that all information provided is kept confidential.
(If you are based in the EU, this area will be regulated by the transposition of the EU Whistleblower Protection Directive into national law, at the latest by December 2021).
And finally, questions related to the EU Whistleblower Protection Directive
Is it only fraud and corruption that are classed as whistleblowing matters?
No, the Directive covers breaches of all EU law. It is expected that at least some Member States will broaden the scope of covered disclosures. We recommend any misconduct in the workplace to be considered as relevant. This could be fraud or corruption, bribery, human rights issues, data privacy, etc.
If the whistleblower does not follow the steps in the Directive and goes public, can a legal action be launched against them?
The Directive explicitly offers protection to the whistleblower in such scenarios. The whistleblower may go public directly, if this decision was taken on reasonable grounds, perhaps if they do not trust the internal system. If this were not to be the case, legal action might indeed be an option. However, organisations should consider the risks for the organisation involved: suing a whistleblower is a delicate matter.
How do you navigate the variety of definitions that occur in different jurisdictions, as well as different standards?
Choose solutions that allow settings to enable you to comply with the various national legal frameworks. In case of overlapping obligations, we recommend adhering to the most stringent framework; in this way, you make sure you comply with all applicable laws and your organisation shows its dedication to ethics.
If you would like to watch a recording of the webinar, you can view it here. You can also download the infographic referred to in this webinar.
