State of R&C Report Key Finding – European Organizations Lag Behind in Anti-Retaliation Policies

European organizations are not giving anti-retaliation requirements the attention they need, according to findings in our 2023 State of Risk and Compliance report.

In the 2023 NAVEX survey of more than 1,300 R&C leaders across the globe, over half of all respondents rated “Whistleblowing, Reporting & Retaliation” as “very important or absolutely essential”. However, U.S. organizations in particular valued these concepts as a higher priority, with 71% of respondents giving this rating compared to their European counterparts’ average of 62%.

Further findings reveal major differences in regional responses about whether organizations have actually implemented non-retaliation policies. In the U.S., 61% reported having these policies in place compared to Germany's 41%, the U.K.'s 36%, and France's 27%.

This gap between the U.S. and European organizations raises a critical question: why are European firms lagging behind in efforts to prevent retaliation?

What does non-implementation of anti-retaliation policies look like?

Non-implementation might present as:

  • Inconsistent communication with reporters about their rights
  • Unclear guidance on how to report retaliation
  • Opaque records on past handling of retaliation cases or reports of retaliation
  • A lack of training or undefined policies on how to identify retaliation
  • Poor transparency over what is done if retaliation is identified after a report is made

Organizations must understand that a strong compliance program isn't just about having policies – it's about the visibility and trustworthiness of those policies that guide employees beyond making a report. European organizations should reassess and strengthen their approach to ensure reporters are supported and not penalized for honesty. With fear of retaliation the leading cause of employees not speaking up, training is vital for reinforcing policies around anti-retaliation and earning employee trust.

Mixed investment in training raises another issue. Despite the EU Whistleblower Protection Directive's enforcement, the importance of improving or implementing training seems to be less pronounced in European organizations than ones based the U.S. than in European organizations. When surveyed about plans to implement ethics and code of conduct training within the next 2-3 years, the responses varied: 66% in the U.S., compared to 45% in Germany and 38% in France.

As anti-retaliation training is likely to be a key component of any ethics and compliance training, a lack of urgency in implementing this training hints at less investment. It also raises the question of whether organizations in particular regions may be less committed to clarifying rules and expectations around anti-retaliation.

Interestingly, our findings suggest that more European organizations prioritize data privacy over non-retaliation policies. This divergence between the intent of the EU Whistleblower Directive and practical approaches by organizations to adapt hints at a broader issue. Whether this reflects the ability or willingness to meet the Directive's requirements remains to be seen.

What next?

Consideration of the EU Whistleblower Protection Directive's requirements is essential. Even so, the State of Risk and Compliance Report findings show a surprising lesser focus on anti-retaliation and whistleblowing awareness in many European organizations.

While baseline activity around enabling reporters to report continues, inaction around eliminating retaliation and awareness of its nature is a concerning sign – or at least a sign that progress is slower than anticipated given the new legislation in play. The best whistleblowing processes and efforts to keep internal issues resolved internally will struggle if employees fear reporting due to retaliation. Reports that emerge externally may pose a far greater risk to organizations than clamping down on retaliation.

The pressure of the EU Whistleblower Directive was meant to prompt decisive action for organizations around enabling and protecting reporters – but there's evidently more work to be done.

Intrigued by these findings?

Explore more on the current risk and compliance landscape – and how you can stay ahead – by downloading the complete 2023 State of Risk and Compliance report.

Get insights for 2023


Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.

The Element of Surprise Keeps Things Honest

The Path from CISO to Board Director

Everyone even peripherally involved with corporate governance, compliance, or risk management knows that corporate boards need more CISOs to help them navigate today’s cyber-saturated world. This post discusses how CISOs can deepen ties and increase influence with, and presence on, boards of directors.

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

What is a Conflict of Interest? You’ll Know it When You See It.

Determining whether a proposed business relationship is a conflict of interest is usually subject to interpretation. Often, you’ll know it when you see it, but there are still many best practices to consider in managing conflict of interest disclosures. 

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.