BY: ComplyLog|April 27, 2021|Whistleblowing
Whistleblowers are integral to stamping out corruption and other wrongdoing within businesses and public bodies. With a typical company losing 5% of its revenues to fraud, it is important to develop a culture in which employees feel comfortable and safe when reporting breaches of the law. However, with new legislation coming into force, this will soon become a compliance issue as well. You need to develop the correct company culture — one that encourages whistleblowing and set up a robust internal whistleblowing system in order to meet the EU’s new strict requirements.
The EU Whistleblowing Directive, formally known as EU Directive 2019/1937, mandates that businesses and government agencies with more than 50 employees, as well as municipalities serving more than 10,000 inhabitants, must create an internal reporting system and protect whistleblowers from retaliation. Analysis shows that a quarter of European fraud cases were instigated by internal tip-offs, but, at the time the EU passed the directive, only ten member states provided full protection for whistleblowers.
Among other things, your internal reporting system should offer confidentiality, security and help you process cases in a timely and effective manner. In this article, we will look into the different systems in detail.
Table of Contents
4 What are the Key Features of an Effective Whistleblowing System?
5 Steps To Implement An Internal Whistleblowing System
A whistleblowing system, or whistleblowing mechanism, is a process that an organisation puts in place to encourage and enable the reporting of wrongdoing. The system should feature confidential reporting channels, such as a web portal, dedicated phone line or an independent ombuds function. The system is bolstered by a code of conduct and company rules that dictate how to publicise and encourage the use of the reporting channels, how the reporting process works, how to combat retaliation against the reporting person and how to use the information uncovered to reform the way the organisation works in the future.
By 17th December 2021, organisations of 250 or more employees and municipalities covering more than 10,000 citizens must adhere to the whistleblowing directive. For bodies of between 50 and 249 employees, the deadline is 17th December 2023.
Here is a checklist to ensure you are ready to meet the requirements by the necessary date:
|Type of Channel||How it Works|
|Postbox||Reporters post their reports into a box situated in the office, much like a suggestion box. Simple and easy to use. The downsides being that remote workers have no access to it and some whistleblowers will feel uncomfortable about this public method of reporting.|
|The organisation sets up a dedicated email address to receive reports. Email is commonplace in the working environment, making this an obvious choice. However, whistleblowers who want to remain anonymous might be dissuaded by having to create a new email address and an inbox that bears no connection to their identity.|
|Telephone||A dedicated whistleblowing hotline for employees to use. Call handlers can ask for additional information at the time, helping them to create a more thorough report. However, this solution requires well-trained staff to be on hand for the entire time it is open, which could prove costly. In addition, it is difficult to ensure the anonymity of the reporting person, if they require it, as their voice may be recognised by the call handler.|
|Ombudsperson||An ombuds (ombudsman, ombudsperson) function is an independent external body that organisations can task with investigating reports and making recommendations. This can allay fears of an internal whitewash but is an expensive option for businesses.|
|Digital Whistleblowing System||An online tool that whistleblowers use to make their report. It informs the relevant parties that there is a report so they can acknowledge receipt and begin an investigation. The dashboard shows the status of each case and notifies designated people of the deadlines. It also ensures unauthorised people do not have access to confidential information and complies with GDPR. As whistleblowers can access this privately, it is the best option for those seeking anonymity.|
|Face-to-Face Meeting||On request, whistleblowers can make their reports to an individual in a face-to-face meeting. This method relies on the representative of the organisation taking thorough and accurate notes and being impartial.|
In order to provide the best service for your employees, there are a number of key features your whistleblowing arrangements must contain. You need staff to trust the system and feel that it makes a positive change to your workplace. They must see that it helps inform strategy and the future shape of the business or public body. These features help achieve those goals:
Employees need to know where and how they can make reports. There should be as few obstacles in their way as possible. Whichever channel or combination of channels you decide to use, you must bear this in mind. An online tool is a good example of an accessible channel. Even when out of the office and without WiFi, a whistleblower can still file a report using mobile data from anywhere and at any time. If you use a telephone line as a reporting channel, making sure reporting persons can call 24 hours a day is advisable as this provides the opportunity for them to call when they feel the most comfortable.
Only authorised persons should have access to the details of a case, according to the directive, so your reporting system must be capable of maintaining privacy at all times. This means keeping the name of the reporter confidential, as well as their family, their colleagues who have supported them in making the claim and anyone accused of wrongdoing in the report.
As part of the General Data Protection Regulation, all organisations must comply with the rules on handling and protecting the personal data that they hold. This also applies to the data you receive in whistleblowing reports.
Your internal whistleblowing system must feature an effective workflow that allows you to receive and investigate reports in line with the ruling of the directive. This means acknowledging reports within seven days and feeding back with updates within three months.
A system can only work if people know how to access it and how to most efficiently and effectively deal with reports. This requires training for employees that educates them on how they can go about reporting in a confidential manner. In some cases, a culture shift may also be needed to encourage them to step forward. You should also make sure that the designated people know to deal with each case according to the requirements of the directive.
Another important element of training is to instil a robust anti-retaliation policy in the organisation. Companies can face large penalties, litigation and bills for damages if they or any individuals within the organisation are seen to have punished a whistleblower for making their report.
Finally, when training staff, it is a good idea to be transparent about the process of reporting and investigating, backing this up with anonymised case studies and statistics. This shows the system in action and breeds confidence that it works.
Before you can begin building your whistleblowing system, you need to understand what the EU Whistleblowing Directive requires. Keep in mind, however, that the directive is in place to set minimum standards for whistleblower protection. Member states can be more stringent if they wish. For businesses with bases in multiple EU countries, it is important to consult the local legislation in every jurisdiction in which you do business.
Organisations have many obligations to meet, so it may be necessary to dig deep into the employee handbook and code of conduct to align your existing policies with the directive.
You should work to the deadline of either 17th December 2021 for companies of 250 employees and over, and 17th December 2023 for those of between 50 and 249 employees. For local authorities, there is a concession that allows municipalities to share internal reporting systems, as long as that sits within national law and they are distinct from the external reporting systems. They must also continue to adhere to the requirement for confidentiality.
It is important that management buys into the protection measures you intend to put in place. Priming them at this stage and explaining the necessity of the measures and the benefits they will bring will help establish an open, speak-up culture.
Bearing in mind your obligations, you should decide on which reporting channels you will implement into your business. This will entirely depend on the nature of your organisation, corporate culture and your ability to meet the requirements of the directive. An important consideration is also the national law in terms of privacy, security and data handling. Compliance is key when deciding which channel to use.
When developing your portfolio of channels, you must consider who is to make a protected disclosure. It is not just current office-based staff. You are also obligated to provide access to suppliers, agents, former employees, freelancers and many more. This means that opting for a single, physical reporting point in your headquarters is not adequate.
In order to make it as easy as possible for whistleblowers to make reports, you should install a selection of channels. These can be tailored to the nature of the work you do and the culture in the organisation. Remote field workers may prefer a telephone hotline, whilst home-based staff may rather opt for a digital whistleblowing platform.
Cost is another consideration. To make a telephone hotline work to the best of its ability, you need trained staff to man it 24 hours a day. The sheer amount of resources needed could dissuade some organisations from using this method.
The impartiality of the person or department that receives, reviews and investigates claims is important for showing potential whistleblowers that their reports will be taken seriously and acted upon without conflicts of interest. You may choose separate people to receive, review and investigate or task the same person to take on all of these roles. That is a decision that you should take based on logistics and finances.
The person or division that handles reporting must diligently follow up on all signals and maintain communication with the whistleblower. This includes requesting further information and providing feedback on the status of the report as well as details of the next steps to be taken.
Some businesses may decide to use an ombuds function to perform this task on their behalf.
The directive requires an acknowledgement of receipt of the report within seven days and feedback within three months after that. You may choose to shorten the timeframe in your organisation, depending on how you intend to structure your process.
You need to first establish this process and then apply it to every case in the same manner. Consistency is important in creating a system that is seen to be fair and impartial.
Once you receive a case, you must decide how you proceed in order to conduct the fullest and most comprehensive investigation into the claims. With an online whistleblowing channel, you can set reminders and deadlines for managed actions and track the status of each report to maintain consistency. For example, IntegrityLog’s dashboard helps you easily visualise the status of each live case and allows you to prioritise accordingly, whilst also managing acknowledgement of receipt automatically. This automated process helps with compliance with the regulation.
To encourage people to blow the whistle, you need to inform all affected parties of how to make reports should they uncover any wrongdoing. Communicate the information that they need to know, with careful explanations about whistleblowing, its importance, your policy on it and the process of making and investigating claims.
To raise awareness, you can ask employees to complete questionnaires, provide FAQs for those who might want to make a report and ensure that all relevant details are included in your code of conduct, employee handbook and in training sessions. If you have a staff intranet, there should be a dedicated section for the whistleblowing system, and you can promote it on notice boards and in communal areas around the office.
Training should include how to file a report, how to receive and investigate reports, how to escalate if further action is needed and details of anti-retaliation policies.
For many businesses, this type of reporting system might be a completely new way of working. That is why it is best practice to monitor progress and assess the success or otherwise of your channels. Compliance is important, so you need to know if you are falling short in any aspect of the legal requirements.
It is also good practice to keep appraising the system with an internal audit and honing it to improve its effectiveness as you go. You will get a better idea of the ways in which people feel most comfortable reporting and you can adjust your policy accordingly.
It is up to individual member states to decide whether organisations in their jurisdiction can accept anonymous reports. If your country does allow them, it is often a good idea to accept them. Some whistleblowers are so concerned about their safety that, even though reports are confidential, they prefer to protect themselves further by maintaining anonymity. If you cut off the opportunity to report violations anonymously, you risk these potentially huge reports being made externally. This leaves you without the chance to show that you are resolving a problem and may hurt your organisation’s reputation.
Internal whistleblowing is made within the organisation in which the misconduct occurs. It allows the company to investigate itself and put right failings before the story leaks to the wider world. External reports can be made to an authorised body such as a trade union or an auditor. In addition, a whistleblower that doesn’t believe they will face a fair hearing might choose public disclosure of their grievance to the press.
Anyone who has worked within the organisation in any capacity can send a report. Whether it is current or former employees, those who have applied for work and have discovered wrongdoing in the process of application, contractors, agents, volunteers, interns, shareholders or non-executive directors — they are all eligible to make a confidential report.
You should handle reports by designating an impartial person or department to provide acknowledgement of receipt within seven days. They should liaise with the reporting person if they need more information for their investigation and provide feedback and next steps on the case.
IntegrityLog is an online whistleblowing system that provides a safe and secure solution for handling reports. It ensures full compliance with the EU whistleblowing directive and with GDPR. The easy-to-use dashboard helps you visualise where you are with each active case and track the success of your cases so you don’t miss vital deadlines in your investigations.
Request a demo for your organisation today.
There are many elements to implementing an internal whistleblowing system and each organisation should find the right mix of channels and strategies for its unique use case. In order to comply with the required code of ethics and the various pieces of legislation affecting whistleblowing and data collection, an online whistleblowing reporting tool is a sensible option that ensures the smooth running of your investigations.