BY: ComplyLog|October 25, 2021|Whistleblowing
The EU Whistleblowing Directive will soon be transposed into national law and your business needs to be compliant. In order to fulfil the directive’s requirements, there are a host of systems and procedures you must have in place. A robust whistleblowing policy will help you stay on top of the new, more stringent requirements.
The directive is clear on the importance of whistleblowers in preventing illegal activity. It states that:
“Persons who work for a public or private organisation or are in contact with such an organisation in the context of their work-related activities are often the first to know about threats or harm to the public interest which arise in that context. By reporting breaches of Union law that are harmful to the public interest, such persons act as ‘whistleblowers’ and thereby play a key role in exposing and preventing such breaches and in safeguarding the welfare of society.”
For organisations within, or who operate in, European Union member states, these are the deadlines for implementing the directive:
|Organisations that employ 250 or more staff, or municipalities who serve 10,000 or more citizens||17th December 2021|
|Companies of between 50 and 249 employees||17th December 2023|
Table of Contents
What to include in your whistleblowing policy
A whistleblowing policy is a set of procedures and standards set by an organisation in an internal mechanism to facilitate the reporting and investigation of wrongdoing within the business. It should encourage those with a genuine concern over information on criminal behaviour to feel confident in alerting the company. It should also inform staff that they will be protected from retaliation, their report will be taken seriously and action will be taken to uncover the truth.
All employees should have access to the policy so that they understand the procedures they must follow when reporting incidents, their rights, including their right to confidentiality, what happens during investigation and how they are required to behave towards a reporting person if they know or suspect them to be a whistleblower.
This is an example of a whistleblowing policy from international charity Sightsavers.
If you do not already have a whistleblowing policy in place, now is the time to implement one. The scope of the Whistleblowing Directive is such that it would be impossible to comply with it without one. In the legislation, it is stated that
“legal entities in the private and public sector that have internal reporting procedures in place should be required to provide information on those procedures […] It is essential that such information be clear and easily accessible, including, to any extent possible, also to persons other than workers, who come in contact with the entity through their work-related activities.”
Your whistleblowing policy provides this information to your employees and keeps you in line with the directive. This helps prevent you from incurring the “effective and proportionate” sanctions for non-compliance.
UK companies have to comply with the Public Interest Disclosure Act, which protects current employees who report fraud, illegality, criminal behaviour and other issues that they come across due to the circumstances of their work.
PwC’s Corporate Crime survey found that “while professional auditors were only able to detect 19% of the frauds on private corporations, whistleblowers exposed 43%.” This shows the benefit of empowering employees to speak out and report corruption and violations to the company they work for without discrimination.
The survey found that the “executives surveyed estimated that the whistleblowers saved their shareholders billions of dollars”. This goes to show there is a material benefit to having a clear, effective and encouraging whistleblowing policy.
In addition, the prevention of criminality is important for business reputation and integrity, so anything you can do to promote the exposure of wrongdoing is beneficial too. The directive requires employers to do all they can to encourage whistleblowers to report internally in the first instance, which suits organisations, too. They can deal with the criminal activity in-house, rather than be exposed in an external body, such as the press or on social media.
With so many positive reasons to create a whistleblowing policy, it makes sense to use it to show how supportive you are of reporting persons. Employees that feel confident their employer will look favourably on their report, rather than seek to punish them for “causing trouble,” are clearly more likely to blow the whistle.
If your policy shows them the steps they need to take to make their report, this can also help to persuade them that it is the correct channel for raising concerns without the fear of victimisation.
The scope of your whistleblowing policy should at least match the scope of the EU Whistleblowing Directive. This means that it not only applies to employees, but also to:
You should take this into consideration when deciding on your policy and where to display it or distribute it.
Your whistleblowing policy should set out which whistleblowing channels you have in place to enable people to make reports. There is also a range of different internal reporting systems to choose from. Deciding which ones you should implement depends on your business and its needs.
They can either involve written or oral reporting, and you should also bear in mind how they help you meet with the requirements of the Whistleblowing Directive in terms of confidentiality and record-keeping, as well as remaining compliant with other pieces of legislation, such as the General Data Protection Regulation (GDPR).
Some of the whistleblowing channels include:
The directive requires “appropriate persons or departments” to receive and investigate whistleblowing reports, so this should be reflected in your policy. The legislation stipulates that the choice of persons to fulfil these roles and responsibilities should “ensure independence and absence of conflict of interest.” They should look into the credibility of the concern about unethical conduct.
You could choose to have a separate person or department receive the report from those who investigate, or they could be the same. You should choose the option that works best for your organisation.
The directive currently applies to breaches of European Union law, in the areas of:
You might want to also encourage reporting of any breach of national law in your policy.
Indeed, some nations are extending the scope of the directive as they implement it within their boundaries to include national law too, so you should make sure you check the legislation in your territory to ensure you meet the local requirements.
Knowing how to make a report of criminal activity is an essential part of a functioning whistleblowing system. This is why you should document the process and expectations in your policy.
It should detail the choices that the reporting person has over the different channels, as well as how each works.
You should make sure the policy features the procedure that your company undertakes to process reports. This includes who receives the report and who investigates it.
Additionally, you must lay out your deadlines for acknowledging the receipt of the report and for giving feedback to the reporting person. In line with the EU Whistleblowing Directive, the acknowledgement must come within seven days and you should follow up with the whistleblower, offering feedback within three months. However, these are minimum requirements and you can shorten these deadlines if you wish.
You can choose whether to allow anonymous reporting of suspected wrongdoing if this is allowed in your jurisdiction. It is important to add this information to the policy.
As noted in the directive, whistleblowers should be afforded confidentiality, as should anyone mentioned in their report who is accused or suspected of illegal behaviour. Employees should be aware of this so that they understand where they stand if they find themselves in either position as the safety of any individual must be maintained.
One of the main reasons behind the implementation of the directive was to prevent retaliation against whistleblowers. An aim of this policy should be to promote ethical behaviour and honesty over personal interests to prevent potential whistleblowers from staying quiet. There should be no fear of reprisal.
The directive states that:
“Common minimum standards ensuring that whistleblowers are protected effectively should apply as regards acts and policy areas where there is a need to strengthen enforcement, under-reporting by whistleblowers is a key factor affecting enforcement.”
Retaliation, as described in the directive, includes dismissal, demotion, preventing promotion, harassment, disciplinary action and any other punishment relating to a report. Staff should know what protections and compensations are available if they experience bullying, as well as the sanctions the organisation will impose on anyone found to have carried out retaliation.
Effective whistleblowing policies:
A whistleblower, or reporting person, is described as “a natural person who reports or publicly discloses information on breaches acquired in the context of his or her work-related activities” in the directive.
Your organisation should set sufficiently effective and proportionate sanctions in place to prevent retaliation against whistleblowers. Reporting persons should also have access to legal remedies and compensation if they feel that they have been unfairly targeted because of their report.
The EU Whistleblowing Directive is almost here and brings with it a plethora of minimum standards. The role of a clear and effective policy is to explain how to make and handle reports, complaints or allegations of malpractice, how to prevent and report unethical behaviour or criminal offence. All of this is essential for meeting your legal obligations. That’s why, for European Union countries, or those that do business within the EU, a whistleblowing policy is a key element of the compliance programme.
If you want to make compliance easy and automate the processes for dealing with whistleblowing reports, IntegrityLog can help. Try it free here.