2021 saw organizations subject to a surge of new whistleblower requirements in response to significant changes in worldwide regulations, such as Europe’s EU Directive on Whistleblowing and the US’s Money Laundering Act 2020. Now, new whistleblowing legislation is also being considered by U.K. Parliament.
With support from many industry leaders, a new Whistleblowing Bill was introduced in the U.K. House of Commons in April 2022. If passed, the Bill would replace the Public Interest Disclosure Act 1998 (“PIDA”), which many commentators argue is now inadequate. Instead, an Office for the Whistleblower would be established as an independent body that will champion whistleblowing by providing support and advice services, setting standards, ensuring accountability for those who inflict detriment on whistleblowers, issuing fines, penalties and prison sentences for non-compliance, and ensuring that concerns are investigated and acted upon.
These recent developments provide a clear impetus for organizations to revisit their escalation and whistleblowing provisions and make updates as needed, not least because the new regulations may render existing policies and procedures inadequate. Developing and maintaining an effective whistleblowing framework requires more than simply installing a hotline. Notwithstanding the technical elements such as confidentiality and GDPR (all of which are vital to a well-performing and regulatory compliant whistleblowing system), there are several more unassuming elements organizations can, and should, focus their attention on. These low-hanging-fruits can significantly support organizations in achieving perhaps the most important and fundamental element of a successful whistleblower framework: creating an environment that encourages people to speak up and share concerns.
We have compiled a checklist of key framework elements organizations should be taking time to reflect on.
Encourage speak up through all escalation channels (not just the whistleblower system)
First and foremost, organizations need to encourage speaking-up through all escalation channels, not just the official whistleblowing system. To some, “blowing the whistle” may sound frightening and overly promoting the anonymous whistleblowing system as the sole means of raising concerns can have a contradictory effect on speak up culture within an organization. Rather, organizations should focus on the general encouragement of raising concerns or speaking up, with the whistleblower system just being one of the channels to do this.
The first escalation point for sharing concerns will usually be an employee’s direct manager. But in instances where employees do not feel this is an appropriate avenue for their concern, there should be other channels they can turn to, such as senior level managers or support functions like HR, Legal and Compliance. The Whistleblowing Policy and any related intranet landing pages should make it clear where these escalation points exist throughout an organization and how they can be contacted. Promoting awareness of the escalation framework is vital.
As more and more countries specifically give whistleblowers the choice to escalate a concern internally or reach out to regulators directly (without needing to first raise a concern with management), organizations are well advised to promote all internal channels to prevent reputational damage or additional scrutiny.
Educate & hold receivers (the first point of contact) accountable
Organizations should ensure the individuals on the receiving end of the channels are appropriately trained to deal with concerns raised. These individuals should be able to identify when a concern is being raised (i.e., listen up), initially evaluate that concern and choose whether to resolve, forward or escalate it, know who to involve, direct the concern in a means that maintains confidentiality (and anonymity if required) of the report, and safeguard a swift and effective investigation of the concern raised.
Failure to handle concerns appropriately should result in disciplinary action to encourage the receivers to be accountable for their escalation responsibilities. Receivers should also have a dedicated point-person or team they can seek guidance from and should be advised to err on the side of forwarding the concern.
Choose an approachable name for the whistleblowing framework
As “whistleblowing” can often conjure bad connotations, it’s important to consider the naming convention of a whistleblowing program and whether it’s appropriate to use the term “whistleblowing” to describe a confidential reporting system. Instead, many organizations have adopted names such as the “Speak Up Portal”, “the Do Right Website” or “Share Your Concerns Hub” for their systems.
“Speak Up” is now generally the most common branding used by large organizations for their whistleblowing program. In its broadest context, “speak up” means informing an employer of any issues an employee is aware of – this phrase helps keeps the message simple. The key consideration for organizations is to be clear on what the whistleblowing program’s scope is, no matter what terminology an organization decides to use. An organization can design a fantastic framework that’s perfectly compliant but no one will use it if it is not understood.
Communicate clear definitions of what should be reported and/or escalated
Clearly communicating the difference between a “concern”, a routine business issue and a personal grievance is vital so that the system is not overloaded with irrelevant reports. Not all issues rise to the level of a “concern” that needs to be reported through the escalation channels. Many issues can be resolved by an appropriate responsible individual, while others may be best handled by infrastructure departments established to fix every-day problems.
Provide mandatory, annual staff training on speaking up
Employees need to understand what constitutes a “concern”, what disclosures are protected, and how such disclosures can be reported. Mandatory annual training is a simple means of ensuring awareness and understanding of the sharing concerns/speak up framework.
For example, to attract protection in the UK, a whistleblower must make a qualifying disclosure. Employees who make a disclosure under an organization’s whistleblowing policy should believe that they are acting in the public interest. This means that personal grievances and complaints are not usually covered by whistleblowing law. It is important that trainings, policy, procedures and other communications make this clear.
Elect an appropriate framework gatekeeper
When establishing a whistleblower framework, careful consideration needs be given to system ownership and who will have ultimate responsibility for the speak up program. There are various places a whistleblower function can live in an organization, such as the Compliance, Risk, Internal Audit, or HR departments. Most often, whistleblowing functions in large organizations tend to co-exist in either Risk or Compliance . Where a whistleblower function sits will likely depend on the structure of an organization; however, there is consensus that one area the function should definitely not sit in is in the 1st Line of Defense (i.e., with business and process owners).
As best practice, large organizations should also avoid placing the whistleblowing function in HR. Having the functional accountability within HR can cause employees confusion, as this is the same escalation point for grievances and personal issues. The optics of whistleblowing sitting in HR can also potentially prevent would-be whistleblowers from coming forward. Given HR’s role in bonus, salary, and promotion decisions, often employees want to avoid HR when sharing their concerns and may specifically request “please don’t share this with HR”.
The most important issue in choosing where to place your whistleblower function is the function’s accessibility to the Board of Directors. Also, no matter where your whistleblowing function resides, having clear conflicts of interest procedures is critical as it is inevitable conflicts will arise no matter where the function ultimately lives.
Use a blended team
The investigations team is without doubt absolutely key to the whistleblowing framework. Investigators need to be competent, skilled, and have the ability to engage with whistleblowers, while also having critical analytical skills. However, for a truly successful framework, organizations should use a blend of people to deliver the entire whistleblowing program.
Besides high-quality investigators, the team should also include or have access to experts in:
1. Data – include data analytics personnel to analyze trends and themes coming out of relevant financial and operational systems;
2. Controls – include system controls experts to ensure data privacy, confidentiality and GDPR are being sufficiently maintained, root causes identified, and control deficiencies addressed; and
3. Creativity – include team members on the visual and communications side that bring the creativity and engagement element into the framework.
Provide system and policy access to third-parties
There is an ongoing, global trend of broadening the scope of who a whistleblower is. Previously, only current employees were typically perceived as whistleblowers; however, amendments to whistleblowing laws in places such as Europe, Australia and Japan are now extending protections and reporting capacity to others, including former and retired employees and their family members, directors, contractors and vendors. Organizations should consider making their whistleblowing system externally available to third parties, accompanied by an external statement explaining the organization’s approach towards whistleblowing.
Highlighting the importance of non-employee whistleblowers, the US Securities and Exchange Commission awarded more than $28 million to a non-employee whistleblower(1) in 2021 whose tip led to bribery charges against a U.S. subsidiary of Japanese electronics company Panasonic Corp. and its former executives.
Build confidence through well-resourced and transparent processes
There is no quicker way to kill a whistleblowing program than to ignore those who are trying to provide information. Responding to and investigating the concerns and allegations that individuals bring to an organization’s attention is key to showing employees that their concerns are important and taken seriously. If months go by without an indication of action or resolution, the credibility of the program can be lost.
The EU Directive acknowledges this by requiring both internal and external reports to be acknowledged within seven days of receipt and a response must be issued within a reasonable amount of time (three months for internal reports and up to six months for more complex external reports).
At a minimum, organizations should ensure their system offers a live channel that is sufficiently staffed at all times – whistleblowers will most likely not leave a recorded voicemail if the hotline telephone is left unanswered. Organizations should provide whistleblowers clear timelines for response and action, and offer regular progress updates (as permitted) throughout the course of the investigation. To provide extra comfort to users, organizations should also consider educating employees on how the whistleblower system works – including how it is confidential, what happens after reporting, timing and discipline. This can be done via a simple how-it-works video on the landing page of the system.
Finally, organizations should regularly communicate, both internally and externally, the clear, positive objectives of the whistleblowing system. This will help demonstrate to would-be whistleblowers that the organization will act on genuine concerns raised and that the system is not just a “tick-box” exercise.
Motivate with stories of encouragement and reward whistleblowers with non-monetary incentives
Publishing results of non-confidential whistleblowing investigations to the broader organization, such as describing disciplines (where legally permissible) or improvements to processes, demonstrates that an organization is both listening and acting on concerns. This can further incentivize use of the system.
Organizations should also highlight employees who have had the courage to expose misconduct (in non-confidential situations and only for employees who are happy to have their actions advertised more widely). Acting as subliminal advertising for an organisation’s whistleblower system, communicating courage-based stories is a persuasion technique that can drive future reporting.
Managers also play a key role. If managers exhibit genuine gratitude to employees raising concerns, it can excite a trend that encourages others to speak up. When management praise employees for doing the right thing, it reduces employee fear of being labelled negatively for speaking out.
Report on whistleblowing metrics holistically
There is no one metric an organization can give to a regulator to say “look, we are doing this really well”. Many quantitative metrics exist across an organization – the key success factor is what organizations do with all this information. Organizations need to maximize the multiple data points available to them to gain the most valuable insights into organizational speak up culture and whistleblowing trends.
Whistleblowing reporting volumes in isolation need to be looked at with a degree of caution. High volumes aren’t necessarily good or bad, nor are low volumes. Organizations need additional context to go with these metrics, including understanding what their “normal” baseline is.
Organizations should link their whistleblowing and speak up data into other data points. What are the behaviors the audit team is seeing? What about HR data, such as the results of employee surveys? The real value of all this data being analyzed together is the possible identification of a lead indicator of an underlying trend in the organization. Therefore, whistleblowing data needs to be seen as part of the bigger organizational intelligence jigsaw puzzle. As programs mature, so should the analyses of how whistleblower reports and outcomes interrelate to other areas subject to auditing and monitoring.
Organizations should make sure the important data coming out of the whistleblowing system, such as metrics, hotspots and trends, is being reported to the Board of Director holistically.
Incorporate whistleblowing into the employee exit process
Employees exiting an organization are valuable sources of information. If conducted properly, exit interviews can provide organizations with much-needed information about what’s working (or isn’t working) in a company. Organizations should also include the whistleblowing team’s details in employee exit packs to remind employees they are still welcome to speak up about their concerns after they have left their employment. Sometimes people will reflect on issues and want to raise a concern weeks or even months after they have left an organization.
Some organizations also spend time educating their HR staff that issues may get raised during exit interviews that may amount to whistleblowing and that such information should be escalated to the whistleblowing team.
Take additional steps to prevent unlawful detriment
Detriment (both to employee and non-employee whistleblowers) continues to be a difficult element for companies to manage effectively. In cases of alleged retaliation, the EU Directive on whistleblowing has taken a unique stance by reversing the burden of proof onto the employer. EU employers must now show that measures taken against the employee did not arise as a result of the employee’s disclosure.
In order to prevent retaliation, some organizations are introducing a detriment risk assessment at the point of triage for all whistleblowing cases so that early warning indicators of detriment can be identified and appropriate controls to mitigate or stop that detriment from happening can be put in place. This is also another way to reassure employees about the whistleblowing framework.
Developing and maintaining an effective whistleblowing framework requires more than simply installing a hotline. The low-hanging fruits described above can significantly support organizations in achieving perhaps the most important and fundamental element of a successful whistleblower framework: creating an environment that encourages people to speak-up and share concerns.