When do you need a whistleblower policy?
Globally, the type of legal protection offered to whistleblowers is still quite fragmented. Across the European Union, however, thanks to the European Whistleblower Protection Directive, the situation has become more harmonised. Despite numerous delays, member states have now largely enacted their own national laws in line with EU requirements. All organisations operating in the EU with 250 or more employees were the first to be required with the new legislation while it was later extended to those with 50 or more members of staff.
Clearly, any UK companies with operations in the EU also need to comply with the bloc’s new legal standards. For companies that operate solely in the UK, national laws, such as the Public Interest Disclosure Act 1998 and the Employment Rights Act 1996, already provide extensive whistleblower protection. However, public disclosures in the UK may result in a loss of protection.
Wherever your company operates, compliance professionals need to be familiar with local legislation to be in a position to design a whistleblower protection policy that is fit for purpose. Given the disparities across different jurisdictions, is there a single whistleblower policy that might work for global organisations?
Only if you apply the strictest of standards wherever your organisation works in the world.
What is the purpose of your whistleblower policy?
Irrespective of any legal requirements, the main purpose of a whistleblower protection policy is invariably the same across the globe. Its goal is to cultivate a culture of integrity within an organisation. Full transparency is essential for individuals to put their trust in such a policy.
An effective whistleblowing policy builds trust by…
- Educating staff and other third parties on company standards.
- Providing clear guidance on the whistleblowing process.
- Explaining how to raise a concern.
- Defining the types of concerns that can be raised.
- Outlining any legal protections or restrictions.
In a nutshell, a whistleblower policy should promote a commitment to ethical behaviour and encourage a culture where wrongdoing is safely reported at an early stage.
What should a whistleblower policy include?
Many whistleblower policies will need to include the same basic information.
Who is a whistleblower and who is protected?
Any whistleblower policy needs to explain what is meant by “whistleblower”. Typically, it is someone who speaks up about suspected wrongdoing that they reasonably believe is in the public interest.
Under EU law, your policy will need to protect your employees and former employees, as well as interns, the self-employed, employees of a supplier and business partners who work with your organisation. Even third parties who are closely connected to the person reporting the misconduct have to be protected — and this includes family members.
What are valid whistleblowing concerns?
Your policy should leave no doubt as to the kind of whistleblower reports and concerns that are covered by whistleblower protection legislation. Generally, whistleblowers are legally protected if they act in the public interest and disclose any information related to corrupt, fraudulent, hazardous, or illegal activities.
The areas covered typically include:
- Accounting fraud
- Bribery and any form of corruption
- Corporate tax evasion
- Money laundering
- Financing of terrorist organisations
- Environmental damage
- Breaches of food and product safety regulations
- Breaches of public health and safety regulations
- Supply chain violations
What whistleblowing is not
Reports of personal grievances, such as harassment or bullying, are not generally covered by whistleblower protection legislation and this needs to be clear in your policy. Organisations should therefore set up formal employee grievance procedures for such issues to remain separate from your whistleblowing procedures.
Reporting options: internally, externally and to the media
Your policy needs to outline your legal obligations regarding reporting procedures. In the EU, for instance, companies are obliged to…
- Acknowledge receipt of a whistleblower report within seven days.
- Provide prompt and appropriate feedback on the report during the investigation.
- Conclude the investigation and provide a final follow-up within 90 days of the filing of the report.
- Maintain diligent and secure record keeping.
The EU Directive actively encourages internal reporting of misconduct first. However, if your internal reporting mechanisms do not result in a speedy and appropriate resolution of a case, the EU whistleblower protection legislation allows an individual to take their concerns to the relevant authorities — and still be legally protected from retaliation. An individual can turn to the media as a final resort and will still be protected from reprisals under EU legislation. You need to inform whistleblowers of such options in your policy.
Obviously, it is generally neither in a company’s nor in an individual’s interest for a whistleblower report to go first to the authorities or to the press. To avoid such scenarios, it’s essential for companies to set up appropriate reporting channels.
What kind of internal reporting channels are necessary?
Given the legal provisions, organisations need to provide and promote safe and secure internal channels for people to report misconduct in their workplace. You will need to clarify what they are in your policy.
At a minimum, this will require:
- A system that allows employees and third parties to report potential misconduct in a confidential manner.
- Various secure reporting channels to give individuals a choice to file a report in person, verbally or in writing.
- Reporting mechanisms that are accessible outside of the company network.
- Safeguards to protect whistleblowers from retaliation.
- Impartial individuals, including subject-matter experts, who follow up on the reports and communicate with the whistleblower.
- Guaranteed anonymity where desired or provided for in national law.
What is clear is that anonymous reporting is already, or will become, a common key feature of any whistleblower policy or reporting mechanism. Why protect the anonymity of whistleblowers? A major barrier to people coming forward when they witness corruption or misconduct is the fear of exposure and retaliation. For this reason, EU legislation requires that organisations set up reporting channels that allow for confidential reporting. The identity of the whistleblower — or the people implicated in any whistleblower reports — may not be disclosed without explicit consent of the individuals involved.
The key to success: communication
What should you do when there are legal constraints that prevent you from disclosing the exact outcome of an investigation? Even in such instances, it’s crucial to provide at least a minimum of feedback to the whistleblower. Your policy should outline what you can and cannot communicate.
One option is to publish anonymised reports at regular intervals to inform staff and the general public about any whistleblowing incidents in your organisation and their outcomes. Your policy should indicate where such reports can be found.
Ultimately, the more transparent you are, the more likely people will understand the legal restrictions in place, trust your policy and therefore speak up. An effective whistleblower policy can only succeed if people are aware of it and feel it can be trusted.
Guide to the Introduction of Whistleblowing Systems
How to successfully implement a whistleblowing system in your organisation.