ISO 37002 provides guidance for organisations to create a whistleblowing management system based on trust, impartiality and protection.
2. How can ISO 37002 lead to more acceptance and practical relevance of whistleblowing?
AS: I think it will make it easier for organisations to understand that establishing an effective whistleblowing programme isn’t an onerous task and will also remove organisational excuses for not doing it. It’s like in previous areas, such as health and safety. It takes time for people to understand the benefits and to shift their mindsets. Having a global standard in this space is paving the way for how organisations can run effective whistleblower programs. A global standard makes it more accepted and normal.
WV: There’s a huge variation in terms of the quality of the speak-up systems provided by organisations. There are some companies doing amazing work. There are also companies that just don’t want it. But the majority of companies actually really want to get this right. They see the value of it and they also need to meet the requirements set out in the legislation. These companies often say that they don’t have access to the best practice. This is where the ISO standard can really help.
4. What are the similarities and differences between the new ISO 37002 standard and the EU Directive?
WV: The EU Directive says you need to have an internal whistleblowing policy and channels for confidential reporting. The ISO standard gives you guidance on how you actually operate the whistleblowing system and what good practice looks like.
AS: Exactly, they’re complementary rather than different. The EU Directive actually lists three speak-up channels where whistleblowers are protected – internally, to a regulator or to the media. But I would argue that an organisation would prefer people to speak up internally first. By following the standard and setting up a system that builds trust over time, people will feel safe to speak up internally first rather than going to a regulator or media. By following the ISO 37002 standard, organisations will not just meet the letter of the law laid down in the EU Directive, but also the spirit of what it’s trying to achieve.
6. Is the standard only for large corporations or is it also suitable for SMEs?
AS: I’d say it’s as applicable for smaller and midsized companies to follow. What you often find with smaller companies is that one of the reasons they haven’t set up whistleblowing management is because they think it is difficult to set up and maintain. The standard is non-prescriptive, which makes it quite simple and straightforward for organisations.
SMEs are particularly at risk here because organizations of 50+ employees will be coming under the Whistleblowing Directive by 2023 so they need to do something. But the challenge with doing something is that if you do the wrong thing, you actually expose yourself to more risk. ISO 37002 can really provide some good returns and some great protection.
8. Why are whistleblowers important for companies and why should reporting channels be established?
WV: Whistleblowers are early warning systems for organisations. If you look at the ACFE reports, they indicate internal reports are actually the most effective way for organisations to identify fraud.
AS: We believe whistleblowers are the first line of defence in any organisation because they are the eyes and ears on the ground. They detect things much sooner than a computerised system would and they detect things that algorithms do not, such as shifty behaviour. As a result, substantiation rates of reports which come through whistleblowing channels are fairly high. Fraud detection systems, on the other hand, can deliver false positive rates as high as 99.96. When it comes to return on investment, organisations with effective whistleblowing systems on average have a 2.8 percent increase on return on assets, a 20.4 percent reduction in settlements and 6.9 percent fewer material lawsuits (according to George Washington School of Business).