How to create a whistleblowing policy that builds trust and encourages a culture of integrity.
When do you need a whistleblower policy?
Globally, the type of legal protection offered to whistleblowers is still quite fragmented. Across the European Union, however, thanks to the European Whistleblower Protection Directive, the situation is about to become more harmonised. Essentially, all EU member states are required to transpose this Directive into robust local whistleblowing legislation by 17 December 2021.
The key requirements:
- From 17 December 2021, all organisations operating in the EU with 250 or more employees will be required to be compliant with the new legislation.
- From 17 December 2023, the law will extend to all organisations with 50 or more employees.
However, the Directive sets only a minimum standard for whistleblower protection. Each member state is at liberty to enforce stricter regulation if it so wishes. At the moment, it is unclear which countries will choose to do so.
Clearly, any UK companies with operations in the EU will also need to comply with local legislation. For companies that operate solely in the UK, national laws, such as the Public Interest Disclosure Act 1998 and the Employment Rights Act 1996, already provide extensive whistleblower protection. However, public disclosures in the UK may result in a loss of protection.
Wherever your company operates, compliance professionals need to be familiar with local legislation to be in a position to design a whistleblower protection policy that is fit for purpose. Given the disparities across different jurisdictions, is there a single whistleblower policy that might work for global organisations?
Only if you apply the strictest of standards wherever your organisation works in the world.
What is the purpose of your whistleblower policy?
Irrespective of any legal requirements, the main purpose of a whistleblower protection policy is invariably the same across the globe. Its goal is to cultivate a culture of integrity within an organisation. Full transparency is essential for individuals to put their trust in such a policy.
An effective whistleblowing policy builds trust by…
- Educating staff and other third parties on company standards.
- Providing clear guidance on the whistleblowing process.
- Explaining how to raise a concern.
- Defining the types of concerns that can be raised.
- Outlining any legal protections or restrictions.
In a nutshell, a whistleblower policy should promote a commitment to ethical behaviour and encourage a culture where wrongdoing is safely reported at an early stage.
What should a whistleblower policy include?
Many whistleblower policies will need to include the same basic information.
Who is a whistleblower and who is protected?
Any whistleblower policy needs to explain what is meant by “whistleblower”. Typically, it is someone who speaks up about suspected wrongdoing that they reasonably believe is in the public interest.
Under EU law, your policy will need to protect your employees and former employees, as well as interns, the self-employed, employees of a supplier and business partners who work with your organisation. Even third parties who are closely connected to the person reporting the misconduct have to be protected — and this includes family members.
What are valid whistleblowing concerns?
Your policy should leave no doubt as to the kind of whistleblower reports and concerns that are covered by whistleblower protection legislation. Generally, whistleblowers are legally protected if they act in the public interest and disclose any information related to corrupt, fraudulent, hazardous, or illegal activities.
The areas covered typically include:
- Accounting fraud
- Bribery and any form of corruption
- Corporate tax evasion
- Money laundering
- Financing of terrorist organisations
- Environmental damage
- Breaches of food and product safety regulations
- Breaches of public health and safety regulations
What whistleblowing is not
Reports of personal grievances, such as harassment or bullying, are not generally covered by whistleblower protection legislation, and this needs to be clear in your policy. You should therefore set up formal employee grievance procedures so that such issues remain separate from your whistleblowing procedures.
Reporting options: internally, externally and to the media
Your policy needs to outline your legal obligations regarding reporting procedures. In the EU, for instance, companies are obliged to…
- Acknowledge receipt of a whistleblower report within seven days.
- Provide prompt and appropriate feedback on the report during the investigation.
- Conclude the investigation and provide a final follow-up within 90 days of the filing of the report.
- Maintain diligent and secure record keeping.
The EU Directive actively encourages internal reporting of misconduct first. However, if your internal reporting mechanisms do not result in a speedy and appropriate resolution of a case, the EU whistleblower protection legislation allows an individual to take their concerns to the relevant authorities — and still be legally protected from retaliation. An individual can turn to the media as a final resort and will still be protected from reprisals under EU legislation. You need to inform whistleblowers of such options in your policy.
Obviously, it is generally neither in a company’s nor in an individual’s interest for a whistleblower report to go first to the authorities or to the press. To avoid such scenarios, it’s essential for companies to set up appropriate reporting channels.
The key to success: communication
What should you do when there are legal constraints that prevent you from disclosing the exact outcome of an investigation? Even in such instances, it’s crucial to provide at least a minimum of feedback to the whistleblower. Your policy should outline what you can and cannot communicate.
One option is to publish anonymised reports at regular intervals to inform staff and the general public about any whistleblowing incidents in your organisation and their outcomes. Your policy should indicate where such reports can be found.
Ultimately, the more transparent you are, the more likely people are to understand the legal restrictions in place, trust your policy and therefore speak up. An effective whistleblower policy can only succeed if people are aware of it and feel it can be trusted.