Corporate Compliance Insights

Whistleblowing Management: The Coming Regulatory Storm

Europe’s New Regulations Will Have a Global Impact

by Frank Staelens
July 30, 2020
in Compliance, Featured

In honor of National Whistleblower Appreciation Day, Frank Staelens discusses the EU Whistleblower Protection Directive (WPD) at length. Frank explains the directive's broad impact and offers guidance for compliance.

Most listed companies and large public organizations already treat whistleblowing management as an important governance mechanism, with boards or audit committees in most cases accountable for measuring its effectiveness. This group is now moving to use whistleblowing systems for more than reporting wrongdoing, having understood that a transparent "speak up" culture is perceived by stakeholders as a sign of good health.

However, many other organizations still take a different view. Some of the reasons offered for not facilitating whistleblowing management include:

  • Self-denial or self-protection by company management
  • A non-transparent culture or fear of abusive reporting
  • It is not a regulatory mandate in most countries
  • Lack of budget or other investment priorities
  • Lack of knowledge about the benefits

Key Arguments for Facilitating Whistleblowing Management

  • A “speak up” culture helps to reduce employee turnover.
  • Whistleblowers have proven to be the most effective source of information on, and protection against, unethical and criminal behavior within organizations.
  • Whistleblowing helps to avoid public disclosures and the associated reputation risks.
  • Whistleblowing management will become mandatory in Europe as a result of the new EU Whistleblower Protection Directive (EU WPD).

The Scope of the EU WPD

Scope of Applicability

Within the EU: All member states have until December 17, 2021 to transpose the new whistleblower protection rules into national law.

Within member states: All private and public organizations based in Europe, regardless of ownership or head-office location, will need to comply with the EU WPD principles (organizations with fewer than 250 employees have two more years to organize their compliance).

Within organizations: All internal persons, in both standard and non-standard employment relationships, and specific categories of external persons (former employees and business partners such as contractors and suppliers) have rights under the EU WPD.

Scope of Breaches

Persons reporting breaches of EU law are protected, and member states are encouraged to extend the scope to breaches of national law. The areas of EU law covered include, among others, financial services regulation, anti-money laundering directives, fraud and corruption detrimental to EU interests, data protection, corporate tax law, competition law and market abuse regulation, public procurement rules, public health and safety, and environmental protection.

Scope of Protection

All internal and external persons related to the reporting of wrongdoing in a work-related context.

“The EU is committed to having a well-functioning democratic system based on the rule of law. That includes providing a high level of protection across the Union to those whistleblowers who have the courage to speak up. No one should risk their reputation or job for exposing illegal behaviors.”

– Anna-Maja Henriksson, Finland’s Minister of Justice

EU WPD Principles and Duties to Comply With

Principle of 3-Tier Reporting Structure

Organizations will need to install tier-1 internal reporting channels, communicate the tier-2 reporting channels set up by the competent authorities and accept conditional reporting to the public with full protection for the whistleblower. (Organizations with fewer than 50 employees and municipalities with fewer than 10,000 inhabitants are not required to install tier-1 internal reporting lines.)

Principle of Free Choice Between Tier-1 and Tier-2 Reporting

The whistleblower should be allowed to directly report to the authorities without first going through an internal reporting process.

Duty of Confidentiality

Reporting should be set up in a confidential way. Confidential reporting means that only the recipient of the report knows the identity of the reporter, and that this identity is not disclosed to anybody else without the reporter's consent. Organizations have a duty of confidentiality and should organize themselves so that they can protect the identity of all internal and external persons involved in the reporting. Although the EU WPD does not require anonymous reporting to be facilitated, it is likely to trigger a more progressive approach in this respect, because an organization that does not offer it increases the likelihood that whistleblowers opt for tier-2 reporting to the authorities. Given the duty of confidentiality, it is best to leave the choice of whether to disclose their identity to the whistleblower.

Duty of Feedback

The rules create an obligation to provide feedback to whistleblowers within set deadlines: acknowledgment of receipt of the initial report within seven days and feedback on the follow-up within three months. Both organizations and authorities have feedback obligations (for the latter, the three-month deadline may be extended to six months in duly justified cases).

Duty of Governance

This requires organizations to assign case managers who are competent, diligent and impartial.

Duty of Data Protection Compliance

Whistleblowing management should be set up in compliance with the privacy-by-design and the privacy-by-default principles of the EU General Data Protection Regulation (GDPR).

Duty of Documentation and Information

Organizations are required to fully document the whistleblowing processes and inform their employees, business partners and competent authorities about them.

Key Risks to Manage

Staged Whistleblowing (Threats)

If an employee learns of imminent sanctions or dismissal, or of a missed promotion or salary increase, this could prompt him or her to seek protection as a whistleblower. Although there should be a link between the reporting and the adverse treatment, the treatment will be presumed to be retaliation for the whistleblowing if the employer is unable to prove that it was unrelated. Whistleblowers are relieved of the burden of proof, but they must be able to explain their reasonable grounds for believing the reported information to be true, and they are allowed to report on the basis of suspicions.

Public Disclosure Immunity

Failing to provide feedback within the deadlines, failing to facilitate tier-1 internal reporting or communicating improperly on the three-tier reporting structure can each qualify the whistleblower for full protection when disclosing publicly. I expect that it will be difficult for EU organizations to ignore the EU WPD, even in member states with little enforcement, because of this exposure to protected public disclosure and the associated reputation risks. Organizations that decide not to implement the EU WPD will constantly run the risk of personnel going public without the organization being able to sue for damages, because courts are likely to sanction the organization rather than the employee.

Abusive Reporting Coverage

The free choice between tier-1 and tier-2 reporting and the reversed burden of proof for adverse treatment will lead to more abusive reporting. An organization that can prove an intent to harm on the basis of knowingly false reports will be able to sue for damages, but it will remain difficult to recover substantial direct and indirect losses from individuals, and the risk of abusive reporting will remain difficult to cover through insurance.

Functional Challenges

European Setup

From a privacy-by-design perspective, it is best to make sure that all case-related information is processed under GDPR-compliant rules within Europe and, where data is sent outside Europe, is covered by an approved transfer mechanism such as Binding Corporate Rules approved by the supervisory authorities or the standard contractual clauses adopted by the European Commission.

Secure Setup

From a security perspective, it is best to work with both certified data centers and a certified software platform that supports two-way encrypted communication with all internal and external stakeholders (the whistleblower, witnesses, subjects of investigation, case managers, company risk management, investigators, crisis managers, lawyers, etc.). Encryption in transit on its own does not discharge the duty of confidentiality: access to case data should be limited to the assigned case managers, and every access should be logged.

Future-Proof Scalable Setup

On top of the above, a scalable and future-proof setup requires, among others, the following functionalities:

  • Automated metadata erasure within anonymous dialogue functions
  • Integration of existing mail addresses
  • Multiple reporting channels, both written and verbal
  • Automated machine translation
  • Automated risk-category routing
  • Automated alerting
  • Personal data deep search and anonymization
  • A solution for channeling tier-2 reporting to the authorities in a secure and informed way
  • Investigative document management and task assignment
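Of the functionalities listed above, automated metadata erasure is the one that most directly protects the whistleblower's identity, and it is worth seeing what it involves. The Python script below is an added example, not code from this article or from any vendor platform. It takes an Office Open XML attachment (the .docx/.xlsx/.pptx format, which is a zip archive of XML parts), blanks the authorship fields that Word writes into docProps/core.xml and docProps/app.xml (creator, last modified by, revision, timestamps, company) and neutralises the zip entry timestamps, while leaving the document body untouched. The sample document, and the names in it (j.doe, Example Corp), are constructed for the example.

```python
import io
import re
import zipfile

# Office Open XML (docx/xlsx/pptx) package parts that carry authorship data.
CORE_PART = "docProps/core.xml"
APP_PART = "docProps/app.xml"

# Elements whose text identifies a person, organisation, device or editing history.
CORE_TAGS = ("dc:creator", "cp:lastModifiedBy", "cp:revision",
             "dcterms:created", "dcterms:modified", "cp:lastPrinted")
APP_TAGS = ("Company", "Manager", "TotalTime")

# Fixed timestamp for every zip entry: entry times are local time without a zone
# and would otherwise reveal when (and roughly where) the file was produced.
NEUTRAL_ZIP_TIME = (1980, 1, 1, 0, 0, 0)


def _blank_elements(xml: str, tags) -> str:
    """Empty each listed element's text but keep the element, so the part stays schema-valid."""
    for tag in tags:
        xml = re.sub(rf"<{tag}(\s[^>]*)?>.*?</{tag}>", rf"<{tag}\1></{tag}>", xml, flags=re.S)
    return xml


def scrub_ooxml(package: bytes) -> bytes:
    """Rewrite the package with identifying metadata blanked and zip timestamps neutralised."""
    # Every entry is copied, so the body is untouched. Embedded images under
    # word/media/ keep their own EXIF data and need a separate scrubber.
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == CORE_PART:
                data = _blank_elements(data.decode("utf-8"), CORE_TAGS).encode("utf-8")
            elif info.filename == APP_PART:
                data = _blank_elements(data.decode("utf-8"), APP_TAGS).encode("utf-8")
            clean = zipfile.ZipInfo(info.filename, date_time=NEUTRAL_ZIP_TIME)
            clean.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(clean, data)
    return out.getvalue()


def identifying_values(package: bytes) -> dict:
    """Identifying fields that still hold a value; run it before and after scrubbing."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for part, tags in ((CORE_PART, CORE_TAGS), (APP_PART, APP_TAGS)):
            if part not in z.namelist():
                continue
            xml = z.read(part).decode("utf-8")
            for tag in tags:
                m = re.search(rf"<{tag}(?:\s[^>]*)?>(.*?)</{tag}>", xml, flags=re.S)
                if m and m.group(1).strip():
                    found[tag] = m.group(1).strip()
    return found


def entry_times(package: bytes) -> set:
    """Distinct zip entry timestamps; a scrubbed package has exactly one, the neutral value."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return {info.date_time for info in z.infolist()}


def body_text(package: bytes) -> str:
    """The main document part, used to confirm scrubbing left the content intact."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return z.read("word/document.xml").decode("utf-8")


def build_sample_docx() -> bytes:
    """Constructed minimal .docx carrying the metadata Word normally writes; not a real case file."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
            ' xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"'
            ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:creator>j.doe</dc:creator><cp:lastModifiedBy>j.doe</cp:lastModifiedBy><cp:revision>7</cp:revision>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2020-07-01T08:15:00Z</dcterms:created>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2020-07-02T17:40:00Z</dcterms:modified>'
            '</cp:coreProperties>')
    app = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<Application>Microsoft Office Word</Application><Company>Example Corp</Company>'
           '<TotalTime>95</TotalTime></Properties>')
    body = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Invoices were approved without a second signature.</w:t></w:r></w:p>'
            '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in (("[Content_Types].xml", "<Types/>"), (CORE_PART, core),
                          (APP_PART, app), ("word/document.xml", body)):
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", identifying_values(sample))
    print("after: ", identifying_values(scrub_ooxml(sample)))
```

Office documents are only one carrier of identity: PDFs (the /Info dictionary and XMP stream), images (EXIF) and e-mail headers each need their own treatment, and an anonymous channel should strip all of them server-side before a case manager ever sees the file, with the original never retained.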

ISO Compliant Setup

From an ISO compliance perspective, organizations should consider obtaining ISO 27001 certification for information security and preparing for the future ISO 37002 whistleblowing management guidelines, expected to be released around mid-2021. Since ISO 37002 is being drafted as a guidelines document rather than a requirements standard, conformance to it will in practice be assessed rather than certified in the ISO 27001 sense.

Operational Challenges

Allowing Tier-2 Reporting While Encouraging Tier-1 Reporting

Legal support will be required to assess how far an organization can go in encouraging internal reporting and ensuring the proper handling of internal reports without creating the impression that it wants to deny the right to report directly to the authorities.

Avoiding Large Implementation Delays

Organizations will need to consult a large number of internal stakeholders; agree upon triage protocols, escalation management processes, crisis management plans and service-level agreements; organize documentation and communication processes; and get external support in periods of high demand for services.

Obtaining Back-Up Services at Short Notice

Given the public disclosure risks associated with missing the deadlines for providing feedback to whistleblowers, all organizations should be prepared to obtain back-up services within 48 hours.

Justifying Impartiality

For small and medium organizations that do not have risk management functions separated from the business, the (partial) outsourcing of case management might be the only way to demonstrate impartial treatment of whistleblowers. Lawyers acting for whistleblowers who sue employers for adverse treatment are also expected to challenge the organization on how it implemented its duty of impartiality.

Planning for the Second Half of 2020

So, what should organizations already have planned for the end of the year?

  • Whistleblowing management gap analysis, to understand your readiness status and support timely planning of process and platform improvements for EU WPD compliance, ISO preparation and reputation risk management.
  • Platform selection, to ensure the right choice of technology: compliant, future-proof and covering the needs of all your risk management functions.
  • Service provider selection, to ensure prompt access to all required support (case management, investigation, GDPR compliance, public relations and legal), both first line and back-up.
  • Process design drafting, including whistleblowing policies, identity protection setup, impartial case management organization, triage protocols and feedback monitoring, escalation processes, a crisis management plan, privacy-by-design and privacy-by-default frameworks, an international group strategy and data protection binding corporate rules.
  • Information approach drafting, to comply with the information duties toward employees and their representative bodies, business partners and competent authorities.
  • ISO 37002 preparation, in case you are looking to improve your image as a transparent organization.
  • Seeking support from sector associations, with the objective of developing standardized approaches at sector level for small organizations.

Tags: Reputation Risk, Whistleblowing
Frank Staelens

Frank Staelens has 30 years of working experience with whistleblower management. He is a subject matter expert on financial crime investigations and technology and regulatory compliance. As an independent consultant on whistleblowing management, he performs gap analysis, provides process and platform implementation support and helps to prepare for certifications. The confidential reporting network that he co-founded provides fast global access to back-up service providers. Frank is a former Big Four forensic audit partner and the honorary President of the Belgian Institute for Fraud Auditors.

© 2025 Corporate Compliance Insights
