Corporate Compliance Insights
Whistleblowing Management: The Coming Regulatory Storm

Europe’s New Regulations Will Have a Global Impact

by Frank Staelens
July 30, 2020
in Compliance, Featured
In honor of National Whistleblower Appreciation Day, Frank Staelens discusses the EU Whistleblower Protection Directive (WPD) at length. Frank explains the regulation’s broad impact and offers guidance for compliance.

Most listed companies and large public organizations already consider whistleblowing management an important governance mechanism, with, in most cases, boards and audit committees accountable for measuring its effectiveness. This group is now moving toward using whistleblowing systems for more than reporting wrongdoing and is starting to understand that instilling a transparent “speak up” culture is perceived by stakeholders as a sign of good health.

However, many other organizations still have a different position on the subject. Some of the reasons offered for not facilitating whistleblowing management include:

  • Self-denial or self-protection by company management
  • A non-transparent culture or fear of abusive reporting
  • It is not a regulatory mandate in most countries
  • Lack of budget or other investment priorities
  • Lack of knowledge about the benefits

Key Arguments for Facilitating Whistleblowing Management

  • A “speak up” culture helps to reduce employee turnover.
  • Whistleblowers have proven to be the most effective information source on and protection against unethical and criminal behavior within organizations.
  • Whistleblowing helps to avoid public disclosures and the associated reputation risks.
  • Whistleblowing management will become mandatory in Europe as a result of the new EU Whistleblower Protection Directive (EU WPD).

The Scope of the EU WPD

Scope of Applicability

Within the EU: All member states have until December 17, 2021 to transpose the new whistleblower protection rules into national law.

Within member states: All private and public organizations based in Europe, regardless of ownership and of the location of their head offices, will need to comply with the EU WPD principles (organizations with fewer than 250 employees have two more years to organize their compliance).

Within organizations: All internal persons with both standard and non-standard employment relationships and specific categories of external persons (former employees and business partners such as contractors and suppliers) have rights under the EU WPD.

Scope of Breaches

The directive protects persons reporting on breaches of EU law, and member states are encouraged to extend its scope to breaches of national law. The EU law breaches or potential violations covered include, among others, financial services regulations, anti-money laundering directives, fraud and corruption detrimental to EU interests, data protection regulations, corporate tax law, competition law and market abuse regulations, public procurement rules, public health and safety and environmental protection.

Scope of Protection

All internal and external persons related to the reporting of wrongdoing in a work-related context.

“The EU is committed to having a well-functioning democratic system based on the rule of law. That includes providing a high level of protection across the Union to those whistleblowers who have the courage to speak up. No one should risk their reputation or job for exposing illegal behaviors.”

– Anna-Maja Henriksson, Finland’s Minister of Justice

EU WPD Principles and Duties to Comply With

Principle of 3-Tier Reporting Structure

Organizations will need to install tier-1 internal reporting, communicate on the tier-2 reporting structure set up by the competent authorities and allow conditional reporting to the public with full protection for the whistleblower (organizations with fewer than 50 employees or municipalities with fewer than 10,000 inhabitants are not required to install tier-1 internal reporting lines).

Principle of Free Choice Between Tier-1 and Tier-2 Reporting

The whistleblower should be allowed to directly report to the authorities without first going through an internal reporting process.

Duty of Confidentiality

Reporting should be set up in a confidential way. Confidential reporting means that only the recipient of the report should know the identity of the reporter, and this identity should not be disclosed to anybody else without the approval of the reporter. Organizations have a duty of confidentiality and should organize themselves so that they can ensure the protection of the identity of all internal and external persons related to the reporting. Although the EU WPD does not require the facilitation of anonymous reporting, it is likely to trigger a more progressive approach in this respect, because not facilitating it will increase the likelihood that whistleblowers opt for tier-2 reporting to the authorities. Considering the duty of confidentiality, it is best to leave the choice of disclosing identities to the whistleblower.

Duty of Feedback

The rules create an obligation to provide feedback to whistleblowers within certain deadlines: confirmation of receipt of the initial report within seven days and status reporting within three months. Both organizations and authorities have feedback obligations (for the latter, the deadline can be extended to six months in duly justified cases).

Duty of Governance

This requires organizations to assign case managers who are competent, diligent and impartial.

Duty of Data Protection Compliance

Whistleblowing management should be set up in compliance with the privacy-by-design and the privacy-by-default principles of the EU General Data Protection Regulation (GDPR).

Duty of Documentation and Information

Organizations are required to fully document the whistleblowing processes and inform their employees, business partners and competent authorities about them.

Key Risks to Manage

Staged Whistleblowing (Threats)

If an employee learns about imminent sanctions or dismissal, or about missing out on future promotions or salary increases, it could trigger him or her to seek protection as a whistleblower. Although a link between the reporting and the adverse treatment should exist, the adverse treatment will be presumed to be related to the whistleblowing if the employer is unable to prove that no such link exists. Whistleblowers are relieved of the burden of proof, but they should be able to explain the reasonable grounds for believing their report to be truthful, and they are allowed to report on the basis of suspicions.

Public Disclosure Immunity

Not providing feedback within the deadline, not facilitating tier-1 internal reporting or communicating improperly on the three-tier reporting structure could lead to public disclosure immunity for the whistleblower. I expect that it will be difficult for EU organizations to ignore the EU WPD, even if they are based in member states with little enforcement, due to the exposure to public disclosure immunity and the associated reputation risks. Organizations that decide not to implement the EU WPD will constantly run the risk of personnel going public without being able to sue for damages, because courts are likely to sanction the organization rather than the personnel member.

Abusive Reporting Coverage

The principle of free choice between tier-1 and tier-2 reporting and the reversed burden of proof around adverse treatment will lead to more abusive reporting. Though an organization that can prove an intent to harm on the basis of lies will be able to sue for damages, it will remain difficult to recover substantial direct and indirect losses from individuals, and the risk of abusive reporting will remain difficult for insurance carriers to cover.

Functional Challenges

European Setup

From a privacy-by-design perspective, it is best to make sure all case-related information – including within Europe and in cases where data is sent outside Europe – is covered by the Binding Corporate Rules made available by the European Commission.

Secure Setup

From a security perspective, it is best to work with both certified data centers and a certified software platform that allows a two-way encrypted communication with all internal and external stakeholders (the whistleblower, witnesses, subjects of investigation, case managers, company risk management, investigators, crisis managers, lawyers, etc.).

Future-Proof Scalable Setup

On top of the above, a scalable and future-proof setup requires the following functionalities: automated metadata erasure within anonymous dialogue functions, integration of existing mail addresses, multiple reporting channels (both in writing and verbally), automated machine translation, automated risk category routing, automated alerting, personal data deep search and anonymization, a solution for channeling tier-2 reporting to the authorities in a secure and informed way and investigative document management and task assigning, among others.

ISO Compliant Setup

From an ISO compliance perspective, organizations should consider obtaining certification for both the ISO 27001 security standard and the future ISO 37002 whistleblowing management guidelines, expected to be released around mid-2021.

Operational Challenges

Allowing Tier-2 Reporting While Encouraging Tier-1 Reporting

Legal support will be required to assess how far an organization can go in encouraging internal reporting and ensuring the appropriate handling of internal reports without creating the impression that they want to deny the right for direct reporting to the authorities.

Avoiding Large Implementation Delays

Organizations will need to consult a large number of internal stakeholders; agree upon triage protocols, escalation management processes, crisis management plans and service-level agreements; organize documentation and communication processes; and get external support in periods of high demand for services.

Obtaining Back-Up Services at Short Notice

Given the public disclosure risks associated with not respecting the deadlines for providing feedback to whistleblowers, all organizations should prepare to obtain back-up services within 48 hours.

Justifying Impartiality

For small and medium organizations that do not have risk management functions separated from the business, the (partial) outsourcing of case management might be the only way to justify the impartial treatment of whistleblowers. Lawyers who sue employers for adverse treatment related to whistleblowing are also expected to challenge the organization on the implementation of its duty of impartiality.

Planning for the Second Half of 2020

So, what should organizations already have planned for the end of the year?

  • A whistleblowing management gap analysis to better understand your readiness status and to support timely planning for process and platform improvements related to EU WPD compliance, ISO certification preparations and reputation risk management.
  • A platform selection process to ensure the right choice of technology: tech that is compliant and future-proof and covers the needs of all your risk management functions.
  • Service provider selection to ensure prompt access to all required support (case management, investigation, GDPR compliance, public relations and legal), both first-line and back-up.
  • Process design drafting, including whistleblowing policies, identity protection setup, impartial case management organization, triage protocols and feedback monitoring setup, escalation processes, a crisis management plan, privacy-by-design and privacy-by-default frameworks, an international group strategy and data protection binding corporate rules.
  • Information approach drafting to comply with the information duties toward employees and their representative bodies, business partners and competent authorities.
  • ISO 37002 certification preparation in case you are looking to improve your image as a transparent organization.
  • Association support solicitation with the objective of developing standardized approaches at sector level for small organizations.

Frank Staelens has 30 years of working experience with whistleblower management. He is a subject matter expert on financial crime investigations and on technology and regulatory compliance. As an independent consultant on whistleblowing management, he performs gap analyses, provides process and platform implementation support and helps to prepare for certifications. The confidential reporting network that he co-founded provides fast global access to back-up service providers. Frank is a former Big Four forensic audit partner and the honorary President of the Belgian Institute for Fraud Auditors.