Ethics, Risk and Compliance Roles in the U.K. – Part 1
We were delighted to interview Kevin Parle – Fellow of the International Compliance Association (ICA) and Deputy Chair of the Data Protection Forum – for his insights and observations on whistleblowing roles within U.K. organizations. Kevin has worked in financial services, retail banking and insurance for over 20 years, and he brings to this article his knowledge and understanding of these sectors, along with ideas that other sectors might implement. This is part one of two.
Please note that Kevin’s thoughts and opinions discussed in this interview are his own and not representative of the views of the Data Protection Forum or the ICA.
How do you feel the U.K.’s legal framework around whistleblowing will be influenced by the EU Whistleblower Protection Directive?
I expect the U.K.’s whistleblowing legislation will remain consistent with the EU Directive. Despite the U.K. no longer being part of the EU, it wouldn’t make sense for developments to swing in the opposite direction – from a business perspective, it would create a whole series of practical difficulties. To expand on this, it’s one thing for the U.K. government to state its intention to deregulate and opt out of certain EU provisions, but it is entirely another matter to ignore what happens in Europe, as this will still have impacts across many different sectors of the U.K. economy.
I must add that answers to this question could vary depending on which sector of the economy is being discussed. In the U.K.’s financial services sector, we have the FCA (Financial Conduct Authority), which has talked explicitly about whistleblowing, ethics and certification regimes, for example.
How do you see best practices developing in the U.K. around who should manage whistleblowing channels?
The FCA handbook is fairly transparent about the regulatory expectations for financial services around whistleblowing. In theory, individuals in positions of power, authority or those delivering fit and proper roles should be responsible for following best practices.
I would say there are two or three roles that should fulfill responsibilities around managing whistleblowing, dependent on the size and type of the organization.
The first line role – and the first line of defense – is the whistleblowing manager.
The whistleblowing manager is the front line in the context of the first, second or third lines of defense as a regulatory model – something that the FCA (then the FSA) established around a decade ago.
The whistleblowing manager is likely to be the person who’s responsible for the day-to-day administration of the process and ensuring concerns are looked into in appropriate time scales. They will contact individual members of staff and ensure that those raising concerns are treated fairly and with respect. This individual may manage a team of people working together towards this goal, but they are very much hands-on in direct involvement with raised cases.
Secondly, we have the whistleblowing officer.
The whistleblowing officer typically acts in the second line of defense. They may not be strictly within the business, but they are not entirely independent of the day-to-day operations. This person would be the accountable officer, responsible for ensuring that the whistleblowing function – and by extension, the organization – is delivering on its legal and regulatory responsibilities.
The officer may be writing the whistleblowing policy for the organization and potentially some of the procedures, which make up the materials and resources made available to the first line of defense. This is what employees are expected to do and how they are meant to act within the organization. In line with this, the whistleblowing officer may also be responsible for delivering training around processes for raising concerns. Some elements of this role may be delegated to a third party regarding a platform or training materials, as the reach can be quite broad.
At the third line of defense, we have the whistleblowing ‘champion’.
A whistleblowing champion is typically a senior person within the organization, such as a board-level director or a non-executive director – typically the latter within many U.K. companies. The whistleblowing champion acts wholly independently from the business within the third line of defense.
The whistleblowing champion is responsible for nudging the organizational culture, encouraging ethical behavior and highlighting that whistleblowing/raising concerns can be a positive action for an organization regarding staff morale and retention. Their role, located at a senior level within the organization, allows them to positively influence key stakeholders and ensure the subject has explicit visibility at board level. The role also includes the prevention of regulatory, reputational or financial damage and shareholder detriment through the effective management of ‘concerns’ raised. Essentially, the chief priority of the whistleblowing champion is to achieve a strong whistleblowing culture and be the promoter of those positive ideals.
Overall, these roles are how – in general terms – I would expect whistleblowing to be managed within a U.K. financial services organization.
What are the biggest challenges around this approach or these defined roles?
I would say that the challenges of implementing these roles vary depending on the size of the company and the type of organization.
In one of my previous roles with a relatively small company, I was technically in the position of whistleblowing champion, though not delivering a board-level role. However, I was also carrying out some of the officer and manager roles, mainly if it leaned into my areas of expertise. Within that experience, I had parts of all three whistleblowing roles and worked with others – such as the HR and legal teams – on specific investigations.
This is a reflection of the size of the company as whistleblowing wasn’t the primary task within my title at the time, but budget constraints mean it is not always possible to hire for multiple roles in an organization. On the other hand, carrying out all those tasks simply wouldn’t be possible for one person to cope with within a much larger organization. Still, they would have the budget to allocate resources accordingly.
We receive a lot of questions about who should be responsible for channel management. Is there a solution that doesn’t involve putting these responsibilities on the desk of an existing role within the organization? What are the potential issues?
We have to draw a distinction here, as outsourcing doesn’t always mean an all-or-nothing approach to what elements of the whistleblowing process are handled. I think it is a very unusual and unlikely perspective to have all elements (roles) in a whistleblowing function outsourced.
From a process perspective, it is helpful to look at how the elements of your process are divided. Who receives telephone calls vs. emails from staff members, for example? Who does the initial triage of the level of concern raised? What about cases that may be legitimately missed as they don’t classify as reportable events within the U.K.? Only a subset of everything raised to the whistleblowing function will need investigation. Outsourcing does not need to take over a resource, but it can handle the initial layer of reporting that may not qualify as a whistleblowing concern (a protected disclosure).
A smaller organization might not actually need additional external resources to handle the relatively small number of cases which could be managed by one or two people internally. However, as soon as the organization is larger and it tries to spread multiple roles across only a few people, it becomes difficult to execute the mechanics of all those responsibilities.
In these sorts of organizations where the budget might not support more internal resources to allocate to a whistleblowing program, outsourcing in part may be the most practical option. This would allow internal resources to manage reporting to senior management or the board, take control of the more serious concerns raised, and have oversight over what cases or concerns the third party is managing.
When looking at large organizations – by definition, those listed on a Stock Exchange – appropriate resources should be allocated to that organization to deliver the whistleblowing function. Companies of this scale should be able to support the salary of a champion, officer, and manager; this reflects the FCA’s handbook requirement of a credible whistleblowing process within financial services. Not only does this size of organization typically have the funds to be able to resource that function correctly, it’s also under a regulatory expectation to do so. There have been cases where the justification for the under-resourcing of the whistleblowing function has been a lack of funding and staff. At that point, the regulator can quite easily judge that this isn’t true based on the turnover of the organization.
Effective management of whistleblowing (the raising of concerns) is now recognized as a key requirement of managing an organization’s overall risk profile. Via the effective implementation of a whistleblowing function, with an appropriate division of responsibilities, the organization can mitigate those risks whilst achieving its strategic goals.
Kevin Parle, Deputy Chair, Data Protection Forum & Fellow of the ICA
The DP-Forum welcomes new members to its ranks. If you are interested in finding out more, please see www.dpforum.org.uk.