ISO 37002 – Best practices in whistleblowing management systems
By Jan Tadeusz Stappers and Renaud Mousty
Since 2018, an international group of experts has been working together to develop ISO 37002, a new global standard with best practices for developing and implementing an effective and responsive whistleblowing management system. WhistleB is part of this process. For more information about the background of ISO 37002, its scope and its added value for organisations around the globe, we recommend a recent article in The Association of Certified Fraud Examiners’ Fraud Magazine, authored by WhistleB. In this blog post, we will answer some of the questions we are most commonly asked in relation to ISO 37002 – without getting into the details of the standard itself.
How does ISO 37002 complement the EU Whistleblower Protection Directive and other regulations?
With the approval of the EU Whistleblower Protection Directive, it is easy for many of us in the European Union to forget that ISO 37002 is in development and how important it is for organisations that want to implement a best practice whistleblowing management system. For that is what the ISO 37002 is about.
The EU Directive (and other national regulations) is a statement of what is required of both private and public organisations in Europe when it comes to whistleblower protection. It addresses obligations related to security, confidentiality, response times, skills of people receiving reports, data protection and more. What the ISO 37002 will provide, however, is practical guidance on the how. How can a forward-thinking organisation, anywhere in the world, that wants more transparency and recognises the important role of whistleblowers in preventing and detecting corporate wrongdoing, build an effective whistleblowing management system? That is the aim of ISO 37002.
What is WhistleB’s role in ISO 37002 development?
WhistleB is proud to be a participant in WG3, the working group preparing the ISO 37002 standard. We see the drafting of the standard as an important responsibility that is in line with our mission: Whistleblowing made trustworthy, helping organisations foster a safe and more transparent work environment.
What is our role in ISO 37002 development then? In addition to years of compliance and ethics experience, WhistleB brings expertise in technology to the discussion. WhistleB was an early mover in using the latest technology to make whistleblowing management more effective and secure. While technology will never replace legal and investigative expertise and experience in whistleblowing management, it is a powerful complement that simplifies actions, streamlines processes and boosts efficiency and security.
Further, but certainly no less important, we have always been convinced that anonymity lies at the heart of getting greater value from a whistleblowing system (see the question on anonymity below). Secure, technology-based solutions make anonymous whistleblowing possible and remove some of the main barriers to blowing the whistle.
Our perspective on the added value of technology, both for the experts involved in the whistleblowing management process and for the whistleblower, is a large part of what we provide in the ISO 37002 development process.
Below are some of the impacts of technology in whistleblowing management:
1. Confidentiality or anonymity of the whistleblower. Secure technology protects the confidentiality of the whistleblower and can guarantee anonymity if the customer allows it (see the question below).
2. User-friendliness. Technology simplifies the initial reporting process for the whistleblower and thus removes some of the logistical barriers that might reduce the likelihood of a person blowing the whistle. First, digital channels can be made accessible through a user-friendly interface, from all sorts of devices, at all times of the day, and anywhere in the world. Consequently, whistleblowers do not have to be concerned about where, when and how they can raise an alert securely. Further, technology can seamlessly connect the whistleblower with the authorised person/team that has the mandate to manage the whistleblower’s report, thus facilitating correct, sensitive, compliant and respectful management of the report. Finally, secure language translation software can greatly diminish language barriers.
3. Efficiency. For the whistleblowing team that receives the alerts, technology significantly reduces their day-to-day administrative burden. Everything from decisions about what needs to happen to the case, triage, assignment, a systematic audit trail, communication with a whistleblower, documentation of information, to effective investigations, handling of evidence and archiving can be improved through technology. The latency time for the handling of a report is thus significantly reduced and the process becomes more efficient when it is technology-enabled.
4. Transparency. Technology allows for more transparency and greater trust and confidence through defined processes, monitoring, feedback, access control, management and board reporting.
5. Legal compliance. With today’s stricter data protection laws, such as the GDPR in the EU, technology can help to minimise compliance risks and prevent information disclosure. Interpretation of complex laws and regulations can be embedded and configured into best practices within digital whistleblowing management systems. Going back to ISO 37002, WhistleB’s solutions are digital. The integrated communication channel and case management tool allow users to manage whistleblowing cases in an effective manner, in line with both applicable legal frameworks and international standards.
What is the difference between confidential and anonymous reporting?
This is a question we are asked not only in relation to ISO 37002, and it is worth considering in the context of best practice organisational whistleblowing management systems.
Confidential reporting is where the identity of the whistleblower is known by the person receiving the report, but it is kept confidential and should not be divulged without the consent of the whistleblower. Anonymous reporting is when the identity of the whistleblower is not known. The whistleblower may choose to divulge his or her identity later in the investigation process, once a trusted relationship has been established.
While we have come a long way, for example with the EU Whistleblower Protection Directive requiring that the identity of a whistleblower be kept confidential, there is always a risk of a breach in confidentiality. For example, in some instances, state authorities have the right to seize confidential information for specific purposes. What happens if the whistleblower’s identity is leaked in that process? And what happens when a person within an organisation with the wrong intentions but significant power demands to know who was behind a report of irregularities? These cases are not uncommon and have been the subject of media discussions in recent times. Further, the identity of a whistleblower can unintentionally be divulged as more people become involved in an investigation, or if those managing a case are not properly trained in ensuring identities remain confidential through descriptions and reporting.
Anonymous whistleblowing removes many of these issues. Most importantly though, customer cases have shown us the power of anonymity for encouraging people to dare to blow the whistle at all. Understandably, fear of retaliation stops people having the courage to speak up if they cannot remain anonymous. Consequently, organisational leaders remain unaware of wrongdoing as they do not receive the valuable, hard-to-get information that could help them correct misconduct at an early stage. This is why WhistleB advocates permitting anonymous whistleblower reporting if that is what a whistleblower prefers.
Linking back to the above question on technology, the need for anonymity is why we have built a secure system that technically allows a person to remain anonymous throughout the entire reporting, case management, investigation, closing and deletion process. Our system has in-built functionality that protects the anonymity of the whistleblower and allows secure and anonymous dialogue to take place between the whistleblower and the case management experts.
One of the ISO 37002 WG3 experts based in Australia, Dean Newlan of RightCall, who is also a partner to WhistleB, provides a valuable summary of the importance of choice and anonymity here:
“In modern business, there is an ever-growing range of communication channels. Some people will prefer one form of communication in a given context while others, in the same context, will reject it and insist on another from a range of alternatives. The modern world seems to be all about ‘choice’ and presenting the individual with more alternatives than they could ever use. This principle has particular application to misconduct reporting. In order for a business to build a robust and effective misconduct reporting system, it needs to offer employees and other eligible whistleblowers an extensive range of alternative ways of ‘speaking up’. A platform such as WhistleB provides an important avenue for an organisation’s workforce to report suspected wrongdoing. It is particularly important where someone wishing to report wrongdoing fears reprisal either by the organisation or by an individual connected with the organisation. WhistleB provides a convenient and secure communication channel for people who wish to speak up but who fear retribution and need to be assured that their anonymity is guaranteed before they do.”
In the context of ISO 37002, the WG3 acknowledges the importance of creating a protective environment where people can confidently report concerns, as this is crucial to effectively preventing and dealing with wrongdoings.
Keep your eye on ISO 37002
Your organisation may be one of the many that are soon to become legally obliged to provide a confidential whistleblowing system. Or perhaps you may be in an organisation that is investigating whistleblowing management systems as a way to underpin your code of conduct and improve business ethics. Whichever category, it is well worth aiming for best practice in whistleblowing management, and thus keeping an eye on the development of ISO 37002. To understand more about the background to the standard, read WhistleB’s earlier blog on ISO 37002.
Otherwise, you can contact WhistleB for help with all your organisational whistleblowing management needs. We would be happy to share insights on any of the above questions, as well as our experience on what has worked best for other customers, and how our whistleblowing system can be adapted to fit your organisation.