Top tips on whistleblowing – Our very best advice for a trusted and efficient whistleblowing system
With whistleblowing making the headlines so much in 2018, we decided to start 2019 by sharing everything that we think is worth sharing when it comes to whistleblowing. Every day we discuss whistleblowing and matters such as compliance and codes of conduct with business leaders, and these are the kinds of questions that always come up: Do we need an external whistleblowing provider? What if we get irrelevant reports? Why should we keep the whistleblower anonymous?
So in this post we have compiled the most frequent questions we receive. If you don’t find answers to your questions here – please get in touch. We are only too happy to share what we have learnt from years of supporting customers with whistleblowing around the globe.
So sit back and read on. Here come…
Our seven very best pieces of advice for implementing a whistleblowing system
- Why should I use an external whistleblowing provider?
- Will we get irrelevant cases through a whistleblowing service, thus wasting our time? How do we handle these?
- How many whistleblowing reports should we expect?
- I have read about incidents in which the company actually has a whistleblower hotline, yet reports have not reached the right people. How can I stop this from happening?
- We have just received a serious whistleblowing case, which we need to investigate. It came from an anonymous whistleblower – what shall I report back to them?
- According to the company union representative, the whistleblowing service must be available to everyone, i.e. not only through the web? What is your experience?
- How can we protect whistleblowing data? Our Board is worried that we might spread sensitive data or fail to comply with the GDPR, for example?
We know that the majority of customers want a whistleblowing solution that is easy and cost-efficient, but our most important advice here is: No DIY! There are two main reasons for this, whistleblower protection and secure and efficient follow-up of cases received.
1a. Why is whistleblower protection important?
Anonymous whistleblower reporting is what it takes if you want to receive business critical information. We know from experience that implementing truly anonymous channels increases the likelihood of your getting reports on serious misconduct and hence have the chance to minimise damage and risks, WhistleB Customer study. Why is this so? People need to trust that they will be protected against retaliation, and the only safe way is to allow them to remain anonymous both in the initial dialogue and throughout any investigation.
True whistleblower protection implies that you need a whistleblowing solution that is separate from your own IT environment. You must be able to show that a whistleblower cannot be tracked – and it’s not just us that say so, read more whistleblower protection. Also, the whistleblower system you choose must be fully secure, for example it should not use e-mail and should minimize the number of individuals with access to content.
1b. How does an external whistleblowing system help with secure and efficient case management?
When it comes to case management, you can absolutely use your internal resources, but an external whistleblowing system can support you. It will contain an easy-to-use case management system that guides you through appropriate steps and legal considerations, for example. It provides a solid IT solution and structure so that you can manage the cases, investigations and communication using internal resources. It will have rich functionality such as a case log, secure communication, correct archiving and deleting procedures and so on. An external whistleblowing provider can also ensure the software is kept right up to date with the latest data security functionality to help protect your data throughout case management.
There’s another important benefit to assigning reception of whistleblower cases to an external party, namely to prevent a report being disclosed to a particular whistleblowing team member. We support many companies with receiving reports from their whistleblowing hotline, and aside from support with general management our responsibility as a third party whistleblowing provider is to make sure that any appointed receiver/investigator implicated in a report does not receive this specific whistleblowing report.
The question of irrelevant cases comes up in almost every whistleblowing system implementation. Of course we cannot give any guarantees – but our experience shows that this concern is unfounded. This was also reflected in our latest annual customer survey. Irrelevant reports might include matters to be handled by HR, such as grievances about salary or promotion. These are nonetheless important for the individual, which is why the whistleblowing team benefits from having systems that offers a possibility to securely assign cases to HR (see more under question 4).
At the end of the day though a whistleblowing service aims at unveiling misconduct, and our advice is to invest time in thorough communication about the service so that you receive true whistleblowing reports. Help employees understand what constitutes a whistleblowing case, and what doesn’t. Inform them of alternative communications channels for other matters. Communication should include a whistleblowing policy and guidelines, and our system helps with that.
Another piece of advice here is to introduce the service in stages. For example, run the whistleblower system for a year or so, then as you feel comfortable with the results, broaden your target group to suppliers, partners, customers and the public.
What we like to remind customers is that the reason for allowing whistleblowing is to minimise business risks, and this requires anonymous communication channels. We think that the benefits of implementing a whistleblowing system far outweigh the risk of receiving irrelevant reports. Sometimes we just have to take the bad with the good.
There are a couple of considerations when it comes to the number of whistleblower reports. Firstly, how can you increase the likeliness of people reporting suspicions on real whistleblowing cases?
As mentioned earlier, whistleblower anonymity is key.
Communication is also essential and must be continuous to really drive engagement. First, set the right tone at the top to create trust. That includes communicating the company’s core values and philosophy on how to do business, according to your Code of Conduct.
Secondly, a person most likely blows the whistle only once in their lifetime making this a very stressful situation for the whistleblower. De-dramatize the process of whistleblowing in your communication and keep the reporting process simple. Don’t make it worse with complex questionnaires!
The above two points underline why the whistleblower communication channel should be as easy and efficient to use as possible. Remove any thresholds, such as when, where or from which device a whistleblower can send a report. At the end of the day, you don’t want to risk not receiving business critical information, and in today’s environment, this basically boils down to solid whistleblowing software and technology.
Finally on this point, many customers implement a whistleblowing service as a preventive measure. The very fact that the system is in place prevents misconduct occurring in the first place. A very low number of reports coming through the whistleblowing channel might actually mean that it is working.
Think very carefully through how whistleblower reports should be received, investigated – and above all by whom. We advise customers to appoint an internal team that creates trust and ensures cases are dealt with in a secure way. The team should preferably include non-operational individuals, such as members of the Board and internal audit. We see managers from a range of functions, often Compliance, HR, Sustainability and the CFO represented on the whistleblowing teams at our customers. Ensure your team does not come from one single part of the organisation, but that it is spread across managers from a range of functions.
The whistleblowing system itself should also support rigorous and correct case management. For example, through your case log it should be impossible to delete a case without notifying team members.
Finally don’t forget to be transparent. Tell your employees and other stakeholders about how reports are managed. Make sure follow-up is transparent and that you communicate your results to the Board through regular reports on whistleblowing, see interview.
You know nothing about the whistleblower, which is why we advise you to proceed with caution in this situation. Be as careful and as brief as possible in your communication with the anonymous person. At least until you know more about who you are communicating with. Unfortunately, whistleblower anonymity allows for some level of abuse of the whistleblowing system from persons who may in some way want to harm the organisation, or a specific person within the organisation.
Your whistleblowing system should provide you support in this situation, in terms of secure management of data and allowing for continued dialogue to build trust between the parties. For example, you need to ensure that all related data is protected, use secure encrypted systems, do not use e-mail, and so on. Keep investigation documents and communication within the protected whistleblowing system. Use a system that undergoes regular professional penetration and information security testing. Limit the number of persons involved. Once again, if you have the right team in place to manage whistleblowing reports, they will be able manage this process with integrity.
During the last two years we have seen that many companies are now skipping the whistleblowing phone hotlines as a mode of reporting. Some of the reasons given are that it is less secure (the information cannot be encrypted all the way from the whistleblower to the receiver of the message), it is less cost-efficient and less user-friendly. Today, in the world of smart phones, whistleblowers are more likely to attach pictures and text files as evidential material, which is valuable for the investigations.
This move away from telephone reporting was supported in a poll of Compliance officers we conducted at the 3rd Summit on Anti-Corruption (Nordics Edition) in November 2016. Nearly 80% of Compliance officers revealed that they preferred to receive whistleblowing reports through a web service, whereas only one in ten preferred to receive them via the telephone, read more.
So our advice is to offer voice phone whistleblowing hotlines as an option only in countries where Internet access is not widespread, or for employee groups that might hesitate to report in writing.
Our advice here is simple – ensure you select a whistleblowing system with the very toughest security on the market! We think it is key that our customers control their own data and that it is not accessible to any persons not authorised by the customer. Suppliers should access encrypted data, it should not be accessible to read. The decision on the individuals to whom access to sensitive data should be given must at all times remain with the customer.
Data security is something we feel very strongly about at WhistleB. From the beginning we have been fully behind all regulatory moves towards more secure management of personal data, as we knew that this one principle, above all others, is fundamental to the proper working of an organisational whistleblowing system. Top security in whistleblowing systems is the very foundation of trust, and it is what we thought lacked in the systems we came across in our former roles. This is one of the reasons we started WhistleB.
And it is why we started readying our whistleblowing system to be fully compliant with the EU’s GDPR regulations some six years ago. We do not see data security and regulatory compliance as a cumbersome matter, we see it as a competitive advantage for our product, and therefore for our customers. Read more at this link about the security measures we have taken to ensure that we always provide market-leading IT security in our whistleblowing service.
So there you go, our very best advice for implementing a trusted an efficient whistleblowing system. But there’s one more thought we’d like to leave you with. We’ve talked a lot about whistleblowing in the context of risk management, of protecting the company brand. We would also argue that a whistleblowing service is a brand enhancer, a way to strengthen the organisation’s sustainability profile. Here’s our argument…
There’s tough competition for attracting the best talent, and today, the younger generation is more likely to select an employer whose values match their own. We are also seeing that existing employees are more loyal if they feel they are in companies where they know they will be safe, where ethics are taken seriously.
When we put this knowledge together with the recent #Metoo campaign, we’re inclined to say that what we’re currently seeing is a grass-roots movement. A more aware labour force has spoken out – and what it wants is ethical business.
Digital tools, such as an online whistleblowing system, provide opportunities to respond in new ways. Forward-thinking leaders who take business ethics seriously will already have a robust code of conduct in place. Above and beyond that though, they will be able to point to tools and other mechanisms that underpin their code of conduct, give their employees a voice and strengthen their brand as a responsible employer, such as a secure, online whistleblowing system.