Whistleblowing channel mandatory for all organisations employing 50 or more people
The EU Directive, adopted in autumn 2019, obliges all organisations employing more than 50 people to provide a whistleblowing channel for both staff and a range of external stakeholders.
A whistleblowing channel is therefore a legal obligation.
What is whistleblowing?
Whistleblowing is the act of bringing an abuse or suspicion of abuse to light.
Through the whistleblowing channel, all members of the organisation, including external stakeholders, can report suspected wrongdoing. This channel provides an important safeguard for the anonymity of the person reporting the wrongdoing.
An additional feature of the First Whistle is to reduce the risks posed to the organisation through human error, misconduct or lack of trust.
This is achieved in two ways:
- through guidance and automation for case managers
- through psychological support elements and guidance for the whistleblower inside the First Whistle
FIRST WHISTLE WHISTLEBLOWING CHANNEL IS
- In accordance with the requirements of the EU directive
- Secure, accessible, reliable and easy to use
- GDPR compliant
- Finnish owned and operated
- Built to minimise human risk:
- Psychological guidance for the whistleblower throughout the whistleblowing process; and
- Automation and guidance for the case managers.
Evil necessity or genuine benefit?
Whistleblowing should not be approached as an administrative imposition. It can, if implemented correctly, significantly support an organisation's risk management processes and help save time, nerves and money. According to the Association of Certified Fraud Examiners (ACFE) 2020 "Global study on occupational fraud and abuse" report, the most common way (43% of the time) to detect misconduct or other wrongdoing is through a whistleblowing report.
Role of the whistleblowing channel in your organisation
The core of the Whistleblower Directive is to protect whistleblowers from discrimination and retaliation. This protection applies not only to employees, but also to job applicants, former employees, journalists, etc. The email channels and intranet feedback channels that used to be in place are no longer sufficient.
In many organisations, the whistleblowing channel is seen as part of a broader development of corporate culture and ethics. In other organisations, it is enough to comply with the obligations imposed by the EU Directive. It is good to have a joint discussion about what your organisation wants to do. The channel will be most useful if the reporting threshold is set low and people are encouraged to report sensitively. This will allow for the earliest possible detection of malpractice.
Be alerted on time
With hindsight, it is often easy for an organisation to identify the chain of events that led to the ethical risk.
In retrospect, it is possible to identify missed opportunities where the course could have been reversed. At the time, those moments seemed less important or it was believed that there would be enough time to correct the situation.
The whistleblower helps you to be alerted early. This is another reason why it is important to take every report seriously. Is it harmless if, for example, someone eats someone else's lunch from the fridge? As an isolated incident it may not be that serious, but as a recurring phenomenon it shows that the property of others is not being respected. And if nobody cares, what does it say? It's easy to shape culture when all you have to do is tweak it a little. A big change is a big job. That's why it's often worth tackling phenomena while they're still harmless.
Code of ethics is a key part of ethical risk management.
The whistleblowing system is an integral part of the company's GRC system and the development of an ethical organisational culture. The aim of the First Whistle is to contribute to the positive development of an ethical organisational culture.
What are the expectations of staff and management in terms of behaviour and addressing grievances? It is important to plan the launch of the whistleblowing channel so that the positive purpose and use of the channel is clear to the whole organisation. At the same time, it can be discussed what types of issues are to be reported and where feedback on how work is organised, for example, should be taken up.
It is helpful if the organisation has defined a code of conduct. By drawing up a set of principles, it becomes clear what kind of activities and behaviour the organisation wants to encourage and what kind of behaviour it does not want to encourage.
What the Whistleblowing Directive requires of board members
Comprehensive whistleblower protection legislation is coming into force across the EU. The legislation applies to organisations employing 50 or more people. What does a company's board need to do and what are the issues that need to be addressed now to comply with the legislation? What is the role of board members, and in particular the chairperson, in all this? Should the board take a position on whistleblowing?
One of the board's responsibilities is to ensure good governance. This includes ensuring that the organisation is aware of the law and its obligations and is compliant. As is often the case with legal texts, there is a lot of detail involved. E.g. the whistleblower protection does not only apply to employees, but to anyone who has a work-related relationship with the organisation, including job applicants, former employees, subcontractors and suppliers. Cases must be managed professionally and the whistleblower must be informed about the outcome of the investigation.
A whistleblowing channel is a welcome addition to the range of tools available to boards and executive management to prevent and manage misconduct. Below, more on the role of a board member as a potential case manager.
REPORTING TO THE BOARD
Board meetings should systematically address the indicators related to reported cases. For instance: how many reports have been filed, what topics they have been related to, and how serious they have been.
The focus should be on what has been learned from the reports, whether skills gaps have been identified (and action taken to develop skills), what previously unidentified risks have been addressed, and what measures have been taken to improve the processes and culture of the organisation.
If, quarter after quarter, the message is that there have been no reports or no learning or improvement from them, it can be good for the board to stop and think why this is the case. Is something preventing people from reporting their concerns? Is the code of conduct sufficiently well known? What kind of message is the organisation's leadership sending out on a day-to-day basis by their example? What are the facts and what are opinions?
If cases are filed, it is good to assess at regular intervals whether a specific theme or part of the organisation is repeatedly mentioned. Have particular risks been identified? Is management's ability to lead ethically sufficient? What can be improved? A systematic and frequent assessment of the situation will allow us to focus attention on the essentials and to develop ethics in an appropriate way.
Who should be involved in the processing of whistleblowing reports?
The EU Directive requires the handling of reports to be done in a professional manner. Internal audit is an easy choice for case management.
What if there is no internal audit? Then it makes sense to set up a separate team to handle reports and prevent ethical risks. The team has no executive mandate or decision-making power, for example in terms of consequences. The team's role is to engage in dialogue and articulate what is relevant, to recommend remedial measures to prevent a similar risk from recurring, and to remain operational in difficult situations.
The organisation's legal team, the sustainability manager, the HR manager, the administrative manager are all good options for team members. There is no one typical solution because organisations have structured their resourcing in different ways and with different priorities. It is important to ensure that the team has sufficient competence, courage and patience, as well as sufficient calibre to deal with challenging situations.
In terms of size of the team, between two and four case managers is a good size for a functional team. Choose people who will maintain their ability to act even in challenging situations:
- are from different parts of the organisation, so that if the the content of the report requires a member of the team to withdraw from case management temporarily, the group remains functional
- are the kind of people who have the courage to calmly take difficult issues forward
- form an entity with slightly different skills (e.g. financial, administrative, etc.)
- have sufficient status not to be swept aside
- are able to keep things to themselves and take confidentiality seriously
ROLE OF THE CEO
Typically, the thinking is that it is not good for the CEO to be involved in case management on the grounds of good governance and the workload of the CEO. However, the CEO is responsible for the whole organisation and it is therefore important to carefully agree, already as part of the escalation process, how the CEO will be kept informed of events. Cases that concern the CEO are a different matter.
ROLE OF THE BOARD AND OWNER
For a board member to be involved in the day-to-day running of the organisation as a case manager would be a very operational activity. However, it is worth considering whether one board member should be the recipient of messages from the First Whistle. In this way, the board would automatically have access to reports concerning, for example, top management and, on the other hand, to cases which, because of their low level, might not be reported to the board at all, but which could still be of major concern.
Access to reports would likely improve the ability of the board to ensure good governance, regulatory compliance and transparency. Participation appears to be a growing trend among our clients and we see this as a positive development. Boards are genuinely interested in ensuring that all activities within the organisation are sustainable and ethical. This can be a good role for the founder as well.
The cases must be managed in accordance with the agreed process
As part of the introduction of a whistleblowing system an escalation process is defined, helping to identify the seriousness of the different cases and how reports of varying degrees of seriousness will be escalated to different levels in the organisation.
The steps of the process must also be defined to determine how the cases will be managed. The main elements of the case management process should be explained in connection to the whistleblowing channel so that the person considering blowing the whistle can be familiar with the process in advance. It is useful if the process can also be described as part of your code of conduct.
The integrity of the process should also be considered.
- How is it ensured that interested parties and potential interested parties are excluded from the case management process at the earliest stage possible?
- How robust is the process in the case of a report involving senior management?
- Is there sufficient diversity, calibre and expertise involved in the case management?
- Have dangerous work or task combinations been avoided?
- What opportunities for pressuring the case managers are identified and how can these be prevented?
- It is also worth checking whether case management is adequately resourced, i.e. whether case managers have a realistic chance of processing all incoming whistleblowing reports.
First Whistle users
Case management of the very first case
When the first whistleblower report is filed, it's time to take a good look at the process you have agreed on earlier. What has been agreed and what are the first steps of the process? We strongly recommend that each person in the case management team should read the report as soon as possible.
At this point, it is also worth recalling the security of the process and the responsibility of the case managers to protect the identity of the whistleblower. If the whistleblower tells you who they are or you guess or infer their identity from the report, it is important to remember that you have a legal responsibility to protect and keep this information to yourself.
This is important to bear in mind also when discussing the case between case managers (adequate sound proofing) and in communications (email is not a secure environment). The identity of the whistleblower must not be disclosed to any person other than the team members or the competent authority - without the express consent of the whistleblower. This also applies to any other information from which the identity of the whistleblower can be inferred, directly or indirectly.
Communicating with the whistleblower
As a first step, it is a good idea to send a short and neutral thank-you message to the whistleblower for submitting the report. The message should not yet promise anything concrete about the future. First Whistle thanks the whistleblower at the end of the submission (technically acknowledging receipt of the report), but a human-written message is always better. The First Whistle does not send the whistleblower any messages out of the system.
The communication with the whistleblower is done through the First Whistle, via a text box at the bottom of the whistleblower's report page, with the heading
"Questions and comments to whistleblower"
The messages posted to the whistleblower and her/his/their replies are automatically documented with time stamps and in chronological order.
The whistleblower should be informed within a reasonable time (maximum three months), of the action taken or planned in response to the report and the grounds for the action. It is important to inform the whistleblower of the impacts of the report as fully as possible and to the extent permitted by law, in order to reinforce confidence in the effectiveness of reporting and to reduce the likelihood of reporting the same case again or unnecessary disclosure of information. Necessary follow-up means any action taken by the organisation to assess the accuracy of the allegations made in the report and, where appropriate, to address the reported wrongdoing.
- directing the whistleblower to use other channels or procedures if the report relates solely to her/his/their individual rights,
- terminating the procedure due to insufficient evidence or for other reasons,
- opening an internal investigation and possibly its results or any measures taken to address the problem raised,
- referring the matter to the competent authority for further investigation, provided that this does not adversely affect the investigation and inquiry or the rights of the person reported.
The appropriateness of further action will depend on the nature of each situation and the nature of the notification.
The case manager's actions are logged in the First Whistle, allowing, for example, for auditing or liability in the event of irregularities in the processing of reports.
How to deal with unnecessary reports?
In any initial case assessment, there are concerns about both false positives (a report is interpreted as appropriate when it is not) and false negatives (a report is interpreted as inappropriate when it is appropriate). Of the two, the second, false negatives, are a significantly greater problem.
If the report is first interpreted as appropriate, an investigation will be launched and the possible wrongfulness of the report will eventually become apparent. If, on the other hand, the report is initially interpreted as unfounded, the investigation will not be launched, and thus the erroneous initial interpretation will not be corrected by further examination. For this reason, the Board should encourage management to ensure that reports are always treated seriously, even if they do not at first sight appear to be appropriate.
Reports that are received through the wrong channel should be directed to the correct channel, such as the HR department or customer feedback. In addition, it is necessary to delete such notifications as soon as the redirection is completed. Unnecessary data should not be kept (GDPR).
There is always a risk of unethical behaviour within an organisation. In order to identify and address problems, it is important to provide as many channels as possible to raise issues and voice concern. In addition to providing channels, it is essential to consider how we prevent abuse, how ethically competent our management is and how well we manage whistleblowing reports. All of this has an impact on how serious the ethical risks are in the everyday life of an organisation.
First Whistle protects the identity of the whistleblower
The whistleblower can file a report on the device of their choice, easily and securely. First Whistle scales to mobile, tablet and computer screens.
The whistleblower's personal details – such as name, email address or IP address – are not stored unless the whistlebloiwer decided to submit such information themselves.
At the end of filing a report, the whistleblower receives a personal code that allows them to return to First Whistle to check the status of the report and answer any questions they have been asked.
Case managers will receive an email alert on the new report, no need to visit the system just in case.
Anonymous communication with the whistleblower is easy and automatically documented. If you can write a text message, you can use First Whistle to communicate with the whistleblower.
What if someone blows the whistle on me?
Any member of an organisation can be the subject of a report and the possibility of being the subject of a report is of concern to many. Research evidence - and our own experience supports these findings - suggests that very few reports are filed with the intention to harm. Misinterpretations of situations do occur and this can lead to the generation of a false report, which is then found to be unfounded following a good investigation.
The aim of the Whistleblower Directive is to bring abuses to light as early as possible. To facilitate reporting, whistleblowers are guaranteed strong protection against discrimination and retaliation. The protection applies not only to employees, but also to job applicants, former employees and subcontractors, for example. This means that a wide range of people can report.
When a whistleblowing report implicates you, it is important to remind yourself, that in life, things happen. We gather sensory information about our environment all the time. When we hear or see something in passing, we interpret it and draw conclusions from our past experiences. We may also interpret what we see as something questionable and report it as a sign of misconduct. It may be that we saw correctly, but it may also be that we misinterpreted the situation. Either way, it is good to wait calmly for the investigation to progress.
What can I do to defend myself?
Do not interfere with or try to influence the case management process in any way. As part of the investigation, you will be able to share your perspective and knowledge.
What if someone wants to report me with malicious intent? If you start to suspect or know that someone has blown the whistle on you, even with intent to harm you, it is good to hold your horses. Make sure you do not interfere or influence the investigation in any way. Also be careful not to become negative towards someone because you think they are the one who reported you. Also, do not put pressure on the (supposed) whistleblower to withdraw her/his/their report. The report may turn out to be unfounded, but these above mentioned actions by yourself around the handling of the report would have been illegal.
The best defense is prevention. Follow the laws and regulations, as well as your own employer's code of ethics.
“The best defense is prevention. Follow the laws and regulations, as well as your own employer's code of ethics.”
Blowing the whistle is always a good option
The world around us is changing faster than ever and new threats are on the horizon. It is easier and more cost-effective to solve problems proactively than to act after the event. So it pays to report early and sensitively.
Did you already encourage people to raise the issue first? Speaking up often moves things forward more quickly than reporting, because then things can be discussed directly. If you feel it would be too much of a risk for you personally, a whistleblowing channel is a good option.
The whistleblowing channel allows you to report anonymously. First Whistle does not store metadata related to whistleblowing and does not track the IP address of the whistleblower. After submitting a report anonymously, the whistleblower will receive a code that allows them to come back and provide additional information, as well as answer questions from the case managers.
Reports must always be made honestly and in good faith.
How to do it, step-by-step
- Write down the key facts you want to report.
- Find the address (URL) of the channel on the website of the organisation (your employer or other organisation you want to report).
- Copy the address into the address field of your browser and go to the channel.
- First Whistle will guide you to make a good report. Read the instructions.
- Finally, be sure to capture your personal code.
- You will receive messages from the people handling the report within First Whistle. Remember to log back in using your code.
- Three months after your report, you have the right to know the outcome of the investigation.
More useful information for whistleblowers is available on our support page:
It is a good idea to put the above link to your own website to support the whistleblower.
PREVENTION IS ALWAYS THE BEST WAY
In order to highlight and address problems, it is important to provide many channels for raising issues. Staff should be encouraged to speak up and the psychological safety of the organisation should be nurtured. Speaking up is only done if it feels like a safe option.
In addition to the whistleblowing channel, it is essential to consider how we prevent abuse, how ethically competent our management is and how well we handle whistleblowing. All of this has an impact on how serious the ethical risks are in the everyday life of an organisation.
AN EASY-TO-USE AND RELIABLE WHISTLEBLOWING CHANNEL
The whistleblowing channel will become mandatory for all organisations employing more than 50 people. Take the easy-to-use and reliable First Whistle whistleblowing channel into use.
This service is provided by Juuriharja Consulting Group Oy.