The new regulations come with a reversed burden of proof for organizations. Any decision with a negative impact on a whistleblower can lead to high costs to prove that there is no connection with the whistleblowing. As described in the following blog on the key whistleblowing management risks, an employee who learns that he/she is about to be dismissed could also resort to staged whistleblowing in order to obstruct the dismissal. The solution to avoid this risk is to outsource whistleblower identity management. We are able to guarantee that we will not inform you about the identity of a whistleblower until the time is right to disclose identities with the approval of both the whistleblower and the organization.
The governance principles require organizations to assign competent, diligent and impartial case managers. The internal handling of whistleblowing cases can create grounds for dissatisfied employees and third parties with reporting rights (former employees, contractors, suppliers) to openly question the respect of the governance principles and send complaints to competent authorities about it.
The new regulations come with formal deadlines, amongst which the notification of receipt within 7 days and the status reporting within 3 months. Outsourcing whistleblowing management will guarantee your access to backup services to ensure compliance with the deadlines.
Non-compliance can have severe consequences, both financial and reputational: financial mainly because it can lead to high litigation costs, reputational mainly because it can lead to public disclosure immunity. In the next blog we explain that this could create circumstances where employees or former employees can go public using whatever channels they see fit, including social media, to report on the misconduct with full protection and with the organization losing the right to sue for damages. Outsourcing to a specialized party will help you manage the risk of non-compliance.
If an employee learns about imminent sanctions/dismissal or missing out on promotions/salary increases in the future, it could trigger him/her to seek protection as a whistleblower. Although there should be a link between the reporting and the adverse treatment, the treatment will be presumed to be related to the whistleblowing if the employer is unable to prove that there is no such link. Whistleblowers are relieved from the burden of proof, but they should be able to explain the reasonable grounds for believing in the truthfulness of the reporting, and they are allowed to report on the basis of suspicions.
Not providing feedback within the deadline and not facilitating tier-1 internal reporting or improper communication on the three-tier reporting structure could lead to public disclosure immunity for the whistleblower. I expect that it will be difficult for EU organizations to deny the EU WPD, even if they are based in member states with little enforcement, due to the exposure to public disclosure immunity and the associated reputation risks. Organizations that decide to not implement the EU WPD will constantly run the risk of personnel going outside without having the ability to sue for damages because courts are likely to sanction them instead of the personnel member.
The principle of free choice between tier-1 and tier-2 reporting and the reversed burden of proof around adverse treatments will lead to more abusive reporting. Though an organization that can prove the intent to harm on the basis of lies will be able to sue for damages, it will remain difficult to recover substantial direct and indirect losses from individuals, and the risk of abusive reporting will remain difficult to cover by insurance carriers.
Organizations with more than 250 employees are expected to fully comply with the new regulations once they have been transposed into national law (deadline: 17 December 2021).
Organizations with fewer than 250 employees but more than 50 employees will have 2 more years before they need to organize their full compliance with the new regulations. Organizations with fewer than 50 employees are, contrary to general belief, subject to the main part of the new regulations.
They are exempted from installing internal reporting lines. However, our recommendation is to consider the implementation of internal reporting lines because otherwise employees might have no other choice than to report to competent authorities. Small organizations with fewer than 50 employees will have the obligation to inform their employees about their rights to report to the competent authorities.
Standard email systems are not secure and can lead to data leaks. Emails should at least be encrypted or integrated within a secure web-based platform.
The new regulations demand a confidential reporting setup, meaning that the recipient needs to protect the identity of the reporter and can only forward a report with the approval of the reporter. Emails are usually accessible to multiple persons within the company and are easily forwardable, which could lead to infringements.
GDPR compliance is also among the requirements. From a privacy-by-design perspective, web-based reporting channels are best practice.
Most listed companies and large public organizations already consider whistleblowing management as an important governance mechanism with, in most cases, boards/audit committees being accountable to measure its effectiveness. This group is now moving toward the use of whistleblowing systems beyond reporting wrongdoing and starting to understand that instilling a transparent, “speak up” culture is perceived by stakeholders as a sign of good health.
However, many other organizations still have a different position on the subject.
Some of the reasons offered for not facilitating whistleblowing management include:
▪ Self-denial or self-protection by company management
▪ A non-transparent culture or fear of abusive reporting
▪ It is not a regulatory mandate in most countries
▪ Lack of budget or other investment priorities
▪ Lack of knowledge about the benefits
Key arguments for facilitating whistleblowing management include:
▪ A “speak up” culture helps to reduce employee turnover.
▪ Whistleblowers have proven to be the most effective information source on and protection against unethical and criminal behavior within organizations.
▪ Whistleblowing helps to avoid public disclosures and the associated reputation risks.
▪ Whistleblowing management will become mandatory in Europe as a result of the new EU Whistleblower Protection Directive.
▪ Whistleblowing management gap analysis to better understand your readiness status and support timely planning for process and platform improvements related to EU WPD compliance, ISO certification preparations and reputation risk management.
▪ Platform selection process to ensure the right choice of technology – tech that is compliant and future-proof and covers the needs of all your risk management functions.
▪ Service provider selection to ensure prompt access to all required support (case management, investigation, GDPR compliance, public relations and legal), both first line and backup.
▪ Process design drafting, including whistleblowing policies, identity protection setup, impartial case management organization, triage protocols and feedback monitoring setup, escalation processes, a crisis management plan, privacy-by-design and default frameworks, international group strategy and data protection binding corporate rules.
▪ Information approach drafting to comply with the information duties toward employees and their representative bodies, business partners and competent authorities.
▪ ISO 37002 certification preparation in case you are looking to improve your image as a transparent organization.