If you are responsible for managing the whistleblower programme at your company, you have a lot on your hands. By now, you probably know that it is not just about having a piece of software installed and getting access to a case manager that tracks reports made through the system: it is about managing a comprehensive whistleblower programme under the direction and support of both the company’s governing body and its management.
Managers of such programmes often do not know what to do or what to focus on. They have typically just followed their own intuition and developed their own set of priorities. This, coupled with the fact that there was no formal advice on which qualities a whistleblower programme manager should have, has many in the position suffering imposter syndrome and wondering whether they are the right person for the job.
There is good news, however: we have formal guidelines by which we can compare our whistleblower programmes and test whether they have the right resources.
Using the ISO whistleblower guidance
In late 2021, the International Organization for Standardization (ISO) formally enacted the International Standard ISO 37002 – Whistleblowing Management Systems – Guidelines (ISO Whistleblower Guidelines). The ISO Whistleblower Guidelines are now available, and you are able to get a copy from the ISO website in your country for a small fee.
The ISO Whistleblower Guidelines are the first comprehensive guide for companies that operate whistleblower management systems. The guidelines provide advice for organisations to create whistleblowing management systems based on the principles of trust, impartiality and protection. The guidelines are adaptable, and their use will vary with the size, nature, complexity and jurisdiction of the organisation’s activities. Following the ISO Whistleblower Guidelines can assist an organisation to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.
What do the ISO Whistleblower Guidelines say about the management of the whistleblower programme?
The ISO Whistleblower Guidelines clearly set out what the person (or group) that is responsible for the whistleblower programme actually needs to do.
The guidelines state that the people managing the programme have the responsibility for and authority over:
- the design, implementation, operation and improvement of the whistleblowing management system
- ensuring that the whistleblowing management system is designed and resourced to ensure comprehensive assessment of reports and the risks of detriment, impartial and timely investigations of reports and protection and support arrangements
- ensuring, to the maximum extent possible in the organisation, that investigation and protection functions are delivered independently (i.e. provided by different persons or areas), while recognising that each may be assigned to existing functions
- providing advice and guidance on the whistleblowing management system and issues relating to reporting wrongdoing
- reporting on a planned and ad hoc basis on the performance of the whistleblowing management system to the governing body, top management and other relevant functions, such as the compliance function, as appropriate.
The whistleblowing management function (which is what the ISO Whistleblower Guidelines calls the team managing the whistleblower programme) should be adequately resourced with personnel who have the appropriate ‘competence, integrity, authority and independence’. This should include ‘direct, unrestricted access to adequate resources as necessary to ensure the impartiality, integrity and transparency of the whistleblowing management system and its processes’. The whistleblowing management function should also have ‘direct, unrestricted and confidential access to top management and the governing body’.
Can I delegate any of this?
Under the ISO Whistleblower Guidelines, the short answer is yes, you can delegate some of the above responsibilities. Organisations that do not have a person dedicated solely to the whistleblowing function can appoint one or more persons to perform that role, in addition to other responsibilities, as long as there are no conflicts of interest or trust or impartiality issues.
The ISO Whistleblower Guidelines also require you to work out which resources are needed for the establishment, implementation, maintenance and continual improvement of the whistleblowing management system and for meeting its objectives. The guidelines say that these resources may include, but are not limited to, financial and human resources, IT solutions, specialised skills, organisational infrastructure, investigators, contemporary reference material on whistleblowing, legal expertise, and professional development and training. These resources may be provided internally or sourced externally.
Are there certain minimum requirements for the person who will manage the function?
The ISO Whistleblower Guidelines don’t set out minimum requirements or competencies for whistleblowing function managers, suggesting that organisations should define their own.
The guidelines state that an organisation should:
- determine the necessary competence of person(s) doing work under its control that affects the whistleblowing management system, its performance and operations;
- ensure that these persons are competent on the basis of appropriate education, training, or experience;
- ensure that, where relevant, the personnel are able to work with the appropriate level of impartiality;
- where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken.
Being an ISO advice, there is also a clear obligation to keep appropriate documentation as evidence of competence.
The ISO Whistleblower Guidelines also oblige those responsible for carrying out activities related to protection, support and investigation to display trustworthiness, emotional intelligence, diplomacy, impartiality, integrity, leadership, confidentiality and sound judgement.
The ISO Whistleblower Guidelines will really help those managing whistleblower programmes to gain confidence by outlining best practices for and characteristics of whistleblowing function managers. If your whistleblower programme meets the ISO guidelines in all respects then you have a leading-edge system that meets the best international standards and you should feel very comfortable that it is fit for purpose.
The guidelines also reinforce the message that the leadership and management of the company have to be great supporters of the whistleblower programme and its managers. If that support is lacking it puts the whole programme in jeopardy.
Using the ISO Whistleblower Guidelines as a handbook is a huge advantage for every company, so we strongly encourage people managing whistleblower programmes to adopt these guidelines.
If you are interested in building your programme from scratch, in consultative advice on the ISO Whistleblower Guidelines or for a free trial of the Speeki whistleblower platform, please contact us here.