How do you know if your whistleblower programme is successful? You know that there is a ‘hotline’ in place and that people occasionally use it, but does your whole programme actually work?
Until now, there has been little that really helped companies know whether their whistleblower reporting programmes were actually meeting objectives and adding value. But there is good news: there is a formal guideline that you can use to test the performance of your programme and compare it against best practice.
The ISO guidance
In late 2021, the International Organization for Standardization (ISO) formally enacted the International Standard ISO 37002 – Whistleblowing Management Systems – Guidelines (ISO Whistleblower Guidelines). The ISO Whistleblower Guidelines are now available and you are able to get a copy from the ISO website in your country for a small fee.
The ISO Whistleblower Guidelines are the first comprehensive guide for companies that operate whistleblowing management systems. The guidelines provide advice for organisations to create whistleblower programmes based on the principles of trust, impartiality and protection. The guidelines are adaptable, and their use will vary with the size, nature, complexity and jurisdiction of the organisation’s activities.
Following the ISO Whistleblower Guidelines can assist an organisation to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.
What do the ISO Whistleblower Guidelines say about performance testing your whistleblower programme?
As you would expect, the ISO Whistleblower Guidelines suggest that the first step is working out what exactly you are reviewing, monitoring and checking for performance.
According to the guidelines, you need to determine:
- what needs to be monitored and measured
- who is responsible for monitoring
- the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results
- when the monitoring and measuring should be performed
- when the results from monitoring and measurement should be analysed and evaluated.
Every company should evaluate the performance and effectiveness of their whistleblowing management system against their decided metrics. Of course, good documentation should be kept as evidence of the results of these evaluations.
Which key metrics should you review and track?
As part of your review, you need to decide how to monitor and measure the whistleblowing management system’s performance. Like most measurement systems, this could reference both quantitative and qualitative indicators.
In most cases, the measurements will include the number of reports, the time it takes to review reports, and the feedback from users. But there are also some more sophisticated measurements for interpreting costs and value to the business.
The following non-exhaustive list is what the ISO Whistleblower Guidelines suggest can be monitored and measured by an organisation in the context of its whistleblowing management system:
- the number of reports of wrongdoing received by country, region and department
- the nature of the wrongdoing reported
- the time taken to acknowledge receipt of an initial report of wrongdoing
- for each step in the process, the time taken for completion
- the relative proportions over time of reports received via normal reporting lines, any internal alternative reporting systems and any external alternative reporting systems
- whistleblower feedback including satisfaction with the whistleblowing management system and suggestions for improvement
- periodic survey of personnel about awareness of and trust in the whistleblowing management system
- the proportion of reports that are sustained by an investigation against those that are not sustained
- the proportion of reports that fall outside of the scope of the whistleblowing management system
- the proportion of reports where the information provided was knowingly false
- the employment outcomes for whistleblowers (i.e. monitoring the proportion of whistleblowers who depart the organisation after having made a report of wrongdoing and the reasons for their departure)
- the proportion of reports resulting in corrective actions
- average time taken to investigate/close cases
- seriousness of issues raised
- the effectiveness and value of corrective actions taken.
In addition to the above, there are quite a few other measurements that could be reviewed regarding the benefits, value and actual costs of the system and associated investigations. Focusing on measurements around value will assist in proving the system’s worth to management and will support the ‘return on investment’ that is often required for budget approval.
Additional elements to measure value include:
Where to find the data
The ISO Whistleblower Guidelines also give some direction on potential sources for evaluating your whistleblowing management system. Sources of information include:
- incoming reports
- investigation case files
- survey data
- feedback from whistleblowers and relevant interested parties, such as subjects of reports, witnesses, investigators, management
- indicator analyses
- other relevant available documentation.
Auditing is another way to test performance
Every compliance programme should be tested using some form of audit. Indeed, the ISO Whistleblower Guidelines require internal audits to be carried out at planned intervals to determine whether the whistleblower programme is conforming to the company’s own requirements and the requirements of the ISO guidelines.
These internal audits need to be scheduled in advance, and there should be a written plan that defines each audit’s objectives, criteria and scope, as well as who is going to complete each audit (i.e. an objective and impartial auditor).
The results of the audits must be reported to relevant managers and considered and acted on as appropriate. Of course, all of this needs to be clearly documented.
Management views and opinions are also helpful
Another mechanism for determining the success of the programme is seeking feedback from management. The ISO Whistleblower Guidelines state that top management should regularly review the whistleblowing management system and report their findings to the board.
To ensure the programme’s continuing suitability, adequacy and effectiveness, management should consider:
- the status of actions from previous management reviews
- changes in external and internal issues that are relevant to the whistleblowing management system
- changes in needs and expectations of interested parties that are relevant to the whistleblowing management system
- information on the whistleblowing management system performance, including trends in:
> nonconformities and corrective actions
> monitoring and measurement results
> audit results
> opportunities for continual improvement and learning.
Knowing whether your whistleblower programme actually works is not as simple as it seems. It requires far more than simply looking at the technology and making a test report.
The solution involves measuring and reporting on the programme’s objectives and metrics, conducting internal audits and gathering feedback from top management. Together these will give you a solid set of data to decide whether the entire system is reaching its objectives and adding value to the business.
The ISO Whistleblower Guidelines provide very useful steps on how to make your platform work. If your whistleblower programme meets the ISO guidelines in all respects then you have a leading-edge system that meets the best international standards and you should feel very comfortable that it is fit for purpose.
If you are interested in building your programme from scratch, in consultative advice on the ISO Whistleblower Guidelines or for a free trial of the Speeki whistleblower platform, please contact us here.