If you are a board member of a company that has a whistleblower programme, you have a role to play and it is important that you understand your obligations.
If you are not a board member, but you are an operator of a programme, this article might still be useful as a training guide for directors to understand their role.
Until now, there has been little that really helped directors know their specific duties when it came to the company’s whistleblower programme. Directors have typically just followed their own intuition for their oversight of the programme and developed their own priorities around giving strategic direction to those in management for resourcing the programme. The good news is that we already have specific guidelines on how a board director should be supporting the whistleblower programme.
Using the ISO whistleblower guidance
In late 2021, the International Organization for Standardization (ISO) formally enacted the International Standard ISO 37002 – Whistleblowing Management Systems – Guidelines (ISO Whistleblower Guidelines). The ISO Whistleblower Guidelines are now available, and you are able to get a copy from the ISO website in your country for a small fee.
The ISO Whistleblower Guidelines are the first comprehensive guide for companies that operate whistleblower management systems. The guidelines provide advice for organisations to create whistleblowing management systems based on the principles of trust, impartiality and protection. The guidelines are adaptable, and their use will vary with the size, nature, complexity and jurisdiction of the organisation’s activities.
Following the ISO Whistleblower Guidelines can assist an organisation to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.
What do the ISO Whistleblower Guidelines say about the role of directors in the whistleblower programme?
The ISO guidelines have two significant sections that discuss the role of leadership and management. They say that the governing body (meaning the board or the highest level of the organisation that is strategic in nature and addresses broad risk management oversight) should do the following:
The top-ten things for a board member to ask about the whistleblower programme
As a board member, these are the questions that you could ask your top management or the programme managers to learn about the whistleblower programme and meet your requirements under the ISO Whistleblower Guidelines.
- Have you set objectives for an effective whistleblowing management system? What are these objectives? Are there clear owners and timelines to meet these objectives? How do we know if the objectives have been met? What are the criteria for success?
- How do you monitor the objectives? Do you have the team regularly report to the board (or a committee) about whether the objectives are being met? Is there a focus on measuring these objectives? Is there a clear picture that shows each objective and how close it is to being achieved?
- Did the board formally approve the organisation’s whistleblower policy? Is this approval recorded (e.g. in the meeting minutes)? Are the approval date and approving board directors indicated on the approval document?
- Have we as a board effectively communicated our approval of the programme to both management and the company at large? Are the messages about its existence, importance and use clear to everyone? Has this communication been tracked and stored with the documentation for the programme? When was the last time that you communicated the board’s approval? Are the communications regular enough?
- How have you demonstrated your commitment by embracing the policy and the whistleblowing management system? Have you talked about it in staff forums, or at shareholder meetings? Have you been able to discuss the existence of the policy to major shareholders and give them comfort that it exists and that you are supportive of it? Have you checked yourself to see if the system actually works?
- How have you been updated on the programme? Do you receive scheduled updates about the content and operation of the organisation’s whistleblowing management system? Are these scheduled at the right intervals and is the information enough? Do you feel that the information is complete and that the requirements of the ISO Whistleblower Guidelines have been met?
- Do you feel that there are adequate and appropriate resources for effective operation of the whistleblowing management system? Have you listened to the team’s feedback on their resource needs? Have you made sure that the right budgets are provided and somewhat protected from any job cuts or programme cuts that could mean the company did not meet its programme commitments?
- Have you validated that the people that operate the programme have the right skills? Have they received training on the ISO Whistleblower Guidelines and the operation of whistleblower programmes? Do they understand their obligations around privacy, confidentiality and independence? Are they highly qualified, competent and acting fairly in the eyes of any reporter?
- Have you exercised adequate oversight of the implementation, integrity and improvement of the organisation’s whistleblowing management system?
- Do you see evidence that the programme is being improved? Have you reviewed any complaints? Have you engaged someone independent to review the programme and provide a gap analysis against the ISO Whistleblower Guidelines?
If your top management can answer all of the questions positively, it is likely that the board has exercised its duties under the ISO Whistleblower Guidelines and that the organisation has a comprehensive and effective whistleblower programme.
If you are an operator of a programme, can you comfortably say that your board meets all of the requirements? If it is apparent that there is still work to be done, the priority would be for the board to endorse provision of adequate resources. There is nothing better than having the board behind you on the resources side. If management ever trims the budget to a level that does not allow you to run ‘an effective whistleblowing management system’, then pull the ‘board and leadership’ card. This alone is a good enough reason to operate according to the ISO Whistleblower Guidelines.
How to learn more
The ISO Whistleblower Guidelines are available to purchase from the ISO stores in each country. Check the ISO website for further details.
If you are interested in building your programme from scratch or for consultative advice on the ISO Whistleblower Guidelines, please contact us here.