If you are a senior executive at a company that has a whistleblower programme, you have a role to play and it is important that you understand your obligations.
If you are not a senior executive, but you operate the whistleblower programme, this document might be useful as a training guide to help senior managers understand their role.
Until now, there has been little that really helped senior or top management know their specific duties when it came to the company’s whistleblower programme. Senior and top management have typically just followed their own intuition and developed their own set of priorities when determining the resources for operating the programme. The good news is that we now have specific guidelines regarding the role of a top leader in supporting the whistleblower programme.
Using the ISO whistleblower guidance
In late 2021, the International Organization for Standardization (ISO) formally enacted the International Standard ISO 37002 – Whistleblowing Management Systems – Guidelines (ISO Whistleblower Guidelines). The ISO Whistleblower Guidelines are available, and you are able to get a copy from the ISO website in your country for a small fee.
The ISO Whistleblower Guidelines are the first comprehensive guide for companies that operate whistleblower management systems. The guidelines provide advice for organisations to create whistleblowing management systems based on the principles of trust, impartiality and protection. The guidelines are adaptable, and their use will vary with the size, nature, complexity and jurisdiction of the organisation’s activities.
What do the ISO Whistleblower Guidelines say about the role of the top leadership in the whistleblower programme?
The ISO guidelines go into significant detail on the role of top management. You should demonstrate leadership and commitment with respect to the whistleblowing management system by:
- ensuring that the whistleblowing policy and whistleblowing management system objectives are established and are compatible with the values, objectives and strategic direction of the organisation
- approving the organisation’s whistleblowing policy
- ensuring the accessibility of the whistleblowing management system and encouraging its use
- ensuring the integration of the whistleblowing management system requirements into the organisation’s business processes, including management systems
- ensuring that the resources needed for the whistleblowing management system are available, adequate, appropriate and deployed
- communicating the importance of effective whistleblowing management and of conforming to the organisation’s established whistleblowing management system requirements
- communicating the whistleblowing policy internally and externally
- ensuring that the whistleblowing management system achieves its intended result(s)
- directing and supporting persons to contribute to the effectiveness of the whistleblowing management system
- promoting continual improvement
- supporting other relevant roles to demonstrate their leadership as it applies to their areas of responsibility
- committing to, promoting and practising a speak-up/listen-up culture within the organisation, e.g. by actively participating in relevant staff training sessions and, with their consent, publicly commending organisation’s whistleblowers
- ensuring that whistleblowers and others involved will not suffer detriment by the organisation in relation to whistleblowing
- at planned intervals, receiving and reviewing reports on the operation, and performance of, the whistleblowing management system
- ensuring an impartial investigation of matters reported using the system, regardless of the identity of the whistleblower, the subject of the report and the implications of the issues identified.
This is a very exhaustive list of actions. If you are just starting out and applying this set of guidelines for the first time, it might take some time to walk through each of these elements. There are certainly clear obligations to make sure the programme works, that it is available, that it is known by everyone and that it is reviewed and improved. There is also a real focus on ‘practising what you preach’ by developing a speak-up culture in the organisation.
The ISO Whistleblower Guidelines also clearly state that you should give the whistleblowing management function the responsibility and authority for ensuring that the whistleblowing management system conforms to the recommendations of the ISO Whistleblower Guidelines, and that the whistleblowing management function should report back to you on the performance of the system.
As identified above, you can assign some or all of the whistleblowing management function to persons external to the organisation. If you do, you need to ensure that people within the organisation have responsibility for and authority over those external parties.
The top-20 things for senior leadership to ask about the whistleblower programme
The following are questions that you should ask yourself and your whistleblower programme managers.
- Does the whistleblowing policy and whistleblowing management system have stated objectives? Are those objectives achievable? Are they SMART (specific, measurable, achievable, realistic, timely)?
- Are the agreed objectives compatible with the values, objectives and strategic direction of the organisation?
- Has top management approved the organisation’s whistleblowing policy?
- How is the whistleblowing management system accessible to everyone, including internal and external people? How can suppliers and partners access it?
- How are we encouraging people to use the system? What are the stated benefits or incentives?
- How has the whistleblowing management system been integrated into the business processes, including management systems? Has a reference to the system been included in communications, such as annual reports, policies, HR onboarding forms, supplier contracts and pop-up messaging in meeting rooms?
- Have you authorised enough resources for the whistleblowing management system to be available, adequate, appropriate and deployed? Have you accounted for leave with the human resources? Have you also authorised the use of outside resources when necessary to assist in investigations, document reviews, programme development or technology usage?
- What steps have you taken to communicate the importance of whistleblowing? Has this been communicated to your main stakeholders, including suppliers, customers and partners?
- Have you asked for clear reporting from the system and mapped that against the stated objectives? Is there a system to review the achievement of objectives and review comparisons over time? Are the objectives regularly reviewed?
- Are you actively directing and supporting the people who contribute to the effectiveness of the whistleblowing management system? Do you meet with them regularly? Do they report to you or one of your executives? Are they correctly managed, remunerated and given guidance and feedback? What incentives or bonuses are given to drive achievement?
- What steps are you taking to make sure the programme is being continually improved? How are you measuring improvement? How do you communicate the improvement objectives to the team?
- How have you provided support to other relevant roles to demonstrate their leadership as it applies to their areas of responsibility? Have you identified the roles that will support the programme who also need to be on board? Are they on board? Have you connected with internal audit, HR and other groups that may influence the development of the programme?
- Are you committing to, promoting and practising a speak-up/listening culture within the organisation?
- Have you participated in internal training sessions?
- Have you publicly commended the organisation’s whistleblower programme?
- Which steps have you taken to ensure that whistleblowers and others involved will not suffer retaliation after whistleblowing?
- Have you done any reviews to see if whistleblowers or reporters have had negative reactions post reporting? Has anyone that has made a report left the company? Has anyone that has made a report been discriminated against? Have you made sure there are no less-obvious ways of retaliation occurring (e.g. demotions, office moves, vacation restrictions)?
- Do you receive and review reports on the operation and performance of the whistleblowing management system at scheduled intervals? Have you scheduled those reviews and are you holding people accountable for their delivery and quality?
- Which steps have you taken to ensure that matters reported using the system are investigated impartially, regardless of the identity of the whistleblower, the subject of the report and the implications of the issues identified?
- Are you comfortable that confidentiality, privacy and procedural fairness has been exercised in all investigations?
For top management, if you can answer all these questions, there is a fair chance that you have exercised your duties under the ISO Whistleblower Guidelines and you are well on the way to having a comprehensive and effective whistleblower programme.
For programme managers, one thing you might consider when exercising your duties is getting each of your top managers to sign off on their obligations annually, for example by using a simple survey.
How to learn more
The ISO Whistleblower Guidelines are available to purchase from the ISO stores in each country. Check the ISO website for further details.
If you are interested in building your programme from scratch or for consultative advice on the ISO Whistleblower Guidelines, please contact us here.