Is your company bought in on the whistleblowing programme?

Share this post
Is your company bought in on the whistleblowing programme?

How do you know if your leadership and management have bought into your company’s whistleblowing programme? Leaders always say they are supportive of this initiative, and they provide the occasional support through reminder emails to use the whistleblowing system, but is that enough? What should they be doing? What are the best practices around leadership and management support, and how do we know whether the support is enough?

Until now, few guidelines have really helped companies know whether the support they are receiving from leadership and management is enough. The good news is now we have a standard by which we can compare whistleblowing programmes and test whether we have the right resources and support from the company.

Using the ISO whistleblowing guidance

In 2021, the International Organization for Standardization (ISO) formally enacted International Standard ISO 37002 – Whistleblowing Management Systems – Guidelines (ISO Whistleblowing Guidelines). ISO Whistleblowing Guidelines are the first comprehensive guide for companies that operate whistleblowing management systems. If your whistleblowing programme meets the ISO guidelines in all respects, then you have a leading-edge system that meets the best international standards and you should feel very comfortable that it is fit for purpose.

The ISO Whistleblowing Guidelines provide advice for organisations to create whistleblowing management systems based on the principles of trust, impartiality and protection. The guidelines are adaptable, and their use will vary with the size, nature, complexity and jurisdiction of the organisation’s activities.

Following the guidelines can assist an organisation to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.

What do the ISO Whistleblowing Guidelines say about ‘leadership’ commitment?

The guidelines have two significant sections that discuss the role of leadership and management. They say that the governing body (meaning the board or the highest level of the organisation that is strategic in nature and addresses broad risk management oversight) should do the following:

  • set objectives for an effective whistleblowing management system and monitor top management with respect to these
  • approve the organisation’s whistleblowing policy and communicate clear messages about its existence, importance and use
  • demonstrate that commitment by embracing the policy and the whistleblowing management system
  • at planned intervals, receive and review information about the content and operation of the organisation’s whistleblowing management system
  • ensure that adequate and appropriate resources needed for effective operation of the whistleblowing management system are allocated and assigned
  • exercise adequate oversight of the implementation, integrity and improvement of the organisation’s whistleblowing management system.

The question for most compliance teams with a mature whistleblowing programme is whether they could comfortably say that their organisation

Most people could show that their board has approved the programme and receives regular updates about it, and in most cases the board would exercise some oversight of the programme. But it would be important for compliance teams to ‘prove’ these elements with clear documentation, such as minutes of meetings.

Where many programmes might have gaps is with the governing board setting objectives for the programme and also ensuring that the programme has been allocated adequate resources. These objectives are important because they really set the standards and goals for the programme to achieve and form the basis of determining whether the programme is a ‘success’ in meeting those objectives. Having the board ensure that adequate and appropriate resources have been provided for the whistleblowing system is an excellent initiative – there is nothing better than having the board behind you on the resources side. If management ever trims the budget to a level that does not allow you to run ‘an effective whistleblowing management system’, then pull the ‘board and leadership’ card. This alone is a good enough reason to operate according to the ISO Whistleblowing Guidelines.

What do the ISO Whistleblowing Guidelines say about top management?

The guidelines also go into significant detail on the role of top management. Top management should demonstrate leadership and commitment with respect to the whistleblowing management system by:

  • ensuring that the whistleblowing policy and whistleblowing management system objectives are established and are compatible with the values, objectives and strategic direction of the organisation
  • approving the organisation’s whistleblowing policy
  • ensuring the accessibility of the whistleblowing management system and encouraging its use
  • ensuring the integration of the whistleblowing management system requirements into the organisation’s business processes, including management systems
  • ensuring that the resources needed for the whistleblowing management system are available, adequate, appropriate and deployed
  • communicating the importance of effective whistleblowing management and of conforming to the organisation’s established whistleblowing management system requirements
  • communicating the whistleblowing policy internally and externally
  • ensuring that the whistleblowing management system achieves its intended result(s)
  • directing and supporting persons to contribute to the effectiveness of the whistleblowing management system
  • promoting continual improvement
  • supporting other relevant roles to demonstrate their leadership as it applies to their areas of responsibility
  • committing to, promoting and practising a speak-up/listen-up culture within the organisation, e.g. by actively participating in relevant staff training sessions and, with their consent, publicly commending the organisation’s whistleblowers
  • ensuring that whistleblowers and others involved will not suffer detriment by the organisation in relation to whistleblowing
  • at planned intervals, receiving and reviewing reports on the operation, and performance of, the whistleblowing management system
  • ensuring an impartial investigation of matters reported using the system, regardless of the identity of the whistleblower, the subject of the report and the implications of the issues identified.

This is a very exhaustive list of actions for top management. If you are just starting out and applying this set of guidelines for the first time, it might take some time to walk the top management through each of these elements to really make sure they are committed. There are certainly clear obligations on top management to make sure the programme works, that it is available, that it is known by everyone and that it is reviewed and improved. There is also a real focus on management ‘practising what they preach’ by developing a speak-up culture in the organisation.

The ISO Whistleblowing Guidelines go on to clearly state that top management should give the whistleblowing management function the responsibility and authority for ensuring that the whistleblowing management system conforms to the recommendations of the ISO Whistleblowing Guidelines and reporting on the performance of the system to the governing body and top management. The role and obligations of the whistleblowing management function are detailed and discussed in another article.

As identified above, top management can assign some or all of the whistleblowing management function to persons external to the organisation. If this happens, management need to ensure that people within the organisation have responsibility for and authority over those external parties.

So, how do you know if your leadership and management have bought into the company’s whistleblowing programme? The ISO Whistleblowing Guidelines provide a great benchmark for determining whether the governing body and top management are doing what they should be doing.

Remember, as with the standards produced by ISO, stating that someone does something is not enough – you need to be able to prove it. You need to be an expert at thinking about which evidence will prove the activities mentioned above, and tracking that evidence so you are ready for an audit at any time.

How to learn more

The ISO Whistleblowing Guidelines are now available to purchase from the ISO stores in each country. Check the ISO website for further details.

If you are interested in building your programme from scratch or for consultative advice on the ISO Whistleblowing Guidelines, please contact us here.

Share this post