Does your whistleblowing programme actually work?

Share this post
Does your whistleblowing programme actually work?

How do you know if your whistleblowing programme is successful? You know that there is a ‘hotline’ in place and that people occasionally use it, but does your whole programme actually work?

Until now, there has been little that really helped companies know whether their whistleblowing reporting programmes were actually meeting objectives and adding value. But there is good news: there is a formal guideline that you can use to test the performance of your programme and compare it against best practice.

The ISO guidance

In late 2021, the International Organization for Standardization (ISO) formally enacted the International Standard ISO 37002 – Whistleblowing Management Systems – Guidelines (ISO Whistleblowing Guidelines). The ISO Whistleblowing Guidelines are now available and you are able to get a copy from the ISO website in your country for a small fee.

The ISO Whistleblowing Guidelines are the first comprehensive guide for companies that operate whistleblowing management systems. The guidelines provide advice for organisations to create whistleblowing programmes based on the principles of trust, impartiality and protection. The guidelines are adaptable, and their use will vary with the size, nature, complexity and jurisdiction of the organisation’s activities.

Following the ISO Whistleblowing Guidelines can assist an organisation to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.

What do the ISO Whistleblowing Guidelines say about performance testing your whistleblowing programme?

As you would expect, the ISO Whistleblowing Guidelines suggest that the first step is working out what exactly you are reviewing, monitoring and checking for performance.

According to the guidelines, you need to determine:

  • what needs to be monitored and measured
  • who is responsible for monitoring
  • the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results
  • when the monitoring and measuring should be performed
  • when the results from monitoring and measurement should be analysed and evaluated.

Every company should evaluate the performance and effectiveness of their whistleblowing management system against their decided metrics. Of course, good documentation should be kept as evidence of the results of these evaluations.

Which key metrics should you review and track?

As part of your review, you need to decide how to monitor and measure the whistleblowing management system’s performance. Like most measurement systems, this could reference both quantitative and qualitative indicators.

In most cases, the measurements will include the number of reports, the time it takes to review reports, and the feedback from users. But there are also some more sophisticated measurements for interpreting costs and value to the business.

The following non-exhaustive list is what the ISO Whistleblowing Guidelines suggest can be monitored and measured by an organisation in the context of its whistleblowing management system:

  • the number of reports of wrongdoing received by country, region and department
  • the nature of the wrongdoing reported
  • the time taken to acknowledge receipt of an initial report of wrongdoing
  • for each step in the process, the time taken for completion
  • the relative proportions over time of reports received via normal reporting lines, any internal alternative reporting systems and any external alternative reporting systems
  • whistleblower feedback including satisfaction with the whistleblowing management system and suggestions for improvement
  • periodic survey of personnel about awareness of and trust in the whistleblowing management system
  • the proportion of reports that are sustained by an investigation against those that are not sustained
  • the proportion of reports that fall outside of the scope of the whistleblowing management system
  • the proportion of reports where the information provided was knowingly false
  • the employment outcomes for whistleblowers (i.e. monitoring the proportion of whistleblowers who depart the organisation after having made a report of wrongdoing and the reasons for their departure)
  • the proportion of reports resulting in corrective actions
  • average time taken to investigate/close cases
  • seriousness of issues raised
  • the effectiveness and value of corrective actions taken.

In addition to the above, there are quite a few other measurements that could be reviewed regarding the benefits, value and actual costs of the system and associated investigations. Focusing on measurements around value will assist in proving the system’s worth to management and will support the ‘return on investment’ that is often required for budget approval.

Additional elements to measure value include:

Additional elements to measure value: the monetary value of savings and the potential cost to brand reputation

Where to find the data

The ISO Whistleblowing Guidelines also give some direction on potential sources for evaluating your whistleblowing management system. Sources of information include:

  • incoming reports
  • investigation case files
  • survey data
  • feedback from whistleblowers and relevant interested parties, such as subjects of reports, witnesses, investigators, management
  • indicator analyses
  • other relevant available documentation.

Auditing is another way to test performance

Every compliance programme should be tested using some form of audit. Indeed, the ISO Whistleblowing Guidelines require internal audits to be carried out at planned intervals to determine whether the whistleblowing programme is conforming to the company’s own requirements and the requirements of the ISO guidelines.

These internal audits need to be scheduled in advance, and there should be a written plan that defines each audit’s objectives, criteria and scope, as well as who is going to complete each audit (i.e. an objective and impartial auditor).

The results of the audits must be reported to relevant managers and considered and acted on as appropriate. Of course, all of this needs to be clearly documented.

Management views and opinions are also helpful

Another mechanism for determining the success of the programme is seeking feedback from management. The ISO Whistleblowing Guidelines state that top management should regularly review the whistleblowing management system and report their findings to the board.

To ensure the programme’s continuing suitability, adequacy and effectiveness, management should consider:

  • the status of actions from previous management reviews
  • changes in external and internal issues that are relevant to the whistleblowing management system
  • changes in needs and expectations of interested parties that are relevant to the whistleblowing management system
  • information on the whistleblowing management system performance, including trends in:

nonconformities and corrective actions

monitoring and measurement results

audit results

opportunities for continual improvement and learning.

Knowing whether your whistleblowing programme actually works is not as simple as it seems. It requires far more than simply looking at the technology and making a test report.

The solution involves measuring and reporting on the programme’s objectives and metrics, conducting internal audits and gathering feedback from top management. Together these will give you a solid set of data to decide whether the entire system is reaching its objectives and adding value to the business.

The ISO Whistleblowing Guidelines provide very useful steps on how to make your platform work. If your whistleblowing programme meets the ISO guidelines in all respects then you have a leading-edge system that meets the best international standards and you should feel very comfortable that it is fit for purpose.

If you are interested in building your programme from scratch, in consultative advice on the ISO Whistleblowing Guidelines, please contact us.

Share this post