Checklist for a good whistleblowing solution

by Daniel Vaknine

Employees play a key role in an organisation’s well-being. As we all know, it is they who make the organisation work. If the employees in an organisation are dissatisfied or experience injustices in the workplace, it can have major negative effects, ranging from lack of motivation and lack of results to enormous negative media attention or lost partners. A critical component in the well-being of employees is the possibility of whistleblowing. Historically, there have often been situations where people are afraid of being singled out as whistleblowers, either for fear of retaliation, special treatment or getting rid of their jobs. Today, these are well-established facts amongst many within the risk and compliance industry.

This is one of the many reasons why the EU has chosen to implement the new Whistleblower Directive. As a result, new minimum requirements in whistleblowing have emerged. In this article, we’ll discuss these and give you tips on how you can ensure that your organisation’s whistleblowing solution is actually a good one, not only for complying with the new EU Whistleblower Directive, but also for minimising risk within your organisation.

Make sure your whistleblowing solution is good and that it gets used

Meeting the minimum legal requirements is of course a good thing but even better is to go from simply having a sufficient whistleblowing solution to having one that is actually of benefit, but what you can do as an organisation to improve your existing whistleblowing solutions or to create a really good one?

Make sure that management is on board

Make sure your CEO and management team really understand and accept the concept. For a successful whistleblowing solution, the management team must not only implement the solution, but embrace it completely.

An introductory letter from the CEO describing the expectations of behaviour and the responsibility shared by all employees to ensure that the organisation and its integrity are protected from all types of errors could be a one example. By ensuring that people in managerial capacity and in higher roles embrace the concept, it has a positive impact on the rest of the organisation.

Educate employees

Introduce the whistleblowing solution and explain examples of ethical dilemmas. Educate your employees about red flags that can help detect scams or frauds. Lifestyle changes, hints of abuse, gifts from suppliers or failure to take vacations are all subtle clues that there may be something wrong.

Employees need to be educated about the events that can indicate disasters, and the earlier a fraud is detected, the less damage to the organisation – both from a financial perspective and in terms of your reputation.

Read the ACFE’s 2022 Report to the Nations for more information on how whistleblowing can help you combat fraud.

Use a good whistleblowing policy

While the importance of whistleblowing is obvious, adopting a whistleblowing policy is not something an organisation should rush into. A bad policy can cause as much headache for an organisation as no policy at all. Many also believe that a policy is enough to comply with the new EU Whistleblowing Directive. In short, that’s most often not the case.

Also read: How to make your whistleblower policy easy to understand.

For example, your policy should include/highlight:

• What types of problems should be reported. Give examples, such as accounting fraud, contract fixes, corrupt payments, theft of company data and racial discrimination. If you want to go beyond the whistleblower law also for example sexual harassment, office bullying and so on, and maybe even a “and everything else that you consider to be misconduct”.
• Employees’ obligation to report irregularities. In most cases, you want to specify that employees must report disturbing misconduct they see, even if they are not direct victims of the behaviour in question.
• Opportunity to report anonymously. By providing an anonymous reporting channel, you provide employees who are in some way involved in misconduct but who want to come clean in a way to do so.
• Protection against retaliation. Either as part of your general whistleblowing policy, or as a company policy for courtesy in the workplace, emphasise that it is strictly forbidden to take revenge on employees for submitting a whistleblowing report and may result in disciplinary action including dismissal.

It’s a good idea to get professional help with developing your whistleblowing policy, either from a law firm specialised in whistleblowing, your whistleblowing system provider or someone else with good knowledge of the field.

Checklist for a good whistleblowing solution

Outlined below is our brief checklist for a sound whistleblowing solution:

Confidentiality

• Does your whistleblower system allow a whistleblower’s identity to remain strictly confidential? Preferably even anonymous?
• If necessary, can the system be opened up to external parties without revealing the whistleblower’s identity?
• Are identities protected all the way from reporting to investigating cases?
• Is access to case management systems secure enough? Does it have two-factor authentication? Can notifications via email or such undeliberately expose the whistleblower’s identity?

Contact persons

• Do you have a system, competence and routines for handling investigations? You should at least know where to turn if you need help.
• Does your whistleblowing solution allow you to securely add external experts to the case management process?
• Do you have competent resources in place to follow up reports in an appropriate manner?

Archiving & storage

• Does your system keep a user and case log of each case?
• Does your system allow the deletion of personal data in accordance with the GDPR?
• Does your system delete all personal data when the case is deleted?
• Is your whistleblowing solution fully compliant with the GDPR in all EU countries where you operate?

In summary

All in all, there are many things to think of when implementing a whistleblowing solution. Internal solutions such as an anonymous mailbox or a simple email often don’t meet the recommendations for a good whistleblowing solution and even the legal requirements.

An increasing number of companies all over Europe and the world are implementing web-based whistleblowing solutions to deal with the new legal requirements. Many also go beyond the legal requirements and follow a checklist like the one you have been given here to ensure that the solution is actually one that can benefit employees and the organisation as a whole.

If you have any questions about this article or how to implement a good whistleblowing solution, you’re always welcome to reach out.

The author, Daniel Vaknine, is CEO and Partner of Visslan, a Sweden-based whistleblowing solution to simplify whistleblowing and compliance with the new EU Whistleblowing Directive. Daniel and his team meet Compliance Officers and Legal Counsels on a daily basis to help them with whistleblowing. Through these encounters, many frequently asked questions arise from which they write articles to provide an answer to the question to a broader audience.