The EU Whistleblower Protection Directive will fundamentally change whistleblowing and reporting in the 27 Member States, but that noble mission brings with it a need for strong processes and whistleblower process management to support that mission. These processes and their related communications, such as internal reporting, external reporting, and anti-retaliation, touch every element of the Directive; yet many companies affected by the Directive don’t have them in tip-top working order and may not be ready to comply by the December 17, 2021 deadline. Although processes and their management aren’t the most glamorous part of the Directive, they are the essential scaffolding that will shape and reinforce the Directive in real-world scenarios.
We know that you’re feeling the pressure of the rapidly-approaching deadline. Move forward knowing that we’re all in this together and you have the support of other international ethics and compliance professionals. Want to discuss your whistleblower processes with other managers who are in the exact same boat? Join us in the Converge Community, Convercent’s community built for the modern E&C professional.
Recent surveys have identified that an audit only identifies 19 percent of fraud, whereas whistleblowers identify a whopping 43 percent.
If your organization already has a whistleblower hotline in place, along with operational support on the communications, data, and management fronts, congrats! At the other end of the spectrum, some companies may have little or none of this in place, and the EU Whistleblower Protection Directive will essentially drive their helpline implementation. Regardless of which camp you currently occupy, there are always ways to polish your whistleblower hotline process and ensure compliance with the Directive. Recent surveys have identified that an audit only identifies 19 percent of fraud, whereas whistleblowers identify a whopping 43 percent. The benefits of an effective internal whistleblowing operation should never be underestimated.
The three-tier reporting system, introduced by the Directive, includes three reporting channels: internal, external to a nominated body/regulator, and externally to the media. Although there are a few stipulations in which employees or third parties should report externally – such as imminent danger or no response to previous reports – whistleblowers are encouraged to report internally first. This is exactly why your internal reporting channels must work well, be respected, and be painstakingly publicized within your organization and with third parties engaged in a “work-based relationship” with your company. Reputational damage is the ethics and compliance professional’s Sword of Damocles, an ever-present danger for organizations who don’t take their internal reporting channels seriously.
If companies don’t implement an internal reporting channel, then a whistleblower’s only option is to report externally, eliminating that company’s opportunity to manage the investigation and make any necessary corrections internally. In order for an internal reporting channel to be effective and compliant with the EU Whistleblower Protection Directive, it requires a reliable helpline service, good employee communications, and strong case management processes – such as follow-up investigations and anti-retaliation efforts. If you already have a whistleblower hotline, test your current process by making test reports and following up with every internal touchpoint and stakeholder. There is a real risk of cases being “triaged away” or simply dismissed. If this happens to your test cases, you can guarantee that a potential reporter will opt to use an external reporting channel out of frustration.
Publicizing your whistleblower hotline is paramount and no single method will suffice. Consider a combination of the following methods to communicate your internal reporting resources:
- Workplace posters in breakrooms, common spaces, washrooms, etc.
- Emails, distributed on a regular schedule
- Team briefings conducted by internal subject matter experts
- Competition and prizes for hotline and knowledge base testing
Remember that bad news travels fast. If your internal channels fall short or enable whistleblower retaliation, your reporting levels will assuredly decline because there is no internal trust. Ensure compliance with the scope of the Directive and empower your employees to speak-up by enabling multiple confidential reporting methods, either in writing (through an online reporting platform, email, letter, or complaint boxes) or orally (via telephone hotline, voice messaging system, or in person). Provide easily accessible and transparent information about reporting channels to promote — and not deter — reporting.
External reporting needs to be publicized just like internal channels, but external “competent authorities” at the EU or state level will not be your organization’s biggest advocate; they will operate to protect the whistleblower and investigate any potential breaches of EU law and will not concern themselves with any subsequent reputational damage. In order to comply with the Directive, spend the time to research and promote related external reporting channels well, both at the local and EU level, but work to ensure that your internal channels are reliable and trusted enough to be your employees’ first choice.
If a whistleblower goes to the media, their case may evolve and snowball, risking retaliation or a failure to deal with concerns internally in the required timeframe of three months. In our current reactionary media environment, losing control over the narrative could easily escalate a relatively small matter into disaster for your company. These are all strong incentives for companies of any size to establish their own internal reporting channels.
Once your organization receives a report, what processes do you have in place to address whistleblower retaliation? Do you have robust data and analytics that you can pull from on a regular basis? If the health of your anti-retaliation strategy is at all in question, focus as much energy and attention on it as possible because the revolutionary “reverse burden of proof” mandate in the Directive requires companies to prove that they did not retaliate. Regardless of the method a whistleblower utilizes to make a report, you will have to pull follow-up reporting data, communications with the whistleblower, and all related timelines.
Retaliation also occurs with third parties, and their reports need just as much attention as individual reporters. If a vendor loses a contract after submitting a report, your analytics and follow-up management processes will play a key role in addressing the situation. A helpline and case manager that is configurable, supports multiple languages, and automates triage will help you build trust with reporters and strengthen your reporting efforts with rich analytics.
The fear of retaliation means that 34 percent of potential whistleblowers won’t come forward at all.
If you’re in need of a few powerful statistics to support your efforts to improve your data operation or internal hotline health, consider that, according to Keith Read, Convercent’s Chief Compliance Officer & Advisor for Europe, the fear of retaliation means that 34 percent of potential whistleblowers won’t come forward at all. Furthermore, according to Keith, 72 percent of retaliation takes place within three weeks of a report and 90 percent occurs within six months. An additional six to ten percent happens after the six-month mark, making anti-retaliation follow-up much more than a “one and done” endeavor.
Master the Requirements of the EU Whistleblower Protection Directive
Prepare to comply with the requirements of the EU Whistleblower Protection Directive by the deadline of December 17, 2021 with this free series of eight expert-led webinars.