On Tuesday 5th July, we hosted a workshop on whistleblowing, where we were joined by many compliance experts and other industry professionals. The workshop gave us the opportunity to showcase our multi-practice whistleblowing team, which draws lawyers from across various practices, including EPIC, Regulatory, Privacy and Commercial Crime.
Recent movements such as #MeToo and Black Lives Matter have shown that poor organisational culture and behaviour are becoming increasingly intolerated. Whistleblowing has risen in profile, and will continue to be an important focus for clients in the years to come. The number of reports made to whistleblowing channels has grown dramatically, alongside an increase in the number of whistleblowers reporting outside their organisations, including to regulators. Many clients are also having to grapple with the changes introduced by the EU Whistleblowing Directive, which is driving positive change across Europe.
At our whistleblowing workshop, partner Nick Thorpe introduced the session, and a senior leadership perspective was given by Michael Julian, the former Chief Compliance Officer at ALSTOM Group.
He emphasised that for a whistleblowing programme to be effective, it was important for it to be clearly-communicated so that staff are aware of it, with transparent governance, a clear mechanism for escalation, anonymous reporting, and a hotline managed by a company's whistleblowing team.
Establishing trust among staff was also key, he said, and if the whistleblowing reporting channel was never used, that was not a good sign.
There were then a series of breakout sessions, where participants talked through their approaches to different scenarios, discussing best practice and how policies applied in their respective organisations. Please see below for a summary of the breakout sessions:
- Ensure the Board/Management are engaged and supportive of the Whistleblowing programme.
- Improve/increase reporting whistleblowing cases to the Board/Management Team.
- Present bad experiences of other companies being fined to the Board/Management.
- Ensure there is good leadership of the Whistleblowing programme.
- Compliance team is usually the first point of contact, however in smaller businesses, the HR director might be the individual to receive the first report.
- Appoint an appropriate whistle-blower officer or dedicated team for governance and compliance who are;
- Not part of the company management team
- Should be an independent director.
- Train and Communicate the Whistleblowing Programme to all employees
- Training on the Whistleblowing programme should be provided at all levels, i.e. given to HR, Internal Audit team, Compliance and the legal team, general employees and the management team
- Ensure all employees know the rules, how to programme works and how to access the programme.
- Review and measure the effectiveness of your Whistleblowing programme
- Have annual independent 3rd party assessment of the whistleblowing programme/process
- Annual compliance tests for all team members on fraud, AML, Health and Safety, GDPR
- Have KPI's relating to:
- Staff training
- Onsite visits to different offices.
- Communicating outcomes of the Whistleblowing programme
- Anonymise the report when communicating it to the company.
- Have a dedicated page on your website communicating Whistleblowing investigation and outcomes.
- Have someone from the business (not from the Compliance or HR Team) communicate the report to the team in difference jurisdictions
- Create and circulate a spreadsheet report of Investigation and outcomes which covers;
- What the issue is?
- How it was dealt with?
- What the outcome was?
- What the learning outcomes of the case it?
The Role of HR
- We challenged the orthodoxy that responsibility for whistleblowing programmes should sit solely with compliance teams. While some delegates expressed concern about decision making 'by committee' (particularly in the triaging of concerns), many acknowledged the potential benefits of a multi-stakeholder approach and involving other teams, including HR, from the outset.
- It was also acknowledged that HR teams had a role to play in promoting whistleblowing or 'speaking up' programmes as part of a wider programme to promote the organisation's values and culture. However, it was important that employees could also turn to HR to raise concerns informally.
- Most organisations adopted a zero tolerance approach to workplace retaliation but very few took proactive steps to mitigate the risk of retaliation when concerns were raised. Several delegates saw the benefit in carrying out early risk assessments to mitigate the risk of workplace retaliation occurring.
- Delegates also saw the benefit in offering psychological or wellbeing support to employees who blew the whistle or who were subject to investigation. While a number of organisations offered employee assistance programmes, no organisation offered tailored support. However, many delegates saw the benefit in so doing, particularly during the course of investigations.
Whether implementing your own internal system or using a third-party whistleblowing system, key privacy factors to consider are:
- Have adequate privacy features been implemented, such as a "Just in Time" whistleblowing privacy notice and the ability for individuals to submit responses anonymously? As well as fostering a culture of compliance, these features will also help foster trust.
- Is your anonymous reporting truly anonymous? For anonymous responses, check that users are not tracked or identified by any other means. This 'invisible tracking' issue led to a recent fine from the Italian Data Protection Authority.
- Has a data protection impact assessment been carried out? This is especially important given the nature of the personal data processing that could take place (e.g. in relation to wrongdoing) as well as the harm and embarrassment that may be caused to individuals should their responses fall into the wrong hands. Data protection impact assessments should also be regularly revisited and kept up to date.
- Have data flows been mapped? Whether using your own system or a third-party whistleblowing system, the tech housing the personal data could well be third-party provided and supported – including by a chain of subcontractors. If data is sent to or accessed from outside of the EEA/UK, put appropriate data transfer arrangements in place to comply with the GDPR/UK GDPR.
The New EU Whistleblowing Directive
- The implementation of the new EU Whistleblowing Directive (the "Directive") will create an homogeneous set of whistleblowing rules across Member States. Differences are likely to arise when, for example, in transposing the Directive, Member States decide to include within its scope other types of infringements such as criminal or administrative breaches (e.g., Germany or France).
- Although the objective behind the Directive is the harmonisation of the EU framework, only nine member states ("MS") have so far transposed the new framework. The diverse implementation across MS highlights the importance of mapping the countries in which a company operates and sets a challenging task for companies when trying to identify a base-level approach across their network. "Localisation" can be hard to achieve, depending on resources and personnel, and companies preparing an effective regional policy are more likely to address the nuances of a specific territory.
- The Directive sets clear timeframes around the acknowledgment of (seven days) and the response to (three months) a whistleblowing report. Such a timeframe is likely to create difficulties when carrying out internal investigations. Companies need to access whether they have enough resources in place to achieve these timeframes.
- While the Directive does not aim to "re-invent the wheel", the requirement to conduct the investigation where the whistle is blown can be an onerous task for businesses. It remains to be seen how or whether this criteria will be enforced at national level by the entities in charge of regulating whistleblowing.
Partners Nick Thorpe and Quinton Newcomb rounded up the findings of the workshop, and they, along with Miguel Vaz, can be contacted to find out how whistleblowing and other compliance risks may apply to your clients' work and operations.
Sign up to our email digest