Recent webinar on whistleblowing rules
Following our recent webinar on whistleblowing rules in the UK, EU and US, we have compiled all the questions received with answers.
You can listen to or watch the webinar again (see the link at the bottom of this post), or contact us to find out more about VinciWorks’ whistleblowing solutions including portals, training, and policies.
Our company operates in 21+ countries. We have a central software system – whereby all reports get notified to our chief compliance officer in the US in the first instance before being handled regionally. One question is whether that system is ok as it is, or whether it needs to route the report locally first rather than centrally (to the US for example). I have received conflicting advice for Denmark whether reporting to the local entity is required…
It’s probably a good idea to have both. So a report can go to the US central system, and perhaps a copy sent at the same time to the local entity in Denmark. The rules in Denmark require a centralised system that allows all matters to be submitted, as well as written documentation, internal policies to meet the Directive’s requirements and a way to communicate the reporting system to potential whistleblowers, external authorities and the public. It would likely depend on the specific formation of your group and the relationship between the individual entities and the US central system. I would imagine that copying a report submitted to a ‘designated person’ within the country is likely to be sufficient, but it might be useful to get further advice. One issue might be if whistleblowers are submitting in the local language: is the CCO in the US able to effectively handle that complaint? Since an acknowledgement must be sent within seven days, the time it takes the CCO to review the report, possibly translate it and then send out an acknowledgement (if not automated) might delay the workflow, whereas automatically submitting the report to both the CCO and a locally designated person may be better.
Whistleblowing: Questions and answers from the webinar
How can the organisation choose the person to receive the report/alert? Should it be within the HR or Legal team for instance?
The EU directive required an ‘impartial person’ be designated who is competent to follow up on the reports. This can also be the same person who will receive the reports. The designated person will remain in communication and provide feedback. It would make sense for this to sit somewhere like HR or Legal, and also probably to provide some training to those individuals in handling the reports. It might also require a backup in case there was a whistleblowing case that the designated person could not be impartial on. Let’s say HR was designated, but someone blew the whistle on an HR issue or staff member. So consider how an alternate designated person could handle that situation, perhaps a senior manager in that instance.
Does the 50 to 250 employees threshold relate to employees in each Member State or if you have only 10 employees in France but 300 employees globally would you still be caught by French implementing legislation?
It is unlikely that there are only 10 employees in France. Globally you would want to have a whistleblowing solution that everyone in the business can use, and it would make sense to spend a short amount of time ensuring that system is acceptable in France. In short, this means publishing the internal regulations and submitting them to the Works Council, Industry Tribunal, and/or Work Inspector as required under French labour law. Archived cases should be anonymised and securely stored in central storage as long as is deemed required without exceeding 30 years. This is the same as transcribed phone calls and accurate reports of in-person meetings. This means if the business ever exceeds 50 employees in France, the whistleblowing solution is already compliant.
How do you manage anonymity, if you need to feedback a report to the whistle blowing person? How do you address solution finding, if it is an anonymous process?
An online reporting tool should ensure that the whistleblower remains anonymous. An external tool can segregate the data to ensure that the whistleblower details are never revealed to the organisation. This allows communications to remain anonymous.
Does Canada follow the US or are there any differences? Are there any additional factors we should consider for China and Russia?
Canada has its own whistleblowing rules which should be followed by Canadian companies and those operating in the country. There are some protections under the Competition Act around violations of that act, which would mainly cover corporate whistleblowing. Other whistleblowing legislation in Canada includes the Public Servants Disclosure Protection Act, which has a tribunal headed by the Integrity Commissioner who can order remedies. Canadian whistleblowing legislation is seen as relatively weak on protecting whistleblowers from retaliation. There is also little protection for private-sector whistleblowers and Canada is seen as having one of the worst protections for whistleblowers in the G20. For global companies, it would be beneficial to consider whistleblowing protections which go beyond the national standard and implement global protections across the business.
In China there does not seem to be a specific requirement for a foreign entity to have a policy, but companies listed in China should ensure they have protections. In Russia there does not appear to be effective whistleblowing protections. Companies operating in jurisdictions which lack effective protections should consider implementing a strong global policy and communicating to staff how they will be protected if they blow the whistle.
Is it mandatory to have an internal channel for anonymous reporting?
Under the EU directive, yes it is.
Any suggestions around how we can report on effective whistleblowing mechanisms (e.g. Key Performance Mechanisms) given the confidential nature of whistleblowing reports/incidents?
The confidential nature doesn’t prevent key metrics being disclosed, such as the number of whistleblowing complaints made, perhaps from which sections of the business, and any follow-up action taken. For example, X people disciplined or Y policies and procedures changed as a result of the whistleblowing reports. Crucially, a whistleblowing system should be able to provide that kind of data without compromising confidentiality.
What is the best way for a company to deal with a Whistleblowing report from an employee where it is soon clear that the report is unfounded/done with malice?
Reports received into a system which do not meet the threshold of whistleblowing would not have to be investigated as a whistleblowing report. So after an acknowledgement has been sent, the reporter could be informed that their complaint is not being investigated as a whistleblowing complaint, but they should put it through the business grievance procedure.
What complications could arise with companies close to or on the border with the North and South of Ireland (given one is EU and one is UK)?
This would depend, of course, on whether the entity is covered by Irish law. If so they would likely have to comply with the requirements of Irish whistleblowing laws as well as the UK. Having a centralised solution will ensure that the one system can deal with both situations, whether the reporter is based in the North or South.
If you’re complying with, say, EU regulations, could this be in conflict with other regulations in the US?
It’s unlikely that you would operate in two or more places where the whistleblowing rules are in actual conflict. That would only be the case if a jurisdiction actively penalised businesses who had a whistleblowing reporting solution, which is unlikely to be the case. On a company level, the best way forward is to create a single global whistleblowing policy which follows or exceeds the most stringent protections; at the moment that is the EU whistleblowing directive. Someone reporting from the US would then be protected under the same rules as an EU employee. Even if the particular law in the US didn’t require that level of protection, it is better to provide that anyway to encourage whistleblowing and take it seriously.
Would you recommend external whistleblowing hotlines, versus internal whistleblowing lines?
An external whistleblowing portal will ensure anonymity, and help segregate the information. It also demonstrates to employees and third parties that the organisation takes whistleblowing seriously.
A good system should do the following:
- It should provide a secure place to log incidents. This should be accessible worldwide and available 24 hours a day, 7 days a week, 365 days a year.
- It must be easily accessible to all employees and third parties who might need to report.
- It should allow the whistleblower to upload relevant documents and/or evidence related to the incident.
- It should allow the admin of the system to add whistleblowing complaints to the portal even if they have been reported using a different medium. This is to ensure that there is one centralised tracking system.
- The portal should be adequately secure with password protection. You should also consider other measures such as single sign-on and data encryption to prevent unauthorised access.
- It should be GDPR compliant in each country where it operates, and allow deletion where necessary, such as when a case is closed.
Whistleblowing can be a difficult process for employees – what support should be available?
It’s crucial to have a very clear policy and communicate that regularly. Let people know how they can blow the whistle, and that they will be protected if they do. Let them know who to report to, what will happen when they do, and that they won’t suffer as a result. What often stops people whistleblowing is the fear of retaliation. To counter that you need a proper internal marketing strategy to demonstrate that people will not be penalised if they disclose something.
How do you counter the fear of whistleblowing?
Tackle it like any other internal communication process. Imagine you are doing a rebrand. You would communicate those messages digitally of course, but also things like physical posters on the wall, information sessions, Q&A, messages from the CEO. Whistleblowing deserves the same attention. Tell people how they can report, that they should feel safe doing so. It is better to receive a report and try and figure out the issue than to let the issue fester or to ignore it.
What are an employer’s responsibilities in regards to whistleblowing?
It does depend on the specific jurisdiction of course, but in general it is good practice for employers to create open, transparent and safe working environments where employees feel comfortable speaking up. They say that workers are the eyes and ears to witness any type of wrongdoing, and this can include wrongdoing by direct managers as well, so there needs to be a way for people to share that.
How can a business make sure employees feel like something will be done on whistleblowing?
That’s difficult because a whistleblowing report doesn’t always have action points that can be taken. But having a process for providing feedback on the report is really important for that, and even sharing that among staff when possible. So if the business makes changes as a result of whistleblowing, make that clear and say it. Explain what the failings were, why they weren’t caught before and the importance and benefit of someone blowing the whistle. The more transparent the company culture, ultimately the less need for whistleblowing.
What if the whistleblowing report doesn’t have a lot of detail? Is the business required to follow up?
Most whistleblowing reports will look like that. They might even be just a sentence or two about the issue. They won’t always come with data or information. That could be because the whistleblower fears being exposed, or they need reassurance before sending more, or they just don’t have it. But the onus is on the organisation to investigate the reports and determine if they have merit or not. The reporter is not the one who has to do the work for the business.
What if a non-whistleblowing report is made through the system? Like an HR complaint?
Whenever a report is received, you do need someone to differentiate between what is a legitimate whistleblowing report based on the law and flag those, and what is not. Because some things which are relevant complaints might not reach the threshold of whistleblowing. You could ignore it, but it is much better practice to treat any report seriously. Investigate, understand, see if things need to change and then follow up with the reporter.
On demand webinar: Whistleblowing – are you up to date?
Whistleblowing is a fundamental part of good governance, and vital for any business concerned about their ESG score. But whistleblowing rules differ widely between countries, with the UK, US, and now the EU Whistleblowing Directive all mandating differing levels of protection for whistleblowers.
Beyond the regulations, many companies face the challenge of how to implement a whistleblowing solution. Organisations can make it easier for staff to whistleblow, boosting their governance credentials and meeting their regulatory obligations as well.
In this webinar, we reviewed the whistleblowing regulations across the US, UK and EU, what the new EU Directive means, and what best practice looks like for whistleblowing compliance.
The webinar covered:
- Whistleblowing regulations in the EU, US, and UK
- The new EU Whistleblowing Directive
- Elements of a successful whistleblowing programme
- Navigating differences between jurisdictions
- How to deal with a whistleblowing complaint
- Whistleblowing and ESG
VinciWorks’ whistleblowing reporting solution
On 17 December 2021, the EU Whistleblowing Directive came into force. While some countries are behind in transposing the regulation into national law, there is a minimum set of whistleblowing standards that should be adhered to. The regulation requires certain businesses to establish channels and procedures for internal reporting.
Our whistleblowing reporting solution is ready to be implemented today. The tool allows businesses to capture all breaches, complaints and issues in one secure framework to mitigate organisational risk in real time.