As the EU Whistleblower Protection Directive (Directive 2019/1937) comes into force at the end of this year, many thousands of affected organizations across the EU will be implementing a whistleblowing program for the first time.
It is fortunate then that the International Organization for Standardization (ISO) has published the voluntary guidance standard, ISO 37002: Whistleblowing Management Systems. The standard aims to provide “guidelines for implementing, managing, evaluating, maintaining and improving a robust and effective management system within an organization for whistleblowing”.
This raises an obvious question: How can the new ISO guidelines help organizations develop a compliant response to the incoming EU Whistleblower Protection Directive?
What’s the Difference Between ISO 37002 and the EU Directive?
The EU Whistleblower Protection Directive sets out minimum whistleblower protection standards that EU member states will need to transpose into law by 17th December 2021. Organizations within those member states with 250 or more workers will need to comply with the new laws from the same date. Smaller organizations with 50-249 workers will have a further two years to comply.
The ISO 37002 standard provides voluntary guidelines for organizations looking to establish a whistleblowing management system. With the establishment of such systems at the heart of EU Directive’s requirements, the standard offers an internationally recognized framework that incorporates global best practices for development and deployment.
How Do the EU Directive and ISO 37002 Compare?
Looking at the stated aims, or intended outcomes, of the two documents, it’s immediately clear that there is a complimentary relationship between them in their key areas of focus.
| EU Directive | ISO37002 |
| Create safe reporting channels for workers (both internal and external) | Encouraging and facilitating reporting of wrongdoing |
| Ensure workers know how and where to report wrongdoing | Ensuring reports of wrongdoing are dealt with in a proper and timely manner |
| Acknowledge receipt of reports and provide timely feedback | Supporting and protecting whistleblowers and other interested parties involved |
| Protect the confidentiality of whistleblowers and those named in reports | Improving organizational culture and governance |
| Protect employees from retaliation | Reducing the risks of wrongdoing |
The core areas of enabling reporting, addressing those reports when received and protecting the people involved, are common to both the requirements of the Directive and the guidance laid out in the ISO standard.
The EU Directive is, of course, focused on provisions to ensure the protection of whistleblowers, but all requirements of the Directive are addressed to a greater or lesser extent in the ISO standard as well.
Mapping the Directive’s Requirements to the ISO Guidance
Create Safe Reporting Channels for Workers
Section 8 of the ISO standard provides guidance and recommendations for the implementation of safe reporting channels. This includes suggestions for the more common methods of receiving reports, but more importantly, how such methods can be leveraged to increase the accessibility, trustworthiness and efficacy of the reporting program.
This section of the ISO standard also includes a useful list of example questions to ask the whistleblower that will help ensure critical information is captured.
Ensure Workers Know How and Where To Report Wrongdoing
This requirement of the directive is covered in Section 7 of the ISO standard, which delves into training and awareness measures, as well as best practices for communication of the program.
Thorough training and awareness-raising will be vital to meeting the requirements of the Directive, so the detailed considerations laid out in the standard should prove highly valuable when defining the scope of the training.
Similarly, understanding not only how and when to communicate, but who with and from whom the communication should come, can play a big role in raising awareness and, perhaps more importantly, building and maintaining trust in the reporting program.
Acknowledge Receipt of Reports and Provide Timely Feedback
Within Section 8 of the standard, recommendations for providing feedback throughout each stage of the whistleblowing process can be found.
Building feedback loops around the operational steps as defined in this section will help to structure communications and manage expectations. Guidance on acknowledging reports, acceptable timeframes and details of what level of feedback to provide is also included here.
Protect the Confidentiality of Whistleblowers and Those Named in Reports
Within Section 7, the ISO standard stipulates the importance of maintaining the confidentiality of all parties involved in any report. Of particular note, here are the examples listed for special consideration during planning, which highlight some of the less obvious ways that the parties involved could potentially be identified.
As part of the plans to ensure confidentiality, it’s also important to define the procedures for dealing with breaches of confidentiality, or where attempts have been made to identify the parties involved. Other sections of the standard – dealing with data protection and controlling documented information – will also contribute to this requirement.
Protect Employees From Retaliation
With the protection of whistleblowers the driving force behind the Directive, there are several parts of the ISO standard that will help with defining processes to ensure this requirement is met.
Section 8 provides advice on assessing and preventing the risks of detrimental conduct early in the reporting process. Identifying potential risks at this stage will help when assessing and investigating reports. Detailed guidance on protecting whistleblowers, the subjects of reports, as well as other relevant parties is also provided. Should retaliation occur, however, guidance is offered on how to address instances of detrimental conduct.
Areas of Further Interest
There are many further areas of the ISO standard that delve deeper into the areas of improving organizational culture and governance, which are well worth referring to when planning to implement a whistleblowing program.
One of the key challenges many organizations face is getting full buy-in and acceptance from employees, but there are numerous parts of the standard that contain guidance and considerations for overcoming this.
For more background on how the standard is intended to create transparency, trust and an ethical culture through whistleblowing systems, read this interview with the ISO Convenor for ISO 37002, Dr. Wim Vandekerckhove.
A Standard With Global Relevance
Because the ISO standard comprehensively covers a wide range of the challenges related to setting up and managing a whistleblowing program, the guidance is not only suitable for those organizations affected by the EU Whistleblower Protection Directive, but has relevance around the world.
With the global legislative drive in this area, ISO37002 can help address the requirements of other regulations, such as the 2019 Treasury Laws Amendment (Enhancing Whistleblower Protection Act of Australia), or the Japanese Whistleblowers Protection Act, for example.
Leveraging internationally recognized best practices such as this not only helps to ensure that compliance obligations are met, but will help organizations to get the most out of these programs and ensure that they do actually make a difference, not just tick a box.
