The whistleblowing landscape has changed substantially over the past few years. High-profile cases have spurred new whistleblower protection regulations across the globe. This has driven organizations already operating in heightened regulatory environments to reevaluate the effectiveness of their internal reporting systems. It has also motivated all organizations with a global footprint to consider how these trends may affect their business.
Whistleblower regulations and protections were a featured discussion topic at NAVEX Global’s annual Ethics & Compliance Virtual Conference (ECVC) on Thursday, October 24. The session included a panel of whistleblower experts from around the world invited to discuss the specific changes taking place, why they are happening now, and what the implications are for businesses.
From the political arena to some of the world’s biggest companies, scandals exposed by whistleblowers have driven a succession of news cycles in recent years. But even with the heightened awareness among compliance professionals about the need to identify and address issues internally, many employees still feel the need to report publicly. The question is, why?
The most likely answer is lack of trust. Many employees lack trust in institutions generally and in their organizations in particular. Not knowing whether an internal report will be taken seriously can be discouraging; having to consider if it will result in retaliation can be debilitating. This situation has been further complicated by the U.S. Supreme Court’s ruling that the Dodd-Frank Act’s whistleblower protections only apply to those who report to the SEC, leaving internal whistleblowers exposed.
“As a profession, we have not yet been able to figure out how to identify, manage and prevent retaliation,” Carrie Penman, chief risk and compliance officer at NAVEX Global, said during the panel discussion. “That’s the common theme through all of the various changes, regulations and directives we’re seeing.” And these changes are happening all around the world. Increasingly, there is a demand for policies and processes to be codified within an organization’s standard operating procedures. When there is a lack of trust, consistency and transparency become critical.
A Look at the Specific Regulations
Regulatory Changes in the EU, Australia
New legislative and regulatory changes in some jurisdictions are now attempting to restore this trust. The European Union’s new whistleblower directive, set to take effect in 2021, is arguably the most comprehensive of these efforts. The directive seeks to provide a normalized set of requirements across the EU and advance a common understanding of appropriate reporting channels for every company with over 50 employees, as well as municipalities and public institutions. It will obligate affected organizations to create or update their reporting channels, ban all forms of retaliation, and shift the burden of proof to employers whenever retaliation is alleged.
Prior to the whistleblower directive, only one-third of the 28 EU member states had legislation around whistleblowing activity and the protection of whistleblowers.
Under the new directive, all member states will operate under a similar framework, resulting in consistent requirements in every country. Standardization makes things much easier, especially for compliance officers working in multiple jurisdictions.
Meanwhile, changes to Australia’s Corporations Act, which took effect July 1, 2019, have encouraged whistleblowing in that country by defining who is eligible to submit and receive reports. The changes also enhance identity and legal protections for whistleblowers, enabling them to submit a report anonymously for the first time. Corporations found to be causing detriment to, or disclosing the identity of, a whistleblower face penalties of up to $1 million.
ISO 37002, 2019 DOJ Guidance and the Whistleblower Protection Reform Act
Another major whistleblowing guidepost is in development: ISO 37002, which is expected to be issued in 2021. Essentially, this will be a tool to ensure an organization’s whistleblowing systems and processes meet best practices and are built around trust, impartiality and protection. “Its main aim is to provide guidance on how a whistleblowing management system can help you to become, and be seen as, a responsive organization,” asserts Wim Vandekerckhove, chairman of the ISO 37002 committee. “That is what drives trust; that is what makes trust grow inside of an organization.”
Also of note is the U.S. Department of Justice guidance, initially released in 2017 and updated in 2019, which helps organizations understand how federal prosecutors will evaluate the efficacy of a company’s compliance program during an investigation. The 2019 guidance says that prosecutors will look for proactive measures that aim to create a workplace atmosphere without fear of retaliation, along with appropriate processes for submitting complaints and systems to protect whistleblowers.
Finally, a new Whistleblower Protection Reform Act is currently making its way through the United States Congress. The bipartisan bill, which passed the House by a vote of 410 to 12 this summer, would extend the rights and protections currently guaranteed under the Dodd-Frank Act to internal whistleblowers. If enacted, this legislation would effectively reverse the Supreme Court’s decision to limit such protections to those who report to the Securities and Exchange Commission.
More Reasons to Implement and Maintain Strong Internal Reporting Systems
Compliance is a relatively young profession, but it is being normalized around the globe. There is compelling evidence that compliance – and in particular, robust use of a reporting hotline – is associated with better business performance. But if that is not enough, the recent spate of new legislation, regulatory actions and ISO standards is additional motivation to up-level compliance programs in order to protect your organization and its people.