For the last several weeks I have been working with NAVEX to research whistleblower protection laws across Europe. Meanwhile, several benchmarking surveys about corporate compliance programs have arrived lately, with some intriguing findings about the effectiveness of whistleblower hotlines.
Put both of those things together, and corporate compliance officers have a lot to ponder as you keep working to roll out effective whistleblower hotlines at the global level.
Let’s start with those whistleblower protection laws in Europe. The European Union has seen a wave of legislative activity in the last 12 months or so, as EU member states transposed the EU Whistleblower Protection Directive into their own national law. Much of that action came from member states that had not transposed the Directive by the end of 2021, per the Directive’s original deadline; then European Commission bureaucrats began court proceedings to force the issue.
Well, consider it forced. We now have whistleblower protection laws across (most of) the land.
The good news for global corporations is that these laws are substantively the same across Europe. (That was the whole point of the EU Whistleblower Protection Directive, after all.) For example, every EU nation’s whistleblower protection law requires the following:
- Companies must establish a secure, confidential channel for receiving whistleblower reports.
- Whistleblowers must be allowed to submit reports verbally (say, over the phone), in writing, or in person.
- Companies must appoint an impartial person or department to follow up on every report received.
- Every report must receive diligent follow-up.
- Companies must acknowledge receipt of a report to the whistleblower within seven days; and then follow up again with the whistleblower within three months on the status of the report.
- The identity of the whistleblower must be protected at all times, and the company must also work to protect the whistleblower from retaliation.
Where we see any variation at all in EU countries’ whistleblower protection laws, it’s mostly in the penalties for violating the laws (the fines range as low as several hundred euros to more than €200,000); or in how national laws treat anonymous reporting. Some EU countries give full-throated support to anonymous reports, while others (Bulgaria, for example) allow businesses to ignore anonymous reports if they want.
As a practical matter for compliance officers, however, none of these requirements should be terribly surprising. They generally align with what global businesses have had to do for years to comply with U.S. whistleblower protection laws; and the laws also allow companies to manage their hotline programs at the “group level.” That is, so long as you can fulfill each nation’s requirements (which, as we’ve noted, are generally identical), you can manage your hotline through one EU-wide or global team.
So, the mechanics of complying with Europe’s whistleblower protection laws are clear, even if that involves a lot of chores around establishing hotlines or translating policies or conducting training. Compliance officers understand the motions to go through.
The bigger question is how you can assure that employees will actually embrace the whistleblower system once it’s built. Which brings us to those benchmarking surveys mentioned earlier.
Effectiveness depends on trust
All of that points to a fundamental issue for internal hotlines: employees need to trust it before they’ll use it.
The first survey was published by KPMG and the law firm White & Case. They polled 200 senior compliance professionals at large companies, and found that while a majority of companies measure employees’ awareness of the internal hotline, far fewer measured employees’ comfort with using the hotline.
That report also asked about employees’ fears over reporting misconduct. The top concern was fear of retaliation, followed close behind by a suspicion the company wouldn’t take action over their report.
All of that points to a fundamental issue for internal hotlines: employees need to trust it before they’ll use it. Right now, evidence suggests that either they don’t trust it (fear of retaliation, fear that nothing will be done), or worse, the compliance team doesn’t know whether employees trust the hotline because they’re not assessing their comfort with it.
Corporate compliance teams need to ruminate on that as you roll out expanded hotline programs across the EU and the world, or even as you strive for a more robust internal hotline program in the United States. Employees aren’t that confused about how to place a call or submit an online report; they’re ambivalent about whether the company truly is a trustworthy partner when they submit that report.
The other benchmarking survey that caught my eye comes from NAVEX itself: its 2023 State of Risk and Compliance Report, which polled 1,300 compliance professionals. Among many other findings, the report found that only 51% of companies had a non-retaliation policy as part of their internal reporting program. The numbers were even lower across Europe: 27% in France, 36% in Britain, 41% in Germany.
Employees aren’t that confused about how to place a call or submit an online report; they’re ambivalent about whether the company truly is a trustworthy partner when they submit that report.
With numbers like that, is anyone really surprised that many employees don’t trust the hotline?
Internal reporting hotlines are only going to become more important to corporations, both as a regulatory compliance obligation and as a useful risk management tool to let executives know what’s going on in the enterprise. But that will only succeed when employees trust the internal hotline program, which is a very different set of challenges than rolling out the hotline and telling everyone it exists.
Compliance officers will need to think much more about, say, consistent disciplinary actions and strong, swift internal investigation capabilities. You’ll need to persuade the CEO and business unit leaders to sing the praises of internal reporting as something intrinsically beneficial to corporate success, not just a must-have because the regulators decreed it.
Simply put, you’ll need to focus on the why of internal reporting, much more than the how. Then the company will get more out of its hotline program in the EU, the U.S., and everywhere else.
To learn more about how NAVEX can help your organization stay compliant with global whistleblower protection regulations, improve corporate culture through hotline and incident, policy and procedure, code of conduct management, and much more:
