ISO 37002 is an all-new whistleblowing management system standard set to be released later this year. This standard seeks to address and provide guidance on effective, internal whistleblowing management in organizations of all sizes. While many countries and individual organizations have standards of their own, ISO 37002 provides a unified standard of effectiveness and efficacy of these systems.
Dr. Wim Vandekerckhove, a whistleblowing expert and Associate Professor of Business Ethics at the University of Greenwich, sat down with us to discuss his involvement in writing the standard, how it applies to organizations and how it can help both the whistleblower and the organization. Vandekerckhove has a Ph.D. in Applied Ethics from Ghent University and more than 20 years researching whistleblowing and whistleblower management systems and led a webinar on ISO 37002 with us last year.
What is the scope of ISO 37002?
Dr. Wim Vandekerckhove (WV): The scope of the standard is on handling reports. It asks a series of questions: What does a good system look like? How do you design it? What do you need to do or need to know? What are the key characteristics? It also asks how you support that kind of system: What do people at the board level need to do? What does the executive team need to do/know? What are the key characteristics?
In that sense, you could say it’s complementary to what the EU Whistleblowing Directive is doing.
What is the benefit of a global whistleblowing management system standard?
WV: ISO 37002 can be used by any organization, regardless of its size, its sector, or how it is organized. Organizations will be able to solve a lot more problems that otherwise might escalate, which is really avoiding harm to the organization and its stakeholders.
It’s also a new way to look at your organization's culture. One type of compliance officer I still meet is the officer that says, “Well what about those with bad intentions?” - and I say, well you know they work for your organization, you hired them, so what does that say about your culture?
How does ISO 37002 seek to determine effectiveness?
WV: Whistleblowing systems start with a report coming in. The first stage is an acknowledgment of the report and the second stage is triage. How do you do a triage, what are the pitfalls, what are the possible decisions you can make? You can ask for further information, but which other procedure in the organization can we put this to? Then you can decide that you need an investigation.
It’s about making sure your internal whistleblowing management system is trustworthy, impartial and offers protection.
When the investigation is over, what do you do? Do you need to correct the action, is there a need for disciplinary measures, do you need other steps? How do you then learn from a case and finally how do you close a case?
So it provides guidance on all of these things, it says “What does good look like in handling a whistleblowing report?”
How should organizations apply whistleblowing management sytems?
WV: The key thing for this standard is deciding what part of the organization you are going to use it for. Organizations need to really think about the scope of the system and figure out how to make it fit. All organizations are unique in this because of their supply streams, the different regulatory contexts in which they exist, and organizations need to decide the scope for their internal whistleblowing system.
A key component of the standard is accessibility and who can use the system. Many organizations say generally, "Well, our employees will have access." However, a lot of people who may work in your buildings are not necessarily your employees, they may be contractors, so you need to think about how you are going to train those people to use the system.
Others, including those who work for things like humanitarian aid associations, say that those who are beneficiaries of their organization will need to use the whistleblowing management system as well. So while the application of the standard sounds trivial, you can see that once you start looking at it it’s really not that trivial at all. Any kind of organization can use it, but the scope of it is bound to look different for different organizations.
Is there any specific size organization that this standard applies to?
WV: Companies of all sizes really need to think about this and will be able to apply the standard. There are 3 overarching principles that all the guidance leads to. It’s about making sure your internal whistleblowing management system is trustworthy, impartial, and offers protection. Protection applies to the person making the report as well as the person being accused in the report.
However, in an organization of 100 employees, they may not have the capacity in-house to carry out the investigation in an impartial way. So then you ask, "Does training need to be developed in-house or can it be developed with other companies?"
In the next couple of years, I think we are going to see good movement and innovation there in the marketplace surrounding smaller organizations.
Were there any specific incidences that spurned the need for a new whistleblowing management system standard?
WV: One of the things that led to it was the growing regulation in general around whistleblowing. The U.S. has had this for a number of decades with the Sarbanes-Oxley Act, but in other parts of the world, it is quite new. So you see growing regulation in different parts of the world and also regulation getting more sophisticated.
The people going external immediately is really a small fraction, around 8%. The rest, if they ever go outside, it’s because they’ve tried to raise a concern inside more than once.
For example, the French legislation that came around in 2016 said if you breach a whistleblower's confidentiality or identity, there’s a penalty. So there’s a growing need outside the U.S. for companies to be able to show that they’ve done everything that can be reasonably respected from them or that is considered as “doing enough”.
In developing ISO 37002, we looked at the Australian standard, the Japanese standard, a British standard, a Canadian standard, and the French standard and did a gap analysis. These guidelines didn’t contradict each other, but they all had their own style and emphasis and had a lot of gaps.
So we started with those and said, "Ok what are the really useful and insightful things in each of these national guidelines?", and we just built it up from there.
Does ISO 37002 specify the type of technology that can be used to improve whistleblowing in organizations?
WV: The standard doesn’t say that there is one best channel, but it does say that you need to think about who you want to be making reports and, based on where they are located or accepted norms, that’s what you need to cater to. The standard shows examples of different types of channels and for each of those shows how to make it more trustworthy.
Online systems like GAN’s software are really great, because you can have a two-way anonymous conversation and really build trust.
In Germany, for example, you have corporate ombudsmen, so German multinationals will say, “Well we have a division in Latin America but no reports come from that.” Well of course not, the ombudsperson has a German name and speaks German, so the employees in Latin America won’t feel comfortable calling.
Often I hear people say, “Well sure in the U.S. people make reports, but here it’s not in our culture.” I think in every culture, people have concerns if there is corruption or if integrity is breached. If people can choose, they are much more comfortable doing the right thing, and that’s universal. What is culturally different is what type of channels people feel comfortable using.
With the right whistleblowing protections in place, could somebody be more likely to report internally versus immediately going outside the organization?
WV: The short answer is yes. There is some very recent research done that suggests that out of all the stuff that comes into your whistleblowing channel, some of it is purely personal grievance and some is purely public interest, and actually, organizations seem to handle that pretty well.
But the big chunk, around 50% of what comes in, is a mix between the two. There is an integrity dimension to it, but there’s also some pre-history. Perhaps a person asked a difficult question and their line manager shouted at them, or if there’s something else going on.
I think it’s these cases that are not handled well enough, so if organizations can get better at handling those, you really are going to win a lot. You’re going to be better at dealing with them, you will be able to spot it.
The people going external immediately is really a small fraction of it, around 8%. The rest, if they ever go outside, it’s because they’ve tried to raise a concern inside more than once. It’s not even always that people are retaliated against, a lot of time it’s that people are just neglected and it just escalates.
What are the biggest inhibitors to employees reporting and using whistleblowing management systems internally?
WV: There’s this notion that people think reporting is not safe or it’s not going to make a difference. Safety and indifference in reporting are perceptions that correlate a lot. In any case, they don’t think the system or the organization is trustworthy. That might be because of previous experiences raising concerns with a manager, or that they’ve seen other colleagues do it and nothing happens.
The fear in reporting is also related to confidentiality and anonymity. That’s where technology comes in. In the US, telephone hotlines are still a big thing, but in European organizations, telephone hotlines are not widely used. They get their reports from different channels. Online systems like GAN’s software are really great because you can have a two-way anonymous conversation and really build trust.
Studies show that employees can often be retaliated against if they report internally and this can make employees feel unsafe in reporting. Was any of this taken into consideration in developing the ISO 37002 standard?
WV: That’s one of the areas where the standard will really be quite progressive. According to the standard, a risk assessment is performed as soon as a report comes in. That includes an assessment of the likelihood that this person will be retaliated against. That depends on the size of their team, whether they raised the concern before or not, whether they asked a question in a meeting about it, and their own perception on whether they feel they will be retaliated against. So with a couple of simple questions, you can have a proactive attitude and avoid someone being retaliated against.
Once you know what the risks are, you can help them stay out of trouble. Doing that up front really makes a difference - if you wait until the employee starts to feel the retaliation, it’s already too late.
Understanding Whistleblower Management Systems
To learn more about best practices on whistleblowing and the latest research, make sure to check out Wim’s latest book ”The Whistleblowing Guide: Speak-up Arrangements, Challenges and Best Practices”, and some of our resources: eBook: The Ultimate Guide to Internal Reporting & Investigations, and our webinar: Navigating the Future of Whistleblowing and Case Management.