In the wake of corporate scandals and increased attention to ethical business practices, the EU Whistleblower Protection Directive came into force in December 2019, marking a significant step towards strengthening transparency and compliance within organisations. Under the directive, all private companies with 50 or more employees are required to establish internal procedures for handling whistleblower reports. 
Choosing the right whistleblowing system for an organization’s needs, overcoming the hurdles of timely implementation, and establishing a reliable and legally compliant process flow for handling whistleblower reports are all key considerations for organizations.
The implementation of a whistleblowing system raises many questions, ranging from simple topics such as the need to offer incentives for whistleblowers to more complex, such as whether to keep multiple systems for the various purposes (data protection incident, supply chain issues, whistleblowing), or have it all in one solution. 

Based on our experience, we see that there are three key questions that come up frequently when designing and implementing whistleblowing procedures and systems. These questions should be a starting point for any organization needing to implement or improve their whistleblowing approach. In this article, we provide unambiguous, decisive answers to some of them.

Question 1: “We have an email address in place for whistleblowers. Is this enough?”

While an email address for whistleblowers can be a component of a whistleblower program, it is not enough in isolation. A comprehensive approach that includes secure reporting channels, policies, training and resources is necessary to protect whistleblowers and ensure that their concerns are addressed effectively. 

The reasons why organizations should not rely exclusively on an email address include:

1.    Quality of the whistleblowing report: Whistleblowers often need support and resources throughout the reporting process. An email is initially just a blank page by which a whistleblower can file a report. This can inevitably lead to problems as most whistleblowers forget important information when formulating a whistleblowing report. A whistleblower system that is set up specifically for this purpose, with several processing levels, automation functions and case management, is a sensible alternative. Such systems can provide guidance to whistleblowers and ask them to provide the most important information (5W-questions), offering relevant text fields to ensure that a minimum information requirement is met. It is crucial that the quality of information is high from the very first message, as whistleblowers may no longer be available after submitting the report. In such cases, organizations must be able to rely on the information that was provided by the whistleblower from the start.

2.    Follow-up and feedback: An effective program must include a process for acknowledging receipt of complaints, providing feedback and updating the whistleblower on the status of the case, as well as any investigative measure that may have been initiated. EU Directive 2019/1937[1]  stipulates that feedback must be provided to the whistleblower at the latest two weeks after the report is filed, and feedback on the progress of the whistleblowing report must be provided after three months (or six months in more complex cases). Even if this feedback can also be provided via email, a state-of-the-art whistleblowing system offers more opportunities to communicate with the whistleblower – on progress and status of the case – while bringing transparency to the compliance team. In addition, a whistleblowing system enables a message to be routed directly to the right contact person within the organization through pre-selection, whereas with an email solution, all whistleblowing messages end up in a mailbox.

3.    Record-keeping and reporting: Proper record-keeping and reporting mechanisms are necessary to track issues, investigations and outcomes. Separation and individual case handling are particularly difficult with an email-only based solution. With a well-organised whistleblowing system, all messages, internal notes, feedback and case management are brought together for each case, and can be processed separately while also maintaining the four eyes principle. Centralized processing in a dedicated system makes documentation and subsequent reporting easier and ultimately reliable.
 

Question 2: “Should we offer an anonymous reporting option?”

While not obligatory under the EU directive 2019/1937, providing an anonymous reporting option can foster a more open and ethical organizational environment, encourage the reporting of wrongdoing and protect the organization and its employees by identifying and addressing issues proactively. Organizations should allow for anonymous reporting for reasons including:

1. To encourage reporting: Anonymity can encourage more individuals to come forward with information about misconduct without fear of retaliation or negative consequences to their career or personal life. According to the BKMS Benchmarking Report 2021[2], in 65% of companies, more than half of the initial reports are made without information about identity.
    
2. Protection against retaliation: Whistleblowers are often afraid of retaliation. In this context it is advisable to make whistleblower reports anonymous when they are first recorded. This may be necessary if the whistleblower has not given their name but identification can likely occur, for example because the email address is not blacked out in the report. In this case, subsequent anonymization can be carried out in order to offer the whistleblower the desired protection.
    
3. Public perception and trust: Many global companies adopt anonymous reporting mechanisms as part of their compliance programs. This can be particularly important for companies operating in multiple jurisdictions with varying legal requirements. Stakeholders, including the public, employees and investors may view the inclusion of an anonymous reporting option as a sign of transparency and good governance, potentially leading to increased trust and confidence in the organization.

Question 3: “We fear that people use the channel for false reports. Can we protect our managers and executives from defamation?”

Although this answer may be devastating, it is true. Organizations will never be fully protected of false reports, defamation and slander. However, according to the BKMS Benchmarking Report 2021, 78% of the companies surveyed stated that abusive reports accounted for less than 2% of all reports.

There will always be a risk that someone will misuse the reporting system out of malice, misunderstanding or personal vendettas, regardless of such systems being in place. Instead of trying to prevent false reports and defamation on a technical level, organizations should work on the following three measures:

Internal investigation threshold: In the internal process description, categorize the severity of a violation described in a whistleblowing report. Is it a trivial matter HR-relevant issues compliance or criminal offences Even if every case is unique, clear guidelines will help investigators to quickly assess a case and initiate the appropriate measures (or not).
Plausibility checks: If a case exceeds an organization’s internal investigation threshold, they should carry out a plausibility check based on the facts (especially date, time, location) reported by the whistleblower. For example, if a whistleblower states that their foreman forced them to work without protective clothing yesterday, but this foreman has been on parental leave for six months, there may be no need to pursue the case further. However, when carrying out plausibility checks, it should not be assumed that all the data provided by a whistleblower is 100% correct. Careful consideration is required here.
Cultural measures: Organizations can prevent the misuse of whistleblower systems through training and internal marketing. Organizations should ensure that i) employees understand the purpose of the whistleblower system and that its misuse will be strictly sanctioned and ii) that the whistleblower system provide more transparency while strengthening and enforcing compliance.

In addition to the above three questions, there are other important factors that need to be considered when developing a whistleblower compliance program. Some questions worth noting include:

• How do I measure the effectiveness of an existing or upgraded whistleblowing system?
• Who is the main owner/which function controls the whistleblowing system?
• Is the system compatible with the Whistleblower Protection Act and GDPR?
• What type of whistleblowing channels do I offer in my organization, and which are adequate?
• What and how frequently do I need to run related training?

Conclusion

For many companies, introducing a whistleblower system is a challenge with many potential pitfalls. With the right strategy and approach, the requirement to introduce a whistleblower system through EU Directive 2019/1937 can put organizations on the path to greater compliance, improve corporate culture and uncover blind spots in their risk landscape.