International: ISO 37002 - an effective approach to managing whistleblowing systems
Whistleblowing is an extremely hot topic at the moment and will likely remain a significant focus area for some time. The landscape has evolved in recent years, with social media now providing a platform for people to speak up and deliver damaging messages that could or should have been handled internally. In this article, Nicholas Thorpe and Richard Branson, from Fieldfisher LLP, consider guidelines regarding effective whistleblowing systems issued by the International Organization for Standardization ('ISO'), looking at what they do well and areas that have potentially been overlooked.
In 2019, the EU passed the Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937) ('the Whistleblowing Directive'), which EU Member States must transpose into national law by December 2021, and has been introduced as a harmonisation process to ensure rigorous protection is afforded to whistleblowers across all Member States.
Thereafter, in June 2021, the ISO published ISO 37002, Whistleblowing management systems – Guidelines ('the Guidelines'). As the name suggests, the Guidelines do not prescribe a minimum standard, rather, they provide guidance on the full lifecycle of a whistleblowing complaint, by setting out how to establish, implement, maintain, and continually improve a whistleblowing management system.
In essence, while the Whistleblowing Directive provides that companies must have an internal whistleblowing policy and channels for confidential reporting, the Guidelines advise on how to actually operate the whistleblowing system in practice. Unlike the Whistleblowing Directive, the Guidelines may be adopted by companies as standalone guidance or along with other compliance management system standards.
The Guidelines are intended to have a wide application and, as such, are not targeted at a particular size of business, sector, industry, or jurisdiction. However, in its attempt to create a 'one size fits all' document, the ISO have failed to include some salient points.
Involvement of various stakeholders
The Guidelines provide that responsibility for operating a whistleblowing system should not fall to just one team. Ensuring that staff can approach management with concerns is the most important step in creating an open culture, and the Guidelines advise employers to demonstrate, through visible leadership across all levels of the business, that they welcome and encourage staff to make disclosures.
This will help to build trust between a company and its stakeholders, providing a strong layer of protection against corruption. The Guidelines will help to bring assurance to management, investors, employees, customers, and other stakeholders that a company is taking reasonable steps to prevent, detect, and appropriately manage concerns about wrongdoing.
Proactive duty to prevent detrimental conduct
Historically, employers have only been required to make it clear that victimisation of whistleblowers will not be tolerated and to deal with such incidences after the event. The Guidelines, however, place a proactive duty on employers, upon receipt of a complaint, to assess the risk of the whistleblower being subjected to any detriment and, where necessary, identify and implement strategies and actions to prevent such detrimental treatment.
This change will require the company to carefully consider all aspects of the complaint, including whether the report involves multiple types of wrongdoing, how the whistleblower obtained the information, and whether it may be necessary to change the workplace or reporting arrangements. While this may seem like a small point, it could have a significant impact on how companies deal with complaints.
Monitoring and continual improvement
There has long been a misunderstanding that a lack of whistleblowing concerns being raised is a sign of an effective whistleblowing system. Rather, this may be the result of staff believing that reporting concerns will compromise their position within the company or, quite simply, not make any difference.
This latter point also highlights that it is not just a case of encouraging people to report wrongdoing, it is also essential that the reports are handled effectively. Failure to do so may result in a demotivated workforce and the continuance of unreported wrongdoing.
With effective whistleblowing procedures in place, employees are also more likely to report prohibited activities internally as opposed to going outside the organisation. This will help companies bolster the culture and ensure staff understand that the business is performing its legal duties to the highest extent possible.
To help achieve a culture in which employees feel comfortable raising concerns, the Guidelines direct companies to continually review and improve the suitability, adequacy, and effectiveness of whistleblowing management systems. This will include reviewing the number and types of concerns which are being raised.
While the Guidelines cover issues in relation to confidentiality and data protection, one of the key areas which they fail to address, is the matter of privilege.
In the UK, it is well established that litigation privilege attaches to documents created for the sole or dominant purpose of adversarial litigation which is in reasonable contemplation at the time of the creation of the document. However, the question of whether documents created during an internal investigation (which will often follow a whistleblowing report) are privileged, has been the subject of high-profile litigation over the last few years.
Privilege is important in this context because businesses want to be able to investigate reports of wrongdoing without creating material that might then have to be handed over to a prosecuting authority or regulator if the company discovers there is an issue.
For example, the Serious Fraud Office ('SFO') in the UK will seek disclosure of internal investigation material from a company that self-reports an issue, including notes of interviews conducted by the company or its lawyers before the SFO was involved. If litigation privilege applies then the documents do not have to be handed over.
Litigation privilege can (but will not always) attach even in the early stages of an investigation, including before any regulator contact or allegations are made. However, it may be a very fine line regarding what the dominant purpose of creating a document is, particularly where it serves multiple purposes. Engaging external lawyers at an early stage to assist with the investigation is likely to assist in demonstrating that litigation is in contemplation.
No public interest requirement
In the UK, for a report to qualify as a disclosure which affords an individual protection under whistleblowing legislation, the individual raising the concern must have a reasonably held belief that the disclosure is made in the public interest. This means that, where a report is made solely out of self-interest, it will not amount to a 'qualifying disclosure' (though case law has shown that a disclosure can be made both in self- and public-interest, with the individual therefore being protected even if partly motivated by self-interest).
In the U.S., the situation is extremely different as a whistleblower actively has the prospect to personally gain from making a disclosure. As long as certain criteria is met, the U.S. Government provide a monetary incentive to reward a whistleblower's disclosure of original information that leads to successful enforcement action.
There are, therefore, a lot of complex areas surrounding whether an individual has raised a concern: (i) out of self-interest or personal motivation; (ii) which affects a wider section of the public; (iii) for personal gain; and (iv) in good or bad faith, or even for malicious reasons. This has been the subject of intense scrutiny in high-profile and lengthy litigation.
While the Whistleblowing Directive requires reports to be raised in good faith, it is silent as to whether they need to be made in the public interest.
The Guidelines unhelpfully define wrongdoing as, 'action(s) or omission(s) that can cause harm,' an extremely wide definition that goes far beyond issues which an individual believes to be in the public interest. Detailed guidance on self-interest and public-interest would help; however, the Guidelines fail to address this.
Earlier this year, the UK's Financial Conduct Authority ('FCA') launched the campaign, 'In confidence, with confidence,' designed to encourage individuals working in financial services to report potential wrongdoing to the FCA, while reminding them of the confidentiality processes in place.
The FCA's whistleblowing rules require firms to have effective arrangements in place for employees to raise concerns, and to guarantee these concerns are handled appropriately and confidentially. It has also introduced a requirement for all firms to appoint a 'whistleblowers' champion' so as to ensure there is a director or senior manager who has oversight over the integrity, independence, and effectiveness of the firm's arrangements. These include those arrangements designed to protect whistleblowers from victimisation, as well as overseeing the preparation of an annual report to the firm's governing body.
The Guidelines, however, do not go as far as the FCA's approach, falling short of advocating sponsorship at board level. Given how serious companies should take whistleblowing concerns, it is disappointing that the ISO has failed to recommend measures as stringent as those already being implemented by regulators.
The Guidelines will certainly make it easier for companies to understand that establishing an effective whistleblowing reporting system should not be an overly onerous undertaking. They represent a very important step in establishing a minimum standard to help build organisational trust by encouraging a culture of openness, transparency, integrity, and accountability.
However, the above omissions mean that the ISO has missed an opportunity to address some key points and remove unnecessary uncertainty. Perhaps the ISO will apply the requirement for continual improvement to its own standards and these points will be rectified in the future.
Nicholas Thorpe Partner
Richard Branson Senior Associate
Fieldfisher LLP, London