• Governance I Risk I Compliance Management

Whistleblowing Management Systems: Breakdown of ISO 37002

ISO 37002 Whistleblowing Management Systems. A whistleblower is someone who exposes information or activities that are deemed illegal, unethical or not transparently correct in an organisation. While whistle-blowers often pay a high price by taking personal risks in reporting suspected or actual bribery and other illegal activities, they must have legal protection in the form of guaranteed confidential reporting and anti-retaliation protections. Whistle-blowers must be protected and not prosecuted to fight corruption. And corruption cannot be tackled without citizens willing to blow the whistle. They must also be given the right to sue the organisation or directors for damages due to discriminatory or retaliatory behaviour.

In 2021, all 28 European Union (EU) members will have to meet the minimum standards, as provided by the EU Whistleblower Protection Directive (2019/1937) on creating free-speech protection for whistle-blowers and employees who challenge illegal practices or abuse of power. This new directive protects whistle-blowers and encourages people to report wrongdoings through whichever route they consider appropriate.

Meanwhile, the International Organization for Standardization ISO/TC 309 Working Group 3 has designed and developed a Whistleblowing Management Systems (WMS) Guidelines standard (ISO 37002 Whistleblowing) published last month (June 2021). This document guides establishing, developing, implementing, evaluating, maintaining and improving a whistleblowing management system through trust, impartiality, and protection throughout the stages of the whistleblowing cycle in an organisation.

The Malaysian Anti-Corruption Commission (MACC) has also indicated a review of the Whistle-blower Protection Act 2010 as there is a need to change and amend it according to certain situations and requirements. Before amending it, the MACC should investigate both the EU Whistle-blower Protection Directive and ISO 37002 for further input. The amendment should be able to protect whistle-blowers if the disclosure is not only made to law enforcement agencies but also any possible avenues, provided the whistle-blower has not received any response from the internal and/or external reporting channels within the set time frame; has reasonable grounds to believe the breach constitutes an imminent danger to the public; fears risk of retaliation; or believes it is unlikely that the wrongdoing would be effectively addressed due to the particular circumstances of the case.

Our ABAC® whistleblowing training will engage you with thought-provoking activities and assessments. The course aims to help its users to learn everything about whistleblowing and provides a comprehensive overview of whistle-blower rights and how should organisations apply whistleblowing management systems.

Find out more about ABAC® ISO 37002 Whistleblowing Training

Using the ISO 37002 Whistleblowing Management Systems

Standard whistleblowing systems begin with testimony coming in. The first phase is a recognition of the report, and the second phase is triage. The question is how do you execute a triage, what are the pitfalls and what are the potential judgments an organisation can make?

It is most decided that an organisation will seek to gain further information, hence resulting in an investigation. When the investigation is over, the organisation has yet another decision to make. Do they correct the action? Is there a need for disciplinary actions? And most importantly, how can they avoid a repeat case. Implementation of the ISO 37002 Whistleblowing standard provides organisations with guidance on all these circumstances. The release of the ISO 37002:2021 aims to eradicate all these questions.

Previously, organisations would have needed to reflect on the scope of the procedure and figure out how to tailor it to their organisational structure. All organisations are distinctive in this aspect due to their supply streams and the different regulatory contexts in which they occur, and organisations would have had to determine the range for their internal whistleblowing system.

The key to the ISO 37002 Whistleblowing standard in determining what portion of the organisation it should be used for and an important component of the ISO 37002 Whistleblowing standard is accessibility; employees should be provided with up-to-date training on the standard but as mentioned before, each organisation previously had to figure out how to tailor it to their organisational structure. The ISO 37002 Whistleblowing Management system works readily across various channels and regions to make the process of reporting efficient and effective. Dr Wim Vandekerckhove, a whistleblowing expert, and Associate Professor of Business Ethics at the University of Greenwich who was involved in the development of the 2021 system stated “There were already a number of national standards and guidelines, for example in Australia, Great Britain, Japan, Canada and France. When we compared these, they weren’t necessarily contradicting each other, but each set of guidelines had its own blind spots, its own style and distinctive emphasis. For this reason, it made sense to create an international standard.”

How are the ISO 37002 Whistleblowing systems beneficial?

With the right whistleblowing protections in place, employees are more likely to report prohibited activities and behaviours internally as opposed to directly going outside the organisation. This in turn would help organisations bolster their company culture from within and ensure employees as well as other members of staff that the organisation is performing their legal duties to the highest extent possible.  There is a pre-existing notion in which members of staff believe that reporting compromises their job position or will not make a difference; this may be because of previous experiences raising concerns with a manager, or that they’ve seen other colleagues do it and nothing happens. Safety and indifference in reporting are perceptions that correlate a lot. In any case, they don’t think the system or the organisation is trustworthy. Proper guidance and training on the ISO 37002 whistleblowing management system allow for this notion to be minimised, if not diminished entirely.

Get industry news delivered to your inbox. Sign up to our newsletter

Case Study

According to Fighting Fraud and Corruption Locally Strategy- A strategy for the 2020s, it is estimated that about one in three of all crimes committed nationally is fraud based and fraudsters are always seeking new ways to take money.

A case Study highlighted by the report is a perfect example as to why you need to implement a  whistleblower policy.

An interim manager hired vehicles for personal use covering at least nine different vehicles and costing more than £18,000. The fraud included various invoice frauds for gardening services and over £20,700 paid to the interim manager’s account. In total the interim manager’s actions resulted in monies, goods or services with a total value of £60,882.16 being ordered or obtained at a cost to the council from seven suppliers, including false invoices purporting to be from a gardening company.

Thirty-one fraudulent invoices were introduced by the interim manager totalling over £48,000 and were processed, authorised and paid using the council’s systems. A further eight invoices totalling more than £7,000 were subsequently authorised by the interim manager’s line manager for liabilities incurred by the interim manager. Employee purchase cards were used to pay for goods worth over £1,270 and the interim manager personally benefited by £4,000 from the compensation payment and over £20,780 from the fraudulent invoices he submitted from the gardening company. The fraud was discovered via a whistleblowing referral to audit services.

The council’s investigation found that the maintenance company with the same bank account as the interim manager’s company did not exist. The council’s audit services department led an investigation with the police to take the matter to Birmingham Crown Court where the interim manager pleaded guilty to Fraud Act offences. He was sentenced to three years’ imprisonment on 25 September 2019.

About ABAC® Center of Excellence

ABAC® is an independent certification body powered by CRI Group. ABAC® Center of Excellence offers a complete suite of services and solutions designed to educate, equip & support the world’s leading business organisations with the latest best-in-practice risk & performance assessments, systems improvement & standards certification. ABAC® programs protect your organisation from damaging litigation & safeguard your business in the global marketplace by providing certification & training in internationally recognised ISO standards, such as ISO 37001 Anti-Bribery Management SystemsISO 37301 Compliance Management Systems and ISO 31000 Risk Management Systems. Contact us to discuss your anti-bribery, risk and compliance needs.