One of the biggest miscarriages of justice in Britain’s history, the Post Office Horizon IT scandal has rocked the country, with recent revelations catapulting the saga to center stage in the media spotlight.

An ITV drama brought to life the astonishing accounts of hundreds of innocent people whose lives were ruined after incorrect data from Fujitsu’s faulty IT system had wrongly suggested they stole money. 

The TV programme captured the public imagination and sparked huge national outcry, applying pressure on politicians to act and move forward with proposed new laws to quash the wrongful convictions of hundreds of innocent Post Office sub-postmasters.

Around 900 were prosecuted and more than 200 sent to prison from 1999 to 2015. 

It’s taken a very long time for the truth to surface. But would it have ever emerged without whistleblowers?

The critical role of whistleblowers

The role of those with inside knowledge of what was really happening behind the scenes has been cited as crucial, alongside the incredible efforts of campaigners.

Whistleblower Richard Roll’s crucial contribution in unveiling the truth about the flawed Horizon software was highlighted in the TV adaptation. His testimony was key in the 2019 High Court Case, which helped prove the innocence of many victims.

An ex-Fujitsu engineer, he was part of a team who had access to Horizon terminals remotely. He’s been giving evidence to the ongoing Public Inquiry in recent weeks.

Mr Roll went on camera in 2015 to tell the BBC’s panorama what had happened behind the scenes.

The challenges of speaking up

The dramatisation showed the difficulties for a potential whistleblower of speaking up. It highlighted the fears and anxieties that come with going up against such large organisations.

And as the full details continue to emerge in the glaring spotlight of the ongoing inquiry, further startling revelations emerge.

More whistleblowers have come forward – with the latest via the Guardian newspaper regarding possible destruction of evidence that might have cleared wrongly accused victims.

How could things have been different?

UK Prime Minister Rishi Sunak,  The Criminal Cases Review Commission, and even the Post Office itself, have described the scandal as one of the greatest miscarriages of justice ever seen in Britain.

Could it have all been prevented before it escalated to this stage?

It’s not clear if misconduct reporting systems were in place within the organisations at the centre of this case at the time. But Mr Roll, in his written evidence, describes certain problems being “hushed up” by managers at Fujitsu during his time working there. 

Mr Roll blew the whistle years after leaving the company by going directly to campaigners.

Hugely damaging for businesses

The enormity of the scandal that has engulfed both the Post Office and Fujitsu is unquestionable.

It illustrates that businesses can easily have blindspots to potentially disastrous headline-grabbing business risks. 

The reputational damage is likely to be gigantic, analysts have said.

Fujitsu Europe Director Paul Patterson acknowledged the damage to the firm’s reputation when speaking to UK MPs recently, as he issued a company apology.

Then there’s the financial implications, with compensation claims in this case still far from resolved but estimated at more than £1bn.

The saga offers a sobering case study for all modern day organisations who aren’t actively seeking to uncover risks and misconduct at source.

How can other brands avoid such a scandal?

One study from The US Equal Employment Opportunity Commission estimated up to 75% of workplace misconduct is never formally reported.

And an Ethisphere research paper found nearly half of employees who observed misconduct in the past 12 months failed to report the matter.

So, there could be many problems bubbling under the surface that organisations are not being made aware of.

For companies seeking to avoid a scandal like the Post Office, the key is to uncover wrongdoing and risks early before they escalate into something far larger. 

Developing an advanced Speak Up culture

To achieve this requires developing an advanced Speak Up culture within the business, empowering employees to report misconduct. And backed by a robust misconduct reporting solution.

Traditional one-size-fits-all channels – like legacy hotlines are not fit for purpose and most incidents are either not reported or surfaced through anecdotal feedback.

Businesses risk compliance failings if processes to surface concerns, investigate cases and report progress are not connected and the workflows are inefficient. Instilling a modern, sophisticated, fully equipped modern case management and whistleblowing system is essential.

It empowers everyone in your ecosystem – investors, employees, vendors, customers – to help you uncover unreported incidents, contribute to resolving them faster and enable you to prevent future wrongdoing. 

How can Vault help?

We believe companies can be protected from major risks – perhaps the next big crisis scandal or lawsuit – if their people are protected too. Our platform delivers the true opportunity to Speak Up.

Uncover risks early by: 

– Enabling the people in your ecosystem to gain access and speak up about incidents by offering multiple reporting channels, including the mobile app and Vault Talk, our AI-powered hotline.

– Capturing actionable insights (rather than unstructured reports) that lead to credible investigations through tools that make reporters feel psychologically safe, including anonymous reporting.

Book a call with one of our specialists to find out more.

The post Why brands risk a Post Office scandal without a speak up culture appeared first on Vault.

Why? Because they have potential to hugely damage the company by publicly releasing critical, sensitive information that could have enormous adverse ramifications.

But as we witness the SEC’s expanding crackdown on cyber fraud, CISOs need to rethink their view.  

Whistleblowers are, in fact, an ally and an asset. It’s time to see them as your risk champions. 

As cyber fraud becomes such a key focus for regulators, it’s clear that being able to identify problems and risks early on and stopping them before they escalate is essential. 

Are CISOs equipped to detect cyber fraud?

CISOs play a crucial role in helping to uncover, reporting on and addressing cyber fraud within an organisation. 

As cyber threats continue to evolve, it is essential for the CISO to establish effective reporting mechanisms to detect and mitigate fraud incidents.

But as a CISO, can you be confident of being able to do so?

And, even more pressingly, could you manage to meet the 30 day deadline from identification to reporting to the SEC for cases under cyber fraud disclosures?

It’s all too easy for cyber security fraud risks to fall between the gaps of existing reporting mechanisms for security incidents, vulnerabilities, and risks. Often, this is due to the incidents not being treated as a reportable item for the SEC.

A vague report may arise of a possible fraud risk, referencing, for example, ‘vulnerabilities we shouldn’t have in our system’. But there might be no obvious action for any of the Information Security teams that it’s flagged to, and therefore leads nowhere.

Whistleblowing to the rescue

If your answer to either of the questions above is no, this is where whistleblowing programs can inspire and point towards a solution.

Armed with the right tools, a potential whistleblower can escalate any concerns relating to cybersecurity. And they can do so with assurance that this will reach the CISO’s office and will be reviewed with the severity of its implications in mind. 

After all, direct reports to SEC and an enforcement penalty would be much higher than self-disclosed reports, as seen by Verizon’s case.

Investigations led by anonymity

The CISO’s office needs to be able to receive reports relating to cyber fraud and other issues, and have this investigated, all whilst maintaining a reporter’s anonymity (should they wish to do so).

By doing so, the organisation is able to identify areas of risk at an organisational level and make informed decisions as to reporting, disclosures, and remediation.

By fostering a proactive approach to cyber fraud, the CISO helps to minimize the organization’s exposure to potential threats.

The SEC’s enforcement action in the recent case relating to the Sunburst attack marked a landmark first in terms of civil charges being brought to a CISO. And this demonstrated the need for CISOs to rethink their approach to uncovering fraud. Watch out for more in our next blog where we look at this in more detail.

How can Vault Platform help?

At Vault we provide a platform for uncovering, exposing and investigating misconduct.  

Vault’s Active Integrity platform can help CISOs develop exactly the kind of whistleblowing approach and system described above, enabling employees to anonymously report their cyber fraud concerns. This will help CISOs to stamp out problems before they develop into something far more serious.

Vault Platform enables you to configure rules by roles and groups so that the CISO’s office can receive reports relating to cyber fraud and then investigate, all whilst maintaining anonymity. 

Want to learn more?

Let our specialists explain more to you about how Vault can help CISOs uncover and deal with cyber fraud. Book a call and demo with our team.

The post Whistleblowers: a threat or a risk champion? Time for CISOs to think again  appeared first on Vault.

This week, New York has amended section 740 of its Labor Law to provide additional protection and clarification for whistleblowers. Here’s a breakdown of six key changes that have come into effect.

1. Who is Considered to be a Whistleblower

The changes to section 740 were first signed by New York Governor Kathy Hochul back in October 2021. The law provides better protection for private-sector employees against retaliation for reporting an employer’s activity, policy, or practice that the employee believes violates the law or poses a substantial and specific danger to public health or safety.

Under the new rules, the term ‘employees’ now covers individuals currently employed by the employer, former employees, and self-employed independent contractors. This is a significant expansion on the legislation, which previously only protected those currently employed by the employer.

2. The Activities Being Reported

Prior to this week’s changes, employees were only protected for reporting violations that created or presented a substantial and specific danger to public health and safety. The legislation now prohibits retaliation against an employee who:

• discloses or threatens to disclose an activity, policy, or practice that they believe is in violation of law, rule, or regulation, or that the employee reasonably believes poses a substantial and specific danger to the public health or safety
• provides information to, or testifies before any public body conducting an investigation, hearing, or inquiry into an activity, policy, or practice
• refuses to participate in any such activity, policy, or practice

3. Reducing the Risk of Retaliation

The definition of what is considered ‘retaliatory actions’ now includes actions or threats that would impact a former employee’s current or future employment situation or immigration status as well as adverse actions against current employees (e.g. suspension or demotion).

4. Whistleblowers’ Rights

Section 740 entitles whistleblowers to the possibility of front pay and punitive damages in addition to back pay. Whistleblowers are entitled to a jury trial and can seek injunctive relief, reinstatement, compensation for lost wages and benefits, civil penalties that do not exceed ten thousand dollars, and compensation for emotional distress.

5. Extending the Statute Of Limitations

This week’s changes have extended the statute of limitations from one year to two, giving whistleblowers more time to gather evidence and submit reports concerning misconduct in the workplace or former workplace.

6. Need-to-knows for Employers

Employers are required to inform their employees of their rights under section 740. They are encouraged to adopt or revisit existing internal whistleblower policies to ensure reporting mechanisms are in place and that leadership teams and managers can appropriately deal with misconduct reports.

New York’s decision to expand its whistleblower law highlights the importance and seriousness of whistleblower activities and the retaliation that often accompanies them. Amendments to laws in other states may follow New York’s lead, particularly given the frequent news headlines surrounding companies failing to protect employees from harassment, bullying, and other forms of misconduct.

Ready to revolutionize misconduct reporting and resolution at your business? Book a demo today.

The post New York Expands its Whistleblower Protection appeared first on Vault.

In an article published this week, Michael Volkov of the Volkov Law Group, warned that the Department of Justice (DOJ) would be “tough on corporate crime and compliance,” and advised  companies to “redouble their efforts to implement an effective ethics and compliance program.”

Previous Democratic Administrations have set a precedent of aggressive prosecution of white-collar crime and the Justice Department is pushing companies to elevate the importance of ethics and compliance programs with an emphasis on incorporating corporate culture, continuous monitoring and improvement of the program, and appropriate allocation of resources to ensure the program’s effectiveness.

Volkov also notes that a DOJ focus on COVID-19 pandemic issues will continue “with an increased emphasis on health and safety violations.” 

In a recent podcast where Volkov speaks with Tom Fox, the two experts remind us that the Justice Department has provided extensive guidance on ethics and compliance programs and the key update in June 2020 really shifted the focus from a compliance program that looks good on paper to one that is actually effective in practice. 

“The one people point to the most is the data requirement that Chief Compliance Officers have to have access to data literally across the corporation,” said Fox. “If you don’t you have to explain why the data is siloed and the CCO doesn’t have access to it.”

Fox notes that this data is just part of the information needed to monitor and improve compliance programs and instead of doing a risk assessment every two or three years you need to do one every time your risk changes and have that flow into your cycle. 

There is an acknowledgment that corporate risk profiles are expanding rapidly – The Biden Administration and the Securities and Exchange Commission (SEC) have already fired warning shots over their growing interest in Environment, Social, and Governance (ESG) issues. But one of the key challenges many compliance officers have is exposing these risks, which may have emerged in the silos the regulators are so intent on breaking down.  

According to the DOJ, a “hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct.”

The two main reasons employees do not report misconduct are: lack of confidence action will be taken; and fear of retaliation. A common challenge that often occurs in parallel with businesses that have a disconnect between conduct and culture is that the infrastructure is not in place to enable the transition to a more positive culture. Drawing more attention to the Code of Conduct won’t have the desired effect if the tools in place to expose and resolve misconduct are ineffective. 

So, Ethics & Compliance officers are encouraged to ask: 

• Is the reporting channel designed, established, and operated in a secure manner that ensures the confidentiality of the reporter’s identity and that of any party mentioned?
• Have you considered alternatives to traditional hotlines that might be more accessible (apps such as Vault Platform)?
• Is a confirmation of receipt of the report given to the reporting person within an appropriate time frame (even anonymous reporters)?
• Does a competent person or department follow up on the reports? Can this person maintain communication with the reporting person and provide feedback (even anonymous reporters)?
• Is a careful follow-up investigation carried out on the report by the designated person or department?
• Is a reasonable time limit set for giving feedback or closing the loop on the report from the acknowledgment of receipt?
• Does your case management and resolution system give you real-time data on the status of ongoing investigations and specific categories of incidents?

The post The urgency around ethics and compliance effectiveness appeared first on Vault.

Over the last weeks, the activist group Extinction Rebellion has been running LinkedIn ad campaigns targeting employees at big companies such as Shell, Exxon, and HSBC. Physical postcards have also been delivered to London neighborhoods where said employees are thought to live.  

The ads have been directing curious employees to a ‘truth telling’ platform, kind of like Wikileaks for environmental concerns. The tool itself is just a collection of encrypted email and messaging boxes, as well as a snail-mail PO box and the focus is exclusively on anonymous reporting. 

Guerilla campaigns such as this are propelled by the success of previous employee activists and whistleblowers in drawing attention to corporate misconduct. Rio Tinto and Boeing are two recent examples of leaked information hitting the headlines. 

Whistleblowers are ‘disappointed believers’

Whistleblowing, especially external whistleblowing, is often cast in a negative light, as a disgruntled employee with a grudge against their employer. But the author of the FT article, Dr. Margaret Heffernan, a well-known author and expert mentor on business leadership and management, hits the nail on the head with her description of a ‘whistleblower’. 

“While the popular image of the whistleblower is typically an eccentric loner, the truth is more prosaic: whistleblowers are likely to be loyal employees, passionate about high standards, who go outside their organization as a last resort when nobody takes them seriously. They aren’t defiant troublemakers; they’re disappointed believers.”

Among Ethics, Compliance, and Culture professionals, at least the ones we speak to on various ECI Working Groups on a regular basis, there is definitely an acknowledgment that employees are your best first warning system when something isn’t right. Especially the believers. 

But time and again we see exposés of corporate misconduct on the news and social media, not because that was the whistleblower’s first port of call but because they tried to raise the alarm within their organization and got nowhere. 

Now with social movements like Black Lives Matter and MeToo so high on the corporate agenda, as well as a growing focus on Environmental, Social, and Governance (ESG) issues – which is a bucket most of these movements fall into from the business’s perspective, lawmakers are moving to give external whistleblowers greater protection and incentive to comes forward. 

But the laws through which this is happening, such as the incoming EU Whistleblower Directive, also set stricter requirements for internal reporting of misconduct. They just don’t oblige misconduct reporters to use internal channels first. 

So, it’s incumbent on the organization to encourage greater usage of its internal systems, something notoriously tricky with legacy solutions, which don’t encourage trust, transparency, or accountability. 

As Heffernan notes of one internal whistleblower who decided to Speak Up after considering quitting the company and had their investigation conducted effectively, “the whole company watched what happened and began to believe change was possible.”

A misconduct reporting and resolution system that demonstrates transparency and accountability by closing the loop and allowing investigators to communicate with (even anonymous) reporters set a precedent that encourages more people to come forward in the future. 

Silence is a waste of knowledge 

A recent report by Deloitte found that Fraud and whistleblowing are on an upswing as the pandemic continues and the remote workplace has introduced a range of compliance risks. “Many companies have a general ethics and personal conduct policy, with HR on point for internal investigations. But between an uptick in whistleblowing and the ongoing deluge of data post-COVID-19, these measures may no longer be adequate,” the firm says. 

The solution is to make it easier not just for employees to Speak Up, but for organizations to listen and act when people try to draw attention to concerns and been ignored.

“Companies would do better to listen to whistleblowers than try to shut them up. Telling the truth shouldn’t be an exceptional act of courage,” says Heffernan. “Companies targeted by Extinction Rebellion via LinkedIn and other means, or those alarmed by Deloitte’s warning, might rush to tighten up their processes. They would do better to see their workforce as a source of insight and moral compass.”

Vault Platform is helping companies achieve compliance with the EU Whistleblower Directive as well as those organizations seeking to create a culture of trust and transparency. 

You can hear how we’re doing this in a legal and compliance context in this video discussion between Søren Pedersen, Partner, Bird & Bird, and Kate Ash, Global Ethics and Compliance Officer, Neptune Energy.

Watch now

The post Whistleblowers are a golden opportunity appeared first on Vault.

The researchers found that companies with Fortune 500 status were represented nearly four times as often among the firms that had committed fraud. Furthermore, firms that traded on NYSE were over-represented by nearly two to one in terms of fraudulent activity, versus those that trade on other exchanges like the NASDAQ or OTC.

The implication here is that firms going public are exposing themselves to a greater risk of fraud and that risk increases in line with success. 

Listed companies face greater pressure to succeed

“Prestigious companies, those that are household names, were actually more prone to engage in financial fraud, which was very surprising,” said Jennifer Schwartz, WSU sociologist and lead author on the study. “We thought it would be companies that were struggling financially, that were nearing bankruptcy, but it was quite the opposite. It was the companies that thought they should be doing better than they were, the ones with strong growth imperatives–those were the firms that were most likely to cheat.”

Interestingly, the researchers found that white-collar crime in high performing businesses is understudied, perhaps because it depends as much on the company culture from leadership down as it does on the tools and mechanisms used to expose and report misconduct. 

“What these companies were doing was essentially fudging the numbers, lying to investors, other companies and the SEC,” said Schwartz. “Eventually, you have to make up for the money that was lost, that really never existed, so shareholders lose money, people lose retirement plans, people lose jobs.”

All companies filing for an IPO must comply with the Sarbanes-Oxley Act which has sections directly related to establishing whistleblower reporting policies and procedures.

As well as a published Code of Ethics that executives must abide by, Section 301 dictates that an audit committee must be established along with a misconduct reporting process for the receipt, retention, and treatment of complaints regarding accounting, internal accounting controls, or auditing matters.

Incoming changes to legislation make whistleblowing more rewarding

To date, however, little has been done about the adoption or effectiveness of such systems, leaving it up to the discretion of listed companies to weigh the risk of fines and regulatory intervention against internal processes. 

That said, after a bumper year of whistleblower reports and subsequent payouts, the SEC is making moves to further protect and incentivize potential whistleblowers. This should galvanize risk-averse companies to ensure they put effective tools and processes in place to expose and resolve fraud and corruption. 

Find out more about how Vault Platform can help expose and resolve white-collar crime more effectively than legacy tools such as hotlines. 

The post High flying public companies at greater risk of fraud  appeared first on Vault.

The financial authority’s discrimination counterpart – the US Equal Employment Opportunity Commission (EEOC) – also had a bumper year in terms of payouts. The EEOC secured a record amount of recovery, more than $535m, for victims of discrimination in the workplace. This includes $333.2 million in monetary relief for employees and applicants in the private sector and state and local government workplaces through mediation, conciliation, and other administrative enforcement, and $106m in monetary relief through litigation. The litigation recovery was the highest since 2004. 

Yet the amount of pending cases in EEOC inventory remains a mountain. The body said in 2020 it reduced the private sector charge workload by 3.7% to 41,951 reports, the lowest pending inventory in 14 years.

Incidents of misconduct higher than ever

We know that whether it’s financial misconduct or interpersonal, only a small number of incidents actually get reported, so the numbers revealed by the SEC and EEOC are really just the tip of the iceberg. But they demonstrate the scope of the problem persistent in private enterprise. They also show how external authorities are increasingly favored by reporters and whistleblowers, not just because of the potential payout for a successful claim, but more often than not because internal reporting mechanisms are too frustrating to be effective.

This month the EEOC posted new information on its website giving greater transparency and explaining the use of administrative and litigation tools used to identify and pursue systemic discriminatory practices. It’s a term that became familiar with during the course of 2020 as the Black Lives Matter campaign gathered momentum and systemic is defined as “bias that is built into systems, originating in the way work is organized” and “refers to structures that shape the work environment or employment prospects differently for different types or workers.”

According to EEOC Chair Janet Dhillon, “Systemic enforcement is an important mechanism the Commission uses to remedy discrimination that has broad impacts on industries, professions, or geographic areas.”

The indication is that this will remain a core focus for the authority through 2021 and beyond. 

Examples where the EEOC been successful in systemic enforcement, include:

• Use of background checks
• Denying women jobs in fields such as truck drivers, dockworkers, laborers
• Refusal to hire African American, Hispanics, and older workers for front of the house positions
• Ending staffing agency use of referring applicants based on customer preferences
• Widespread sexual harassment of teenagers in fast food chains
• Racially hostile displays such as nooses and racist graffiti
• Eliminating tap on the shoulder recruiting in favor of job posting
• Challenging policies of issuing attendance points for medical related absences, without accounting for disabilities
• Challenges of deportation made against employees complaining of discrimination
• Challenges to abuse of vulnerable workers who were subject to years of confinement, abuse, deplorable conditions, and reduced pay following charges of discrimination
• Vault Platform believes that modern and effective tools are required to expose discrimination and misconduct at work and to enable companies to resolve incidents quickly and in confidence. 

We look at the discrimination issue in more depth in this issue of Vault Magazine.

The post Misconduct reports to external bodies hit record high appeared first on Vault.

The Financial Conduct Authority (FCA) warned that although many working environments have changed, with more employees working from home, firms are still expected to comply with the obligations in the Senior Management Arrangements, Systems and Controls sourcebook (SYSC 10A).

“Risks from misconduct may be heightened or increased by homeworking. This includes increased use of unmonitored and/or encrypted communication applications (apps) such as WhatsApp for sharing potentially sensitive information connected with work. Use of such apps can present challenges and significant compliance risks, since firms will be less able to effectively monitor communications using these channels,” said the FCA in a statement. 

Under SYSC 10A, firms must take ‘reasonable steps’ to record telephone conversations and keep a copy of electronic communications. 

Out of sight, out of mind

“We have acted against individuals and firms for misconduct which involved the use of WhatsApp and other social media platforms to arrange deals and provide investment advice,” the FCA said. 

As part of this focus, senior managers have an important part to play in establishing and embedding the right culture and governance within firms to continuously improve the standard of conduct at all levels.

In our conversations with a number of senior compliance officers, Vault Platform has also acknowledged an increase in misconduct among WFH employees, not just in instances of white-collar crime against the company, such as fraud and corruption, but also interpersonal misconduct. 

There appears to be a greater temptation for employees to misbehave when ‘out of sight’. But what’s interesting is that cases of external whistleblowing have increased during the pandemic, with evidence suggesting that employees are emboldened to report their company to the authorities from the safety of their homes. 

Optimizing internal reporting

Both of these trends draw attention to the same problem, however, that internal misconduct reporting mechanisms are not suitable or robust enough to expose misconduct and allow businesses to tackle incidents before a third-party authority is involved. 

We keep hearing that it’s difficult to maintain a culture of compliance with a remote workforce. Employees struggle to find information on codes of conduct, they don’t know what the incident reporting channels are, or how to submit a report, and fears of retaliation and inaction on behalf of the company, persist. 

These are exactly the problems we are solving here at Vault Platform. We also go into greater depth on the compliance risks for a remote workforce, in this ebook. 

The post Financial authority warns of misconduct risk among homeworkers appeared first on Vault.

The new rules will see awards increased to the “maximum extent appropriate,” for sanctions of $5 million or less, which in this case is 30% of sanctions obtained. 

The aim is to encourage more prospective whistleblowers to come forward and follows a bumper year for payouts by the SEC, with the office awarding more money to more whistleblowers than ever before in the program’s history. 

The SEC paid out around $175 million in awards to 39 tipsters in 2020 and received a record number—around 6,900—of tips.

Experts in the field have suggested that while the added pressures of COVID on companies and their employees is driving an increase in incidents of misconduct, employees working from home are feeling safer and more confident in external whistleblowing. 

More than one in every five employees feels pressure to compromise their organization’s ethics, policies, or the law, according to the Global Business Ethics Survey 2020, from the Ethics and Compliance Initiative (ECI). Furthermore, employees who feel under pressure to compromise ethics at work are 2x more likely to observe misconduct in their workplace than those who don’t. There’s no smoke without fire. 

Unfortunately, it’s often when the internal mechanism falls short, is ineffective, or even not available, that whistleblowers often decide to take their concerns to an external party. Amends to legislation such as that the SEC is making, and the introduction of new protections for whistleblowers such as through the EU Whistleblower Directive, only serve to make external channels more attractive to potential reporters. 

Optimizing internal reporting 

From both a business benefit and an organizational culture perspective, having prospective whistleblowers use an internal reporting channel first is by far the most desirable approach. Not only does this minimize the risk of financial and reputational damage of an incident going public, it also strengthens trust between the employee and employer even to the point of encouraging more people to Speak Up before concerns boil over. Finally, it sets an example that misbehavior will not be tolerated, making potential corruption or ethical breaches less attractive to perpetrators in the future.

The post Incoming changes to legislation make whistleblowing more rewarding appeared first on Vault.

Every employer with more than 50 employees in the European Union will soon need to comply with the European Union’s Directive for the protection of persons reporting on breaches of Union law, otherwise known as the EU Whistleblower Protection Directive. 

 The Directive was approved in October 2019 to grant greater protection for those who seek to expose corporate wrongdoing. EU member states were given two years to implement it into national law and adoption by enterprises will take a staggered approach. Organisations with more than 250 employees must comply with this legislation from December 2021, and those with between 50 and 249 employees by the end of 2023.

We have a preparation checklist ready to download here:

Download

Or register to download our full report on the impact of whistleblower protections and what this means for your internal reporting program:

What’s new?

Escalation and multiple reporting channels

Under the Directive, a three-tier reporting structure is being introduced. While whistleblowers are encouraged to use internal channels first, there is no obligation to do so, and they will still qualify for protection when reporting internally and externally. While this means that whistleblowers fearing retaliation from internal sources can use an external channel without fear, it raises the risk for companies with ineffective or inefficient internal reporting mechanisms that whistleblowers will immediately opt for more public disclosure. 

Whistleblowers can report their concerns through:

• Internal reporting channels: facilitated by the organisation
• External reporting channels: facilitated by the relevant national authorities or the appropriate EU institutions
• Public reporting channels: such as going directly to the media, or a public forum such as Twitter

Optimising internal reporting

From both a business benefits and organisational culture perspective, having prospective whistleblowers use an internal reporting channel first is by far the most desirable approach. Not only does this minimise the risk of financial and reputational damage of an incident going public, it also strengthens trust between the employee and employer even to the point of encouraging more people to Speak Up before concerns boil over. This also sets an example that misbehaviour will not be tolerated and employees will report it, making potential corruption or ethical breaches less attractive to perpetrators.

Many companies tick a compliance box by buying a hotline but then failing to make it accessible. The ineffectiveness of hotlines is actually highlighted by the hotline providers themselves, with many of the established players reporting a steady decrease in hotline usage, forcing them to rethink their offerings for a world that has moved on. The shift away from telephone hotlines was highlighted as far back as 2012 in the National Business Ethics Survey of Fortune 500 Companies, which revealed hotlines as the least popular channel (used only by 11% or reporters) among the small number of people that do go ahead and report misconduct.

With a multigenerational workforce that largely favours digital communications, the idea of telephoning a call centre somewhere to report misconduct might seem alien. It’s also inconvenient and unengaging, two significant modern trends that legacy reporting solutions have failed to address. Ultimately, hotlines are seen as outdated legacy offerings that really do little to solve a persistent problem and the public financial exposés post 2008, the interpersonal misconduct revelations of 2017, and employee activism of 2020 all support this.

Who needs to comply?

In short, all legal entities with more than 50 employees operating within the EU member states are required to comply with the Directive. This includes European operations of organisations headquartered outside of the EU. The purpose of the Directive is “to enhance the enforcement of EU law and policies in specific areas by laying down common minimum standards providing for a high level of protection of persons reporting on breaches”. At the time of the Directive’s adoption, the EU warned that the majority of EU countries did not have effective laws in place, suggesting a significant liability for organisations across the EU Member States. In fact, the EU identified only 10 Member States with a ‘comprehensive law’ protecting whistleblowers: France, Hungary, Ireland, Italy, Lithuania, Malta, The Netherlands, Slovakia, Sweden and the UK. The Directive however, goes beyond these ‘comprehensive’ laws and will likely see adoption as countries seek to retain their pioneering position.

What do I need to know?

Legislation and provisions for employers includes reporting for all people having “Worker Status” plus: Self-employed, Trainees, Volunteers, Shareholders & NEDs; Former & Future employees (such as those who have gone through recruitment/pre-contract); and “Natural Persons” eg. Suppliers, Consultants, Freelancers, Contractors & Subcontractors.

Whistleblowers should be able to submit reports and these reports should be received and acted upon by a “most suitable” person, such as Compliance officer; Head of HR; Legal counsel; Chief Financial Officer (CFO) or other executive manager; or an appropriate external ombudsman.

The identity of the whistleblower must be kept confidential whether the report is submitted anonymously or not and all personal data, both that of the whistleblower and any accused persons, must be handled in accordance with the GDPR.

The company is obliged to confirm receipt of the report to the whistleblower within seven days. The whistleblower must be informed of any action taken within three months, as well as the ongoing status of the internal investigation and its outcome.

The internal reporting system must allow for a physical meeting to be requested and must outline external reporting procedures available to the reporter.

Companies that obstruct or attempt to obstruct the reporting of concerns will face penalties. Retaliatory measures against whistleblowers will also be punished, including a failure to keep the identity of the whistleblower confidential.

What breaches fall under the remit of the EU Whistleblower Protection Directive?

• Public Procurement Rules
• Financial Services Rules
• Product Safety Rules
• Transport Safety Rules
• Environmental Protection Rules
• Nuclear Safety Rules
• Food Safety Rules
• Animal Health & Welfare Rules
• Public Health Rules
• Consumer Protection Rules
• GDPR/Data Privacy Rules
• Breaches affecting the financial interest of the Union
• Breaches relating to the internal market

It should be noted that this list is effectively extended under provisions for protection against retaliation.

What could be considered retaliation under the legislation?

• Suspension, lay-off, dismissal etc.
• Demotion or withholding of promotion
• Transfer of duties
• Negative performance assessment
• Disciplinary measures, reprimands, financial penalty
• Coercion
• Intimidation
• Harassment
• Discrimination
• Failure to convert temporary/fixed term employment or to renew

Although not mandatory, forward-thinking employers are ensuring their whistleblowing solution is also able to capture incidents of retaliation. This makes reporting, attribution, and resolution much easier, as well as reducing the number of separate tools performing similar tasks.

The post EU Whistleblower Directive appeared first on Vault.