09 okt Corporate whistleblowing procedure requirements according to Transparency International

By Evert-Jan Lammers

Do the corporate procedures enable employees and others to raise concerns and report violations (of the anti-corruption programme) without risk of reprisal?

One of the main features of a functioning company whistle-blowing system is security of those raising concerns. Both their jobs and their personal security should be officially protected by the company. A company should publicly declare that each whistle-blower can raise concerns and/or report violations without risk of reprisal. Such policy is usually included in the description of the reporting system and relevant procedures. A necessary condition is the very existence of a relevant reporting channel for company employees. Having only a reporting channel for a selected group, i.e., for managers, is insufficient. If the existing channel does not allow reporting on anti-corruption issues, i.e. it is limited to improper financial management, is also substandard.

Good practice:

If the publicly-available policy specifies that no employee will suffer demotion, penalty or other reprisals for raising concerns or reporting violations (whistle-blowing) Examples:

• “Employees and Business Associates are assured that they are fully protected against reprisals, punishment, intimidation, coercive action, dismissal or victimization for reporting genuine concerns made in good faith even if not proven.”;
• “Those providing information will not be subject to reprisal, including suspension or termination of employment as per company policy”;
• “Retaliation against employees who use the reporting arrangements in good faith will not be tolerated”
• “Adequate safeguards are provided against victimisation”;
• “Employees can report any concerns, including (…) in confidence and without fear of recrimination”;
• “No form of retaliation shall be tolerated against any team member who reports, in good faith, any concern about a Code of Conduct violation”

 
Substandard:

If there is no explicit policy prohibiting such retaliation / if there is no such statement Examples:

• “The company has a Whistle Blower Policy in place since 2004 which is also applicable to group companies to report concerns about unethical behaviour, actual/ suspected frauds and violation of Company’s Code of Conduct or Ethics Policy” (no further details, such as whistleblower protection or confidentiality);
• “All persons subject to this Policy are required promptly to report any instances of noncompliance with this Policy. Failure to do so will be treated as a violation of this Policy, and may result in disciplinary action up to and including termination” (no reference to protection of whistleblowers).

 
Examples of “ambiguous cases”:

• The company has a reporting channel with relevant whistleblower protection. However, the channel is available for top managers only, hence it does not fulfil the very basic criterion for a whistle-blowing channel. This is substandard;
• There is a publicly-available reporting channel for all employees and stakeholders, and the company declares one can report “without fear of retaliation”. Still, the channel is dedicated to accounting irregularities only and not meant for reporting on other ethical issues, such as corruption or bribery. This is substandard.

  
Does the company provide a channel through which employees can report suspected breaches (of anti-corruption policies), and does the channel allow for confidential and/or anonymous reporting (whistle-blowing)?

A company whistle-blowing system should be available to all employees and it should allow for confidential reporting of concerns and violations regarding anti-corruption policies. Moreover, such a system should allow for two-way communication between the whistleblower and those dealing with the reports. The first three features, accessibility for all employees, confidentiality and possibility to report on anti-corruption, are absolutely necessary. If there is a system with limited access, i.e., for managers only, it is considered insufficient. Confidentiality can be basically assured in two ways, first, the system can allow for anonymous reporting, or second, the company can publicly declare that reports will be confidentially treated. Both options are accepted as fulfilling the confidentiality criterion. Some companies may include a restriction that personal data of whistle-blowers will be kept confidential to the extent allowed by the law. Such restriction is acceptable. We assume that all “ethical channels” allow for reporting on anti-corruption issues, unless there is an explicit statement that the channel is only available for certain topic, i.e., only for sexual harassment. The fourth required feature of the whistle-blowing system is the provision of a two-way communication channel, which should allow the whistle-blower to follow-up on the reported case and those dealing with the report to ask for additional information. This feature is an absolute requirement. The existence of the two-way communication channel can be basically verified in two ways. Either, there is a public policy/information which indicates that such channel is in place, or the required feature can be tested by a researcher. For example, many publicly available whistle-blowing systems that allow for anonymous reporting, give the whistle-blower a code (PIN), which allows to follow-up on the reported case. A researcher should submit a simple meaningless test-report and check if the follow-up feature works.

Good practice:

If there is public provision of such a channel in a form that assures full confidentiality and/or anonymity, and two-way communication with the whistle-blower for any needed follow-up on the disclosure: Examples:

• A good example of best practice: https://www.cwiportal.com/;
• There is an online ‘Ethics Line’ on company website. It assures full confidentiality and one can select among different levels of anonymity for reporting. It is possible to file a case without giving any contact details, otherwise all personal data is confidentially treated. If contact details are revealed, the whistleblower will be contacted for follow-up information. Every reported case receives a code, that can be used for further inquiries;
• A company cooperates with an external whistle-blowing portal, where all employees and external stakeholders can report their ethical concerns anonymously. Each reported case receives a PIN code, which opens access to the “case letter box” and to the information on its current status;
• The company has a whistle-blowing channel conducted by the internal audit. The channel is not anonymous, but the company assures confidentiality of reports and whistleblowers. A procedure is described on how each case is dealt with and this procedure includes continuous communication between the whistleblower and the company’s internal audit.

 
Room for improvement:

If there is such a confidential channel, but two-way communication with the whistle-blower is not assured. Examples:

• “The identity of the complainant will be protected” (confidentiality) but no two-way communication;
• “The analysis of the case and the action to be taken may not be communicated to the original complainant”;
• “In case of anonymous submission of issues to the Hotline, the applicant shall realize difficulties associated with further information analysis and review, conducting internal investigations where necessary, and taking appropriate measures, as there is no opportunity to clarify received information and interact with the applicant afterwards” (for non-anonymous reports confidentiality is not assured, but only such reports allow for two-way communication);
• There is a “compliant mailbox” and “information about the complainant is strictly confidential”, however no two-way communication is assured.

 
Substandard:

If there is no such channel or the channel allows for neither confidential, nor anonymous reporting. Examples:

• There is a channel for “complaints and suggestions”, but no confidentiality is assured;
• There is only a channel for customers’ complaints;
• All breaches/ethical violations should be reported to the direct supervisor/ manager.

 
Examples of “ambiguous cases”

• The company declares to have a confidential reporting online mechanism in place that enables two-way communication with the whistleblower, where a code is given for anonymous reporting. However, the links provided by the company lead to a “Speak Up” website that is not functional. It was tested several times without success and the researcher requested the company to clarify the situation, but received no response. This is substandard;
• The company publishes information about a sophisticated whistle-blowing channel and most probably the system allows for confidential or anonymous reporting. However, there is no explicit statement about confidentiality and/or anonymity. This is substandard;
• The company has a very good reporting system but it is only available for suppliers to complain about irregularities in the procurement process. This is substandard.

Brussels, 27 September 2017

Evert-Jan Lammers is a partner at EBBEN Partners (www.ebbenpartners.be) and a member of the Board of Directors at Transparency International Belgium. He has performed reviews on Transparency in Reporting on Anti-Corruption (TRAC) in 2009, 2012, 2015 and 2016 (all review reports are available at www.transparencybelgium.be) applying the above criteria.