The Whistleblowing landscape has evolved significantly over the last few years. High-profile cases have prompted new whistleblower protection regulations and legislation across the globe. Among them, we can recall the Volkswagen Emissions Scandal (2015), involving the use of illegal software to cheat emissions tests on diesel vehicles. Whistleblowers within Volkswagen provided critical information that led to the exposure of the fraud. This scandal led to global regulatory investigation and legal measures. It also sparked talks about enhancing whistleblower protection laws and corporate responsibility. Other cases such as Edward Snowden and NSA Surveillance (2013) or the Facebook Cambridge Analytica Data Scandal (2018) highlighted fatal weaknesses in company culture, whistleblower protection, data privacy, etc.
In Europe, the EU Whistleblowing Directive and its transpositions into local legislation strengthen and harmonize whistleblower protection. Similar laws have been passed worldwide, for instance in the United States, Australia, New Zealand, or Japan.
Following these evolutions, organizations worldwide had to implement new whistleblowing platforms, or re-evaluate the effectiveness of their existing internal reporting systems.
Management has become increasingly aware of the necessity of recognizing and resolving internal concerns. However, many employees still prefer reporting publicly or not at all.
There are several possible reasons for this behavior:
Organizations must put systems, processes, and policies in place to support their whistleblowing program. But more often than not, they have no experience and do not know where to start.
This is where ISO 37002 comes in, providing guidance to implement an efficient and compliant whistleblowing program to address whistleblowers’ real and valid concerns.
Among global standards and certifications, we can highlight three international norms related to whistleblowing:
ISO 37002 → Whistleblowing management systems
ISO 37301 → Compliance management systems
ISO 37001 → Anti-bribery management systems standards
While ISO 37301 and ISO 37001 provide certifications, they only cover specific aspects of whistleblowing management.
ISO 37002 is the first Global Standard to fully address whistleblowing. It applies to any type of organization, whether private, public or non-profit, regardless of size, nature of business, or geographical location.
It is a standard that only contains recommendations and best practices for organizations, it is not a certification.
ISO 37002 is a voluntary standard that organizations can adopt, if desired. However, for certain organizations and industries, compliance with the standard becomes a legal or contractual requirement. This is for example the case for Public Procurement and Supply Chains.
Legislation and ISO 37002 go hand in hand and act as a complement to each other.
Legislation tells you what you need to do, while ISO 37002 gives you a detailed list of specific instructions on how to do it and what good practices look like.
ISO 37002 relies on 3 core principles: trust, impartiality, and protection.
Derived from these principles, the guidelines encompass three primary components:
This standard puts a real emphasis on the way whistleblowers' reports are handled and processed. While receiving reports from employees is encouraging, it is not sufficient in itself.
Myth: as long as you get more people to report wrongdoing, you will improve your business.
Reality: it is not just about people reporting wrongdoings, but also that these reports are handled effectively. If not, it can result in demotivated employees, quiet quitting, wrongdoings escalating, scandals, …
ISO 37002 provides detailed guidelines for implementing, controlling, evaluating, maintaining, and improving a robust and efficient whistleblowing management system. By setting global standards of good practices, ISO 37002 guides organizations in the management of the entire whistleblowing cycle, divided into 4 phases:
1. Reporting of concerns of wrongdoings
Employees must receive the appropriate training and information about their organization’s internal reporting channels. It must be clear and accessible for them to properly submit a report through the whistleblowing system in place.
2. Assessment of reports
Once a report has been successfully submitted, specific procedures must be followed for classifying the communications, taking into account possible conflicts of interest, areas of expertise, and risks that the reported event may entail.
3. Addressing reported wrongdoings
The methods for handling submitted reports, such as creating specialized channels for whistleblowing, are to be implemented within the whistleblowing system.
4. Closure of reported cases
To resolve issues raised by employees or third parties, the whistleblowing system must provide specific investigative rules, as well as adequate protection and follow-up measures for whistleblowers and others who may be involved with the report.
The success factors for corporate whistleblowing lie in getting the trust of the people who have something to report. By providing a common standard on how organizations can build this trust, ISO 37002 makes handling reports internally easier and more efficient.
Whispli is flexible enough to adapt to any organization’s requirements and can be up and running in just a few weeks. Here are some of the features directly meeting ISO 37002 standards, making your compliance with the guidelines as easy as possible:
Whispli provides a safe inbox and anonymous chat features. They ensure a secure way for whistleblowers to report their concerns without fear of retaliation, or other negative consequences they may face by revealing their identity. This intuitive way to communicate with case managers helps you build trust in the whistleblowing system, and start a virtuous cycle of continuous improvement.
The Whispli safe inbox is where informants can report wrongdoing and stay in touch with case managers through a secure, anonymous, and very user-friendly app, available on web and mobile. They can share files, answer additional questions, and support the case managers in their investigations. Most importantly, the case managers can keep them updated about the case's progress and guide them to psychological resources if needed.
Whispli provides the ability to automate many tasks in the system:
Case managers can then save time to focus on the core investigations and streamline their processes.
Depending on local legislation, you may be required to host the whistleblowing system data in a specific location, or several locations. Whispli provides a wide range of options around the world, compliant with GDPR, PIPL, etc.
Security-wise, all Whispli platforms are ISO 27001 and SOC2 Type1 certified.
Whispli offers many more features to optimize whistleblowing, for all types of organizations.
Auchan Retail’s teams have noticed a drastic decrease in the number of reports without resolution and a more fluid exchange with whistleblowers.
- Stéphane Bernardeau | Chief Compliance Officer at AUCHAN RETAIL
30%
before implementing Whispli, almost 30% of the alerts received could not be properly treated due to a lack of sufficient information provided by the whistleblowers.
People trust that the platform is secure, especially the ability to choose to be anonymous or not. It has worked quite well, so much so that when one informant who made a report realized that we were responding through the chat box and taking it very seriously, he spoke with his colleagues and they had the confidence to later send their own reports about the same issue.
- Jean-Baptiste Loriot | Case Manager at DECATHLON
+64%
Trust in the platform can be confirmed by the increase in the number of reports from year to year: +64% on average each year between 2019 and 2023.
Setting up a whistleblowing management system can be tricky. By referring to ISO 37002 standards, organizations can jump-start their whistleblowing program with a clear set of guidelines to quickly and successfully set up their platform.
These standards also provide supporting guidance when benchmarking for a new whistleblowing solution.
By establishing a reliable internal reporting system, organizations can use their whistleblowing platform to encourage a speak-up culture. With employees empowered to raise concerns internally, risks are detected early and can be mitigated before they escalate. Moreover, being transparent about the processes in place and actions taken to resolve reported issues will shine a positive light on your organization, attracting talent and increasing employee retention.
Complying with ISO 37002 guidelines has a positive impact beyond the walls of your organization:
Complying with ISO 37002 standards provides tangible proof of your organization's efforts to prevent, detect, and manage concerns about wrongdoings. By demonstrating your ethics and compliance commitment, you can increase trust and reputation among stakeholders, shareholders, customers, new hires, and investors. The whistleblowing program results can be included in the annual ESG reporting, ultimately leading to a competitive advantage.
Your employees are more likely to report concerns internally if they trust their company’s whistleblowing program. Your speak-up platform helps you mitigate reputational risks to your organization. When you provide clear information about how employees can report, and most importantly, how those reports are processed, you reduce the risk of issues being shared in the press or on social media, protecting your brand image and reputation.
Organizations operating internationally will find the guidance provided by ISO 37002 particularly useful. This standard helps ensure that organizations comply with various local laws and regulations regarding reporting systems. Regardless of the size or industry of your organization, adhering to ISO 37002 straightforward guidelines can help you establish a strong foundation for your whistleblowing system, based on globally recognized standards.
Compliance departments or Ethics committees are usually put in charge of implementing and managing the whistleblowing program, but roles and responsibilities also lie at other levels:
Communication teams are responsible for regularly promoting the program to ensure that all employees:
Setting up a whistleblowing program can be done very quickly, especially when following the ISO 37002 guidelines. A Whistleblowing platform can be operational in a few weeks.
However, compliance with ISO 37002 and other whistleblowing regulations is an ongoing process, not a one-time event. Organizations must reassess their program regularly to adapt to new regulations worldwide and can benefit from progressively improving their practices as they gain experience.
That is all we do! When you trust Whispli with the deployment of your whistleblowing platform, you benefit from years of expertise in the setup of successful speak-up and case management solutions. Whispli has been supporting clients of all sizes, from all over the world, in all industries. We are experts at setting up platforms efficiently, providing best practices, configuration examples, and new features regularly to streamline communication with whistleblowers and report management.
Founded by a whistleblower turned compliance officer, Whispli benefits from this double experience to develop the best features and interfaces.