Whispli's Blog

Implementing an ISO 37002 Compliant Whistleblowing Program

Written by Marinette Monaton | Mar 14, 2024 9:22:55 AM

Why was ISO 37002 created?

Evolution of the legal whistleblowing landscape

The whistleblowing landscape has evolved significantly over the last few years. High-profile cases have prompted new whistleblower protection regulations and legislation across the globe. Among them is the Volkswagen emissions scandal (2015), in which illegal software was used to cheat emissions tests on diesel vehicles; whistleblowers within Volkswagen provided critical information that led to the exposure of the fraud. The scandal triggered regulatory investigations and legal measures worldwide, and sparked debate about strengthening whistleblower protection laws and corporate responsibility. Other cases, such as Edward Snowden's disclosures about NSA surveillance (2013) or the Facebook and Cambridge Analytica data scandal (2018), exposed serious weaknesses in company culture, whistleblower protection and data privacy.

In Europe, the EU Whistleblowing Directive (Directive (EU) 2019/1937) and its transpositions into national legislation strengthen and harmonize whistleblower protection. Similar laws have been passed worldwide, for instance in the United States, Australia, New Zealand and Japan.

Following these developments, organizations worldwide have had to implement new whistleblowing platforms or re-evaluate the effectiveness of their existing internal reporting systems.


Providing a global standard for internal reporting

Management has become increasingly aware of the need to recognize and resolve internal concerns. However, many employees still prefer to report publicly, or not at all.

There are several possible reasons for this behavior:

  • Distrust in their organization’s capacity to respond to their report
  • Unawareness of speak-up policies
  • Uncertainty if the report will be taken seriously
  • Doubts about confidentiality
  • Fear of victimization or retaliation
  • Etc. 

Organizations must put systems, processes and policies in place to support their whistleblowing program. More often than not, however, they have no prior experience and do not know where to start.

This is where ISO 37002 comes in, providing guidance for implementing an effective and compliant whistleblowing program that addresses whistleblowers’ real and valid concerns.


Whistleblowing guidelines and certifications ecosystem

International certifications

Among global standards and certifications, three international norms relate to whistleblowing:

  • ISO 37002: Whistleblowing management systems
  • ISO 37301: Compliance management systems
  • ISO 37001: Anti-bribery management systems

While ISO 37301 and ISO 37001 are certifiable standards, they only cover specific aspects of whistleblowing management.
ISO 37002 is the first global standard to fully address whistleblowing. It applies to any type of organization, whether private, public or non-profit, regardless of size, nature of business or geographical location.

It is a guidance standard: it contains recommendations and best practices for organizations, and it is not a certification.


Legislation and ISO 37002 guidelines: what’s the difference?

ISO 37002 is a voluntary standard that organizations can adopt if they wish. For certain organizations and industries, however, conformance with the standard can become a legal or contractual requirement, for example in public procurement tenders or supply-chain due diligence.

Legislation and ISO 37002 go hand in hand and complement each other.

Legislation tells you what you must do, while ISO 37002 gives you detailed guidance on how to do it and what good practice looks like.


ISO 37002: core principles and guidelines

Key principles and components of the standard

ISO 37002 relies on 3 core principles: trust, impartiality, and protection.

Derived from these principles, the guidelines encompass three primary components:

  • Information Security
  • Assurance of anonymous communications with whistleblowers
  • Safeguarding whistleblowers

The standard puts real emphasis on the way whistleblowers' reports are handled and processed. Receiving reports from employees is encouraging, but it is not sufficient in itself.

Myth: as long as you get more people to report wrongdoing, you will improve your business.

Reality: it is not just about people reporting wrongdoing; those reports must also be handled effectively. If they are not, the result can be demotivated employees, quiet quitting, escalating wrongdoing and, ultimately, scandals.

ISO 37002 provides detailed guidelines for implementing, controlling, evaluating, maintaining and improving a robust and effective whistleblowing management system. By setting a global benchmark of good practice, ISO 37002 guides organizations through the entire whistleblowing cycle, divided into four phases:

1. Reporting concerns about wrongdoing

Employees must receive appropriate training and information about their organization’s internal reporting channels. The channels must be clear and accessible so that employees can properly submit a report through the whistleblowing system in place.

2. Assessment of reports

Once a report has been submitted, defined procedures must be followed to classify it, taking into account possible conflicts of interest, the expertise required, and the risks the reported event may entail.

3. Addressing reported wrongdoing

The methods for handling submitted reports, such as specialized whistleblowing channels for particular categories of concern, are to be implemented within the whistleblowing system.

4. Closure of reported cases

To resolve issues raised by employees or third parties, the whistleblowing system must provide specific investigation rules, as well as adequate protection and follow-up measures for whistleblowers and others involved in the report.

The success of corporate whistleblowing depends on earning the trust of the people who have something to report. By providing a common standard on how organizations can build this trust, ISO 37002 makes handling reports internally easier and more effective.


How Whispli can help you effortlessly meet the standards

Whispli is flexible enough to adapt to any organization’s requirements and can be up and running in a few weeks. Here are some of the features that directly address the ISO 37002 guidelines, making compliance as easy as possible:

  • Anonymity and communications with whistleblowers

Whispli provides a safe inbox and anonymous chat features. They give whistleblowers a secure way to report their concerns without fear of retaliation or other negative consequences they might face by revealing their identity. This intuitive way of communicating with case managers helps build trust in the whistleblowing system and starts a virtuous cycle of continuous improvement.

The Whispli safe inbox is where informants can report wrongdoing and stay in touch with case managers through a secure, anonymous and user-friendly app, available on web and mobile. They can share files, answer additional questions and support case managers in their investigations. Most importantly, case managers can keep them updated on the case's progress and direct them to psychological support resources if needed.

  • Advanced automations

Whispli provides the ability to automate many tasks in the system:

  • Automatic messages to informants: acknowledgments of receipt, requests for more information, follow-up messages, admissibility/inadmissibility notices, etc.
  • Email reminders to case managers when an informant has not received an update for a set period of time
  • Automatic triage of reports based on the information provided by informants
  • Automatic tagging of cases
  • Etc.

Case managers can then focus their time on the core investigation and streamline their processes.

  • Trusted and flexible data hosting

Depending on local legislation, you may be required to host whistleblowing system data in a specific location or in several locations. Whispli offers a wide range of hosting options around the world, compliant with GDPR, PIPL, etc.

Security-wise, all Whispli platforms are ISO 27001 certified and covered by a SOC 2 Type 1 attestation report (a Type 1 report attests to the design of controls at a point in time, as opposed to a Type 2 report, which covers their operating effectiveness over a period).

Whispli offers many more features to optimize whistleblowing, for all types of organizations.



Auchan Retail’s teams have noticed a drastic decrease in the number of reports without resolution and a more fluid exchange with whistleblowers.
- Stéphane Bernardeau | Chief Compliance Officer at AUCHAN RETAIL

30%: before implementing Whispli, almost 30% of the alerts received could not be properly handled due to insufficient information provided by whistleblowers.


People trust that the platform is secure, especially the ability to choose to be anonymous or not. It has worked quite well, so much so that when one informant who made a report realized that we were responding through the chat box and taking it very seriously, he spoke with his colleagues and they had the confidence to later send their own reports about the same issue.
- Jean-Baptiste Loriot | Case Manager at DECATHLON

+64%: trust in the platform is confirmed by the year-on-year increase in the number of reports: +64% on average each year between 2019 and 2023.


How do organizations benefit from following ISO 37002 guidelines?

Internal benefits for organizations

Setting up a whistleblowing management system can be tricky. By referring to the ISO 37002 guidelines, organizations can jump-start their whistleblowing program with a clear framework for quickly and successfully setting up their platform.

The standard also provides supporting guidance when evaluating a new whistleblowing solution.

By establishing a reliable internal reporting system, organizations can use their whistleblowing platform to encourage a speak-up culture. With employees empowered to raise concerns internally, risks are detected early and can be mitigated before they escalate. Moreover, being transparent about the processes in place and the actions taken to resolve reported issues reflects positively on your organization, attracting talent and improving employee retention.


External benefits for organizations

Complying with ISO 37002 guidelines has a positive impact beyond the walls of your organization:


  • Competitive advantage and tangible proof

Following the ISO 37002 guidelines provides tangible proof of your organization's efforts to prevent, detect and manage concerns about wrongdoing. By demonstrating your commitment to ethics and compliance, you can increase trust and strengthen your reputation among stakeholders, shareholders, customers, new hires and investors. The whistleblowing program's results can be included in annual ESG reporting, ultimately providing a competitive advantage.


  • Reputational risk

Your employees are more likely to report concerns internally if they trust their company’s whistleblowing program. A trusted speak-up platform therefore helps mitigate reputational risk. When you provide clear information about how employees can report and, most importantly, how those reports are processed, you reduce the risk of issues being aired in the press or on social media, protecting your brand image and reputation.


  • Global Recognition

Organizations operating internationally will find the guidance provided by ISO 37002 particularly useful. The standard helps organizations structure a reporting system that can meet the various local laws and regulations on whistleblowing. Regardless of your organization's size or industry, adhering to ISO 37002's straightforward guidelines can help you establish a strong foundation for your whistleblowing system, based on globally recognized good practice.


Frequently asked questions about ISO 37002

1. Who in the organization is involved in the implementation and management of ISO 37002?

Compliance departments or ethics committees are usually put in charge of implementing and managing the whistleblowing program, but roles and responsibilities also lie at other levels:

  • Leadership is responsible for supporting the program by ensuring that:
    • Sufficient resources are allocated to implement the platform
    • Processes are in place to prevent retaliation against whistleblowers
    • All employees are informed of leadership's support for whistleblowing
  • Communication teams are responsible for regularly promoting the program to ensure that all employees:
    • Know how to report wrongdoing (posters, videos, etc.)
    • Have access to key information on the management of the whistleblowing program (ESG reporting, etc.)
  • HR teams are responsible for training employees on the Code of Conduct and Whistleblowing Policy, both during onboarding and regularly throughout the year.
  • Employees are responsible for complying with the organization's whistleblowing policy and for reporting any instance of non-compliance.


2. How long does it take to be compliant?

Setting up a whistleblowing program can be done quickly, especially when following the ISO 37002 guidelines. A whistleblowing platform can be operational in a few weeks.

However, compliance with ISO 37002 and other whistleblowing regulations is an ongoing process, not a one-time event. Organizations must reassess their program regularly to adapt to new regulations worldwide, and can progressively improve their practices as they gain experience.


3. Can Whispli help me deploy a compliant platform?

That is all we do! When you trust Whispli with the deployment of your whistleblowing platform, you benefit from years of expertise in setting up successful speak-up and case management solutions. Whispli supports clients of all sizes, from all over the world, in all industries. We are experts at setting up platforms efficiently, and we regularly provide best practices, configuration examples and new features to streamline communication with whistleblowers and report management.

Founded by a whistleblower turned compliance officer, Whispli benefits from this double experience to develop the best features and interfaces.
