By Kariuki Kamwene
Introduction to ISO (the International Organization for Standardization)
ISO (the International Organization for Standardization) is a world-renowned standards-setting body that develops international standards through its technical committees. ISO 37002:2021 – Whistleblowing Management Systems Guidelines adopts the harmonized approach developed by ISO, meaning that if you have interacted with any other ISO Standard, you will likely find this Standard familiar in terms of design and implementation, either as stand-alone guidance or in alignment with other management system standards you may already have in place.
It is also noteworthy at this point that ISO Standards can be either for certification or for guidance only. ISO 37002:2021 – Whistleblowing Management Systems Guidelines is a guidance-only Standard.
Legislative Guidance on Whistleblowing.
Whistleblowing is the act of reporting, in the context of the workplace, actual or suspected wrongdoing that could be unethical, illegal or dangerous, and that could have already happened, is presently happening and/or will likely happen in the future. The publication of ISO 37002:2021 – Whistleblowing Management Systems Guidelines provides tactically essential criteria for any organization developing and/or in need of improving whistleblowing policies and related reporting channels.
Prior to the publication of this Standard, one would have had to refer to the disparate legislative frameworks across the world to learn about whistleblowing best practices. A significant inherent limitation of legislative frameworks remains the lack of tactically sufficient guidance to support the practical and effective implementation of whistleblowing management systems. Countries around the world apply differing approaches to whistleblowing legislation. Some have dedicated laws addressing the practice of whistleblowing, while others have piecemeal clauses in several laws attempting to address the practice.
In Kenya, the latter is the case. The Bribery Act 2016 of Kenya, Section 9(1) requires a public or private entity to put in place procedures appropriate to its size and scale and to the nature of its operation, for the prevention of bribery and corruption. These procedures have been interpreted to include, among other things, having a whistleblowing management system in place. An outstanding example of dedicated whistleblowing legislation is the EU Whistleblowing Directive that came into effect on 17th December 2021. All legal entities in EU member states with 50 or more workers must establish internal reporting channels under the Directive. However, the minimum threshold (of 50+) does not apply to regulated entities in the financial services sector or those vulnerable to money laundering or terrorist financing, which are required to have reporting channels regardless of their size.
Why ISO 37002:2021 – Whistleblowing Management Systems Guidelines.
The Standard defines a management system as a set of interrelated or interacting elements of an organization to establish policies and objectives, as well as processes to achieve those objectives. These elements also include organization structures, roles and responsibilities, planning as well as operations. The guidelines provided are intended to be applicable to all organizations regardless of type, size, nature of activity, and whether in the public, private or not-for-profit sectors. This Standard provides guidelines for establishing, implementing and maintaining an effective whistleblowing management system based on the principles of trust, impartiality and protection to the business unit concerned, the whistleblower, the subject of the report and other interested parties, in the following key steps:
i. Receiving reports of wrongdoing
The whistleblowing management system should specify how reports can be made and received taking into consideration the context of the organization, the needs and expectations of interested parties, who can report and what types of wrongdoing are covered, and the outcomes of any compliance risk assessment if available (organizations can refer to ISO 37301 for compliance risk assessment). The types of wrongdoing that can be addressed through the whistleblowing management system, if reported, are important to its scope.
Not all reports made to the whistleblowing management system will be within its scope, and a single report can include information about multiple types of wrongdoing, some within scope and others outside of scope. The organization should identify what other processes, existing or planned, will be used to resolve reported wrongdoing that is not within the scope of the whistleblowing management system (for instance, customer complaints or employee grievances) and how this will be
ii. Assessing reports of wrongdoing
This step is also referred to as the ‘triage’. The whistleblowing management system should specify the process of assessing received reports, including aspects such as priority, completeness and relevance of the information. At the same time, the whistleblowing management system should provide for an assessment of the risk of detriment to and the level of protection and support required for whistleblowers and others involved (for instance, witnesses and subjects of the report).
Detriment includes any adverse consequence, whether work-related or personal, including, but not limited to, dismissal, suspension, demotion, transfer, change in duties, alteration of working conditions, adverse performance ratings, disciplinary proceedings, reduced opportunity for advancement, denial of services, blacklisting, boycotting, damage to reputation, disclosing the whistleblower’s identity, financial loss, prosecution or legal action, harassment, isolation, imposition of any form of physical or psychological harm. Detriment also includes failure to prevent or minimize the above examples by fulfilling a reasonable standard of care at any step of the whistleblowing process.
iii. Addressing reports of wrongdoing
The whistleblowing management system should provide for an impartial and timely investigation, as well as effective and timely protective and support measures and monitoring as appropriate for the whistleblower and others involved. Those protective measures can prevent and contain, as well as remediate detriment. The subject of whistleblower protection has received extensive attention globally considering that the fear of detrimental conduct has been established as the biggest deterrent toward effective whistleblowing. The Organization for Economic Cooperation and Development (OECD) provides expansive guidance on the subject of whistleblower protection and the resources are freely available on its website.
However, popular whistleblower protection strategies include:
- Protecting the identity of whistleblowers, witnesses, subjects of a report and other interested parties.
- Sharing information on a strictly need-to-know basis.
- Providing support throughout the process, including regular communication with special consideration and systems towards vulnerable people (for example, children, young people, migrant workers, those with mental health issues or learning difficulties and older persons).
- Changing workplace or reporting arrangements.
- Warning subjects of the report or other interested parties that detrimental conduct or breach of confidentiality can be a disciplinary offence.
iv. Concluding whistleblowing cases
Concluding a whistleblowing case designates the end of the processing of the report of wrongdoing. A whistleblowing case will move into the concluding phase where no action is considered necessary in response to a report, where fact-finding determines that no further investigation is warranted, where the report is referred to another process to be dealt with, or at the end of any investigation (whether or not wrongdoing is found).
The whistleblowing management system should provide a mechanism to close investigations and take action in response to recommendations and decisions based on the outcomes of the addressing step above. It should also ensure that protective and support measures can continue and will be monitored as appropriate. Outcomes may be used for management reporting, organizational learning and other actions (for instance, mitigation remedies).
As is customary with ISO Standards, the requirement for ongoing performance evaluation of the effectiveness of the management system is provided for in this Standard. This evaluation calls for the conduct of internal audits at planned intervals to provide information on whether the whistleblowing management system:
• conforms to the organization’s own requirements and the recommendations of this Standard.
• is effectively implemented and maintained.
The role of the organization’s Internal Audit function is to provide independent assurance, advice and insights on the design and operating effectiveness of the system of internal control, including the effectiveness of the organization’s whistleblowing management system. If the Internal Audit function is directly responsible for any of the four key steps described above, then consideration should be given to outsourcing an audit of the whistleblowing management system.
Kariuki Kamwene, CRMA, CIA, CFE is a Director at Speak Out Hotline Service Limited.