Management Systems Guidelines adopts the harmonized approach developed by ISO, meaning that if you have interacted with any other ISO Standard, you will likely find this Standard familiar in terms of design and implementation, either as stand-alone guidance or in alignment with other management system standards you may already have in place.
into consideration the context of the organization, the needs and expectations of interested parties, who can report and what types of wrongdoing are covered, and the outcomes of any compliance risk assessment if available (organizations can refer to ISO 37301 for compliance risk assessment). The types of wrongdoing that can be addressed through the whistleblowing management system, if reported, are important to its scope.
ii. Assessing reports of wrongdoing
This step is also referred to as ‘triage’. The whistleblowing management system should specify the process of assessing received reports, including aspects such as priority, completeness and relevance of the information. At the same time, the whistleblowing management system should provide for an assessment of the risk of detriment to and the level of protection and support required for whistleblowers and others involved (for instance, witnesses and subjects of the report).
iii. Addressing reports of wrongdoing
The whistleblowing management system should provide for an impartial and timely investigation, as well as effective and timely protective and support measures and monitoring as appropriate for the whistleblower and others involved. Those protective measures can prevent and contain, as well as remediate detriment. The subject of whistleblower protection has received extensive attention globally considering that the fear of detrimental conduct has been established as the biggest deterrent toward effective whistleblowing. The Organization for Economic Cooperation and Development (OECD) provides expansive guidance on the subject of whistleblower protection and the resources are freely available on its website.
However, popular whistleblower protection strategies include:
- Protecting the identity of whistleblowers, witnesses, subjects of a report and other interested parties.
Whistleblowing is the act of reporting, in the context of the workplace, actual or suspected wrongdoing that could be unethical, illegal or dangerous, and that could have already happened, is presently happening and/or will likely happen in the future.
1. Sharing information on a strictly need-to-know basis.
2. Providing support throughout the process, including regular communication, with special consideration and systems towards vulnerable people (for example, children, young people, migrant workers, those with mental health issues or learning difficulties and older persons).
3. Changing workplace or reporting arrangements.
4. Warning subjects of the report or other interested parties that detrimental conduct or breach of confidentiality can be a disciplinary offence.
An outstanding example of dedicated whistleblowing legislation is the EU Whistleblowing Directive that came into effect on 17th December 2021. All legal entities in EU member states with 50 or more workers must establish internal reporting channels under the Directive. However, the minimum threshold (of 50+) does not apply to regulated entities in the financial services sector or those vulnerable to money laundering or terrorist financing, which are required to have reporting channels regardless of their size.
iv. Concluding whistleblowing cases
Concluding a whistleblowing case designates the end of the processing of the report of wrongdoing. A whistleblowing case will move into the concluding phase where no action is considered necessary in response to a report, where fact-finding determines that no further investigation is warranted, where the report is referred to another process to be dealt with, or at the end of any investigation (whether or not wrongdoing is found).
The whistleblowing management system should provide a mechanism to close investigations and take action in response to recommendations and decisions based on the outcomes of the addressing step above. It should also ensure that protective and support measures can continue and will be monitored as appropriate. Outcomes may be used for management reporting, organizational learning and other actions (for instance, mitigation remedies).
As is customary with ISO Standards, the requirement for ongoing performance evaluation of the effectiveness of the management system is provided for in this Standard. This evaluation calls for the conduct of internal audits at planned intervals to provide information on whether the whistleblowing management system:
• conforms to the organization’s own requirements and the recommendations of this Standard.
• is effectively implemented and maintained.
The role of the organization’s Internal Audit function is to provide independent assurance, advice and insights on the design and operating effectiveness of the system of internal control, including the effectiveness of the organization’s whistleblowing management system. If the Internal Audit function is directly responsible for any of the four key steps described above, then consideration for outsourcing an audit of the whistleblowing management system should be made.
Kariuki Kamwene, CRMA, CIA, CFE is a Director at Speak Out Hotline Service Limited.