In our previous posts in this series we have covered what considerations you need to make if your organisation is qualifying for the new Whistleblowing directive, and how to determine if your whistleblowing channel is confidential. This time we will talk about how to select the right Whistleblowing solution for your organisation.
Before you go ahead and choose a Whistleblower tool, there are a few considerations you need to make. They are:
- Confidentiality of the information and data submitted with a whistleblower report.
- The threshold of reporting.
- Two-way anonymous communication.
- How to handle the investigation and direct reports to the right people in the right departments.
- Choosing a provider that can help you in the right way.
Let’s go through the points one by one.
The Confidentiality Factor
We know from the directive that the Whistleblowing channel should be 100% anonymised, and secure the confidentiality of the whistleblower reports, so that they can’t be traced back to the reporter unless they explicitly want this.
This means that developing such a solution internally might prove to be difficult. Why? Because developing it internally would mean that one or more people from the IT department would have access to the database and to critical information such as the contents of the reports and the IP addresses of the reporters. Therefore, organisations need to evaluate very carefully whether the channel they are planning to use truly complies with the confidentiality requirement in the directive.
Consider two different aspects in this regard:
- The whistleblower’s perspective. Would they find the channel you are planning to implement trustworthy? And do they perceive the solution provider as trustworthy?
- The IT security perspective. Is the channel completely anonymised and secure? And is the collected data hosted in the EU? Both of these requirements need to be fulfilled in order to comply with GDPR and the EU whistleblowing directive.
When you have the answers to these questions, you have a good baseline for what to look for in solutions regarding confidentiality. The next step is to look at factors that affect how frequently things are left unreported because of friction in the workflow.
Lowering the threshold of reporting
Another important aspect to take into account is the ease of reporting whistleblower cases. As with any other observation, the less friction there is, the more cases will be reported. A good example of a high-threshold solution is email, which at first glance seems like the simplest way of getting people to report malpractice. However, for an email to remain anonymous, the reporter would have to create a separate inbox that masks their identity. This additional step is an inconvenience for reporters, and it might lead to many wrongdoings not being reported.
We suggest that you find a tool that takes anonymity into account, has a clear user interface with relevant guidance and help texts, can be localised to the necessary languages, and works seamlessly on all devices. This makes the process of reporting easier and lowers the threshold so that anyone can report misconduct from any device at any time.
Once you have found a low threshold solution, think about how you are going to manage the two-way anonymous communication that is required in the investigation phase.
Enabling two-way anonymous communication
Once you have established a good process for people in your organisation to report, you need to think about the two-way communication process which follows a whistleblower case being reported. As per the EU directive, when a report is made a notice of arrival should be sent to the whistleblower within seven days of the report being sent and feedback on the report should be given within three months. Moreover, the channel should also support follow-up questions and discussions that are linked to the investigation.
Some companies might plan to manage whistleblowing with Google, Microsoft or some other online forms, but these run into the same problem we saw in the previous section. As all of these forms lack a built-in way of giving the reporter the notice of arrival or more information about the case, enabling anonymous two-way communication would again require the reporter to create an anonymous email inbox and link it to the report. This would again lead to a higher threshold of reporting and thus a lower volume of reports.
The way to manage this properly is to implement a dedicated whistleblowing solution that has built-in features to support anonymous communication. An optimal solution automatically creates anonymised credentials that whistleblowers use to sign in and follow the investigation process. This makes things easier not only for the whistleblower but also for the company, as the people who handle the reports can interact with the reporter and communicate the status of the report from the same platform they use to document the investigation.
Now that you know what steps are needed to secure the two-way communication flow, let's focus on how to make sure the reports always reach the right people.
Routing Reports To The Right People
To make the investigation phase effective, the relevant information about whistleblowing cases should be automatically sent to the right people in the organisation. One way of ensuring this is to categorise the cases based on their nature and then use this information to determine where the report should land. For example, when an HR-related report is made (e.g. about workplace harassment or bullying), it should get routed to the right people in the HR department. Or when a report regarding financial matters is made, it should get escalated to the right people in the Finance department.
To accomplish this, we suggest that you make sure that the solution you are planning to implement has built-in capabilities for categorising the cases. As an added benefit, the structured format can also help you to monitor the quantity of reports made on different topics, analyse and understand which are the most often reported cases, and inspect the close-out times on the reported issues based on their nature.
As a result of all of this, you will have a better understanding of what actions would be needed to lower the risk of the most commonly reported cases happening again in the future.
Choosing a provider that can help you
As we can see, choosing the right provider for your organisation’s whistleblower reports is incredibly important. You need to make sure that the channel is 100% confidential and anonymous so that the identity of the reporters is never compromised, has a low threshold for reporting, enables anonymous two-way communication and helps you forward reports to the right people in your organisation.
The solution provider should also be able to help you crunch the numbers, get a better understanding of the bigger picture and implement the solution swiftly for your whole organisation and necessary stakeholders. Ideally, the provider would also be able to help your organisation with other observation reporting processes (e.g. in safety, security and quality), so that end users don't have to get accustomed to many different platforms for different reporting needs.
We at Plan Brothers will be able to help you with all of this, so if you are looking for a solution provider who ticks all the boxes and requirements of the EU directive, have a look at our incy.io | Whistleblowing tool and contact us for more information.