With whistleblowing being a hot topic due to the upcoming EU Directive, we interviewed Miikka Karimo, an experienced corporate security, risk management and investigation professional with a versatile background working for organisations such as Europol, Novartis and GSK. In this blog post Miikka will share his views on the whistleblowing topic with examples from his own career.
Introducing Miikka Karimo to our readers
I am a 48-year-old returnee who has investigated and analysed a variety of crimes and misconduct in more than 30 different countries over the past 20 years. Having worked as an investigator in both the public and private sectors, I lately set up my own consulting office, which is responsible for managing organisations’ information sourcing needs for risk management.
Before moving back to Finland, I worked as an advisor in Corporate Security at one of the biggest Swiss pharmaceutical companies. My role covered investigations of whistleblowing reports and for the last few years, I was also responsible for internal investigations and audits related to the quality and regulatory compliance of the vaccine manufacturing division.
Why do organisations need whistleblowing reporting channels and for what purposes?
The easiest answer is, of course, the EU directive. The Nordic Business Ethics Survey 2020 (NBES), compiled and just published by Niina Ratsula and Anna Romberg, gives suitable examples that highlight the need for whistleblowing reporting channels. For instance, according to the study, in Finland, about 56% of the organisation's personnel fail to report the wrongdoing they have detected. One of the reasons for this is concern over their own job security and thus fear of retaliation against the reporter. This same finding is also at the heart of the EU directive. The results of several different studies show that early detection, reporting and handling of whistleblowing cases reduce the costs of wrongdoing.
A whistleblower reporting channel is part of an organisation's overall whistleblowing and follow-up management system (management system for misconducts) and therefore does not in itself meet the requirements of the EU Whistleblowing Directive. When choosing a whistleblowing platform, the requirements set by the entire reporting and follow-up process should be taken into account. For example, if an organisation decides to implement an electronic reporting channel that does not have the features to support the follow-up action procedures, they must be designed and implemented in a secure manner by other means.
How many and what kind of whistleblower reports can organisations expect to receive?
Currently, no research has been conducted in Finland that has unequivocally clarified this issue. References can be obtained from the annual reports of listed companies that publish the number of whistleblower reports they have received. For example, Nokia stated in its 2019 report that it received 994 reports of wrongdoing, of which 289 led to an investigation. Nokia employs approximately 100,000 people worldwide, so their number of reports can be estimated at approximately 10 accounts per 1,000 employees, of which three are escalated into an investigation. However, the number may vary depending on the company’s industry, region and level of regulation. However, Nokia’s reporting rate is similar to the U.S. study “Evidence on the Use and Efficacy of Internal Whistleblowing Systems” published in 2020 (approximately 13 per 1,000 employees), which used nearly 2 million cases reported to more than 1,000 companies.
The content of reported misconduct ranges from financial fraud to violations of internal guidelines and discrimination or harassment in the workplace. Not all reports made are likely to fall within the scope of the directive, which should be considered when designing an organisation’s whistleblowing policy.
How to carry out a successful whistleblower driven investigation?
Although the misconduct is often reported by a single whistleblower, there are several others who are aware of the issue and are observing how the situation is being handled by the organisation. An investigation that is generally accepted as diligent and perceived as fair shows the organisation’s commitment to its values and has a good chance of improving the organisation’s working culture.
If I had to pick the three most important aspects describing whistleblower-driven investigations, those would be confidentiality, objectivity, and diligence.
Confidentiality is of utmost importance for building and retaining trust in the entire whistleblower management system. Therefore, confidentiality has to be maintained throughout investigations.
The whistleblower’s identity should not be revealed without consent, nor should it be possible to deduce the identity directly or indirectly from any other information. A situation may occur where further investigation requires disclosure of the source and thus can lead to case suspension unless investigators can find an alternative approach to the issue.
Objectivity increases credibility that the whistleblower management system is fair and free from corruption. It can be achieved by ensuring that investigation processes and reporting lines are transparent, and investigators are perceived as independent, impartial and free from conflicts of interest.
Within the framework of objectivity, one of the investigators’ worst enemies is an unconscious “confirmation bias”. It is a person’s general tendency to seek, interpret, favour, and recall information in a way that confirms or supports one's expectations. Professional investigators can take that into account and use specific techniques or arrangements to break this bias.
Diligence improves the whistleblower management system’s capability to intervene in misconduct. An investigation that is considered to be diligent also increases the stakeholders’ and the whole staff’s confidence in the results and improves the perceived image of the professionalism, objectivity, and fairness of the process.
A diligent investigation starts with careful planning that considers available information, as well as the need for whistleblower protection and the given objectives. The investigation itself treats and consults all parties equally, transparently and without prejudice, and assesses the value of gathered evidence on the basis of reliability, integrity, and consistency.
Could you tell us one example investigation from your career?
An anonymous report of misconduct had arrived at the organisation through its whistleblowing reporting channels.
I was assigned to investigate the case and after communicating with the whistleblower, he/she agreed to reveal his/her identity and provided additional information on both the suspected misconduct and the prevailing working environment (location in Eastern Europe). According to the whistleblower, the head of the department had committed financial embezzlement together with his closest subordinates and was perceived as hostile to his other subordinates, who were not involved in the misconduct.
I knew from experience that as an external investigator, I would only be involved for a short time, so the investigation on the site had to be effective, thus carefully planned and prepared. In the planning, particular emphasis had to be placed on the protection of the whistleblower and a swift finalisation of the case. This is because from the point in time the investigator appears on site, sudden additional interest in the case increases the risk of the whistleblower being exposed. Information had to be obtained discreetly, as much as possible in advance, from a wide range of sources and, in order to avoid selective reporting, preferably from personnel who were unaware of the issue altogether. It also was of utmost importance to identify any external actors involved in the case, mainly those who could provide further information either through documentation or interviews.
When I arrived at the location, it was once again clear that awareness of the case was widespread and at least some of the personnel knew about the whistleblowing report. It also became clear that the indicated suspect/s speculated who was/were behind the reporting. This increased the risk of suspects influencing, or taking other measures, against possible witnesses or even destroying the evidence. In this case, these risks became reality.
However, in line with the investigation plan, I had managed to collect most of the written evidence available internally in advance. Therefore, on the site I only needed to further increase my understanding of the events, mainly through documents (receipts) obtained from outside of the organisation and related supplementary interviews. Moreover, all staff members were interviewed in the same manner and in order to protect the whistleblower, the issues found were not cross-used to gain further information.
The personnel interviews were successful, and together with external statements and collected documentation I was able to put together indisputable evidence concerning the misconduct without revealing the identity of the whistleblower to the suspects. Interviews also revealed the suspects’ attempts to influence staff members to give false statements. The result caused immediate dismissal of the perpetrators and the case was transferred to the legal department in order to seek compensation through the court.
Confidentiality > Disclosure of the identity of the person who reported the misconduct would likely have led to some form of retaliation by the indicated head of department, so the crucial testimony was acquired from outside of the organisation, from people who the director in question had no power over. All staff members were interviewed using the same pattern of questions, to make it more difficult to identify the whistleblower.
Objectivity > The case was investigated by an impartial external investigator who interviewed all parties equally and sought comments only on evidence gained from documentation or external interviews. The investigation also ensured that the external service providers would not suffer any harm by giving statements related to the case. This was to ensure that their statements could not be easily influenced.
Diligence > The organisation was committed to investigating the reported misconduct and even though the conditions for the investigation were challenging, it was effectively completed. The importance of the evidence gathered in advance was crucial in solving the case as it ensured that no evidence could be destroyed or modified. The importance of the acquired evidence was assessed together with the organisation's 'investigator-in-charge' and other persons responsible for the case.
What advice would you give to organisations that are still considering their options with whistleblowing channels?
Compliance with the EU Directive
When choosing an electronic whistleblowing channel, it must be ensured that the software meets the requirements of the Directive for secure and confidential reporting to all parties, as well as procedures for follow-up. The platform should also allow the acknowledgment and feedback of the report to the whistleblower, as well as two-way protected communication to obtain additional information about the case from the whistleblower.
In addition to the requirements of the directive, the organisation needs to consider how the characteristics, functionality and usability of the whistleblowing platform support its reporting process. This has to be done in accordance with the organisation's whistleblowing policy and code of conduct and the diligent, impartial and independent follow-up actions, decision-making, reporting and monitoring.
Appropriate software can support the whistleblower management system’s confidentiality by ensuring that associated person registers are secure and only authorised personnel are allowed to access the data. Moreover, objectivity and diligence can be enhanced for example by including software with mandatory checks for breaking “confirmation bias” and guidance for conducting investigations.
Effectiveness of the system
The design and implementation of a misconduct management system should also take into account the reasons that reduce the reporting of detected misconduct. Based on the results of the NBES, the system, and in particular the whistleblower channel visible to the reporter, should send a strong message that:
- Whistleblowing concerns everyone and has a clear impact
- Every report is acknowledged and does not cause retaliation or endanger the whistleblower’s job
- The misconduct management system is secure and guarantees the confidentiality of the whistleblower's identity
- The system operates diligently, impartially, and independently (e.g. from the organisation’s own IT department), and allows for the reporting of all individuals, including management and the board of directors.
- The system provides information and advice to identify and report misconduct and to check whether such a case has already been reported or is already known to the organisation.
The findings of NBES on the reasons for non-reporting are broadly in line with, for example, the European Commission's report on corruption, which was used as the background material for the Directive. The main differences of the latter study are the whistleblower’s perception of the difficulty of proving misconduct, and the wrongdoer being left without consequences. Hence the organisation, with its misconduct management system, should also:
- Assure the whistleblower of its ability to successfully investigate reported misconduct and ensure that wrongdoers receive the perceived fair consequences of their actions.
The misconduct management system can also be associated with other information systems and processes and hence create a ready-made model for the secure reporting, collection, processing, storage, management and reporting of confidential information.
When deciding on the selection criteria for the whistleblower platform, the organisation should assess its need for a multi-purpose solution that can also be used for other types of information collection, management and analysis, for example:
- complaints related to products or services
- events related to occupational safety and near miss situations
- detection and investigation of counterfeit products
- internal and external auditing
- customer feedback
- other types of observations stakeholders wish to report confidentially
An appropriate system can also be used to gather information about various security incidents from outside the organisation, such as phishing for personal and login information via email or telephone.
Exceptional circumstances may create the need to reassess and prioritise an organisation’s known risks and controls, and to quickly identify new risks arising from a crisis. A well-designed and implemented misconduct management system can also be used in crisis management, which often emphasises efficient and confidential data collection and management in fast-paced decision-making.
If you want to contact Miikka, you can visit his website at https://www.exse.fi/. He can help your organisation set up a whistleblowing management system including the required policies and processes.
If you're looking for a whistleblowing solution that is hyper easy-to-use, ticks all the boxes for anonymity, protected dialogue, has built-in workflows for multiple use cases and more, have a look at our incy.io | Whistleblowing module and contact us for more information!