Let’s consider a hypothetical story. You’ve noticed that the CFO of your company has accepted a bribe from a vendor in order to favour them in a big tender. You’ve thought about reporting it for a while now, but you are afraid of the consequences if somebody hears about it. What makes it more complicated is that the CFO is your manager’s manager, and you are pretty sure he is willing and able to retaliate against anyone who accuses him of wrongdoing.
Then the CFO does it again and again, and you decide you’ve seen enough. You open the web browser, navigate to the Ethical Principles sub-page of the company website and scroll to the whistleblowing section, if you can find one. After the typical “we value confidentiality” text, there’s just a simple website form to fill in. You enter the details of your findings, attach supporting documents and are about to send the report off into the ether.
But then you stop to think. Who actually reads the reports? The page says that the Head of Compliance and the General Counsel receive them. But you are pretty sure the IT department manages the form on the website. Will they see the report as well, or at least see where and when it was submitted? What if the CFO finds out that such a case has been opened? Can he pressure IT into checking the IP address the report came from, or even into removing the report altogether? Now that you think about it again, you are no longer sure whether you should blow the whistle after all. Would you?
Email and web forms are not compliant channels
Whistleblowing is not a new thing for financial institutions or for many publicly traded companies. What is new, however, is how the whistleblowing channel must be arranged in order to comply with the new EU Whistleblowing directive. Consider the following facts:
- An email inbox is not a confidential or anonymous channel
- A traditional website form is not confidential either
- A conversation via email is not a protected dialogue
- A shared email inbox is neither trustworthy nor secure
If your current whistleblowing channel relies on one or more of the arrangements above, we can assure you that your channel is not compliant with the directive.
The channel must be confidential
The directive clearly requires organisations to protect the identity of whistleblowers through confidentiality. For the whistleblower to trust that the channel is confidential, nobody except specifically designated people should have access to the reports.
Why aren’t traditional website forms confidential, then? Whoever administers the website can also see the data about where visitors are coming from: the web server records the source IP address and time of every submission. Unless your IT department are the ones who receive and investigate the cases, they shouldn’t even be able to view the IP address information of the reports. To protect the confidentiality of the report and the identity of the reporter, the channel must not be controlled by your own IT department, and access by non-authorised staff members must be prevented.
The channel must allow anonymity
Email is not an anonymous channel. Whistleblowers know this and would rather report their findings elsewhere. A shared inbox is even worse: it gives the reporter less protection, because more people can read the reports, and it creates more opportunities for leaks. Remember, it is the whistleblower’s choice whether or not to stay anonymous, but the choice has to be there.
The channel must be trustworthy
Whistleblowers who want to stay anonymous need to know who will receive their reports, so the recipients must be clearly defined. The directive also requires organisations to name and appoint a person or people with the right competence to manage whistleblowing cases professionally. A shared email inbox or a website form without clear information about who is on the receiving end is not enough.
The channel must contain an option for protected dialogue with anonymous credentials
Confidentiality and anonymity must be maintained throughout the lifecycle of the case if the whistleblower so wishes. This means that not only the original report but also all further communication with the whistleblower has to stay anonymous. Email is not suited to anonymous dialogue.
If you currently rely on an email inbox, a shared inbox, a website form or some combination of the three, it is nearly impossible for you to comply with the requirements of the directive.
If you're looking for an electronic whistleblowing channel that is in line with the new directive, ticks all the boxes for anonymity, enables real dialogue, has built-in investigation features and more, have a look at our incy.io | Whistleblowing module and contact us for more information!
We're a tech company with a passion for helping our customers adapt to the fast-changing VUCA world. We do that by developing easy-to-use SaaS products that make gathering, managing and analysing field information as easy as possible for end users. Remove gatekeepers, go horizontal and learn from your mistakes before they actually happen. More info at planbrothers.io