More and more organisations around the world decide to implement whistleblower software, which on the one hand is an understandable response to legislative changes, and on the other hand it also reflects the positive attitude of managers, since everybody wants to prevent abuses in their organisations. Whistleblowing in the workplace and whistleblower solutions are beneficial for both the organisations and the employees, and moreover, such systems are gaining more and more emphasis in both the public and private sectors.
In our previous blog post, we explored the concept of whistleblowing and the Whistleblower Directive. In this article, let us introduce the whistleblower software and its relation to organisational integrity.
There are many laws that make the use of whistleblower softwares mandatory, but there is also a wide range of organisations that, at their own discretion, voluntarily undertake to operate according to certain ethical and moral rules and provide the opportunity to report any incidents via a whistleblower system.
Basically, whistleblower software can be divided into two groups.
Internal reporting channels: with the help of these platforms, the user can notify the organisation affected by the abuse, via for example an employer whistleblower software. Depending on the regulations and the decision of the organisation, these whistleblower platforms may be completely closed or available for external reporters as well.
External reporting channels: whistleblower systems in which reports are received by a state body. In such cases, the organisation will not be authorized to conduct an investigation, establish deficiencies or determine the consequences, thus it loses control over the case.
It is clearly in the interest of all organisations that whistleblowers use the internal reporting channel, so that the case and the investigation itself can be kept under control.
What is abuse, organisational integrity, and Code of Conduct?
Different laws and regulations allow different events to be reported; some of them are specialised for reporting abuses, some for breaches in ethics, and some for incidents related to the integrity of the organisation.
What does integrity mean?
In the public sector, integrity is defined as the regular operation of the (state administration) body in accordance with the objectives, values and principles set by the head of the official organisation and the governing body. Of course, this includes operating according to positive moral values, legality, and good faith, which form the basis of everyday operations.
Integrity and ethics are also extremely important in business life, which means that the business organisation believes in fair competition and lawful operation, and it respects its business partners. It means fair conduct in business competition, as well as discreet handling of business secrets, protected data and confidential information.
The reason for the creation of the Code of Conduct is primarily to define positive values that the organisation actually adheres to on a daily basis, and to reflect the attitude of managers and other employees to the world. You don’t necessarily have to think about world-changing things here, just generally useful principles such as non-discrimination or the obligation to resist inappropriate influence attempts.
In summary, any event that deviates from the laws applicable to the organisation, as well as the organisational objectives, values, principles and operation defined by the owner and the managers, violates organisational integrity, and therefore constitutes abuse.
An employee who intentionally, directly or through an intermediary, requests or accepts any advantage, whether for himself or a third party, or accepts the promise of such an advantage in order to avoid acting or abstaining from his duty, violates integrity and commits abuse.
How can employers benefit from using a whistleblower software?
From a manager’s point of view, it is essential to be sure that things within the organisation are running normally and legally. A healthy relationship with employees, as well as the establishment of appropriate organisational culture and personal relationships will help in this, however, these might not be sufficient in the case of large organisations.
Any abuse, if it becomes public, can be fatal from a financial point of view and from the point of view of the public perception (PR) of the organisation, therefore, it is crucial that, if this has already happened, the organization should be the first to be informed of the incident, so that it can be remedied without being seen, in-house, without the organization suffering any damage.
However, if someone experiences abuse as an employee or a contractual partner, it is very difficult to report it personally to the competent authority, even if it is motivated by the greatest goodwill. Usually, when someone reports an abuse that they have personally experienced, they do not want to harm the person who committed it, but act out of sympathy for the organization or its employees that suffered damage. In many cases, the whistleblower also feels uncomfortable about whistleblowing, despite the fact that he has nothing to do with it and only wants to help the organization.
An effective whistleblowing policy and a whistleblower software can help in this, which ensure that a report can be made anonymously and confidentially, thereby avoiding the embarrassing situation that personal whistleblowing would entail.
An important aspect when considering the introduction of whistleblower software is that the possibility of reporting is very dissuasive, since if there is a safe reporting channel, then anyone who plans to commit abuse can realistically count on the fact that if a colleague or business partner notices it, they will definitely report the incident. This is similar to the psychology of security camera systems: they scare the potential perpetrator away from committing a crime.
How can employees benefit from using a whistleblower software?
These platforms have only positive returns for the employees as well, as there are few situations more damaging to workplace morale than honest employees finding their fellow workers receiving undue advantage or resources via abuse.
Employees prefer to work in a healthy, legally functioning organization, whether it is in the private or public sector. This also includes the possibility of reporting employee abuse through a secure whistleblowing channel.
It can be seen that regardless of the legal obligation, the use of whistleblower software has only positive returns for both employees and managers. Only those who want to commit abuses or acts that violate the integrity of the organization are adversely affected by the operation of the platform.
What makes it a “system”?
When we talk about receiving and investigating whistleblowing, we have to think at the system level, because if an organization provides the possibility to report suspicious acts or creates a Code of Conduct, it will not yet function as a system.
In order for the whistleblowing procedure to work effectively, the focus must not only be on receiving and handling reports safely, but also on ensuring that the investigation proceeds in accordance with the law and that all rules are followed.
The main elements of creating an effective whistleblower system:
- Creation of whistleblower channels, which not just enables anonymous reporting but also ensures that personal data are handled confidentially. In order to ensure this, it is necessary to implement a closed, GDPR-compliant system, which, if possible, does not operate on the organization’s resources. For example, compared to a plain e-mail address, it can be objectively ensured that only those authorized have access to the information related to the whistleblowing within the organization.
- Preparation of documentation that precisely defines behavioural and ethical standards, procedural rules related to the investigation of reports and possible sanctions. The preparation of the various procedures is always the most difficult part of the process, however, everything shall be based on strictly defined rules that are familiar to everyone involved.
- During the investigation, full compliance with the legislation and the rules of the area affected by the whistleblowing must be ensured. Because legality can only be ensured if the investigation complies with the procedural laws governing it, as well as with the related professional rules, depending on the subject of the abuse.
- After conducting the investigation, it is necessary to prepare the closing document, to take the necessary actions to eliminate the abuse, and to inform the whistleblower and comply with the administrational obligations.
From the above, it can be seen that the creation of a whistleblowing channel or the setting of regulations alone will not ensure that the organization maximizes the benefits of the whistleblower system, however, Whisly supports all of the above tasks so that organizations are able to receive and investigate reports independently. By using Whisly, there will be no need for outside assistance in operating the whistleblower software.
Whistleblowing in the workplace
The introduction of whistleblowing softwares in the workplace, which provide employees with the opportunity to report, are extremely popular worldwide, even in the absence of a legal obligation. Such ethical and moral rule systems, on the one hand, lay down the principles and behavioural expectations that the organization imposes on its employees, and on the other hand, they contain the related procedural rules.
In addition to the rules of conduct, it is therefore also necessary to define the procedure for reporting and investigating acts that violate the Code of Conduct, as this is the only way to ensure uniform treatment and to make the responsibility system transparent for employees.
Thanks to the EU Whistleblowing Directive, these whistleblowing systems will be mandatory in all larger European organizations in the future, which, according to the expectations of the legislators, will lead to a more transparent business life for the benefit of both employees and shareholders.
How to investigate a whistleblower report?
Organizations that have not previously operated a whistleblower software are in a more difficult position at the beginning because there will probably be no, or only few people who have deep knowledge and experience with regard to the establishment of a whistleblower system or the investigation of reports.
While designing our whistleblower software, our primary goal was to support these organizations as well to provide them with resources to gain necessary experience, so we created our unique task management system.
When someone makes a report through Whisly, a case is automatically created in the admin system, and simultaneously, the following tasks that may be necessary to investigate a report are generated as well:
- Confirm to the whistleblower that the organization has received their report, started investigating it, or rejected it for some reason.
- Examine whether the report was made by a person entitled to do so, and whether the case in which the report was made is actually reportable. In particular, if a law allows for reporting, it is necessary to check whether the reported action falls within the scope of the legislation.
- Examine the available evidence, if necessary, conduct an accounting, financial, legal or other investigation in order to detect possible abuse, take notes of the hearing of the parties involved.
- If necessary, involvement of external authorities.
- Preparation of a closing document and sending the extract to the whistleblower.
- Conduct procedures to establish legal consequences within the organization, if necessary.
- Take the necessary measures to prevent abuse in the future.
- Fulfilment of retention and registration obligations.
After the investigation, it is necessary to record and retain all relevant information, so that the necessary evidence is available during any subsequent official or judicial procedure. In the case of employee abuse, it is particularly important that all related data be available during the statute of limitations, as they may be necessary in an employment lawsuit as proof of the employer’s termination of employment.
Providing the necessary expertise
Depending on the topic of the report, experts in a wide variety of fields may be needed to investigate it in an orderly and discreet manner. Both the legislation and related standards expect an independent person or organizational unit to investigate the reports, as impartiality can be ensured in this way.
In each case, it must be investigated whether it is needed to involve an external professional, or whether all such expertise is provided in-house, which is necessary to carry out the investigations and to ensure compliance with legal and procedural rules.
Our whistleblower software helps with this with its advanced task manager (internal CRM system) that acts as a model for users by providing a sample workflow for investigating each case, identifying the most important tasks. Compliance with the legislation related to the investigation of reports is therefore directly supported by Whisly, so if expertise related to the area affected by the report is available in-house, there is no need to involve an external professional.
In addition to the recommend default tasks, any additional tasks can also be recorded in Whisly, so that tasks that may arise can also be administered in one place. Just like in Trello, Monday or any other trendy task manager programs, each task has its own e-mail address, so e-mails can be sent directly via these addresses. In addition, users can also set reminders for individual tasks or attach files, and we provide sample documents, which can be filled automatically, so Whisly functions as a real whistleblowing one stop shop.
GDPR, and protecting the identity of the whistleblower
It is clear that during the entire procedure, the primary duty of the organization is to keep the identity of the whistleblower confidential, the violation of which will certainly have serious consequences. Based on the EU Whistleblower Directive, the organization can expect to be fined if the identity of the whistleblower is made public, but adverse legal consequences can be expected in case of negligent handling of any report.
The personal data of the whistleblower shall not only be kept confidential in the light of the laws governing the receipt of reports, but in accordance with the GDPR as well. If the reporter’s personal data is handled improperly by the organization and, as a result, its confidentiality is violated, the data controller can most likely expect a fine from the data protection authority.
The protection of the whistleblower’s data must therefore be of utmost importance during the entire process, which Whisly supports by enabling the receipt of reports through an encrypted channel, and by storing the case data encrypted. Since we are considered an external service provider in relation to the organization concerned, we can objectively ensure that only those authorized can access the data.