Encourage reporting and protect whistleblowers
Promote a speak-up culture. Establish a culture of free and open discussion. Support an open-door policy.
Help employees express their thoughts whenever possible.
Train employees to identify retaliation for speaking up.
Train employees to identify fraud and misconduct and how to report it.
Run culture, trust and fraud awareness surveys with a special section on whistleblowing.
Insert whistleblowing and speak-up into staff welcome packs and introduction training.
Establish a tone from the top respecting the importance of the ugly truth.
Establish zero tolerance and the most severe disciplinary sanctions for retaliation against whistleblowers or those who openly speak up. Showing a bad attitude towards whistleblowing as a cause should also be considered retaliation.
Protect confidentiality and anonymity
When it comes to whistleblowing, the trust of reporters is the key success factor. A company gains that trust through different actions, from secure intake of reports to fair decisions and remediation actions.
All messages should be kept confidential. Confidentiality is the best source of reporter protection and hotline promotion.
The company should:
- guarantee that all information will remain confidential and that no one except the designated investigation team and ethics committee will be informed about the existence of the report, the case or its details.
- train top managers and the investigation team to maintain confidentiality during investigations, interviews, document requests and reporting.
- establish responsibility for breaching confidentiality
- establish controls over information assets which store confidential information.
The best way to keep reporters protected is to let them stay anonymous. Anonymity is one of the ways to keep confidentiality.
The best way to keep reporters anonymous is to make sure that it is impossible to trace them (by phone, by digital footprints, by voice, by metadata). This can be achieved by engaging an independent third party such as Ethicontrol.
Third-party providers don't depend on the owners, management, security services and any other employees of a company.
Ethicontrol's autonomy allows us to call things by their proper names and not deviate from the main task of our company - preservation of reporters' anonymity and confidentiality.
The best way for Ethicontrol to protect whistleblowers is to know nothing about them and to be technically unable to uncover, log or analyse anything about them. That is why, as part of Ethicontrol's "Zero-knowledge policy", we designed the architecture of our system to physically separate the reporters' portal from the case management system. The reporters' portal does not collect any digital footprints and is script-free, meaning that reporters can use identity-blocking tools and still be able to use the whistleblowing tool.
Protect reported messages
All incoming reports (100%) must be registered, provided that they contain the minimum information necessary for the next steps.
There is no space for discussions about the risks of spam or a need for filtering of any kind.
The reporters' messages and other information should be protected from deletion and alteration. They should never be deleted. Even wrong or spam messages should be protected from deletion.
To the extent possible, there should be no barriers or intermediaries between a reporter and an investigation team. Most reporting channels should support the direct registration of reports without any human or manual involvement, except for the phone channel. Even for the phone channel, reporters should have the option to review the original transcript and provide more details on their own.
The best way to ensure the messages are protected is to pass control over them beyond the company. It is the company that has the greatest interest in hiding or altering the information. A reputable third-party whistleblowing provider is a guarantee that a company will not have any control over the data and that most of the risks concerning messages are covered.
Structuring instead of filtering
According to principle No 3, all incoming messages should be registered, provided that they contain the minimum information necessary for the next steps.
But how should one deal with messages:
- with wrongful information;
- with incomplete information;
- with non-understandable rubbish;
- with intentional and unintentional spam?
What if the capacity of a response team is not sufficient to deal with a massive volume of unreliable and unclear incoming information?
We believe that our clients should successfully deal with such challenges. And the ideal way is through training reporters.
Such training can be done live or through video explainers, posters, articles, and published policies and manuals.
You can also do it via a guided, step-by-step registration of the report. We suggest carefully drafting interview scripts and the web intake user experience, so that even a poorly trained whistleblower leaves a well-structured and useful message.
Continuous dialogue with the reporter and accountability.
Whistleblowing is effective when one side is assured it will be heard and the other is ready to listen.
Appreciate sincere reporters. The information we get is not always pleasant or in the interests of the company - still, every report has to be analysed and answered. Regardless of the company's decision, the reporter should feel that the company cares about its employees and takes all concerns seriously. By getting feedback, reporters know their future reports will be considered, so they are more encouraged to report.
Do not forget about the aftercare of those involved. Following up with a reporter should be standard practice. Reporters should be informed not only about the start of the investigation but also about its closure and results. Let the reporter know if any actions were taken - if not, explain why the company dismissed the report. If any delay takes place, it is normal to inform the reporters, so they understand the approximate investigation time.
This way, you manage the reporters' expectations and train them to be more efficient in the future by uploading relevant information and knowing the process.
Remember about retaliation. Some time after the resolution, you should connect with the reporter and inquire about any indicators of retaliation. Studies suggest that revenge is still very common and happens within the first three months after the case.
Effective communication relies on trust. The lack of transparency can quickly destroy trust, leading to the failure of your ethics management efforts.
Thus, the whistleblowing management system should operate in a clear, understandable and consistent way.
First, the whistleblowing hotline is not an IT system, a mailbox or a phone line. Primarily, a hotline is the response team - the responsible compliance officers - humans who care about integrity and people. The best hotline is a trusted compliance officer with an open-door policy.
It means that reporters should know the people standing behind the hotline and handling the investigations.
Secondly, reporters should know what will happen after the report submission, what they can expect and what they cannot.
Thirdly, everybody should understand how the allegations will be checked, who will judge, that there will be no subjectivity and that the decision-making process relies on evidence only. In other words, there should be a reasonable assurance that misconduct will be punished while everyone is protected from wrongful prosecution. Finally, the ethical decisions should correspond with the company values and be consistent regardless of the seniority or significance of the involved parties.
Fourthly, company employees should be aware of the results of a whistleblowing management system: report statistics, case outcomes and sanitised case studies.
To summarise, everything about whistleblowing and investigation should be open to reporters except for the information which is protected by privacy laws or may lead to retaliation risks.
Avoid conflicts of interest throughout the process: from registration to ethics decision
The registration of messages and reports should be independent of those responsible for the response.
In addition, there should be protection from self-review for cases when the reported incident contains information about the response/compliance team. For such cases, Ethicontrol recommends the Escalation procedure, which helps to bypass the default response team automatically.
The case should be resolved by persons who are not biased and not involved in the relevant process, allowing them to objectively and independently define facts and draw investigation conclusions.
Those who investigate cannot be witnesses or narrators of the investigation results.
Next, those who investigated the issue should not decide whether the wrongdoing has taken place or on the degree of guilt.
Prioritisation is an important tool in managing reports - you do not miss the urgent ones but also keep track of those that are less important at the moment.
Make sure you have a set of criteria to evaluate the case: it can be reputational damage, a threat to life, financial damage and more. Sorting out the cases will also help you manage your time. You will be given a limited number of days to finish the investigation and submit a report. Assigning a priority to a simple case can also ensure that the case is not forgotten and is evaluated, so the reporter knows the estimated timeframe.
Whole event life cycle in a single system
We built a system that allows tracking all the events and keeping a clear focus on them by using three components with one strategy.
Speak up / Whistleblowing communication platform. The reporters can use the platform to file their reports and later track the case's progress. With notifications, the reporter will always be aware of the updates on the case and be ready to provide additional information.
Ethics incident management. Incident management is a transitional step between whistleblowing and investigation. Here you decide how the case will be processed. Based on the internal procedures, the case will be assigned to a specific person within the company's department, following the typical investigation track.
Investigations & case management. The idea of a case management platform is to give you all the necessary tools for speedy and efficient investigation. You can communicate with a whistleblower within a case management system, create and resolve tasks, set up workflows, and delegate cases. To be impartial and investigate, you can build fact trees, check evidence, look up the perpetrator and more. The desired result is an increased rate of reports - trust in the system, and enhanced compliance in the company.
Involve non-compliance users.
You might need people outside of your team to accomplish the investigation and speed up the process in general.
We encourage inviting different professionals from other teams to share the experience and help each other with the case details. Accountants, HRs, managers - anyone can contribute to the process.
An investigation officer cannot be an expert in everything and should not be doing everything - the officer should take care to make the best use of their own resources. Thus, the officer should focus on his / her core competences: investigation strategy, methodology and team management, leaving the fact finding and number crunching to more suitable staff.
The investigation lead should not do the whole job. Most of the investigation tasks can be delegated to non-compliance participants, provided that confidentiality measures are taken.
Our platform allows running investigations with multidisciplinary/multifunctional teams with different access levels. We made this communication secure by creating tasks - it allows compliance officers to invite anyone to the investigation and, at the same time, limit their access rights.
Set due dates control
Reporters cannot wait for the response forever. Therefore, the response time should be reasonable irrespective of the deadlines set by legislation.
An overdue response means that the reporter is extremely unhappy and might be spreading negative emotions within the company or might speak up publicly, as guaranteed by law.
Thus, each report should have a due date set from the moment of registration.
The response team should control due dates for cases with different emergency levels, or it can be done automatically. With the Ethicontrol platform, you can mark the cases as highly prioritized or low priority, and the deadline will be applied automatically.
Deadlines are also crucial for notifying whistleblowers of the case's progress. It is both good practice and a legal requirement in certain countries. Ensure you have a standard follow-up procedure: every time there is a change in the case, you can notify a whistleblower.
When the due dates are set, the Ethicontrol platform will keep your cases organized automatically, and you will be reminded to react to highly prioritized cases. In addition, the efficiency and timeliness of your work will be shown in analytics so you can improve your response rate.
Validate and evaluate evidence
Regardless of their complexity, all cases have to be investigated with the same diligence and have reasonable grounds for taking evidence seriously.
Without evidence, the only choice is to ask a whistleblower for it - otherwise, the case has to be dismissed. Whistleblowers should be able to attach files or upload any other evidence in a suitable format while using the whistleblower's portal.
After getting the evidence, you as a compliance officer have to analyze it and leave only those pieces that are needed for investigation and are reliable (this is also in line with data minimization principles).
What are the steps to work with evidence?
- Set clear criteria for case materials to be considered as evidence.
- Differentiate between levels of evidence reliability.
- Make sure that the case is built on reliable evidence.
Only substantiated facts with verified evidence are taken into account.
In each report, you will find something to work with further in the case - facts. Statements of witnesses or general information from the report include multiple points to rely on - use single statements to formulate facts and evaluate them.
Make sure that the final conclusion is drawn from facts which were supported by reliable evidence.
Ethicontrol case management allows you to structure the facts by building a fact tree. The facts appear in the list progressively as you add them - later, you can use only verified facts for making a decision.
Standardisation and automation to increase productivity and fairness.
Each professional will see consistency in investigation approaches and reports and find a typical pattern.
When this happens, you may document repetitive tasks in an investigation programme or make a quality checklist. It will ensure the expected quality of your investigations, especially when you operate as geographically distributed teams.
Business rules or automation rules can be used to improve productivity and make sure that your SOPs have been adhered to. For example, you can set a standard rule for all the cases related to the same category or coming from the same unit.
Apart from Workflows and Automations, you can also use Procedures and Templates - all the features are available in the Ethicontrol platform and fully standardize your daily work.
Case report ready from the first day.
Make it a regular practice to fill in the case details whenever you get the updates from the whistleblower or come to a new conclusion.
Not only does it structure your work and leave nothing forgotten, but it also eases your tasks later. Everything you document about the case using the Ethicontrol platform later appears in the case report automatically when the case is registered in the system.
If you need to report on case progress regularly, you can download the report at any stage of the investigation and deliver it to your superiors.
Lack of a conclusion is also a conclusion.
The case can be finished only when you have enough information on it - case materials, evidence, facts, involved persons and responsible persons.
If you struggle to make a conclusion on the case, it might be that the case was not substantiated with facts and has to be dismissed.
The other way to overcome decision-making struggles is to go back and find what was missing in the case and what caused the uncertainty. Use lack of information in your favor - collect more evidence and master your investigation skills.
Fair decisions and sanctions
The investigation should lead to real actions so whistleblowers can report knowing the changes will follow.
Make sure you have a procedure to take action and penalize the wrongdoers - everything has to be documented and in line with the company's standard regulations.
You will need administrative and financial resources for fair sanctions and decisions. Additionally, the process of decision making should be free from conflicts of interest.
The decision has to be communicated to the whistleblower and the wrongdoer with all data protection measures taken. Decisions based on unverified facts may negatively affect a company's reputation and whistleblowers' trust - give this part of the investigation the attention and precision it needs.
Learn from violations
Sanctions on the wrongdoers do not necessarily mean that your company learned the lesson. Try to find the real cause of the event that triggered a violation instead of only penalizing the wrongdoers and reporting on the resources used for investigation.
Was it a lack of controls or personal retaliation motives? Or was it unfair treatment of employees that triggered harmful actions?
Every time you go deep and find the cause of violations, you increase the trust of your employees and learn more about their needs and weaknesses. Simultaneously, you protect your company from future risks.
Report on reports
Use the knowledge you got from the cases to analyze general trends and predict the outcome of future violations. Analytics and single case reports help you see the general picture. If you want to put conclusions into numbers, period reports can be used to report general trends.
With Ethicontrol, you can store all the reports in a single place and later use them to shape a new strategy for compliance.
Make it a habit to review the reports and find what is missing and what could be improved. Record-keeping is a requirement of all whistleblowing and financial regulations - you can rely on templates and keep your work organized at all levels.