Why Whistleblowers Matter
Every board of directors depends on a stream of reliable information to fulfill their oversight role. A whistleblower program is a tool for directors to access information that would otherwise not reach the boardroom.
Whistleblowers give the board a window into what is happening inside the organization. But for whistleblowing to work properly - so that both the whistleblower and the accused person are protected – the program must be handled with care. The board plays an important role in establishing broad guidelines and ensuring that a secure system protects data security and privacy.
If your board is considering implementing a whistleblower program, what should you think about before making a decision to proceed? Let’s explore why and how to implement a whistleblowing program, and what the board can do to oversee it properly.
What’s a whistleblower?
Whistleblowing is the act of reporting suspected wrongdoing, mismanagement, or unethical conduct in an organization. Generally, it involves an individual reporting information they believe reveals activities that are against policy, laws, ethics, safety standards, or other rules and expectations.
The term “whistleblower” describes a person who calls attention to a questionable activity to try to have it brought to an end. Typically, they are inside the organization, but they can also be someone outside the organization who reports on its conduct or that of one or more of its employees.
Whistleblowers and the law
Whistleblowing can be a cornerstone of corporate governance as it allows employees to anonymously disclose questionable matters to help prevent fraud and misconduct. Still, the legal underpinnings are inconsistent and, in some cases, pretty shaky.
The legal environment surrounding the topic of whistleblowing differs significantly according to the type of organization your board serves and the jurisdiction(s) where it’s located. Zeroing in on my own country, I’m sorry to say that Canada is known for having some of the world’s weakest whistleblower protection. The US, UK, Australia, and the EU all have far more stringent statutes and regulations than Canada.
There’s a patchwork of protection provisions for whistleblowers under Canadian law, including the Competition Act, the Public Servants Disclosure Protection Act (PSDPA) , and a securities regulation called National Instrument 52-110 that applies to companies listed on a stock exchange. But there are many gaps in the legislation, leaving Canadian whistleblowers mostly unprotected by statute. As a result, those who speak up about wrongdoing are often left high and dry, as you’ll see if you check out articles in the Resources section of this article.
Practical guidance that goes well beyond what is required in Canadian law is available from standards and guides such as the ISO 37002 Whistleblowing Standard or CSA Whistleblowing Systems – A Guide. And a quick internet search will reveal a number of whistleblower systems available for purchase.
Here’s why whistleblowers matter …
A speak-up culture
With such a weak regulatory foundation, why bother with a whistleblower program at all? It turns out that an effective whistleblower program can deliver benefits such as:
- Identifying potential harm. Whistleblowing has proven to be an effective method for identifying activities that could potentially harm an organization, the public interest, or the environment. With the information gained from whistleblowing, an organization can prevent some of this damage from occurring in the first place.
- Stopping problems from escalating. Whistleblowers are like early warning systems for organizations. The harmful activities might already be underway, but whistleblowing allows the organization to put a stop to them before they get completely out of hand.
- Reducing losses due to fraud. Whistleblowers are the first line of defence against fraud because they are the eyes and ears on the ground. Whistleblowers detect things much sooner and more reliably than a computer system, and they detect behavioral changes that algorithms don’t.
- Promoting a safe workplace. By encouraging employees to report safety violations and workplace hazards, a whistleblower program helps prevent workplace injuries and supports a safer working environment for everyone.
- Encouraging a speak-up culture. The very existence of a whistleblower program supports a culture where employees feel safe voicing their concerns. This kind of “speak-up culture” promotes trust in management and strengthens employee engagement.
- Preventing unwanted media attention. By setting up a whistleblower program that builds trust over time, people will feel safe to speak up internally first rather than posting their concern on social media or going straight to a regulator.
- Sending a message about integrity. Adopting a whistleblower policy and establishing an effective program signals to employees, stakeholders, and the public that your organization is open to hearing concerns, demonstrating that you value transparency and accountability.
Make sure you have an effective program.
“Organizations must understand that the success of their whistleblower system depends upon employee trust. Protecting whistleblowers through anonymity and confidentiality is an essential element in this.” – Sandy Boucher, Grant Thornton LLP
Not all whistleblowing programs deliver the desired results. Before implementing a program, make sure it will address the operational, cultural, and emotional barriers.
- Operational barriers. If employees don’t know what to look for and what to do about it when they see it, the program will be useless. If hotlines don’t work smoothly, no one will use them. If their first report is ignored or gets lost, whistleblowers won’t persist – they’ll simply shut down.
- Emotional and cultural barriers. Whistleblowers are commonly viewed as snitches or gossips. Even though people recognize that reporting what they know would be good for the organization, nobody wants to be labeled as disloyal.
- Fear. Potential whistleblowers often fear the repercussions of reporting what they know. Areas such as legal protection, fear of trouble, and potential dismissal all play a part when a person is considering blowing the whistle.
To help address barriers like these, the most effective whistleblower programs have certain characteristics in common.
- They protect the confidentiality of whistleblowers.
- They define the grounds for a valid whistleblower complaint.
- They establish an investigation and reporting process independent of management.
- They ensure the program is communicated regularly and well-understood.
- They ensure all valid complaints are investigated.
What’s in a whistleblower policy?
A whistleblower policy encourages employees to come forward with credible information on violations, specifies that the organization will protect the individual from retaliation, and identifies the parties to whom such information can be reported. The Resources section below provides links to a couple of sample policies.
As a general guide, your policy should include at least the following provisions:
- Purpose Statement. Connect the policy to the organization’s broader commitment to transparency, accountability, ethical conduct, and legal compliance.
- Responsibility to Report. Make it an affirmative responsibility of employees, officers, and directors to come forward with credible information on illegal practices, violations of organizational policies, or unethical conduct. The policy should encourage reports based on suspected violations, establish there will be no penalty for submitting a good faith report, and prohibit reports made maliciously or in bad faith.
- Designated Person(s). Designate an individual (or individuals) responsible for implementing the policy and investigating claims.
- Confidentiality. Specify how data obtained through whistleblowing, as well as the identity of whistleblowers and accused, will be protected.
- Anti-Retaliation. Protect whistleblowers acting in good faith from harassment, retaliation, or adverse employment consequences, and extend the same protection to those who cooperate in a whistleblower investigation. Specify how instances of retaliation will be dealt with.
- Reporting. Identify the parties to whom reports can be made. Multiple reporting options - including outside parties, a hotline, or web forms - are ideal.
The role of the board
One of the primary ways to promote an ethical culture is to have an effective code of conduct in place. This one step alone can dramatically reduce fraud in organizations. The tone at the top - how senior management adheres to the code of conduct - dictates how healthy the ethical culture is. A whistleblowing program can be seen within the context of the organization’s code of conduct.
As is the case with the code of conduct, the board gives guidance to management on whether they want to see a whistleblower program established, outlines the broad strokes of what the program should look like, and provides oversight of the program once it’s implemented.
Management then goes on to develop and implement the program, with continued oversight from the board. As you can imagine, a successful process relies on a high level of trust between the board and their management team.
In many cases, the board delegates oversight of the whistleblower program to a committee. Audit committees in particular often play an important role in defining clear expectations around systems to mitigate the risk of fraud and misconduct. Relevant policies for audit committee review include code of conduct, anti-fraud, anti-corruption, whistleblowing, and hiring policies.
The board – or the relevant board committee - should probe to determine whether risks are dealt with appropriately, management is engaged in the process, and employees are aware of how they can react if they suspect fraud or misconduct. Board oversight includes receiving reliable evidence that:
- A whistleblower policy has been developed, approved, and implemented.
- The program is compliant with any applicable legislation or regulations.
- The program provides adequate protection for both the whistleblower and the accused.
- Information is properly secured and privacy is protected.
- Thorough investigations take place and follow-ups are made.
- Reports are received and reviewed on a regular basis.
Questions for Savvy Directors
In fulfilling your oversight role, don’t shy away from asking questions about the information you’ve received. There’s no right number of whistleblowing concerns to expect - a low number may indicate a lack of trust while a high number may indicate a speak-up culture.
The following list of questions may be helpful.
- Do we have a robust policy that meets best practices?
- Does our policy make clear that it is safe and acceptable to raise concerns about wrongdoing?
- How were the procedures arrived at? Was it a consultative process?
- How are procedures communicated throughout the organization, not just at the start, but on a regular basis?
- How do we ensure all employees understand the program, trust it, and know how to use it?
- Do management and employees buy into the process?
- How do we ensure management understands that employees and others have the right to blow the whistle, and that they know how to act if a concern is raised?
- How do we ensure that the person to whom concerns are disclosed has the authority and determination to act?
- How might independent advice help to strengthen the program?
- How do we ensure that all reasonable steps are taken to keep the identity of whistleblowers confidential and prevent their victimization?
- What are the multiple channels for raising concerns?
- How many whistleblowers raised concerns openly vs. anonymously?
- How long does it take us to respond to the concerns raised?
- What was the experience of the whistleblowers who used our channels?
- What have we learnt from whistleblowers?
Your takeaways:
- A whistleblower program may be required in your jurisdiction or your industry. Check with your legal counsel to confirm.
- Even if it’s not required, you might want to support a speak-up culture and reduce fraud through a whistleblower program.
- If you do establish a program, make sure it protects both the whistleblower and the accused.
- Even though it’s up to management to implement and administer the program, the board has an important oversight role to play.
- Fulfill your oversight role with a few probing questions.
Resources:
- ISO 37002 whistleblowing standard – what organisations need to know. EQS Editorial Team. Integrity Line. March 2023.
- An ethical workplace culture can prevent corporate fraud by aiding whistleblowers. Richard Fontaine, Hanen Khemakhem, Nadia Smaili and Mahbub Zaman. Canadian Accountant. October 2022.
- Canada needs to get serious about whistleblower protections. Here’s why. Micah Toub. CPA Canada. April 2020.
- Australia has new whistleblowing laws. Now for the governance. Lachlan Colquhoun. CPA Australia. October 2019.
- Towards a New Standard for Whistleblower Protection. Sandy Boucher. ? 2018 Grant Thornton International Ltd.
- Whistleblowing Systems – A Guide. ? 2016 CSA Group.
- Whistleblower Protection Policy Sample. ? 2023 National Council of Nonprofits.
- Sample Whistleblower Policy. September 2020. Deloitte LLC and CPA Canada.
Join the global community of directors who have signed up for the early release of our bi-weekly blog. >> Click here
Thank you.
Scott
Scott Baldwin is a certified corporate director (ICD.D) and co-founder of DirectorPrep.com – an online hub with hundreds of guideline questions and resources to help directors prepare for their board role.
Experienced Board Director Seeking more Board opportunities, Internal Audit Guru, Entertaining and knowledgeable Educator, Advisor on Governance, Risk, Ethics, and Fraud,
1 年Such an important topic, thanks for raising it.
KBRS Partner and Governance Lead | Board Member and Chair | Non-Profit Founder |
1 年Thank you for this valuable synopsis. It’s a delicate board responsiblity but vital and needs full but discrete attention. Early and decisive attention to issues saves institutional reputation and integrity.