ISO 37002 is the whistleblowing management system guideline planned for release this year. As the first ever ISO standard fully dedicated to whistleblowing management, the guidance is specifically focused on helping organisations set up a whistleblowing system so that they can handle the reports received effectively, and gain long-term value from having such a system in place.
Experts from WhistleB are involved in the development of ISO 37002, guided by ISO convenor Dr. Wim Vandekerckhove. WhistleB’s Jan Stappers interviewed Dr. Vandekerckhove to get his perspective how the standard will help organisations create transparency, trust and an ethical culture through their whistleblowing systems.
“We don’t need more whistleblowers. We just need to be better at listening to the ones we already have.” Dr. Wim Vandekerckhove.
1. Tell us a little about yourself, Wim. I’m a Professor of business ethics at the University of Greenwich in London. My research is on the institutional aspects of whistleblowing and my wider research is on the trustworthiness of processes and procedures in organisational settings. I am a co-director of CREW, the Centre for Research on Employment and Work where I specifically look after the social impact of our research outside of academia. I’m also the Editor-in-Chief of a journal called Philosophy of Management. That is where a lot of inspiration comes from.
2. Why does a professor in business ethics get involved in building an ISO standard for whistleblowing management systems? For me, the impact of research outside of academia is very important. My research interests have always been on the institutional side of whistleblowing – not on the whistleblower, but on the people that receive the reports of whistleblowers. What do they do with the reports? What do they not do with them? So, the ISO 37002 standard really fits that.
There was a lot of discussion on the form the ISO standard should take, and we looked at in the content of a number of existing national guidelines (Australia, Canada, France, Japan, UK) and saw that each had its own emphasis, gaps and style. For ISO 37002, there was consensus that it should be a guidance standard focused on whistleblowing management systems. What do you need to plan? The scope? How do you operate and monitor the system? How do you control it? It’s like the typical management cycle. What does leadership need to do? How do you support it?
3. In your view how does a systematic approach to whistleblowing foster transparency in all kinds of organisations and workplaces? Fundamentally there is an enormous gap between what happens on the work floor and what the top of the organisation knows, not only in terms of ethics, crimes or grievances, but even in operational aspects that go wrong or are problematic on the work floor. It’s sometimes difficult to get that signalled up to decision makers. That’s where you have those gaps in communication.
These kinds of “speak up” systems can actually increase transparency and bridge that gap. You have work floor, middle management and top management. Of course, if top management does not want to hear, these whistleblowing systems will not work either. A lot of organisations – and I would say the majority the top management – do want to hear about the issues, but somehow they get blocked in the middle. Not that middle management intentionally wants to keep it quiet, but they are in between two fires and whistleblowing systems can really help to compensate for that.
So, the systems increase transparency for the top of the organisation, but they also increase transparency for people on the work floor if you implement them well. Because with proper communications around such a system, and the learning you can take from the system, you can actually show people on the work floor that there is an impartial channel, that the organisation is in fact responsive, and that if there is an issue it does get sorted. So, it’s also preventive in that it’s a signal to wrong-doers that they are not going to get away with it.
4. When it comes to corporate misconduct what are the main issues that organisations are facing or will face over the next few years? It will be Covid related. Work is likely going to change – we will go back to the office but perhaps not one hundred per cent. Different working regimes in terms of time and space will impact where and how wrong-doing occurs. How do you detect this wrong-doing through your standard auditing processes, for example? How do you build a culture and an ethical climate to prevent wrong-doing when people work from home? Those are going to be the main issues to deal with.
5. What are the main objectives of ISO 37002? It’s about handling the reports, not the person blowing the whistle. ISO 37002 is guidance for organisations on how they set up a system to handle reports. We specifically focus on receiving reports, assessing reports including triage, addressing reports – some need to be investigated and wrong-doing corrected etc – and closing whistleblower cases. Those are the four steps in handling whistleblower reports.
At the moment ISO 37002 is not a certifiable standard like anti-bribery or compliance, but it is a plug-and-play into those standards. Think of it as a stand-alone standard that can easily be used in conjunction with those related standards.
6. What will make ISO 37002 particularly valuable to me if I am a business leader looking for the best way to implement a whistleblowing system? It provides you with guidance on how to integrate a whistleblowing system into your other systems. Organisations already have grievance systems. In some countries there are specific requirements with regards to bullying and harassment and they already have systems like that. ISO 37002 gives guidance on how to make the whistleblowing system fit with what you are already doing, to strengthen efforts and build integrity into your organisation in other ways. The standard tells you what you need to consider when you plan these systems, how you operate them and also how you review them. What sort of knowledge can you get from these systems? That is really valuable.
7. What organisations have collaborated in this ISO 37002 project? The national standard bodies – we had over 40 countries’ national standard bodies contributing to the work. They each have their own committees – for example in the UK for the BSI standard, we had experts from engineering companies, healthcare organisations, hospitals, people from government bodies and also companies that offer consultancy and guidance and provide services around integrity. I believe you, Jan, were also part of the national mirror committee in the Netherlands.
It was a similar composition in the ISO working group, except that we also had different representatives of the national bodies plus Transparency International, the OECD, the Employee Business Resource Group, theEuropean Trade Union Confederation etc.
8. What has happened so far in the development of ISO 37002? What stage is it at now, when is it expected to be made available and how will it be made available? We are at the final step now. The initial rough draft was done. Then we made the proper second draft for comment and we received hundreds of comments from the national committees. Then the ISO working group worked through a number of further rounds until we arrived at another draft, which was sent out to a vote and more comments. These were resolved and we are now at the final draft stage which is out for final vote and minor edits.
The project is going as planned so we are still aiming for April this year, perhaps May. The standards are made available as documents that can be purchased, and different kinds of licenses that can be obtained.
9. How does the ISO 37002 guidance complement and align with the EU whistleblowing directive? In the EU directive, the requirements on organisations in terms of internal whistleblowing systems are quite minimal, in my opinion. You need to have one and it needs to allow for confidential reporting. But just having an internal system is no guarantee for getting it right. I have often said that we don’t need more whistleblowers we just need to be better at listening to the ones we already have now. Many companies still believe in the myth that more reports are better, that a wrong-doing doesn’t get dealt with if it is not reported. I think that is a mistake very often it does, but it’s not necessarily getting through to the people that can do something about it, or it is just not handled well.
And that is not something that is in the EU directive. Well, indirectly it is as people will be protected if they report externally to a regulator or when they go to the media. So indirectly it means that organisations need to get better at dealing with the reports internally. Research in the UK, US and Australia shows that more than 90% of reporting is initially internal. So organisations have an opportunity to correct wrong-doings that happen within their remits. It’s just a matter of – are you able to hear the whistleblowers? So you need good channels.
What we also know from research from Australia (Whistling while they work, Griffith University) is that when you have a reporting channel, you receive cases that are very clearly a public interest issue, an integrity issue. On the other side you have cases that are very clearly simply a personal grievance. But then you have the majority of cases in the middle made up of the mixed stuff. Perhaps there is friction or previous history evident in the cases, but there is a genuine concern there. How do you handle that? As part of the research, it was both the people that blew the whistle and the people handling the reports that were surveyed, and they both said the same thing. These types of cases are the ones that go wrong, they are the most difficult to handle.
What I take from that research is that we actually dismiss reports too quickly, for example as “Oh it’s just a grievance”. Why is that? Is it because it’s a compliance officer with their compliance hat on saying – “it’s not compliance, throw it out”? It’s a crucial aspect of improving your handling process. Anything you can do to improve the handling is a win. Which is why I’m happy that in the ISO standard there is a lot of attention on the triage stage. The EU directive does not talk about that, but the ISO standard provides guidance where the EU directive stops.
10. The EU whistleblower protection act is set to drive adoption of whistleblowing systems across Europe. How do you see that companies can benefit more broadly from complying with the new law? It will differ depending on the size of the organisation. If you have a substantial sized organisation you will get a number of reports per year and you can do something with that information that in itself, you can read your different corporate cultures. If you run a whistleblowing system and all you get through your system is personal grievances, what does that say about your culture? Don’t blame the system – it is actually saying something valuable about your culture that you can act upon.
So, apart from being able to address wrong-doing very early on, there is additional information that you can get from whistleblowing systems that will help you in becoming a responsive organisation. I’ve seen a number of organisations that have a reporting channel, but they use the same technology to also have a question channel. This allows people to test the system. If they want to report a wrong-doing but they are not quite sure – they can simply ask a vague question around it. These questions are not allegations, so they’re easy to respond to so you can clearly inform people about the company policy. This actually generates trust, and sometimes enough trust for someone to then report. When you filter out the allegations, the questions that come through the question channel can be made available within the whole organisation. So you’re signalling that you welcome questions around ethical issues and that you respond . You’re thinking a lot wider than just complying with the legislation – you’re thinking “what else can this do for us?” This is a huge leverage in building an ethical culture and also in showing that you are a responsible organization.
At the end of the day there needs to be trust between the organisation and their internal whistleblowers. When you investigate and you’ve found wrong-doings you are not always able to communicate all the details of what you’ve found about the investigation to the person that reported it. Your whistleblower needs to trust that you have looked into this and taken action, even if it is not always visible. I think a whistleblowing system can help with this element. This is wider than just complying with legislation. It’s building trust.
11. Do you have a view on the role that technology can play in encouraging people to speak up about misgivings and suspicious activities? Yes I do. IT systems exist that I call two-way anonymous – you can communicate with someone and the person can remain anonymous to you, and you can remain anonymous to them. You can ask further questions and they can still remain anonymous. What we know from research is that people don’t blow the whistle because they’re afraid. And it turns out that they’re afraid that confidentiality will not be kept. Online systems or systems available via an app are a really big support here. Being able to report online via a two-way anonymous system is going to bring whistleblowing forward.
Technology also makes it a lot easier to actually properly handle the report and properly time stamp every action you take in the handling. With the legislations that are coming, it is also going to be increasingly important for organisations to be able to show that they’ve done what can be reasonably expected – accountability. This is built into the ISO 37002 as well. I think that that is a lot easier than phone hot lines – if you can have a two-way anonymous communication then you can also build trust.