Managing whistleblowers fairly and lawfully

Human Resources07 Oct 2024

Professor Wim Vandekerckhove at EDHEC Business School explains the duties that organisations have towards whistleblowers

Recently, a compliance officer for a UK foreign exchange broker was asked by his managers to secure a work visa for someone. Some standard checks on the person hit some red flags with the compliance officer, who reported his concern to the Financial Conduct Authority. He was sacked shortly after for alleged gross misconduct, i.e., reporting to the regulator. He subsequently brought a claim for unfair dismissal to the employment tribunal, using legislation that protects whistleblowers who act in the public interest – the Public Interest Disclosure Act.

The tribunal sided with the compliance officer, and last August awarded him £564,672 in compensation. The number of whistleblowing cases at employment tribunals in the UK has almost doubled over the previous decade. More and more workers claim to have suffered detriment after having raised concerns about suspicious activities, and these “public interest disclosures,” as they are called in UK legal terms, are creating a buzz.

My research shows that most whistleblowing cases start with an employee judiciously raising questions to someone inside their organisation. Dr Jayne Chidgey-Clark, National Guardian for the Freedom to Speak Up for NHS England, says that the increase in the number of whistleblowers at employment tribunals is a direct result of organisations’ poor internal procedures for handling whistleblowing reports.

But what are the key duties that organisations have around whistleblowers? The goalpost on this was recently moved by new regulation on the European continent, which exceeds current legal requirements in the UK but is likely to be a precursor of things to come. In the EU, organisations of 50 workers or more must have a whistleblowing policy and a handling process that meet minimum criteria in four areas. First, you are free to use telephone, email, or web interface for your channel, but workers are entitled to ask for an in-person physical meeting to raise their concerns. If the concern is raised verbally – through telephone, voice message, or physical meeting – you can audio-record, transcribe, or minute this. Still, you must allow the whistleblower to review and amend the transcript or minutes.

Second, you need to provide the whistleblower with feedback. An initial acknowledgment of receipt of the whistleblowing report must be provided within seven days. Further feedback to the whistleblower on the status of their case must be provided within three to six months, the latter date only if justifiable.

Third, the EU Whistleblowing Directive (2019/1937) clearly states that the whistleblower’s identity be confidential. This means that only those managing or working on an investigation should know the whistleblower’s identity. Recently, the head of the Financial Conduct Authority in the UK was slapped on the wrist for forwarding emails from two whistleblowers to colleagues within his organisation. He was not fined and has made it clear that he will not resign. However, if this happened on the European continent, it could give grounds to whistleblowers to sue in court. For example, breaching a whistleblower’s confidentiality under French law can incur a two-year prison sentence.

The fourth area, which could be challenging for many organisations, is data management requirements for internal whistleblowing channels. You must keep records of all whistleblowing reports, actions taken (follow-up, protection, sanctions, informing authorities), and investigation outcomes. You should not store these records longer than necessary, but that does not mean you can delete everything. Once the case is closed, you need to consider what is still required, such as continued protection measures or pending judicial steps. Personal data must be handled carefully, and this data includes the whistleblower’s identity and any data that could be used to identify him or her. It’s best to avoid collecting personal data that is irrelevant for handling a specific whistleblowing report. If such data is accidentally collected, it must be deleted as soon as possible.

Regardless of the increased regulatory specifications for internal whistleblowing channels, organisations need to understand that trust is important not only for workers to report wrongdoing internally but also for the process of handling a report to be trustworthy. My research on good practices in this regard suggests that instead of over-promising protection and anonymity, it can be more ethical to explain the handling process in training and clearly state the limitations of confidentiality and protection. The international standard (ISO37002) on how whistleblower reports should be handled suggests providing feedback to the whistleblower about how you are following up on their report. This shouldn’t include any details of the investigation, but it can include information about progress and next steps. It can also include instructions on receiving support and avoiding public exposure.

Looking at the problems Boeing is having with its ethical culture, there are obvious but important lessons to learn. The review earlier this year into whether Boeing was sticking to the terms of its Deferred Prosecution Agreement found instances where Boeing managers, who oversaw employee performance evaluations, pay decisions, and disciplinary sanctions, also had mandates to investigate safety concerns. This implies that it is the job of Boeing managers to investigate reports made by their team members, which raises questions about how safe an employee feels making such a report to their direct manager, especially if the manager is the report’s focus or is somehow implicated. It seems that we are still learning important lessons about creating effective whistleblower environments.

This is challenging but handling internal whistleblower reports will become even more important in the future. Recently, EDHEC Business School, with the help of leading experts, developed the SUSA – Speak-Up Self-Assessment, a free online tool that anyone managing an organisation can use (anonymously) to measure the quality of their speak-up channels and culture. The SUSA tool is based on international best practices (ISO 37002) and EU requirements (EU Directive 2019/1937) and sees a healthy speak-up culture as driven in large part by an organisation’s internal governance, employee training, feedback, and reassurances of confidentiality and protection.

Wim Vandekerckhove is Professor of Business Ethics at EDHEC Business School

Main image courtesy of iStockPhoto.com and SusanneB