Understanding the ISO Whistleblowing Guidelines in five simple steps
This year, the International Organization for Standardization (ISO) formally enacted International Standard ISO 37002 – Whistleblowing Management Systems – Guidelines (ISO Whistleblowing Guidelines).
The ISO Whistleblowing Guidelines are the first comprehensive guide for companies operating whistleblowing management systems. If your programme meets the ISO Whistleblowing Guidelines in all respects you have a leading-edge system that meets the best international standards and you should feel very comfortable that it is fit for purpose.
In ISO speak, ‘guidelines’ cannot be certified by an accredited body as having been met. There is currently no certification process for guidelines, although that may change at some stage in the future. What you can do, however, is engage a company to conduct a review and audit your programme against the ISO Whistleblowing Guidelines to give you some comfort of compliance. Of course, it is always best to engage a reputable compliance expert that understands the ISO Standards and process. Our sister company, ETHIC Intelligence, offers this service to clients globally.
What do the ISO Whistleblowing Guidelines actually intend to do?
The ISO Whistleblowing Guidelines provide advice to organisations for establishing, implementing, maintaining and improving a whistleblowing management system, with the following outcomes:
The ISO Whistleblowing Guidelines assist organisations to create whistleblowing management systems based on the principles of trust, impartiality and protection. They are adaptable, and their use will vary with the size, nature, complexity and jurisdiction of the organisation’s activities. The ISO Whistleblowing Guidelines can assist an organisation to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.
Five steps to understand the ISO Whistleblowing Guidelines
1. Understand the ISO basics
Get your head around the way that ISO standards and guidelines work. They all have definitions at the front and then the substantive elements start at section 4. There are some unique words used in these guidelines and standards, so you might need to check the specialist ISO dictionary (available on the ISO website) to truly catch all the nuances.
Remember that guidelines are not certifiable, so you will see references to ‘should’ throughout them (‘you should do this’, ‘you should do that’), where in a certifiable standard the ISO tends to use the word ‘must’ (because it is mandatory and failure to do the item means you may not pass certification). This is really semantics, so assume that when it says ‘should’ in the guidelines, you need to do what it says to be in compliance.
2. Get moving with scoping, application and stakeholder reviews
As mentioned in step 1, most ISO standards and guidelines, including the ISO Whistleblowing Guidelines, follow the same process, with the substantive content starting in section 4. This section helps you scope out your programme: Does it apply to everyone? Does it apply to all subsidiaries? This is also the place where you work out which laws might apply to you. Are there specific laws in countries that require you to have certain things in place?
Section 4 requires you to establish, implement, maintain and continually improve a whistleblowing management system, including the processes needed and their interactions, in accordance with the guidance’s recommendations.
3. Get management and leadership involved and work out roles and responsibilities
Like all of the ISO standards and guidelines, the ISO Whistleblowing Guidelines require you to have the right level of support from your organisation. If you do not have that support and buy-in, it will be very tough for you to run and operate a successful programme.
The ISO Whistleblowing Guidelines discuss your support from the governing body (i.e. your board) and top management, and also the people that are going to be operating the whistleblowing management system (whether that be HR, compliance, legal or some other group).
At this stage you will also be looking at the roles and responsibilities of all the key stakeholders and working out who is working on which area.
4. Build your whistleblowing programme
Once you have the people sorted out and you have the scope of your programme, the next part of the ISO Whistleblowing Guidelines will guide you on how to build the programme. There is a big focus on planning out the activities that you will be building. These plans must include how to set objectives for the programme and how to then measure those objectives. The ISO Whistleblowing Guidelines – and indeed all ISO standards – are focused on measuring what you are doing against objectives, and you will see this constant focus.
You will also become familiar with the level of detail around the implementation. The ISO Whistleblowing Guidelines will focus on you documenting and detailing actions: Who does it? When? How? What is the objective? How will it be done? How will it be tested against that objective?
5. Operate, support, measure and improve
Once the programme is in place, it is all about operation. Make sure that the right resources are in place to operate the programme. These people need to be properly trained and qualified, and must work according to the clear actions and objectives in the programme. Making people aware of the programme via communication and training is important and is a significant focus of the ISO Whistleblowing Guidelines.
Of course, at some stage, you will actually receive whistleblowing reports from users. The operational aspects will provide guidance on how to receive, triage and investigate the reports. The ISO Whistleblowing Guidelines also discuss how to protect the reporter and not retaliate against them in any way.
The guidelines contain a large section on monitoring, measuring and improving the system that you have developed. There are obligations to audit the effectiveness of your programme to identify weaknesses or non-conformities.
Actions for teams that manage compliance reporting and programmes
For teams that already have established whistleblowing or compliance reporting programmes, the ISO Whistleblowing Guidelines are a great initiative to validate your work and to use as established best practice. We would recommend conducting a gap analysis of your programme against them.
If you are new to the area and are looking for a blueprint by which to build your programme, the ISO Whistleblowing Guidelines are an excellent process to follow.
How to learn more
The ISO Whistleblowing Guidelines are now available to purchase from the ISO stores in each country. Check the ISO website for further details.
If you are interested in building your programme from scratch or would like consultative advice on the ISO Whistleblowing Guidelines, please contact us.