Before diving into the value of whistleblower programs and policies, we first need to understand the terminology. Reporting another person’s behavior to a third party can represent an ethical quandary. Whistleblowing can appear heroic in some cases and reprehensible in other cases. For the company employee who becomes aware of co-workers or company non-compliance, the inclination to be honest and do the “right” might be at odds with their long-held “no tattle-telling” mentality. I think all of us can empathize with the internal conflict caused by such a scenario.
In 2022, the U.S. saw highly impactful whistleblower and retaliation events primarily resulting from an active U.S. Securities and Exchange Commission. This was an aggressive approach taken by the Occupational Safety and Health Administration and consequential decisions from federal and state courts around the country. This initiative has only grown, and in May 2023, the SEC awarded a tipster on Ericsson the largest-ever whistleblower award of $279 million. This is more than double the previous record amount of $114mn, which was announced in October 2020.
According to the National Whistleblowing Center, “a whistleblower is someone who reports waste, fraud, abuse, corruption, or dangers to public health and safety to someone who is in the position to rectify the wrongdoing.“ In most cases, whistleblowers have information about their colleagues’ or company’s inappropriate activities. They are crucial in reducing unethical or harmful activities and promoting integrity. This definition also holds for the cyber whistleblower with a focus on activities associated with cybersecurity, such as data breaches, vulnerabilities, or other cyber misconduct.
Whistleblower policies and related support programs are essential for companies to ensure transparency and accountability. Not only do they create awareness about the policy and encourage employees to report misconduct, but policies and collateral efforts provide guidance on what complaints constitute whistleblowing and establish steps to take when false allegations are made against the company. The policy should guarantee the protection of an individual employee or volunteer who reports on actions deemed to be illegal, unethical, or dishonest. Whistleblower policies are also necessary to protect the employer during the early investigative period.
The bottom line is that organizations who establish and enforce whistleblower policies are helping to:
1) Combat fraud.
2) Avoid reputational damage.
3) Reduce losses.
4) Prevent the escalation of issues by managing breaches quickly and constructively.
5) Foster an open and honest culture that can result in better workplace relationships and productivity.
Here are some steps that organizations can take to strengthen whistleblowing processes and take appropriate actions to detect misconduct. These steps can help organizations enhance their compliance function in defending business resilience and calibrating risk by encouraging whistleblowing as a source of information and feedback on ethical and legal conduct.
1.) Establish a clear and comprehensive whistleblowing policy that defines what constitutes misconduct, who can report it, how to report it, and what protections and support are available for whistleblowers. The policy should also outline the roles and responsibilities of the compliance function and other relevant parties in handling whistleblowing cases.
2.) Provide a secure and confidential whistleblowing system that allows employees and other stakeholders to report misconduct anonymously and without fear of retaliation. The system should also enable confidential two-way communication between the whistleblower and the case handler.
3.) Train and educate employees and managers on the whistleblowing policy and system, as well as the ethical and legal obligations of the organization. Employees should be aware of the benefits of whistleblowing, the types of misconduct they can report, and the channels they can use. Managers should be knowledgeable about these policies and how to foster a culture of trust and openness. They should be trained on how to respond to whistleblowing reports and how to protect whistleblowers from retaliation.
4.) Investigate and act on whistleblowing reports promptly and fairly. The compliance function should have the authority and resources to conduct thorough and impartial investigations of reported misconduct and to take appropriate actions to address the issues and prevent recurrence. The compliance function should work within the structure of the sanctioned procedures to provide regular feedback and updates to the whistleblower and other relevant parties on the status and outcome of the investigation.
5.) Monitor and evaluate the effectiveness of the whistleblowing processes. The compliance function should collect and analyze data on the number, type, source, and outcome of whistleblowing reports, as well as the satisfaction and feedback of whistleblowers and case handlers. The compliance function should also identify gaps or challenges in the whistleblowing processes and implement improvements or corrective measures as needed.
A whistleblower policy is crucial for organizations to ensure transparency and accountability. In the context of cybersecurity, a whistleblower policy is even more critical. With cybersecurity threats becoming increasingly sophisticated and complex, it is imperative to have mechanisms to identify and report potential threats. Having a policy to identify and report potential threats early on enables timely and appropriate action before damage occurs.