Online Exclusive

Drafting ISO 37002 — new global standard on whistleblowing management systems



The International Organization for Standardization (ISO) is developing new guidelines for whistleblowing management systems — ISO 37002. These international standards are scheduled for completion by the end of 2021. This article describes the background of ISO 37002, its scope and its added value for organizations around the globe.

Background

In mid-2016, journalists and investigators were in the middle of assessing the full scope of the 2014 Luxembourg Leaks and 2016 Panama Papers revelations. The unravelling scandals were prominently featured in global media. In September 2016, ISO established Technical Committee 309 (ISO/TC 309) with the goal to address "standardization in the field of governance relating to aspects of direction, control and accountability of organizations."

In November 2016, ISO/TC 309 — building on high-impact whistleblowing cases and the growing attention for whistleblowing in general — formed an ad hoc group to examine the feasibility of a new international guidance standard on whistleblowing. With 34 votes of approval, one vote in opposition and 11 abstentions, TC 309 approved a new work item proposal in June 2018. ISO assigned the work to ISO/TC 309 Working Group 3 (WG3) to develop new international standards on whistleblowing management systems — scheduled for completion by the end of 2021.

The decision to develop an international standard for whistleblowing management systems comes at a favorable time. In recent years, news agencies have covered a range of stories on exposures of wrongdoings, such as the MeToo movement and Cambridge Analytica. The general public endorsed the people who blew the whistle. A growing number of organizations listened to the call for more transparency and recognized the important role of whistleblowers in preventing and detecting corporate wrongdoing. Whistleblowing started gaining momentum.

Country, sector and EU-wide initiatives

A growing number of countries are introducing or revising legislation aimed at protecting whistleblowers. Some examples are Australia’s Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2017, Italy’s Law No. 179/2017 and France’s Loi Sapin II.

Branch organizations, incentivized by corruption scandals, introduced or updated their standards addressing whistleblowing. The International Automotive Task Force’s (IATF) new 16949:2016 standard, for the first time, includes an ethics escalation (a whistleblower policy). The Australian Bankers' Association (ABA) commissioned the Review of Whistleblowing Protections by Australian Banks in 2016.

The European Commission made great strides in 2018 when it proposed a new law to strengthen whistleblower protection across the EU. The commission claims that whistleblowers can play an important role in uncovering activities that damage the “public interest and the welfare of our citizens and society.” The proposal includes an obligation for organizations to implement safe channels for internal reporting. The European Parliament adopted the EU whistleblowing directive at its first reading on April 16.

Within two years after adoption, companies with 250 or more employees, private legal entities operating in the area of financial services, or private legal entities vulnerable to money laundering or terrorist financing will be required to set up an internal procedure to handle whistleblower reports. Entities governed by public law, with possible exceptions for municipalities with fewer than 10,000 residents or 50 employees, will also be covered by the new law. Legal entities with at least 50 but fewer than 250 employees have another two years after transposition to comply.

Scope

ISO 37002 will provide practical guidance to organizations on a broad array of whistleblowing management aspects. It doesn’t specify requirements but provides guidance on whistleblowing management systems and recommended practices. ISO 37002 is intended to be adaptable. Its use can differ depending on the size, nature and complexity of an organization’s activities.

ISO 37002 will be written as a “High-Level Structure” (HLS). The HLS is a set of 10 clauses that all ISO management system standards are required to use to ensure consistency and greater integration among systems of different disciplines. The HLS approach involves precise drafting. For example, discussion about the wording of ISO 37002 is ongoing because the guidelines will include generic management system terms and definitions, along with discipline-specific terms.

There’s no known overlap of ISO 37002 with existing or planned standards. WG3 provides an overview of ISO standards that relate to the proposed standard on whistleblowing management systems:

  • ISO 37001:2016 anti-bribery management systems. Requirements with guidance for use.
  • ISO 19600:2014 Compliance management systems — Guidelines.
  • ISO 18788:2015 Management system for private security operations.
  • ISO 28007-1:2015 Ships and marine technology — Guidelines for Private Maritime Security.
  • Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract).
  • ISO/TR 31004:2013 Risk management — Guidance for the implementation of ISO 31000.
  • ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls.
  • ISO 27500:2016 The human-centered organization — Rationale and general principles.

WG3 stresses that these standards don’t include specific guidance regarding processes involved in whistleblowing arrangements, nor do they offer any guidance on how to implement processes.

Organizations that haven’t adopted management system standards will be able to adopt ISO 37002 as stand-alone guidance. Organizations will be able to choose to extend the scope of the whistleblowing management system to include reporting from outside their organizations.

According to ISO/TC 309’s description, ISO 37002 will provide “guidelines for implementing, managing, evaluating, maintaining and improving a robust and effective management system within an organization for whistleblowing.”

The international standard won’t be specific to any sector and will be suitable for organizations of all sizes from small- and medium-sized enterprises (SMEs) to multinational companies.

Based on the principles of trust, impartiality and protection, ISO 37002 is aimed to guide organizations in managing the full cycle of whistleblowing:

  • Identification and reporting of concerns of wrongdoing. 
  • Assessment of concerns of wrongdoing.
  • Means of addressing concerns of wrongdoing. 
  • Closing of whistleblowing cases.

WG3 states that it intends to provide a framework for establishing a clear and robust organizational whistleblowing system. WG3 acknowledges that creating a protective environment where people can confidently report concerns is crucial to effectively preventing and dealing with wrongdoing.

ISO 37002 addresses the need for organizations to protect whistleblowers and other people who might be affected by reporting wrongdoing. Retaliation is mentioned as a specific risk of whistleblowing. This approach shows WG3’s understanding of the complex issue of establishing and managing an effective organizational whistleblowing infrastructure and not limiting itself to an employer’s point of view but also recognizing a whistleblower’s perspective.

Added value

In 2017, the European Commission issued the report, “Estimating the economic benefits of whistleblower protection in public procurement.” The report states that there’s a strong economic case for whistleblower protection. In all of the countries studied, the potential gain from recovering misused public funds was found to exceed the costs of setting up and maintaining such systems in the area of public procurement alone.

According to the ACFE’s 2018 Report to the Nations - Global Study on Occupational Fraud and Abuse, organizations lose an average of five percent of their annual revenue to fraud each year. A secure whistleblowing system is the optimal solution for preventing wrongdoings. The ACFE report also states that there are 50 percent fewer fraud losses at organizations with whistleblowing hotlines than those without hotlines.

Whistleblowing is often seen as a risk for boards, committees directors and an organization's reputation. But with a sound whistleblowing infrastructure in place, whistleblowing provides an opportunity to better understand and manage culture, and solve irregularities internally before they become uncontrollable externally.

Although organizations have many useful reference points, no single, internationally recognized standard on whistleblowing exists. Documentation now is largely focused on legal obligations and what governments should be doing in whistleblowing legislation. While this is important, it isn’t suitable or practicable for organizations to understand whistleblowing principles and how to implement policies and procedures effectively.

Highlights of ISO 37002

The proposed ISO 37002 Management Systems Standard will serve the purpose of:

  • Guiding organizations to establish coherent whistleblowing frameworks that create protective environments and confidently report wrongdoing and address concerns swiftly and appropriately.
  • Helping build trust between an organization and its stakeholders, including staff.
  • Responding to concerns about the reporting of and dealing with wrongdoing in view of the increasing number of cases reported publicly.
  • Supporting good governance and transparency. The intention is that ISO 37002 will be used as a stand-alone document. Equally, the proposed standard could be used in conjunction with other standards, such as organizational governance and anti-bribery, compliance and other management systems.
  • Guiding organizations to foster a culture of transparency, in which people are confident to report concerns of wrongdoing.

The ISO 37002 guidelines are likely to be the future global standard for organizational whistleblowing. Taking into account organizations’ legal frameworks on whistleblowing and related topics such as data protection, issuance of practical guidelines are likely to be a much-welcomed development. Organizations can prepare for future guidelines by mapping the whistleblowing structure they have in place.

Jan Tadeusz Stappers, LL.M, is the legal counsel of WhistleB, a provider of professional whistleblowing systems. Stappers is assisting in the development of the new ISO 37002 standard on whistleblowing management systems. He’s a frequent professional speaker. Stappers is a Certified Information Privacy Professional (CIPP/E) through the IAPP. Contact him at jan.stappers@whistleb.com.