Transparency International defines whistleblowing as the disclosure or reporting of wrongdoing. We use a broad framing of whistleblowing mechanisms to include those arrangements that encourage employees, customers and suppliers to speak up and share information on activities that violate a company’s ethical code of conduct, its legal and regulatory requirements or international human rights standards.

Companies don’t take a one-size-fits-all approach to adopting whistleblowing mechanisms, and some companies are much more advanced in their practices than others. Nonetheless, investors should still expect comprehensive disclosure from their investees. Whistleblowing mechanisms must not be seen by companies or investors as a box-ticking exercise, in which meeting certain criteria would guarantee that the right mechanisms and culture are in place.

Investors should use the presence (or absence) of these mechanisms to assess companies’ risk management and human rights practices as well as their overall corporate culture.

Why engage: the business case for action

Effective whistleblowing mechanisms are a key feature of good governance and anti-corruption systems, as well as being reflective of a healthy corporate culture.

They can help support companies to mitigate the risks associated with unethical or illegal conduct, which if left unchallenged can lead to significant corporate failures and loss of value.

Effective whistleblowing mechanisms can also help address systemic issues, including detecting and preventing bribery and corruption and bringing to light significant cases of tax avoidance, money laundering and human rights violations.

Addressing these issues results in better performance and consequently, better returns for institutional investors and their beneficiaries; while safeguarding public goods such as trust in institutions and helping to achieve the Sustainable Development Goals.

Risk management

Effective whistleblowing mechanisms can be a valuable resource for risk management, protecting companies from financial loss, legal liabilities and lasting reputational harm. They allow companies to quickly identify and manage misconduct and irregularities by employees and across the supply chain. Whistleblowers are often also key actors in developing solutions to address the issues identified, as they tend to be experts in their respective areas.

Respecting human rights

It is vital for companies to minimise harm to people and negative outcomes, particularly as human rights controversies can occur across all sectors, geographies and sizes, from mining and apparel companies to technology and financial firms – implementing strong whistleblower protections, combined with human rights due diligence provisions, can contribute to that.

Corporate culture

Investors can use the presence, and effective use, of whistleblowing mechanisms as a key indicator to assess organisational culture, as they demonstrate a company’s commitment to integrity and social responsibility.

How to engage

Based on our research and interviews with a range of stakeholders and experts, we outline a set of focus areas, disclosure expectations, and questions, to help investors assess companies’ whistleblowing mechanisms, covering the following areas:

  • Governance and oversight
  • Policies and commitments
  • Systems and processes

Based on the quality of companies’ answers, investors can identify areas where they should push for improvements, while challenging the board and senior management to encourage companies to adopt better practices and more ambitious agendas.

Further engagement should be considered necessary when public disclosure does not provide enough evidence or comfort around the adoption and implementation of whistleblowing arrangements. It could also be triggered when other red flags are identified – for example, controversies related to whistleblowers or a lack of disclosure on board oversight.

Next steps for investors

To successfully undertake stewardship activities on whistleblowing, investors should start by:

  • defining minimum expectations for investee companies globally, as well as further expectations by region, sector and size;
  • establishing a set of red flags that would trigger further engagement; and
  • where necessary, requesting expanded data sets from ESG research providers, covering performance indicators on whistleblowing, with appropriate assessment and weighting.

Investors should also form a clear escalation strategy, reflected in voting principles and actions, which they can then communicate to investee companies.

Finally, to ensure that whistleblower protections are embedded into regulation and that there are clear frameworks for companies to follow, investors should also consider engaging with policy makers.

Introduction

Transparency International defines whistleblowing as the disclosure or reporting of wrongdoing, including:

  • corruption;
  • criminal offences;
  • breaches of legal obligation;
  • miscarriages of justice;
  • specific dangers to public health, safety or the environment;
  • abuse of authority;
  • unauthorised use of public funds or property;
  • gross waste or mismanagement;
  • conflict of interest; and
  • acts to cover up any of these.

For the purposes of this report we use a broad framing of whistleblowing mechanisms to include all those arrangements that encourage employees, customers and suppliers to speak up and share information on activities that violate a company’s ethical code of conduct, its legal and regulatory requirements or international human rights standards.

The English term whistleblower cannot be directly translated into other languages. It can also carry pejorative connotations and be associated with misconceptions and social stigma in many regions. Investors should familiarise themselves with any regional or country-specific variances before engaging on the issue.1

Companies do not take a one-size-fits-all approach for adopting whistleblowing mechanisms – they may be influenced by language and cultural differences, regional regulatory approaches and company size, among others.

However, overall, company policies are lagging significantly on this issue. MSCI ESG Research found that of the 2,631 issuers it assessed under its corruption and instability category, only 10% publicly disclosed a whistleblowing policy that allows for anonymous reporting and legal protection, 76% disclosed a whistleblowing policy with no specific details of legal protection, and 14% disclosed no evidence of a whistleblowing policy at all.2

Regional differences are also evident in the strength of whistleblowing policies. According to MSCI, of the issuers assessed on the strength of whistleblowing protections, 16% of companies in the MSCI World Index (representing developed markets) disclosed a best practice policy that included anonymous reporting and legal protections, compared with 7% of companies classified in the MSCI Emerging Market Index (representing emerging markets), as of August 2020. This assessment found that 25% of issuers domiciled in Australia and Denmark disclosed bestpractice whistleblowing policies, while this was true for only 1% of issuers domiciled in South Korea and 4% of issuers domiciled in Saudi Arabia.3

Sectoral differences are also noteworthy. Sustainalytics research shows that industries most exposed to business ethics risks, which encompass whistleblower programmes, include banks and financial institutions, pharmaceuticals and conglomerates in industrial manufacturing and construction. Since January 2018, Sustainalytics has identified 299 separate incidents related to whistleblowers attributed to 217 unique companies and spanning 35 sectors, with the most incidents in the pharmaceuticals and healthcare, banking and aerospace and defence sectors.4

Nonetheless, investors should still expect comprehensive and consistent disclosure from their investees. Public reporting in this instance can indicate if an acceptable structure is in place, or if there is a need to raise concerns, while the absence of appropriate reporting and other red flags should trigger further engagement.

Whistleblowing mechanisms must not be seen by companies or investors as a box-ticking exercise, in which meeting certain criteria would guarantee that the right mechanisms and culture are in place.

Investors should use the presence (or absence) of these mechanisms to assess companies’ risk management and human rights practices as well as their overall corporate culture.

Why engage: the business case for action

Effective whistleblowing mechanisms are a key feature of good governance and anti-corruption systems, as well as being reflective of a healthy corporate culture centred on trust and responsiveness.

According to MSCI’s ESG Research, the strength of an issuer’s whistleblowing policy appears to correlate with the strength of its overall corporate governance practices – issuers that disclosed best-practice whistleblower protections scored an average of 35% higher on a corporate governance assessment than companies that disclosed no evidence of whistleblower protections.5

Whistleblowing mechanisms can help support companies to mitigate the risks associated with unethical or illegal conduct, which if left unchallenged can lead to significant corporate failures and loss of value.

A 2020 global study from the Association of Certified Fraud Examiners revealed that 43% of the cases of occupational fraud analysed were uncovered through tips-offs, whereas only 15% were identified through internal audit and only 12% via a management review.

The COVID-19 crisis has further highlighted that whistleblower reports are important for identifying and addressing malpractice, related to measures directly linked to the pandemic (e.g. fraud in furlough schemes6) and across other key ESG issues (e.g. illegal labour practices7 and the questionable treatment of whistleblowers8).

In addition to mitigating risk and protecting company value and integrity, effective whistleblowing mechanisms can help address systemic9 issues, including detecting and preventing bribery and corruption10 and bringing to light significant cases of tax avoidance, money laundering12 and human rights violations.13

Addressing these issues benefits companies14 (see The advantages of whistleblowing for companies), resulting in better performance and consequently, better returns for institutional investors and their beneficiaries; while safeguarding public goods such as trust in institutions and helping to achieve the Sustainable Development Goals.15

However, companies and investors have often ignored the role of whistleblowers in raising the alarm and protecting value – for example, senior management at financial services firm Wells Fargo dismissed employee reports on the use of fake bank accounts to meet cross-selling quotas.16 Digital payment provider Wirecard provides another example: EY received a whistleblowing report on fraud at Wirecard from one of its own employees in 2016 but mishandled the subsequent investigation.17

The advantages of whistleblowing for companies

Reducing financial losses due to fraud

Reputational damage

Preventing reputational damage

Respecting human rights of all stakeholders

Building

Building a responsible corporate culture

Driving board and senior management accountability

Risk management

Effective whistleblowing mechanisms can be a valuable resource for risk management, protecting companies from financial loss, legal liabilities and lasting reputational harm. They allow companies to quickly identify and manage misconduct and irregularities by employees and across the supply chain. Whistleblowers are often also key actors in developing solutions to address the issues identified, as they tend to be experts in their respective areas.

A survey of over 5,000 companies in 99 territories found that 47% of those organisations suffered economic crimes and nearly half of the reported incidents – resulting in losses of US$100m or more – were committed by insiders; while further research showcases that whistleblowers exposed 43% of fraud incidents – making them more effective than all other measures (corporate security, internal audits and law enforcement) combined.

Not investigating concerns raised by whistleblowers in a timely manner can have significant consequences. For instance, EY was warned by a whistleblower about potential fraud at Wirecard, and an attempt to bribe an EY employee, four years before the company collapsed. As the auditor did not properly investigate the allegations, it is now facing backlash from investors and politicians and potential lawsuits for the mishandling of the whistleblower reports.18

Companies are also facing a rapidly changing regulatory landscape that should inform their risk management approach. Recent regulations have been put in place at the regional and national level to protect and encourage the reporting of illicit activities by employees in public and private sectors. This includes the EU Whistleblowing Directive, which member states are required to transpose into national law by December 2021 (see Appendix B for more details on whistleblowing regulations).

Respecting human rights

As highlighted in the PRI’s recent paper, Why and how investors should act on human rights, investors and businesses have a responsibility to respect human rights. The European Court of Human Rights has applied Article 10 of the European Convention on Human Rights to defend the right of whistleblowers in prominent legal cases, clarifying that whistleblowing is in the public interest and is a tool for exercising the right to free speech.19

Principle 29 of the United Nations Guiding Principles on Business and Human Rights also outlines the importance of effective grievance mechanisms and expectations that “business enterprises should establish or participate in effective operational-level grievance mechanisms for individuals and communities who may be adversely impacted”.

It is vital for companies to minimise harm to people and negative outcomes, particularly as human rights controversies can occur across all sectors, geographies and sizes, from mining and apparel companies to technology and financial firms – implementing strong whistleblower protections, combined with human rights due diligence provisions, can contribute to that.

Trillium Asset Management recently filed a shareholder proposal for Alphabet’s 2020 Annual General Meeting asking the company to issue a report evaluating its whistleblower policies and practices and to assess the feasibility of extending it to cover reports related to public interest and human rights.21

We see companies miss opportunities to get ahead of human rights violations and reputational damage because they failed to listen to whistleblowers – and in doing so they make matters worse. Through shareholder proposals and dialogues, investors can help advance improvements to whistleblower protections which will benefit the board, management, employees, shareholders, and stakeholders.

—Jonas Kron, Trillium Asset Management

Corporate culture

Investors can use the presence, and effective use, of whistleblowing mechanisms as a key indicator to assess organisational culture,22 as they demonstrate a company’s commitment to integrity and social responsibility.23

Industry research indicates that whistleblowing policies, reinforced through clear and continuous communication about whistleblowing’s importance, lead to an increased level of trust within organisations.24

Evaluating the effectiveness of whistleblowing policies can further help investors to assess if a culture of openness (also known as a speak-up culture) exists and is embedded within the company; for example, whether a company publicly discloses relevant data on whistleblowing incidents.25

Investors should ask companies whether they can demonstrate that their speak-up systems are working effectively. Companies should be able to demonstrate that they act on reports and improve their culture as a result.

—Tim Goodman, Federated Hermes

 

Building a speak-up culture

Wendy Addison, Founder and CEO, SpeakOut SpeakUp

Whilst a formal whistleblowing channel offers an opportunity to report wrongdoing, it is only partially effective, as it is sometimes employed too late – when significant wrongdoing has already occurred. Additionally, the act of whistleblowing arouses psychological conflict, going against our innate need for loyalty and cohesiveness.

In contrast, building a permanent, company-wide, informal speak-up culture is a more effective and robust avenue to mitigating unethical slippery slopes.

The following elements provide an indication that a company has an environment in which people feel comfortable to raise concerns – investors should assess if these practices are present and encourage companies to adopt them if they are not:

  • Publicly highlighting good behaviours and affirming shared values
  • Making visible how incidents of misconduct are dealt with to demonstrate organisational justice, while ensuring anonymity
  • Creating diverse teams to ensure that one social identity is not dominant
  • Leadership behaviour – reducing power disparities, soliciting opinions and responding appreciatively, flattening hierarchies and building psychological safety

How to engage: focus areas

To help guide investor stewardship focused on whistleblowing, this section explores what investors should expect from companies, and provides examples of good practice and red flags under the following headings:

  • Governance and oversight
  • Policies and commitments
  • Systems and processes

Governance and oversight

Board oversight

Company boards have a crucial role in creating speak-up cultures and should be accountable for implementing and overseeing whistleblowing mechanisms, as recommended by the International Corporate Governance Network. A Financial Reporting Council report on culture highlights that boards can assess how well a company’s speak-up culture is embedded by measuring the effectiveness of its whistleblowing policy.

A board should receive regular reports on its company’s whistleblowing system. In addition, it should clearly understand the steps taken to resolve issues raised through whistleblowing mechanisms26 and communicate how information received is integrated into the company’s risk management strategy.

Tone from the top

Having buy-in from across a company’s senior leadership and setting the right tone are key for enhancing the credibility of whistleblowing mechanisms. A company’s senior leadership should promote whistleblowing policies and mechanisms inside the organisation and publicly, to ensure the message reaches a wide audience, particularly when operating in several regions which are likely to have different approaches to implementing a speak-up culture. Additionally, senior management and board directors should be available and approachable and behave in a way that encourages workers to speak up.

Information flow

Organisations need to provide the board and decision makers with the right information regarding whistleblowing incidents, so that meaningful results can be achieved. Investors should assess how well information flows between the departments responsible for implementing and monitoring whistleblowing mechanisms, such as human resources, compliance, senior management and audit and risk committees. This should include how they monitor the quality and integrity of that information and determine the appropriate solution for any cases raised.

Performance indicators

Companies should use performance indicators to monitor important aspects of the whistleblowing process, including, for example, the volume of cases handled, the number of cases pending and how long they were investigated, the average time for resolution, conclusions reached and actions taken. The board and executive management can use these to assess the effectiveness of whistleblowing systems and make decisions on potential focus areas and the allocation of resources.

Good practice board

Member whistleblowing champion

The UK’s Financial Conduct Authority (FCA) requires companies to have a whistleblower champion – one manager or director who will be responsible “for ensuring and overseeing the integrity, independence and effectiveness of the firm’s policies and procedures on whistleblowing, including those policies and procedures intended to protect whistleblowers from being victimised because they have disclosed reportable concerns.”28 (See Appendix B for more details).

The regulator also requires that the whistleblower champion:

  1. may be based anywhere provided [they] can perform [their] function effectively.”
  2. “should have a level of authority and independence within the firm and access to resources (including access to independent legal advice and training) and information sufficient to enable [them] to carry out that responsibility;
  3. may be based anywhere provided [they] can perform [their] function effectively.”
  4. need not have a day-to-day operational role handling disclosure from whistleblowers; and
  5. may be based anywhere provided [they] can perform [their] function effectively.”

Red flag

Inappropriate response by senior management

Not having appropriate escalation systems in place, or senior management being ill-prepared to handle whistleblowing reports, can lead to reputational and financial consequences, as demonstrated by an incident at Barclays, a British investment bank and financial services company.

In 2016, the bank’s board members received an anonymous letter expressing concern over the conduct of a senior bank employee who had recently been hired. The bank’s CEO, Jes Staley, then asked the Group Information Security Department to identify the complainant because he considered it “an unfair personal attack” on the reported employee.29

Barclays and Staley faced censure – including a US$15m fine by the New York regulator – for their attempt to track down the whistleblower and have been subject to special requirements such as reporting annually to the UK regulators on the bank’s handling of whistleblowing.30

Policies and commitments

Developing a policy

Developing and publishing a clear whistleblowing policy is crucial to defining and ensuring a company’s commitment. Either as a standalone document, or as part of a broader code of conduct, the policy should establish what is acceptable conduct and relate to a company’s values.31

Research by ACSI found that 81% of companies listed on the ASX200 mention whistleblowing in their code of conduct, while 30% have a separate document, for example.

Companies should ensure all employees, collaborators and partners are aware of the policy and its scope. Furthermore, it should make provisions – at all company levels – for the reflection, discussion and awareness of the grey areas that may permeate the organisation’s day-to-day activities, including interactions with suppliers, the local community and other stakeholders.

Companies should make their policies easily accessible on websites and publish information on the governance, monitoring and implementation of their whistleblowing systems in publicly available communication, such as annual, corporate social responsibility or sustainability reports.

Commitment to non-retaliation

An adequate policy protecting whistleblowers must provide immunity from any form of retaliation – direct or veiled – in the workplace.32 It should also strictly prohibit any intimidation or retaliation against anyone who assists in the investigation of any complaints.33

Rather than placing the onus on whistleblowers, some countries have adopted a reverse burden of proof, whereby the law requires the employer to prove that the whistleblower was treated fairly and that no retaliatory action was taken.34

Companies should ensure that appropriate disciplinary action is taken against anyone found to have penalised a worker for having reported wrongdoing or refusing to engage in it.

— Stephanie Casey, Transparency International Ireland

Motivation

Some regulations, such as the United Nations Convention Against Corruption or the Inter-American Convention Against Corruption, require that a whistleblower acts in good faith – with a predominantly honest motive – in order to be protected.

However, recent regulations have removed that requirement, establishing that whistleblowers should be protected regardless of their motivation to make a report (see Appendix B for more detail). As such, investors should ensure that companies are committed to protecting whistleblowers regardless of their motivations, so that disclosures are not discouraged.

Too often, company policies stipulate that staff must be acting in ‘good faith.’ Such messaging can cause staff to delay reporting suspicions of wrongdoing for fear of being perceived as having [an] ulterior motive. Investors should make sure organisations remove any cause for hesitation in speaking up, before it is too late to avoid harm or lasting damage.

— Ida Nowers, Whistleblowing International Network

Confidentiality

Whistleblowing policies should respect confidentiality, as building trust and ensuring that employees feel comfortable raising issues is paramount to successful implementation.

Employees should also be able to raise concerns, even when bound by a non-disclosure agreement (NDA), loyalty or confidentiality clause.35The EU Whistleblowing Directive clarifies that such clauses and agreements will be void if it is necessary to provide confidential information to reveal a breach.

Scope and types of concerns

One of the challenges companies face in developing a whistleblowing policy relates to the different types of concerns that can be raised. In most cases, whistleblowing is associated with corruption and fraud, or even health and safety concerns. Company policies should make clear that employees can raise concerns for several other topics, such as discrimination, harassment or environmental damage.

Reporting to outside bodies

Company policies should also make clear to employees that they can report wrongdoing to an outside body. While internal reporting is desirable in the first instance, a policy on reporting channels should highlight that it is preferable to raise a matter with the appropriate regulator than not at all, to inspire a culture of openness and confidence.

Investors should make sure that there aren’t any barriers to employees reporting to accountable bodies. Even when the ability to report externally is clearly advertised to staff, people typically do not choose to report directly outside of their companies. In fact, giving staff this option increases employees’ trust and confidence in the organisation.

— Anna Myers, Whistleblowing International Network

Good practice

Company whistleblowing policy

Colgate-Palmolive, an American multinational consumer products company, has a detailed speak-up section in its Code of Conduct, which provides:

  • information on the reporting channels available;
  • a commitment to non-retaliation;
  • a diagram on how a report is managed and the possible outcomes from that.

It also clarifies the scope of these channels by explaining where examples of cases might be reported (e.g. human resources or compliance)

Systems and processes

Having whistleblowing systems in place is essential for companies of every size and should not only be considered a requirement for larger organisations; the EU Whistleblowing Directive requires companies with more than 50 employees or with an annual turnover of €10m to implement internal reporting channels (for more information, see Appendix B).

Reporting channels

Companies can adopt a wide range of reporting channels, for example, creating a toll-free telephone number for people to communicate their concerns, setting up dedicated e-mail accounts or links, appointing a dedicated contact (potentially within their compliance team), or even by using third-party service providers. A study from the Association of Certified Fraud Examiners indicated that fraud losses were 50% lower at organisations with hotlines than at those without. Regardless of the type of reporting channels employed by a company, investors should consider if they include certain common characteristics (see Reporting channel standards below).

Red flags

The absence of reporting channels

The absence of reporting channels, such as a confidential phone line, should be viewed as a red flag. Indeed, a recent OECD study on corporate anti-corruption measures found that 13% of the businesses analysed do not provide such measures, indicating that it is not yet standard practice to do so.

Low or high report numbers

Investors should not assume that the number of reports a company receives through its whistleblowing channels in a given year are a reflection of their effectiveness, particularly if taken out of context. Having few or no complaints may be a cause for concern, indicating that the whistleblowing systems are inefficient or that the reporting process is not trusted. Equally, a high number of reports (especially relative to peers) should trigger further engagement with investee companies.

Reporting channel standards

Anonymity

Anonymity and confidentiality

Anonymity should always be offered to whistleblowers who do not wish to identify themselves. Companies should be able to highlight the security measures put in place – such as how they will avoid information leakage or a privacy notice clarifying how data will be processed (whistleblowing channels are subject to General Data Protection Regulation rules and fines) – to provide full confidence to potential whistleblowers.

Availability

At least one of the channels offered must be available constantly and continuously (24 hours a day, 7 days a week, 365 days a year) to allow users to communicate concerns when they feel it is comfortable or pertinent to do so.

Language

Language

Support in several languages is an important element of effective speak-up arrangements.36 Whistleblowers should have the option to make complaints in their preferred language, or – as a minimum – in the languages of any regions where the company employs staff.

Coverage 30px

Coverage

Reporting channels should be available to all direct employees, but also contractors and partners. Companies should also be able to assess whether awareness and training is provided across their supply chains – similar policies and systems should be applied throughout, and appropriate channels should be available.

Internal investigation process

External reporting channels do not replace the employer’s obligation to ultimately deal with the complaint and provide a proper solution. Companies allocate the responsibility for receiving complaints and investigating reports to different departments, depending on their size and culture.

For example, in large firms it is common for this responsibility to lie with the compliance department while in smaller companies it lies with the human resources department. Irrespective of the set-up that may be suitable for each company, investors should consider if the investigation process has certain key features (see Investigation process features below).

Investigation process features

Transparency

Companies should provide full transparency around the investigation process – which function is tasked with investigating concerns raised, making recommendations for further action and reporting on progress to the complainant and other departments. They should provide clear information on these actions, and regularly assess whether appropriate resources have been made available. Companies should also ensure that the professional or team responsible for these processes is wholly dedicated to them, or has sufficient time to carry them out, to guarantee that the reports will be given the necessary attention.

Independence

Independence

The investigation of concerns should be conducted by an individual in the organisation that is not connected with the incident reported, to avoid bottlenecks and conflicts of interest, while external independent advice can also complement the investigation process.38 When complaints are raised involving the leadership of the company, an independent board committee should be established to enable a conflict-free assessment.

Follow-up

Follow-up and feedback

To help build credibility and trust in the efficiency of the investigation process, it is essential that employees who raise concerns receive an appropriate response. Whistleblowers should be able to monitor the status of their complaints and receive appropriate feedback from the organisation throughout and at the end of the investigation process, regardless of the outcome.

Good practice

Data on reports received

Eni is an Italian multinational oil and gas company that has faced several corruption allegations in the last few years.39 Each year, it discloses the number of whistleblowing reports received, based on the area (e.g. human resources, procurement) or potential human rights violation (e.g. workers’ rights, impacts on workplace health and safety, impacts on local communities) they relate to. The company also indicates the outcome of its investigations by the actions taken.40

Transparency on why and how whistleblowing mechanisms and processes have been established helps assess whether these are in place to tick a box, or because these mechanisms are of fundamental importance to the company. Existence of controversies and low willingness to elaborate and disclose [those] to investors remain crucial red flags.

— Sondre Myge Haugland, Skagen Funds

Communication and training

Companies must disseminate information around whistleblowing mechanisms to all employees. According to a global survey conducted by Freshfields Bruckhaus Deringer, a quarter of respondents said that although their organisation had a whistleblowing procedure, it had not been publicised – clearly indicating that companies could do a better job in promoting these arrangements.

Targeted campaigns adapted for different regions can showcase how to access the right channels and make a report. Communicating internally in a positive way, for example by highlighting improvements made as a result of concerns raised, can be a useful tool to improve confidence in reporting mechanisms and foster a safe environment to raise concerns.

Training is a key aspect of efficient whistleblowing mechanisms – having policies and processes in place does not guarantee that they will be used. Companies should provide formal training programmes to leadership, employees and third parties, covering what types of concerns can be raised, the means and channels to do so, and the level of information required to enable an investigation.

Individuals with managerial responsibilities should also receive training on how to respond to concerns and what steps should be taken to escalate them appropriately. That is already a requirement for companies regulated by the FCA and the Prudential Regulation Authority in the United Kingdom. 41

Whistleblowers should be adequately supported by managers. They should also feel listened to if they choose to flag an issue to a direct supervisor instead of using a hotline – as 28% of employees do, according to a study by the Association of Certified Fraud Examiners, compared to 14% who turn to the fraud investigation team and 12% who report to an internal audit team.

Good practice

ISO 37002

The International Organisation for Standardisation is developing voluntary guidelines on whistleblowing management systems, which are scheduled to be published in 2021. ISO 37002 will be based on the principles of trust, impartiality and protection, and will provide guidance on the development and implementation of effective and responsive whistleblowing systems. The standards – applicable to public and private organisations of all sizes and in all sectors – will also cover the evaluation, maintenance and improvement of such systems, aiming to bring more credibility and structure to systems for handling complaints.

Red flag

Lack of training on reporting

Training employees on the use of whistleblowing systems can be crucial for detecting wrongdoing, and the absence of training should be considered a red flag by investors. The Association of Certified Fraud Examiners found that training increases the likelihood of fraud detection through the use of reporting mechanisms – 48% of cases were discovered through whistleblowing channels compared to 36% when training was not given. Additionally, reports are more likely to be submitted through mechanisms that employees have been trained to use – 56% compared to 37% where training on a reporting channel was not provided.

Disclosure expectations and engagement questions

Public disclosure around whistleblowing, or a lack thereof, can provide valuable insights into a company’s speakup culture. Based on our research and interviews with a range of stakeholders and experts, we outline a set of disclosure expectations to help investors assess companies’ whistleblowing mechanisms.

These cover basic elements, such as having a publicly available whistleblowing policy, and more ambitious aspects, such as disclosure of performance indicators on whistleblowing, across the following areas:

  • Governance and oversight
  • Policies and commitments
  • Systems and processes

Disclosure is only part of the puzzle and insights on actual implementation might be hard to gain by relying only on publicly available information. Investors should therefore be mindful of the context and data provided by a company. They should also be aware of language which shows that the company is focused on building a healthy culture and speak-up environment (rather than having a narrow focus on compliance).

Further engagement should be considered necessary when public disclosure does not provide enough evidence or comfort around the adoption and implementation of whistleblowing arrangements, such as not having a policy, not guaranteeing anonymity, not making a commitment against retaliation or having few or no reports with no additional context.

In addition, further engagement could be triggered when other red flags are identified – for example, controversies related to whistleblowers or a lack of disclosure on board oversight.

To support investors in their engagement efforts, we have outlined a menu of potential questions for each theme that can be directed at the board members and senior management of investee companies as applicable.

The quality of the answers provided to these questions can enable investors to identify areas where they should push for improvements on whistleblowing mechanisms, while challenging the board and senior management to encourage companies to adopt better practices and more ambitious agendas.

DISCLOSURE EXPECTATIONSQUESTIONS FOR FURTHER ENGAGEMENT
GOVERNANCE AND OVERSIGHT
  • Disclosure of board-level accountability for oversight of whistleblowing.
  • Regular board review of whistleblowing mechanisms and their effectiveness.
  • Information on regular reports of whistleblowing data received by senior management and the board. Reports should include:
    • the type of issues raised;
    • where they arise;
    • how they are resolved; and
    • the number of warnings or dismissals associated with the complaint
  • Information on complaints that have been or may be communicated to the board directly (i.e. at a disaggregated level).
  • Disclosure of performance indicators on whistleblowing
  • In the last few years, has the board been made aware of ethical violations within the organisation?
  • What is the role of senior management, including the CEO, in shaping a speak-up culture?
  • When was the last time that the board reviewed the company’s whistleblowing mechanisms and what actions were taken?
  • How does the assessment of whistleblowing performance indicators inform the company’s risk management strategy?
COLLABORATIVE INITIATIVEQUESTIONS FOR FURTHER ENGAGEMENT
POLICIES AND COMMITMENTS
  • A publicly available whistleblowing policy as a standalone document or in the code of conduct / code of ethics
  • A commitment to protect whistleblowers from retaliation.
  • Mechanisms for protection/non-retaliation for whistleblowers, independent of good-faith considerations
  • Comprehensive information on the scope of policies:
    • the type of reports that can be made;
    • by whom; and
    • in respect of what.
  • What are the actions/mechanisms in place to foster a speak-up culture?
  • What was the rationale for the implementation of whistleblowing mechanisms?
  • How are employees assured that they will not suffer any reprisals for raising a concern?
  • How are employees made aware of the scope of the policy?
  • Do you have remediation policies for reporters who suffer reprisals or other detrimental impacts? Could you provide an example of this being applied?
SYSTEMS AND PROCESSES
  • Disclosure of whistleblowing channels employed by the company and, where applicable, the role of an independent third party.
  • Confirmation that reporting channels offer anonymity and confidentiality, multiple access points, multi-lingual capabilities and 24/7 availability.
  • Assurance that all relevant parties (including contractors and suppliers) can use the channels.
  • Disclosure of the party responsible for receiving and managing the reports (i.e. department or function in charge of the investigation process).
  • An overview of how the escalation process works and information on whether there is a different procedure for reports involving senior executives and board members.
  • Publicly available information on the number of reports received, types/areas of concerns reported and outcomes – including whether issues raised have been resolved or are still under investigation.
  • Disclosure of the feedback process for whistleblowers.
  • The existence of formal training programmes, including information on:
    • their communication, dissemination and review;
    • their uptake; and
    • specific training for those in managerial positions to receive complaints.
  • Do you expect the same level of effectiveness in whistleblowing processes across multiple jurisdictions where you operate? If not, what are the differentiating factors and how do you plan to remedy this?
  • Do the people tasked with managing incoming reports have the authority and resources to do so?
  • Have you ever had a report made to a regulator/ external body and how was this addressed?
  • How long does an average investigation last? Can you provide examples?
  • Has the company ever taken disciplinary action against anyone found to have retaliated against a whistleblower?
  • [When the company has operations in several regions] How are the cultural differences integrated into training programmes
  • Does the company use the outcomes of whistleblowing reports as a learning tool and, if yes, how does that feed into training?

Next steps for investors

To successfully undertake stewardship activities on whistleblowing, investors should start by:

  • defining minimum expectations for investee companies globally, as well as further expectations by region, sector and size;
  • establishing a set of red flags that would trigger further engagement; and
  • where necessary, requesting expanded data sets from ESG research providers covering performance indicators on whistleblowing, with appropriate assessment and weighting.

Investors should also form a clear escalation strategy, reflected in voting principles and actions, which they can then communicate to investee companies. For example, voting principles could indicate a requirement that all companies should have a publicly available whistleblowing policy, meeting a set of minimum requirements. If there is no such whistleblowing policy and the company has not engaged or made progress within one year of engagement, investors should vote against the relevant board director (e.g. the chair of the audit and risk committee).

Finally, to ensure that whistleblower protections are embedded into regulation and that there are clear frameworks for companies to follow, investors should also consider engaging with policy makers.42

Appendix A: examples of investor stewardship on whistleblowing

It is clear from our discussions with participants that a limited number of investors currently engage on corporate whistleblowing mechanisms. However, some examples are emerging – we hope these will encourage peer discussion on how to effectively engage with companies, and ultimately, lead to more engagements.

Robeco

Independent whistleblowing mechanisms in the banking sector

We have been engaging with banks since 2017 to improve their risk governance and culture, by asking them to:

  • provide staff with access to an independent whistleblower mechanism;
  • have clear disciplinary actions in the event of misconduct; and
  • be transparent about the number of incidents logged and resolved through the process.

We found that all banks in the engagement group have whistleblower mechanisms in place, but only a minority were transparent about the incidents being logged.

To demonstrate independence, we found that banks preferred the mechanism to be managed by an external party, but not all companies could provide evidence of an independent process. This was especially evident in one engagement case, where a bank’s senior executive attempted to identify a whistleblower in the organisation. This incident gave companies in the group the necessary impetus to review and improve their whistleblowing processes, including discussing these more openly with us and other investors.

Previ - caixa de previdência dos funcionários do banco do brasi

Integrity programmes in Brazilian companies

Our responsible investment strategy defines integrity (anti-corruption) as a specific pillar to be considered alongside environmental, social and governance factors when investing in any asset class.

Alongside other Brazilian PRI signatories, we are engaging companies on anti-corruption, to:

  • identify best practices in how Brazilian companies implement their integrity programmes;
  • improve the performance of participating companies; and
  • promote better market standards.

To prepare for the engagement, we developed a questionnaire to use during interviews with selected companies. It includes a dedicated section on the existence and operation of whistleblowing channels, as information obtained via these channels can help identify critical risks faced by companies.

Questions include:

  • Is it possible for employees to make whistleblowing reports anonymously?
  • Are whistleblowing reports received and managed by an independent third party?
  • How are the reports received?
  • Does the company have procedures for addressing irregularities promptly?
  • Are there mechanisms to ensure whistleblowers who act in good faith are protected/don’t face retaliation?
  • Is the whistleblowing process independent at all stages (receiving and analysing reports, investigating allegations and applying penalties)?

While the engagement is ongoing, the interviews so far have helped identify some best practices, such as the use of third parties to provide additional protections for whistleblower anonymity.

Futuregrowth asset management

Supporting whistleblowing in South Africa

South Africa has seen an increased prevalence of corporate governance failures, non-compliance, corruption and fraud in recent times. As an asset manager, we cannot ignore the impact that poor governance practices (including fraud and corruption) have on the long-term sustainable performance of companies, which ultimately affects our clients’ pension fund returns.

A key element in exposing and ultimately convicting those guilty of corruption is the role of whistleblowers and any measures intended to deal with corruption must include appropriate protections for them.

In 2016, we started engaging with six South African State-Owned Enterprises (SOEs) on several governance issues, including concerns related to the protection of whistleblowers. We publicly announced that we would suspend all new funding to them until we concluded our due diligence reviews.

During our reviews, we found that although South Africa has regulations in place concerning whistleblowers, the SOEs demonstrated several red flags, including not always having confidential whistleblowing mechanisms in place, lacking whistleblower protections and having poor reporting lines, where an Internal Audit department reported to the Chief Financial Officer, for example.

Based on our findings, we recommended that the SOE boards established social and ethics committees to support SOEs in applying codes of ethics throughout their organisations, and to monitor compliance with applicable policies, such as fraud detection and management, and whistleblowing.

Appendix B: regulatory landscape and recent legislation

Corporate scandals at the beginning of the century, such as Enron and WorldCom44, led to the establishment of laws to protect and encourage the reporting of illicit activities within the scope of public and private-sector employment relationships.

While these laws were initially often focused on financial services, amended or new regulations have broadened the scope across the sectors applicable, the types of people that can raise concerns and the types of reports that can be made, thus expanding the protection of whistleblowers.

Many instruments are sector agnostic, and companies must have whistleblowing mechanisms in place when they have more than a certain number of employees.

In addition to the actions of individual governments and regional blocs such as the EU (see Table 1 below), governments are increasingly working together to set expectations of how organisations should handle complaints and highlight the societal benefits of having proper mechanisms in place.

G20 leaders have also identified the protection of whistleblowers as a priority area in their global anticorruption agenda. As a result, a study conducted by the OECD described the main features of whistleblower protection frameworks in place in G20 countries and provided guiding principles and best practices to support the group in strengthening whistleblower protections.

The establishment of regulation mandating the protection of whistleblowers is critical, as many companies only seek to make a reporting channel feasible when they have a legal requirement to do so. Regulations also hold companies to account and reduce the burden on individuals to prove they have acted correctly.

REGIONLEGISLATION
AUSTRALIA

The 2001 Corporations Act consolidated the whistleblower protection regime for Australia’s corporate sectors. In 2019, the Treasury Laws Amendment (enhancing Whistleblower Protections) Act introduced several changes:45

  • Broader eligibility: more people are eligible to be whistleblowers and recipients of disclosures, including journalists and politicians.
  • Stronger protections: whistleblowers will be protected regardless of whether the reports were made in good faith.
  • Broader scope: concerns can go beyond criminal breaches, including breaches of tax law.
  • Stronger enforcement power: new penalties for employers who breach these protections.
BRAZIL

The Anticrime Law (12.964/2019) provides a set of protections and incentives to whistleblowers reporting criminal activity and administrative misconduct – Brazil did not previously have a legislative framework covering whistleblower protection.46 Protections include confidentiality, protection against retaliation, and immunity from civil and criminal liability. The law also offers a monetary reward to whistleblowers: 5% of what the government recovers from a case.

The law applies to reports concerning public corruption and fraud related to government procurement and contracts, government-owned companies, and government-funded programs, and to criminal activities and administrative misconduct harming what the law identifies as public interest

REGIONLEGISLATION
CHILE

Since 2009 companies are required to have effective reporting channels and must report to the Chilean financial regulator (La Comisión del Mercado Financiero) on how they are complying with corporate governance best practices.47

A recent report by PwC and ESE Business School de la Universidad de los Andes found that 96% of the companies analysed have implemented a formal procedure for staff to raise concerns, including allowing anonymous reporting. Nevertheless, there have been challenges in implementing this mechanism – a 2017 study from BH Compliance found that 97% of Chilean companies have not received any complaints, primarily due to a lack of incentive to report misconduct, as well as unfamiliarity with the reporting mechanisms and potential distrust of the investigation procedures.48

CHINA

In 2019 the Chinese government issued national guidance on a whistleblowing system49, including a mechanism to reward and protect those who report serious violations of laws/regulation and major risks. The financial regulator also announced interim provisions to encourage whistleblowers to report any activities that violate market supervision laws and regulations.50

EUROPE

In 2019, the EU adopted the Whistleblowing Directive to establish protections for whistleblowers and obligations for companies. Member states are required to transpose this into national law by December 2021.

The Directive requires the creation of secure channels for complaints within organisations – private or public – and to public authorities. It also provides whistleblowers with a high level of protection against retaliation, and national authorities will need to adequately inform citizens of the requirements and provide training to public officials on how to deal with complaints. The new rules have a broad scope and will cover reports on breaches of laws in areas such as public procurement, financial services, public health and consumer protection. Those protected by the new rules include anyone who could acquire information on breaches in a work-related context. e.g. employees, including civil servants at national/local level, volunteers and trainees, non-executive members and shareholders.51

JAPAN

The Whistleblower Protection Act was established in 2004. It was amended in 2020 to broaden the scope of whistleblower protections and ensure proper whistleblower systems within businesses.

The Tokyo Stock Exchange Corporate Governance Code, revised in 2018, requires companies to establish whistleblowing frameworks that allow employees to report misconduct and concerns without fear of retaliation. It also requires that boards should be responsible for implementing and overseeing this framework and that there should be a point of contact that is independent from the management, such as a panel of outside directors.

REGIONLEGISLATION
UK

Whistleblowing is regulated by the Public Interest Disclosure Act – PIDA (1998), the Employment Rights Act – ERA (1996) and the Enterprise and Regulatory Reform Act – ERRA (2013). ERRA extended protection to whistleblowers, independent of good faith, and broadened the scope of protection to workers.

The Financial Conduct Authority and the Prudential Regulation Authority, which regulate financial services firms and financial markets in the United Kingdom, have also established rules on whistleblowing policies and procedures. These are applicable to deposit-takers (banks, building societies, credit unions) with over £250m in assets, and to insurers subject to the Solvency II directive in the UK. They are also to be used as non-binding guidance for other regulated firms.

US

The first legislation covering whistleblowing in the US (the Civil Service Reform Act) was adopted in 1978 and was strengthened through the 2012 the Whistleblower Protection Act. Specific sectorlevel rules also protect whistleblowers, established through the Clean Air Act and the Food and Administration Modernization Act.

The US also provides the most substantial monetary awards to whistleblowers. Among the federal laws with whistleblower protection provisions that include monetary awards are:

  • The False Claims Act, referring to fraud and gross loss of public resources: Under this provision, whistleblowers can be rewarded for confidentially disclosing fraud that results in a financial loss to the federal government.
  • The Securities Exchange Act of 1934 (amended by the Dodd-Frank Act in 2010): Awards can be provided to individuals who come forward with high-quality information that leads the Securities Exchange Commission to enforce sanctions regarding fraud and illegal acts in the securities market.
  • The Internal Revenue Code (IRC): The American tax code allows for awards to eligible whistleblowers who provide the Internal Revenue Service with information about the underpayment of tax or other violations of the IRC.