CHAPTER 7: BLOWING THE WHISTLE

ISO 37001 talks about raising concerns, or ‘whistle-blowing’ as it is more commonly known.

Whistle-blowing has been in the media recently, where it has been suggested that even when genuine concerns are reported, the whistle-blowers receive little or no thanks and may even face allegations themselves or be ostracised.

This guide cannot change the world but it does explain how an effective whistle-blowing process can be established. Whistle-blowing is like many aspects of an ABMS, where top management really do need to lead from the top. The organisational culture needs to be one where malpractice and wrongdoing are not accepted at any level.

Whistle-blowing is a much wider issue than bribery and corruption. For example, whistle-blowing often relates to HR and security issues: allegations of bullying and victimisation, allegations of misuse of company time, and allegations of fraud or theft of physical property. Similar allegations can also be made against contractors or customers’ representatives.

Allegations might purely relate to non-adherence to internal procedures that have no external or legal bearing whatsoever.

Whistle-blowing can generate a mixed bag of investigative strands and there needs to be clear management responsibility for who investigates what. Investigations are covered in the next chapter.

Whistle-blowing processes have been with some organisations for a very long time. However, in the UK there was little or no legal need for them until the Bribery Act 2010 came into force, and the Ministry of Justice recommended that whistle-blowing hotlines be part of the ‘adequate procedures’ for protecting against bribery, outlined in Section 7 of the Bribery Act. This section introduced the offence of failure to prevent bribery. Businesses that either must follow or voluntarily accept the US Sarbanes-Oxley requirements also need to have whistle-blowing hotlines. It is also a requirement of ISO 37001.

What is a hotline?

Initially, whistle-blowing is confidential to protect the whistle-blower, to protect the individual(s) whom the allegations are being made against and to protect the reputation of the organisation itself. Confidentiality also protects any other stakeholders involved, including customers, from mistaken or malicious allegations. If the allegations relate to criminal activity, then further evidence may be needed, and the perpetrators should not be put on notice that their activities have been reported.

Most whistle-blowing hotlines will be telephone-based services but may also be web or email based. There are obvious data protection issues and a risk that individuals will be tipped off that allegations have been made against them. Some organisations would say that none of their senior staff would ever tip off friends in the organisation, but with an ABMS the concept of trust is different and needs to be seen as such.

In any event, those who receive the whistle-blower’s information are at risk of suspicion if there were any subsequent leaks, even if they did not instigate them. Someone could also be whistle-blowing in the contractor’s or customer’s organisation, and if their investigations emerge at a later date then allegations of tip-offs might also arise from these external sources.

All these factors lead to why many organisations now use outside security or HR companies to manage their whistle-blowing hotlines, which only report to a few very senior individuals within the organisation. Sometimes the same company will carry out investigations directly or give advice on their ongoing management, especially if there is police involvement, or if contractors or customers need to be contacted. Sometimes a skilled outsider will manage the initial contacts better than those with much invested in the relationship already.

With ISO 37001, it is typically the compliance manager who is the point of contact with the security company, but it could be directly to the chairman or chief executive where there are allegations of fraud or bribery. With HR-related issues, such as allegations of bullying, these would probably go to the HR director in the first instance. However, all allegations should be fully examined and any patterns of conduct discerned.

For example, there may be an allegation of bullying that then develops into an allegation of, say, the individual suggesting that their line manager is bullying them because they have become aware of that manager’s corrupt behaviour. There is a case to be made for ensuring that all allegations come into one central point until the full extent of any emerging issues is known.

As part of the management review process, trends and outcomes of whistle-blowing should be reported for data protection and confidentiality reasons, although ongoing investigations would not be discussed. The security company’s reliability, service levels and consistency of ongoing advice should be monitored like any other contractor.

The issue of what should happen with whistle-blowers who make malicious or otherwise unfounded allegations is complex. If an organisation wants to avoid dealing with an issue, it is very simple to say the whistle-blower had an axe to grind or had a history of unsatisfactory performance.

Genuine misunderstandings can arise and, of course, at all levels of management there may be varying degrees of personal friction between direct reports and their line management, which may have coloured perceptions of events. Many organisations prefer to believe their own publicity material about being ‘one big happy team’ but it is not always as simple as that. To pretend otherwise is to create bigger problems at a later date.

The guiding principle should be to investigate the allegation first and then come to a determination, rather than to automatically believe or doubt the whistle-blower. If this isn’t done, you end up investigating a whistle-blower before the allegation. The exception might be when a preliminary investigation suggests that the allegation has a different primary motivation.

A genuine whistle-blowing allegation should always be actioned. Whistle-blowing is sometimes about comparatively mundane issues.

Apparent dishonesty by contractor or customer representatives can be especially tricky to deal with. If you don’t inform on your customer then it may be later alleged that you were colluding with them, which may mean police involvement. Whistle-blowing often means that proper legal advice has to be taken before deciding how to proceed.

If it is discovered that the allegation was malicious, then that is likely to be dealt with as a disciplinary matter.

Where an allegation was genuinely made but found to be without foundation or there was insufficient evidence, then that is more difficult. HR policy and individual circumstances may dictate what needs to be done. Mistrust between individuals is often indicative of interpersonal barriers or wider business challenges that need to be managed by the organisation. Being an ostrich on such matters could simply set up deeper challenges later.

ISO 37001 expects it to be a disciplinary offence to retaliate against someone who raises a concern in good faith.

This should be clearly outlined as part of your corporate ethics and whistle-blowing policy: whistle-blowers will not be retaliated against (not fired, demoted, receive a worse performance report, etc.) for truthfully reporting misconduct. Management must firmly adopt this philosophy towards whistle-blowers, who might otherwise be unpopular within the organisation.

Whistle-blowing can be a powerful, if unwelcome, tool in an organisation. Yet welcome it should be. Its purpose is to improve controls and show continual improvement – the organisation and its future are always bigger than individual miscreants who may be highlighted through the whistle-blowing process.
