Whistleblowing abuse reports are made when someone notices an organization’s operator doing something unethical, against regulations or even illegal inside or outside the organization. The purpose of the EU Whistleblowing Directive is to make reporting them as safe as possible for the whistleblower. The notifier can make the report completely anonymously. According to the EU’s Whistleblowing Directive, organizations will be required in the future to have a whistleblowing notification channel available to employees for whistleblowing abuse reports. In addition, all parties outside the organization must have a channel for reporting abuse. The Whistleblowing Directive also requires that an anonymous whistleblowing notification channel must be provided for reporting misconduct. If, however, the identity of the informant emerges from the abuse report, the directive protects this person from countermeasures. Organizations must define processes for monitoring, handling and investigating whistleblowing reports, and reserve the necessary resources for them. In addition, the whistleblower must respond within three months of submitting the report.
Who does the directive apply to?
- The directive, which enters into force in 2021, will apply:
- all municipalities and cities with more than 10,000 inhabitants, as well as
organizations with either more than 50 people or a turnover of more than 10 million.
The scope of the EU Whistleblowing Directive also automatically includes state administration, public law actors and all organizations in the financial services industry. The implementation of the anonymous notification channel has its own transition periods. An example case of abuse could be that the company’s accountant suspects that the finance manager may have made travel invoices for his own vacation trips, and disguised them as business trips. The accountant may be either an internal employee of the company, or he may belong to an external stakeholder group of the company, i.e. the accounting has been outsourced to an accounting firm. Accountants should have a safe channel to report misconduct or suspected misconduct, regardless of whether they belong to an internal or external stakeholder group, and also without fear of losing their job or having their contract terminated.
Whistleblowing with Granite Whistleblow?
An example whistleblower works at a nail factory and discovers abuse. He wants to bring it to the attention of the nail factory. There is a link on the nail factory’s website through which he can leave a notice. By clicking on the link, the notifier goes to Granite’s service and can enter the information on the notification form. It is possible to fill out the whistleblow form completely anonymously, or the informant can optionally provide his contact information and define the processing of his personal data in relation to the case. In this example case, the informant wants to remain anonymous. The form has a text field for describing the event and the option to leave attachments. After the notifier has recorded everything, he sends the notification for processing by clicking the send button. After sending, a new page opens confirming that the notification has been sent for processing. There is also a link and a PIN code on the page, with which the notifier can log in to the form again. With the help of the link and the code, the person can act in the direction of the handler anonymously, the form can be used to continue the conversation about the event.
How are whistleblowing reports handled?
The handler receives an e-mail message about the new announcement and can directly access the announcement using the link in the message. An e-mail about a new announcement can be sent to several people. The main form itself is divided into nine parts. The information in the notification includes the information recorded by the notifier. The processing section of the report contains the start date of the report, the title of the report, the handler field, the source of the report, where it is defined which channel the report came from, the appropriateness of the report, whether the report is justified or unjustified and the type of abuse, which can have several options, is assessed from one to three, and it has processing deadline. The fourth section is the so-called investigation memo section, which has a discussion field where you can add issues that occurred during the investigation. The recorder and the recording time are entered automatically in the discussion field, making it easy and effortless to take notes. In the action section, action forms are added, which define the necessary tasks and those who perform them for the investigation of the report. The persons involved in the investigation is also a form field, where you can enter the persons appearing in the investigation or the information of persons otherwise related to it on their own forms. In the External entities related to the investigation section, there is a similar form field where you can add the contact information of external entities to your own forms. In the risk management section, it is defined whether the abuse in question has been taken to the risk management processes for evaluation, and in addition, it is possible to justify why this has been done or why this has not been done. The notification status field defines the status of the investigation.
An example of the stages of the investigation
In this case, the first recipient and processor of the notification is the Researcher himself. The researcher reads the content of the notification and starts the actual processing of the notification. The researcher sets the date of the reading moment as the start date of the processing. After this, he gives the handling notification a descriptive title and defines himself as the handler for this matter. The source of the notification in this case is the notification channel. The notification could have come to the company’s attention through other means as well, and then a suitable selection would have been made from the menu. Based on the existing information, the researcher assesses that the notification is appropriate and requires further clarification.
The type of abuse is selected from the multiple-choice field, and several options can be selected for the field. The severity of the event is assessed on a scale of 1-3, from the mildest to the most serious. The deadline for processing is automatically set seven days after making the notification. The researcher defines the first procedure forms for the notification. Procedure forms are used to determine which procedures are to be performed and whose responsibility is assigned to perform them. In addition, a deadline is set by which the measures are to be completed. The researcher appoints the Foreman as the person responsible for the measures. The foreman receives a notification of the action from the form in his own e-mail and can thus start the necessary actions. After recording the procedure forms, the Researcher sends a message to the informant via an anonymous chat channel and waits for a reply.
In the best case, the conversation can be held in real time. The foreman reads in the e-mail that he has been defined as the responsible person for the action form and logs into Granite to view the information. The supervisor takes the measures under work and marks their status as in progress. The procedure forms have a discussion field that can be used for communication between the investigation team regarding a single procedure. In this case, the Foreman asks the Investigator if there is more detailed information about the incident. Next, the Investigator sends a message to the anonymous informant via the chat channel to find out more precisely the location of the incident, as well as the identifying marks of the person who was there. At this point, the notifier is interested in knowing whether his notification has been answered and goes to check the matter. To log in, he needs the link he saved and the pin code. The announcer answers the questions. The researcher has been waiting for a response from the notifier and is going to check the notification. The notifier has responded and the Investigator updates the information on the action form. At the same time, the Researcher thanks the informant for the information. The supervisor takes the steps and updates the step forms.
The foreman can see the manager’s updates to the action form in Granite. At the same time, the foreman updates the action forms as completed and records the information obtained in the actions. The investigation has revealed the vehicle and its driver, as well as the location of the incident. The investigator receives information about the execution of the measures. The investigator orders a new procedure for interviewing the driver and the Foreman to carry it out. The foreman performs the procedure and interviews the Driver. Ajo Mies says that he was there during a break and noticed a barrel in the field, which he then collected and delivered to the waste station. The researcher sees in Granite that the procedures have been carried out and goes to check their results. The researcher is naturally relieved to learn that the worst has been avoided and a reasonable explanation has been found for the events.