The EU Whistleblowing Directive is coming, are you ready?

What is whistleblowing?

It means that if a person notices or suspects abuse in the organization, he can, so to speak, report it by “blowing the whistle”. That is, for example, by telling your supervisor about it, or by giving information to the organization through such a notification channel. Misconduct can be, for example, criminal or unethical activity. It is human that people often think before raising such a matter that it will be bad for them if they tell about it? The new EU directive on the protection of whistleblowers aims to influence exactly this issue. In Finland as well as in the world, we have seen situations where the organization has tried to silence the whistleblower. One such example that was widely covered in different media was the Danske Bank money laundering scandal where the whistleblower told about his findings in the Estonian unit from inside the house. The organization had not really reacted to it in any way. If you think about the damage done to the organization, even 40 percent of the value of Danske Bank’s shares melted away at that point. The challenge in Finland is that we generally have a culture of silence. When we’re little, we’re often taught that the complaining goat poops. And that is somehow seen as a bad thing. This has also been studied in the Nordic Business Ethics Survey, where more than half of the respondents who had witnessed something criminal or unethical did not report it.

  • 20% of Finns said that if they notice a problem, it is none of their business.
  • Correspondingly, more than 20% said that it would not change anything.
  • More than 15% feel that they fear for their own position when they report wrongdoing.

That is, if there is a good culture in the organization, then the employees dare to raise grievances and it has a favorable effect on the entire business. The Council of Europe approved new regulations on the protection of whistleblowers in October 2019, which means that the directive should come into force nationally by the end of 2021.

EU Whistleblowing Directive

The ultimate purpose of the Whistleblowing Directive is to ensure that a person who reports a violation of EU law can be confident that he will not be subject to negative measures. What is meant by violations of EU law is an extremely broad definition. It includes, for example, the fight against corruption and fraud, public procurement and the prevention of money laundering. The Whistleblowing Directive starts from the fact that the possibility of anonymous reporting should be guaranteed. The whistleblower can also provide his information if he wishes, but it should be an optional option. The Whistleblowing Directive imposes a prohibition on countermeasures and a reversed burden of proof on employers. As individual withdrawals, it is taken into account that the rights according to the directive cannot be limited by contracts, for example in the loyalty clause of the employment contract. The employer is obliged to give an acknowledgment of receipt when such a notification has been received. In addition to that, feedback must be given to the whistleblower over a longer period of time about what kind of actions have been taken as a result of the report. The Whistleblowing Directive applies to people working in both the public and private sectors. The nature of the tasks is by no means decisive, i.e. the coverage is broad.

Who does the whistleblowing directive apply to?

  • Municipalities with more than ten thousand inhabitants,
  • organizations with at least 50 employees, and
  • companies with a turnover of more than ten million euros.

And in addition to these, the state administration, regional and provincial administration and other legal entities under public law.

Who is covered by the whistleblowing directive?

Current and former employees, also job seekers and self-employed persons, as well as persons belonging to the company’s shareholders and the company’s management bodies. The Whistleblowing Directive equally protects voluntary workers and unpaid interns, as well as from persons who work under the supervision and management of contractors, subcontractors and suppliers. In other words, the whistleblowing directive has guaranteed protection for a very large group of people. This should be taken into account when introducing whistleblowing notification channels.

Whistleblowing notifications – a threat or an opportunity?

The Whistleblowing Directive strongly protects whistleblowers. It also has enormous positive effects for organizations that implement a whistleblowing reporting channel. The American Association of Fraud Investigators ACFE investigates real-life abuse cases very comprehensively every two years. From there, the “Report to Nations” report comes out. The 2018 report tells us that more than 40% of abuse cases in the USA are revealed with the help of a tip. According to the study, organizations that have a whistleblowing notification channel for suspected abuse in use survived with half the damage. This is perhaps also due to the fact that they have received significant information about what happened earlier in order to be able to intervene. Organizations employing less than a hundred people typically suffer almost twice as much damage compared to larger organizations in cases of abuse. The reason why bigger damages are suffered in smaller organizations is that there are generally weaker internal controls. In other words, the importance of the tip has also been emphasized through the fact that the organization can be informed about its possible risks of being exposed to abuses before anything more catastrophic than this has happened. That is, if, for example, the reporting channel receives information about unethical activity, which is however not criminal, then the organization can improve controls and especially continue staff training in a more targeted manner.

The directive imposes many obligations on organizations

The Whistleblowing Directive itself imposes many other obligations on organizations. Employees should know about it. A large part of the notifications come from employees and from within the organization, but an equally significant part comes from various external factors, which can be customers, suppliers and former employees. The company should therefore consider whether to open up the channel to people other than employees. Staff training as a one-time training is not sufficient, but it should be made repetitive. The staff must be reminded of its existence, as well as review the common rules of the game and remind them that reporting is an obligation. Especially in the Nordic countries, there is a lot of trust in others. We trust that everyone understands how to act correctly and everyone understands where the line between right and wrong is. The employer’s responsibility is to guide the development of people’s perception and to encourage them to boldly intervene if they notice something. The whistleblower must truly trust that the information he gives will be processed in such a way that it is not possible for him to be exposed if he does not want it.

How do we make sure that the notifications are genuinely followed and that they are reacted to?

If notifications are received, they must be processed without delay. The announcements tell a lot about where the training should be targeted. Do the announcements fall into the category that has been predicted? Regarding the investigation process, you should think about whether the organization itself has the resources to investigate reports? Is the know-how available in-house, can it be done truly independently and professionally, or does it need outside help? When a more significant abuse is revealed to the organization, it is often the site of a major crisis. At that point, the resources should be made available quickly to start the investigation work. The companies should think about this in advance. Information about the follow-up action must be given to the notifier within three months of receiving the notification. So the matter cannot be left lying on the table, but measures must be taken and the reports must be investigated. In addition to this, the directive obliges the notifier to receive a notification of receipt within seven days of receiving the notification. The investigation process is the employer’s protection if there are claims, for example, that the employer has taken some countermeasures against the notifier. Countermeasures can be, for example, that one has been fired or dismissed, has been transferred to a lower job position, or has been intimidated or bullied in some other way. This is where the employer has a reversed burden of proof that reporting this is in no way the reason for such actions or that the person does not have not been promoted within the normal process, for example. In this sense, an independent, professional investigation process is what is needed.

The operation of the whistleblow notification channel in practice

Let’s imagine a situation like this, for example, Kiista-Kaisa, a summer assistant at Sirkka-Liisan Saha, is surprised when she notices that the shift manager seems to be wheeling an aspen panel sawn to size from time to time without making any kind of written note about it, which is Sirkka-Liisan Saha’s official operating principle. As a vigilant citizen, Kiista- Kaisa decides to take it upon herself to make a whistleblow, i.e. a report of abuse, in accordance with the instructions, and she uses the Granite Whistleblow tool used in the organization to do so. Using either a link created on the website or a QR code, Kiista can open the abuse report form, in which she records her observation. In Granite’s Whistleblow tool, the report doing so does not require separate credentials or logging into the system, and it can be done on any terminal device. By retrieving the unique link and PIN code, Kiista can complete its answers to possible future questions and then read the feedback it received from the handler. He receives an anonymous whistleblowing notification in his email. Following his organization’s process, he records the necessary information in the system and evaluates whether this notification is justified or not. In the discussion field section of the notification, he leaves an acknowledgment of receipt for the anonymous notifier, and if he feels it is appropriate, he requests more detailed information. Granite Whistleblow does not store any identifiable information about the whistleblower, and even with the root user role, it is not possible to dig them out of the system. You will then give these additional details about the Dispute in your own head if you consider them appropriate, but read the acknowledgment of receipt nonetheless.