Understanding the ISO Whistleblower Guidelines in five simple steps

The ISO 37002 – Whistleblower Management Systems – Guidelines (ISO Whistleblower Guidelines) are the first comprehensive guide for companies operating whistleblower management systems. If your programme meets the ISO Whistleblower Guidelines in all respects, you have a leading-edge system that meets the best international standards, and you should feel very comfortable that it is fit for purpose.

In ISO speak, ‘guidelines’ cannot be certified by an accredited body as having been met. There is currently no certification process for guidelines, although that may change at some stage in the future. What you can do, however, is engage a company to conduct a review and audit your programme against the ISO Whistleblower Guidelines to give you some comfort of compliance. Of course, it is always best to engage a reputable compliance expert that understands the ISO Standards and process. ETHIC Intelligence offers this service to clients globally.

What do the ISO Whistleblower Guidelines actually intend to do?

The ISO Whistleblower Guidelines provide advice to organisations for establishing, implementing, maintaining and improving a whistleblowing management system, with the following outcomes:

  • encouraging and facilitating reporting of wrongdoing
  • supporting and protecting whistleblowers and other interested parties
  • ensuring reports of wrongdoing are dealt with in a proper and timely manner
  • improving organisational culture and governance
  • reducing the risks of wrongdoing.

The ISO Whistleblower Guidelines assist organisations to create whistleblowing management systems based on the principles of trust, impartiality and protection. They are adaptable, and their use will vary with the size, nature, complexity and jurisdiction of the organisation’s activities. The ISO Whistleblower Guidelines can assist an organisation to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.

Five steps to understand the ISO Whistleblower Guidelines

1. Understand the ISO basics

Get your head around the way that ISO standards and guidelines work. They all have definitions at the front and then the substantive elements start at section 4. There are some unique words used in these guidelines and standards, so you might need to check the specialist ISO dictionary (available on the ISO website) to truly catch all the nuances.

Remember that guidelines are not certifiable, so you will see references to ‘should’ throughout them (‘you should do this’, ‘you should do that’), where in a certifiable standard the ISO tends to use the word ‘must’ (because it is mandatory and failure to do the item means you may not pass certification). This is really semantics, so assume that when it says ‘should’ in the guidelines, you need to do what it says to be in compliance.

2. Get moving with scoping, application and stakeholder reviews

As mentioned in step 1, most ISO standards and guidelines, including the ISO Whistleblower Guidelines, follow the same process and substantially start in section 4. This section supports people to scope out their programme: Does it apply to everyone? Does it apply to all subsidiaries? This is also the place where you work out which laws might apply to you. Are there specific laws in countries that require you to have certain things in place?

Section 4 requires you to establish, implement, maintain and continually improve a whistleblowing management system, including the processes needed and their interactions, in accordance with the guidance’s recommendations.

3. Get management and leadership involved and work out roles and responsibilities

Like all of the ISO standards and guidelines, the ISO Whistleblower Guidelines require you to have the right level of support from your organisation. If you do not have that support and buy-in, it will be very tough for you to run and operate a successful programme.

The ISO Whistleblower Guidelines discuss your support from the governing body (i.e. your board) and top management, and also the people that are going to be operating the whistleblower management system (whether that be HR, compliance, legal or some other group).

At this stage you will also be looking at the roles and responsibilities of all the key stakeholders and working out who is working on which area.

4. Build your whistleblower programme

Once you have the people sorted out and you have the scope of your programme, the next part of the ISO Whistleblower Guidelines will guide you on how to build the programme. There is a big focus on planning out the activities that you will be building. These plans must include how to set objectives for the programme and how to then measure those objectives. The ISO Whistleblower Guidelines – and indeed all ISO standards – are focused on measuring what you are doing against objectives, and you will see this constant focus.

You will also become familiar with the level of detail around the implementation. The ISO Whistleblower Guidelines will focus on you documenting and detailing actions: Who does it? When? How? What is the objective? How will it be done? How will it be tested against that objective?

5. Operate, support, measure and improve

Once the programme is in place, it is all about operation. Make sure that the right resources are in place to operate the programme. These people need to be properly trained and qualified, and must work according to the clear actions and objectives in the programme. Making people aware of the programme via communication and training is important and is a significant focus of the ISO Whistleblower Guidelines.

Of course, at some stage, you will actually receive whistleblower reports from users. The operational aspects will provide guidance on how to receive, triage and investigate the reports. The ISO Whistleblower Guidelines also discuss how to protect the reporter and not retaliate against them in any way.

The guidelines contain a large section on monitoring, measuring and improving the system that you have developed. There are obligations to audit the effectiveness of your programme to identify weaknesses or non-conformities.

Actions for teams that manage compliance reporting and programmes

For teams that already have established whistleblower or compliance reporting programmes, the ISO Whistleblower Guidelines are a great initiative to validate your work and to use as established best practice. We would recommend carrying out a gap analysis against your programme.

If you are new to the area and are looking for a blueprint by which to build your programme, the ISO Whistleblower Guidelines are an excellent process to follow.

How to learn more

The ISO Whistleblower Guidelines are available from ISO stores in each country. Check the ISO website for further details.

ETHIC Intelligence is offering courses on the ISO Whistleblower Guidelines, including how to implement them in your programme. We will also be offering solutions for companies to test their programmes against the ISO Whistleblower Guidelines and support annual check-ups and validation. For further details, please contact us here.