Developing Roadmaps and Frameworks based on the new ISO 37002 and the impact of the recent ISO 37301 on compliance management systems
Organizational Factors: The Role of Ethical Culture and Relationships
The critical understanding of the health of corporate ethics and compliance programs
09:40 – 10:00
Whistleblower and Sarbanes-Oxley Act: Mandates for “whistle-blower protection.”
Code of conduct, oversight reporting and monitoring of compliance
10:00 – 10:30
Confidentiality and protection of the identity of the whistle-blower.
Network for receiving reports that ensures the privacy of the whistle-blower and prevents access by non-authorised persons.
10:35 – 10:55
Introduction to the implementation and the scope of the EU directive components
11:00 – 11:30
Response times: Establish procedures to follow up the report, with acknowledgement within seven days
11:35 – 11:55
Independent receiver(s) with the competence to follow up and communicate
12:00 – 12:30
Due Diligence: Thorough follow-up within a reasonable timeframe to provide feedback to stakeholders
12:30 – 13:00
Communication: Establish the conditions and procedures for disclosing the results and inform the oversight authorities.
13:00 – 13:30
GDPR compliance: Processing of personal data must be carried out in compliance with the GDPR.
13:35 – 13:55
Record keeping: Companies must document each report received and ensure compliance, confidentiality, transparency and accountability.
14:00 – 14:30
Deletion: Personal data must be disposed of in accordance with the GDPR and other relevant mandates.
14:35 – 14:55
Procedures for internal reporting and whistleblower management
15:00 – 15:30
Overcoming challenges in implementing the requirements of the Directive
15:35 – 15:55
Developing Roadmaps and Frameworks based on the new ISO 37002 and the impact of the recent ISO 37301 on compliance management systems
16:00 – 16:30
Whistleblower Current Legal Landscape Around the World
Protections and rewards for whistleblowers vary widely around the world
16:30 –
Whistleblower Online Certification Exam
5. ISO 37000 > Governance of organizations (Q3 2021, high level structure)
ISO 37301:2021 > Compliance management systems
ISO 37002 > Whistleblowing management systems (Q4 2021)
6. The missing relatives
ISO 10002:2018 > Quality management, customer satisfaction, guidelines for complaints handling in organizations
8. ISO 37000 Draft
Governance of organizations
Whistleblowing as a channel of information
The governing body should ensure
• its controls and internal and external assurance
• its process to receive, assess, monitor and react
9. ISO 37301:2021
Management system
• Organization to meet compliance objectives
• Interaction with internal and external parties
• Policies, procedures, people, platform
• Governance of tasks and controls to document
10. ISO 37301:2021
Compliance management systems
Whistleblowing as a requirement to raise concerns
The governing body should
• consider anonymity or confidentiality
• cover the reporting and guidance
• communicate to employees and agents
• prevent fear of retaliation
11. ISO 37301:2021
Requirements for investigations
• for allegations and misconduct suspicions
• by employees and third-parties
• policies for investigation protocol, disciplinary
actions and addressing remediation measures
• independent and complete
• escalation of the reporting of findings
12. ISO 37301:2021
Requires identifying root causes of non-compliances
• extent and impact
• pervasiveness of internal controls
• number and level of the personnel involved
• duration
• frequency
13. ISO 37301:2021
Requires incorporating data and trends from whistleblowing channels in assessing the effectiveness of the compliance systems
• internal and external reporting (e.g. police)
• by source > employee, third parties
• emerging issues
15. ISO 37301:2021
Requires ensuring anti-retaliation controls
• Implement a leniency program
• Have an independent investigative team
• Prevent risks in the complaint ramifications
• Monitor peer pressure, bullying and exclusion
16. ISO 37301:2021
• Approve changes in work conditions
• Include the impact on family members
• Provide financial and emotional support
• Protect whistleblowers for 3 to 5 years
20. ISO 37002 wrongdoing
Harm to
• human rights
• environment
• public health and safety
• safe work-practices
• public interests
21. ISO 37002 wrongdoing
Action or omission
• unethical behavior
• fraud, and corruption
• breach of law
• breach of code of conduct or policy
22. ISO 37002 wrongdoing
• gross negligence
• discrimination, bullying and harassment
• unauthorized use of public funds
• abuse of authority
• conflict of interest
• gross waste or mismanagement
23. ISO 37002 whistleblowing
Reporting of wrongdoing by a whistleblower who has reasonable grounds to believe that the information reported is true at the time of reporting
25. ISO 37002 whistleblowing
• open > whistleblower identity and report disclosed
• confidential > whistleblower identity and report not disclosed until consent or legally required
• anonymous > whistleblower identity unknown
26. ISO 37002 whistleblowing
• confidential > incentive to increase reporting (reference 3/5 reports a year per 10k employees)
• better protocols and practices
• strong data security controls
27. ISO 37002 Step 1
Understand the context
• Public complaints from external stakeholders
• Past complaints from staff
• Non compliances and integrity breaches
• Past threats to whistleblowers
• Relationship with compliance systems
28. ISO 37002 Step 1
Scope
• Size
• Structure
• Locations
• Culture
• Staff needs
• Business model
• Associates
• Regulations
• Exposure to public interests
• Stakeholders' expectations
29. ISO 37002 Step 1
Who can report?
Past, current or future:
• Employees
• External parties
• Associated people
• Union representatives
30. ISO 37002 Step 2
Plan objectives for whistleblowing
• Assess compliance risks > ISO 31000/37301
• Implement and communicate the policy with given principles and responsibilities
• Monitor by top management
• Ask and receive information about the efficiency of the whistleblowing system
31. ISO 37002 Step 2
Data protection
• Identify who can manage and approve accesses > need-to-know and consent
• Implement security controls > enhanced controls on personal data
• Ensure data retention and rules for deletion
• Log activities
32. ISO 37002 Step 2
Policy
• Implement timely and comprehensive non-retaliation measures
• Enable and simplify the reporting
• Ensure the integrity and confidentiality
• Assess capabilities and resources
• Train employees and third parties
33. ISO 37002 Step 3
Acknowledge the report
• Provide a receipt to the whistleblower
• Cover all channels > emails, web, phone, app
• If decided, secure anonymity > do not capture IP addresses
• Ensure two-way anonymous exchanges
• Include the case of referrals
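The data-protection and acknowledgement controls listed under Step 2 and Step 3 (need-to-know access with logging of every attempt, retention and deletion rules, a receipt enabling two-way anonymous follow-up, no identity captured for anonymous reports) modelled in Python as an added example; this is not code from the slides or from ISO 37002, and the class, field and mode names are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

OPEN, CONFIDENTIAL, ANONYMOUS = "open", "confidential", "anonymous"  # report types, slide 25

@dataclass
class Report:
    mode: str
    summary: str
    reporter: object            # None for anonymous reports: identity is never recorded
    delete_after: float         # epoch seconds; retention and deletion rule, slide 31
    access_log: list = field(default_factory=list)

class IntakeChannel:
    """Constructed model of a reporting channel: receipts, need-to-know access, retention."""
    def __init__(self, authorised, retention_seconds):
        self.authorised = set(authorised)   # handlers allowed to see a reporter's identity
        self.retention = retention_seconds
        self.cases = {}                     # case_id -> Report
        self.tokens = {}                    # sha256(receipt) -> case_id; raw receipt never stored

    def receive(self, mode, summary, reporter, now):
        if mode == ANONYMOUS:
            reporter = None                 # drop identity; the channel must not log source IPs either
        case_id = "WB-" + secrets.token_hex(4)
        receipt = secrets.token_urlsafe(24) # shown once; enables two-way anonymous follow-up
        self.tokens[hashlib.sha256(receipt.encode()).hexdigest()] = case_id
        self.cases[case_id] = Report(mode, summary, reporter, now + self.retention)
        return case_id, receipt

    def follow_up(self, receipt):
        # Whistleblower checks status with the receipt alone; no identity is required.
        case_id = self.tokens.get(hashlib.sha256(receipt.encode()).hexdigest())
        return None if case_id is None else self.cases[case_id].summary

    def view_identity(self, case_id, user):
        rep = self.cases[case_id]
        rep.access_log.append((user, user in self.authorised))   # every attempt is logged
        if user not in self.authorised:
            raise PermissionError(f"{user} is not authorised for {case_id}")
        if rep.mode == CONFIDENTIAL:        # held, but not disclosed without consent or legal duty
            return "[withheld pending consent]"
        return rep.reporter

    def purge_expired(self, now):
        expired = [c for c, r in self.cases.items() if r.delete_after <= now]
        self.cases = {c: r for c, r in self.cases.items() if c not in expired}
        self.tokens = {h: c for h, c in self.tokens.items() if c in self.cases}
        return expired
```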
34. ISO 37002 Step 3
Acknowledge the report
• What > facts, impact, already reported
• Where > jurisdiction of wrongdoing
• When > past, ongoing, future
• Who > accused, may know, seniority levels
• How > evidence, submit documentation, risks for whistleblower or others
35. ISO 37002 Step 4
Decide what to do > triage
• Assess the impact of the potential wrongdoing on the whistleblower, staff, organization and stakeholders
• Categorize/prioritize to allocate resources
• Start preliminary measures such as protecting the whistleblower and the evidence
36. ISO 37002 Step 4
Assess if the case is
• reportable under the policy
• involving a criminal offence
• posing health, safety, operational continuity and reputational risks
• able to be corroborated > firsthand or hearsay
• reported previously
37. ISO 37002 Step 5
Address the report
• Execute the investigation protocol
• Coordinate with HR, legal, audit, finance, etc
• Contain the potential impact > suspend staff
• Involve external parties > forensic consultants
• Monitor the investigation
38. ISO 37002 Step 6
Conclude the report
• Facilitate the decision with recommendations
• Report to internal and external parties > whistleblower, law enforcement, regulators
• Identify lessons learned
39. ISO 37002 Step 6
Remediate vulnerabilities
• Take corrective actions to address causes of non-conformities
• Follow up the remediation plans
40. ISO 37002 Step 7
Audit the whistleblowing system
• Conduct regular internal audits to evaluate the system
• Verify the effective implementation
• Review the documentation against policies, objectives and controls
42. ISO 37002 Step 7
Improve the system
• Assess the suitability and adequacy
• Evaluate the impact of changes
• Ask for regular and consistent feedback
• Compare results against objectives
• Change the system with improvement opportunities
43. There are four types of employees
• those who would expose the truth,
• those who would suffer serious consequences for exposing the truth,
• those who would know the truth but keep it for their safety, and
• those who wouldn't stand for what is the truth
Two and Two Short
by Babak Anvari