Developing Roadmaps and Frameworks based on the new ISO 37002 and the impact of the recent ISO 37301 on compliance management systems rganizational Factors: The Role of Ethical Culture and Relationships The critical understanding of the health of corporate ethics and compliance programs 09:40 – 10:00 Whistleblower and Sarbanes Oxley Act: Mandates for “whistle-blower protection.” Code-of-Conduct, Oversight Reporting and monitoring compliance 10:00 – 10:30 Confidentiality and protection of the identity of the whistle-blower. Network for receiving reports to ensure the privacy of the whistle-blower and prevent access to non-authorised persons. 10:35 – 10:55 Introduction to the implementation and the scope of the EU directive components 11:00 – 11:30 Response times: Establish procedures to follow-up the report within a seven-day acknowledgement 11:35 – 11:55 Independent receiver(s) with the competence to follow up and communicate 12:00 – 12:30 Due Diligence: Thorough follow-up within a reasonable timeframe to provide feedback to stakeholders 12:30 – 13:00 Communication: Establish the conditions and procedures for disclosing the results and inform the oversight authorities. 13:00 – 13:30 GDPR compliance: Processing of personal data must be carried out to comply with the GDPR. 13:35 – 13:55 Record keeping: Companies must document each report received and ensure compliance Confidentiality, transparency and accountability. 14:00 – 14:30 Deletion: Disposing of the privacy data must be deleted according to the GDPR and other relevant mandates in the right manner. 14:35 – 14:55 Procedures for internal reporting and whistleblower management 15:00 – 15:30 Overcoming challenges in implementing the requirements of the Directive 15:35 – 15:55 Developing Roadmaps and Frameworks based on the new ISO 373002 and the impact of the recent ISO 37301 on compliance management systems 16:00 – 16:30 Whistleblower Current Legal Landscape Around the World Protections and rewards for whistleblowers vary widely around the world 16:30 – Whistleblower Online Certification Exam

1. 2021 Global Whistleblowers Day
ISO 37002 Roadmap
Prof. Hernan Huwyler

2. The compliance think
tank in the Nordics
and beyond
Certifications Compliance Privacy InfoSec Risk

3. ISO 37301
First global
certifiable
standard

4. Improves
corporate
defense and
board buy-in

5. ISO 37000 > Governance of
organizations (Q3 2021, high level
structure)
ISO 37301:2021 > Compliance
management systems
37002 > Whistleblowing
management systems (Q4 2021)

6. The missing relatives
ISO 10002:2018 > Quality
management, customer
satisfaction, guidelines for
complaints handling in
organizations

7. The missing relatives
Disclosure 102-17 of the
Global Reporting Initiative>
Mechanisms for advice and
concerns about ethics

8. ISO 37000 Draft
Governance of organizations
Whistleblowing as a channel of information
The governing body should ensure
• its controls and internal and external assurance
• Its process to receive, assess, monitor and react

9. ISO 37301:2021
Management system
• Organization to meet compliance objectives
• Interration with internal and external parties
• Policies, procedures, people, platform
• Governance of tasks and controls to document

10. ISO 37301:2021
Compliance management systems
Whistleblowing as a requirement to raise concerns
The governing body should
• consider anonymity or confidentiality
• cover the reporting and guidance
• communicate to employees and agents
• prevent fear for retaliation

11. ISO 37301:2021
Requirements for investigations
• for allegations and misconduct suspicions
• by employees and third-parties
• policies for investigation protocol, disciplinary
actions and addressing remediation measures
• independent and complete
• escalation of the reporting of findings

12. ISO 37301:2021
Requires to identify root causes on non-
compliances
• extent and impact
• pervasiveness of internal controls
• number and level of the personnel involved
• duration
• frequency

13. ISO 37301:2021
Requires to incorporate data and trends of
whistleblowing channels in assessing the
effectiveness of the compliance systems
• internal and externa reporting (e.g. police)
• by source > employee, third parties
• emerging issues

14. ISO 37301:2021
Excludes
incentives for
reporting

15. ISO 37301:2021
Requires to ensure anti retaliation controls
• Implement a leniency program
• Have an independent investigative team
• Prevent risks in the complaint ramifications
• Monitor peer pressure, bullying and exclusion

16. ISO 37301:2021
• Approve changes in work conditions
• Include the impact on family members
• Provide financial and emotional support
• Protect whistleblowers from 3 to 5 years

17. ISO 37301:2021
Excludes
incentives for
reporting

18. ISO 37002 process
Assess
Address
Close
Report
Concerns

19. ISO 37002 wrongdoing
Current of past action
or omission causing
harm

20. ISO 37002 wrongdoing
Harm to
• human rights
• environment
• public health and safety
• safe work-practices
• public interests

21. ISO 37002 wrongdoing
Action or omission
• unethical behavior
• fraud, and corruption
• breach of law
• breach of code of conduct or
policy

22. ISO 37002 wrongdoing
• gross negligence
• discrimination, bullying and
harassment
• unauthorized use of public funds
• abuse of authority
• conflict of interest
• gross waste or mismanagement

23. ISO 37002 whistleblowing
Reporting of wrongdoing by
a whistleblower who has
reasonable grounds to
believe that the information
reported is true at the time of
reporting

24. ISO 37002 whistleblowing
Channels
• verbal
• in person
• in writing
• in electronic format
• in digital format

25. ISO 37002 whistleblowing
• open > whistleblower identity
and report disclosed
• confidential > whistleblower
identity and report not disclosed
until consent or legally required
• anonymous > whistleblower
identity unknown

26. ISO 37002 whistleblowing
• confidential >
• incentive to increase the
reporting (reference 3/5
reports a year per 10k
employees)
• better protocols and practices
• strong data security controls

27. ISO 37002 Step 1
Understand the context
• Public complaints from external stakeholders
• Past complaints from staff
• Non compliances and integrity breaches
• Past threats to whistleblowers
• Relationship with compliance systems

28. ISO 37002 Step 1
Scope
• Size
• Structure
• Locations
• Culture
• Staff needs
• Business model
• Associates
• Regulations
• Exposure to
public interests
• Stakeholders´
expectations

29. ISO 37002 Step 1
Who can report?
Past, current or future:
• Employees
• External parties
• Associated people
• Union representatives

30. ISO 37002 Step 2
Plan objectives for whistleblowing
• Assess compliance risks > ISO 31000/37301
• Implement and communicate the policy with
given principles, responsibilities
• Monitor by top management
• Ask and receive information about the
efficiency of the whistleblowing system

31. ISO 37002 Step 2
Data protection
• Identify who can manage and approve
accesses > need-to-known and consent
• Implement security controls > enhanced
controls on personal data
• Ensure data retention and rules for deletion
• Log activities

32. ISO 37002 Step 2
Policy
• Implement timely and comprehensive non
retaliation measures
• Enable and simplify the reporting
• Ensure the integrity and confidentiality
• Assess capabilities and resources
• Train employees and third parties

33. ISO 37002 Step 3
Acknowledge the report
• Provide a receipt to the whistleblower
• Cover all channels > emails, web, phone, app
• If decided, secure anonymity > no capture Ips
• Ensure two-way anonymous exchanges
• Include the case of referrals

34. ISO 37002 Step 3
Acknowledge the report
• What > facts, impact, already reported
• Where > jurisdiction of wrongdoing
• When > past, ongoing, future
• Who > accused, may know, seniority levels
• How > evidence, submit documentation, risks for
whistleblower or others

35. ISO 37002 Step 4
Decide what to do > triage
• Assess the impact of the potential wrongdoing
on the whistleblower, staff, organization and
stakeholders
• Categorize/prioritize to allocate resources
• Start preliminary measures such as protecting
the whistleblower and the evidence

36. ISO 37002 Step 4
Assess if the case is
• reportable under the policy
• involving a criminal offence
• posing health, safety, operational continuity and
reputational risks
• able to be corroborated > firsthand or hearsay
• reported previously

37. ISO 37002 Step 5
Address the report
• Execute the investigation protocol
• Coordinate with HR, legal, audit, finance, etc
• Contain the potential impact > suspend staff
• Involve external parties > forensic consultants
• Monitor the investigation

38. ISO 37002 Step 6
Conclude the report
• Facilitate the decision with recommendations
• Report to internal and external parties >
whistleblower, law enforcement, regulators
• Identify lessons learned

39. ISO 37002 Step 6
Remediate vulnerabilities
• Take corrective actions to address causes of
non-conformities
• Follow up the remediation plans

40. ISO 37002 Step 7
Audit the whistleblowing system
• Conduct regular internal audits to evaluate
the system
• Verify the effective implementation
• Review the documentation against policies,
objectives and controls

41. ISO 37002 Step 7
Audit the whistleblowing system
• Conduct regular internal audits to evaluate
the system
• Verify the effective implementation
• Review the documentation against policies,
objectives and controls

42. ISO 37002 Step 7
Improve the system
• Assess the suitability and adequacy
• Evaluate the impact of changes
• Ask for regular and consistent feedback
• Compare results against objectives
• Change the system with improvement
opportunities

43. There are four types of employees
• those who would expose the truth,
• those who would suffer serious
consequences for exposing the truth,
• those who would know the truth but kept it
for their safety, and
• those who wouldn´t stand for what is the
truth
Two and Two Short
by Babak Anvari

44. @hewyler
/hernanwyler
mydailyexecutive.blogspot.com