How does the EU Whistleblower Directive protect companies from reputational damage?

How to avoid reputational damage with a whistleblower protection system

According to a 2019 study by the University of Applied Sciences Graubünden, almost 40 percent of all companies are affected by unethical and illegal behavior, and the number of unreported cases is likely to be much higher.

With enormous economic consequences: Corruption and fraud cost companies an average of 10,000 to 100,000 euros, not to mention the damage to their reputation. The costs of introducing a whistleblower system therefore quickly pay for themselves.

How to proceed with the introduction

I would recommend the following steps:

1. Take the EU Whistleblower Directive seriously

First things first: Take the EU Whistleblower Directive seriously.

Yes, that sounds trivial.

However, unlike the GDPR of April 27, 2016, which regulated the use of personal data in a way that many European companies had already broadly complied with anyway, the EU Whistleblower Directive cannot be easily complied with.

This is all the more important as the introduction of a whistleblower system will be legally binding in Germany and the other member states as of December 17, 2021. This is already the case for companies with 50 or more employees and for municipalities with 10,000 or more inhabitants.

But this obligation is not an investment without a return for two reasons:

1. They can avoid reputational damage with such reporting points in the event of unethical and criminal behavior by employees. Because at least 72 percent of all whistleblowers first try to address the observed violations - whether against compliance regulations or laws - internally. Only if they are not listened to do they turn to the authorities or the public. With devastating consequences for the company. An open corporate culture and a functioning whistleblower system is therefore a worthwhile investment.
2. A series of studies shows that a strong whistleblower culture helps companies to be more financially successful in the long term. In this way, the costs that are naturally associated with setting up a whistleblower system are amortized.

For these reasons, you should not view the implementation of the Whistleblower Protection Act as a burdensome requirement, but rather as an opportunity to effectively protect your company from reputational damage and gain a financial advantage over your competitors.

2. Promote a culture of integrity in your company

It is well known that it is of little use to specify structures and processes that are not really supported by employees.

This is why it is essential for a functioning whistleblowing system that top management stands behind the system and establishes and promotes an open "culture of integrity" in the company. This strengthens employees with integrity in particular, who define harmful behavior such as fraud or misuse of company property as a personal no-go.

To this end, you should establish a culture in which all types of transgressions, from interpersonal misconduct to fraudulent acts, can be reported without fear. This includes ensuring that violations are appropriately sanctioned and trigger follow-up measures.

In this way, you promote the goal of a whistleblower system to protect whistleblowers from reprisals. And establish the culture that is necessary for the success of the system.

3. Implement a digital whistleblower system

Although the EU Whistleblower Directive provides for three variants of its implementation, namely the establishment

• of a channel to report infringements by post or e-mail,
• a telephone hotline, free of charge for the caller, or
• the possibility of meeting in person with a representative of the company.

But with these channels, paradoxically, it becomes difficult to meet the legal standard.

The basic problem remains the lack of anonymity: postal items or emails are easy to trace, a telephone hotline does not guarantee anonymity, and the meeting can be associated with a high level of personal risk.

But there are even more problems: Letters and emails make it difficult to exchange documents securely, and language skills can be a problem on an international level. A telephone hotline makes it practically impossible to submit evidence, is not staffed 24 hours a day and may also pose a language problem. A legal ombudsman is not available internationally and is tied up with deadlines.

This means that only a digital whistleblowing system effortlessly and cost-effectively meets all the requirements of the EU Directive on data security and whistleblower protection 100 percent and still offers the opportunity to enter into a dialog with the whistleblower and, if necessary, ask follow-up questions.

This means that only a digital whistleblowing system effortlessly and cost-effectively meets all the requirements of the EU Directive on data security and whistleblower protection 100 percent.

4. Define processes for handling whistleblowing

The EU Directive provides, among other things, for the reporting system

• that the reporting person receives a confirmation of receipt of the report within seven days,
• that they are informed of the status of the report within three months, and
• that the four-eyes principle is strictly adhered to during processing.

This is another reason why you should have already defined the processes for handling incoming reports before you start implementing the whistleblowing system. This includes at least the following:

• a description of the actual processing steps,
• a definition of access rights and escalation levels and
• training the responsible employees in how to use the system.

As part of the process definition, you should also be sure

• to set up a reporting office upstream of the company.

The involvement of an external and therefore neutral reporting office in the processing of reports has the advantage that the company is not directly involved in the evaluation of incoming reports and the subsequent legal assessment and formulation of recommendations for action. In this way, the company is immune to any suspicion.

5. Always involve all stakeholders

When implementing a whistleblower protection system, there are first of all technical hurdles to overcome. However, there is also the management task of involving all employees in the organization during the introduction and convincing them of the benefits of the system.

You should expect that individual employees or members of the works council will sometimes be sceptical about a whistleblower system. If the purpose of the system, to protect whistleblowers or to uncover fraudulent acts and other transgressions, is not completely clear, it is easy to consider it a form of organized denunciation.

To counter such reservations, you should therefore involve central stakeholders at an early stage. This includes not only management or its first and second management levels, but also employee representatives, the data protection officer and strategically important departments such as HR or IT.

One tool can be company-wide workshops in which employees are sensitized to the fact that whistleblowers are not nest polluters, but contribute to this,

• exposing fraudulent actions and criminal acts and
• preserving the ethical and moral values of the corporate culture.

Both affect the continued existence of the company and are therefore in the employees' own interests.

6. Plan the implementation in subsidiaries and foreign companies

If your company has a more complex structure, you should plan the integration of subsidiaries from the outset - especially since with a digital reporting system, every wholly owned subsidiary can be integrated with relatively little effort.

Local languages are not an obstacle. After all, any language can be integrated into a digital whistleblowing system. However, the focus should always be on the most important company languages and locations.

However, the measures used to establish the structures and processes can only be successful if they are supported by the company culture. Therefore, you should again make sure to sensitize managers and key employees to the objectives of the whistleblowing system.

This also has the significant additional benefit that a culture of integrity can be established, so to speak, especially in foreign subsidiaries, where many violations are seen as trivial offenses in their culture.

7. Communicate the roll-out of the whistleblowing system comprehensively

After an internal test of the whistleblowing system and receipt of a test report by the designated processors, nothing stands in the way of an official roll-out.

The roll-out should be accompanied by an information campaign that pursues two goals: to communicate the purpose of the whistleblowing system and to place access.

Communicating the purpose

In order to communicate the purpose of the whistleblowing system, the purpose should be made clear in a concise message that summarizes the most important points:

• that whistleblowing is something fundamentally positive,

• that unethical/criminal behavior/conduct

  is something fundamentally positive.

• that this serves the continued existence of the company and is therefore in the interests of the employees.

In order to convince effectively, not only the message or the content should be tailored to the stakeholders who were involved in the planning. Rather, the manner of communication must also be aligned with them.

The latter includes, above all, target group-specific adaptation. Here, culture-specific communication methods must be taken into account. This is particularly important for foreign companies, and all the more so the further away the subsidiary's culture is from your company's headquarters.

Placing access

The other aim of the information campaign is to make access to the reporting system as well-known and simple as possible. Care should be taken to ensure that potential whistleblowers can easily find access, especially by placing the link prominently in all relevant places.

These include

• the Code of Conduct,
• the intranet,
• the company website and,

not to forget,

• all supplier platforms.

In addition, you should not only use digital channels: For example, you should also use notices in places where many employees often spend time, such as canteens, break rooms, changing rooms, leisure facilities, etc.

8. Subject the whistleblowing system to regular audits

Finally, you should integrate the whistleblowing system into your company's quality management and carry out regular internal audits, the results of which you can use to specify the regulations and follow-up measures, close process gaps and optimize procedures.

You can only reduce the reputational risks for your company to a minimum if your whistleblowing system works as intended.

After all, the system will only have its deterrent effect if employees or suppliers who are tempted to cross the line into unethical or fraudulent behavior are informed.

On the other hand, only a reliably implemented whistleblowing system is an early warning system for impending reputational damage. After all, the easier it is to submit reports and the more protected they are from reprisals, the less likely it is that grievances will leak out. As a result, reporting channels make an important contribution to protecting against reputational damage as well as fines and other sanctions from the authorities.

And if you are ever affected by the worst-case scenario, it will certainly go more smoothly than without a whistleblowing system.