ISO 37002:2021 Whistleblowing management systems
Introduction to whistleblowing
Nelson Mandela once said, “We can change the world and make it a better place. It is in your hands to make a difference.”
James Thomas Webb, a former employee of The Boeing Company, decided to make a difference by blowing the whistle on the wrongdoing he witnessed in the organization. Mr. Webb reported that The Boeing Company violated the terms of a defense contract by improperly charging the United States (US) government for aircraft maintenance. Mr. Webb alleged that the company’s mechanics were being paid for lunch breaks and other extended breaks — a condition which was not included in the contract. Mr. Webb won the case and was awarded $3 million, while The Boeing Company paid $18 million to the US government to settle these allegations¹.
Another similar case was when a former employee of MB2 Dental Solutions reported the company for falsely claiming that it provided pediatric dental services, among other wrongdoings. In the end, MB2 Dental Solutions and 21 affiliated pediatric dental practices agreed to pay $8.45 million to resolve allegations that they violated the False Claims Act. The whistleblower also received a share of the recovered money².
Individuals who disclose any information on unethical and illegal practices within their organization, such as fraud, corruption, and abuse of power, are called whistleblowers.
Whistleblowing can be internal, i.e., an employee reports wrongdoing using the reporting channels within the organization, or external, i.e., an employee reports wrongdoing to parties outside the organization. Research shows that employees are the primary source of fraud exposure³. By reporting wrongdoing, they protect the customer’s interest and may save organizations a lot of money by preventing further losses.
However, people still hesitate to expose fraud and other wrongdoings because of the challenges they may face when doing so. Common factors that hinder people from reporting include fear of retaliation, social status (e.g., lower income, lower job position, and lower education), the nature of the wrongdoing (e.g., infrequency and triviality of the wrongdoing), cultural barriers (e.g., disapproval from colleagues and the acceptance of unethical practices), or organizational barriers (e.g., lack of appropriate internal channels and unethical leadership).
A major issue regarding whistleblowing is the lack of legal protection and support for whistleblowers. In the past, only a few laws protected whistleblowers. Since then, many conventions held around the world have introduced laws for protecting, supporting, and encouraging whistleblowers.
In 1989, the US passed the Whistleblower Protection Act to protect federal whistleblowers. Other countries, such as the United Kingdom (UK), India, Japan, Jamaica, Australia, and South Africa have laws for protecting and supporting whistleblowers. Having said that, such laws come with limitations, e.g., the South African Protected Disclosure Act 26 of 2000 includes only people with an employment relationship and excludes other citizens who want to report wrongdoing.
In 2019, the European Union (EU) enacted the Whistleblowing Directive which requires all EU countries to create whistleblowing laws or improve their existing ones. From December 2023, companies with more than 50 employees, operating in any of the EU countries, are required to establish internal reporting channels through which employees can report breaches of Union Law.
However, such laws address the situations of individual countries or regional groups, and they do not provide guidance on how to meet their requirements. Even though countries like Japan, the UK, Canada, and France have some national guidelines and standards regarding whistleblowing, there is still a need for global synchronization on this topic. This is one of the gaps that ISO 37002 aims to cover.
An Overview of ISO 37002
In July 2021, the International Organization for Standardization (ISO) published ISO 37002 Whistleblowing management systems — Guidelines. This standard provides guidelines for establishing, implementing, maintaining, and continually improving a whistleblowing management system (WMS).
ISO 37002 enables organizations to identify, address, and prevent wrongdoing, create and demonstrate ethical governance practices, and ensure compliance with regulations and organizational requirements. The standard aims to help organizations establish, maintain, and improve internal reporting procedures. This enables organizations to save money, avoid lawsuits and scandals, and enhance their credibility.
ISO 37002 is a Type B standard that provides guidelines for implementation and is not meant for certification. The standard follows the “harmonized structure” sharing a common terminology with other ISO management system standards and the same clause sequence. It consists of 10 main clauses, where clauses 4 to 10 provide guidelines written in a suggestive language using the verb “should.”
These guidelines are applicable to any organization in the public, private, and not-for-profit sectors, regardless of the type, size, and nature of activity. The standard covers the whole process of WMS implementation, including planning (context of the organization, leadership, resources), operation (receiving, assessing, and addressing reports and concluding whistleblowing cases), review (internal audit and management reviews), and improvement.
A WMS based on ISO 37002 can be implemented as a stand-alone management system or integrated with other management systems based on ISO standards. Integration is enabled due to the same clause structure that most of the ISO management system standards share and the use of the PDCA implementation approach.
A WMS based on ISO 37002 can be helpful when integrated with an anti-bribery management system (ABMS) based on ISO 37001 to fight bribery and other unethical practices. It is also beneficial with a compliance management system (CMS) based on ISO 37301, as it enables organizations to meet organizational and legal requirements regarding whistleblowing.
Some of the benefits of integrating management systems include harmonizing and optimizing practices, reducing the amount of documented information and costs, formalizing informal systems, and improving communication.
Whistleblowing Management System and Its Principles
An effective WMS enables organizations to receive, assess, and address reports of wrongdoing, and treat whistleblowing cases based on the principles of trust, impartiality, and protection. Organizations can follow a Plan-Do-Check-Act (PDCA) cycle when implementing a WMS. This cycle follows a process-based approach aimed at improving processes and facilitates the implementation of a WMS in the organization.
Figure 1 provides an overview of the elements of a WMS.
Figure 1 — Overview of the elements of a whistleblowing management system (WMS)⁴
As can be seen in the figure above, in order to be effective and achieve its objectives, a WMS based on ISO 37002 should be built upon the three main principles: trust, impartiality, and protection.
Figure 2 — Principles of WMS
According to the guidelines of ISO 37002, top management and the whistleblowing management function are critical to the effectiveness of a WMS based upon these three principles. The organization’s top management should establish a whistleblowing policy that includes a commitment to trust, impartiality, and protection. In addition, the organization’s employees should be trained on the processes that ensure the integration of the aforementioned principles in the WMS.
According to research⁵, the greater the trust of employees in the organization, the higher the chances that they decide to report wrongdoing. This includes trusting a supervisor and perceiving the structures of the organization and its reporting channels as fair and impartial. Implementing a WMS based on ISO 37002 enables organizations to build this trust and assure employees that their reports will be handled properly and with confidentiality throughout the entire process of a whistleblowing case.
When employees do not trust that top management will address their report ethically, they choose to report to parties outside the organization⁶, which may bring unwanted and unnecessary scandals, lawsuits, and financial losses.
According to ISO 37002 guidelines, organizations should ensure that the people managing a whistleblowing case are trustworthy, feedback is provided to the whistleblowers to build trust, secure reporting channels are established, and surveys are conducted to verify employees’ trust in the whistleblowing management system.
ISO 37002 suggests that organizations guarantee the impartiality of the people dealing with a whistleblowing case and address and investigate reports and detrimental conduct with impartiality. This can be done by ensuring that the persons dealing with a whistleblowing case are objective and fair in their decision-making.
Furthermore, all possible or actual conflicts of interest, which may lead to biased processing, should be addressed appropriately. In addition, organizations should assure employees that no matter what job position they have, their reports will be addressed without any bias. Organizations may also provide anonymous reporting channels or outsource whistleblowing reporting channels to create the conditions for impartiality and increase trust.
Fear of retaliation and detrimental conduct prevents many people from reporting wrongdoing. For this reason, organizations should assure their employees that they will be protected from any potential harm when they report wrongdoing, for as long as needed.
The guidelines of ISO 37002 suggest that organizations define the degree of protection they can provide, take the necessary actions to protect whistleblowers and interested parties from detrimental conduct, and validate whether the people responsible for protecting whistleblowers have the necessary competence to ensure protection. Furthermore, organizations should make sure that documented information related to a whistleblowing case is protected from damage and misuse.
Alongside protection, ISO 37002 also suggests supporting whistleblowers. ISO 37002 guidelines recommend providing emotional, financial, legal, and reputational support to whistleblowers and other interested parties involved in the process of a whistleblowing case.
Organizations should make sure that employees maintain the same job position and professional reputation that they would have had if they had never reported the wrongdoing. They should treat them equally when providing any organizational benefits, support them throughout legal procedures (if needed), and provide them with an apology and compensation for detriment and any damage they may have suffered. As another form of support, offering tokens of appreciation and financial rewards has proven to be extremely effective in generating high-quality reports⁷.
However, opinions on financial rewards are divided. One group thinks that if people are making money through fraud and corruption, then people should also be rewarded for doing the right thing and reporting wrongdoing, which will encourage ethical practices. The other group thinks that such rewards may lead to an increase in false reports. However, studies conducted by Transparency International, the Stockholm Institute of Transition Economics, and the Booth School of Economics have proven this theory wrong, noting that rewards are only provided after a report has been proven to be true.
The Speak-up/Listen-up Culture
Having a speak-up/listen-up culture in the organization means providing a safe space that encourages employees and enhances their confidence to report and disclose wrongdoing occurring within the organization.
Organizations can ensure this by providing safe and secure reporting channels and by demonstrating commitment to receiving, assessing, and addressing reports of wrongdoing, and to concluding whistleblowing cases. A speak-up/listen-up culture is considered a dialogue: for an employee to speak up, there has to be someone from management who is willing to listen as well.
According to the guidelines of ISO 37002, a speak-up/listen-up culture should be established and promoted within organizations in various stages of the WMS implementation process.
For example, clause 5.1.2 Top management recommends that top management demonstrate leadership and commitment to the WMS by promoting and practicing a speak-up/listen-up culture within the organization. Organizations can do this by conducting training sessions in which the speak-up/listen-up culture is emphasized and by commending whistleblowers in meetings for their contribution (without exposing their identity), in order to encourage others to speak up as well. In addition, clause 5.2 Whistleblowing policy states that top management should establish a whistleblowing policy that promotes a speak-up/listen-up culture.
Hence, ISO 37002 recommends that the top management should take the first step in establishing and promoting this culture by creating a safe and comfortable environment in which employees’ opinions and reports are appropriately considered and appreciated.
Consequently, this will enhance employees’ trust in the organization and will encourage them to contribute by blowing the whistle for wrongdoings they have witnessed or experienced in the workplace.
Confidentiality as a Part of the WMS
Many organizations have established whistleblowing policies that proactively protect the confidentiality of information and the organization’s intellectual property. If employees disclose confidential information, legal action can be taken against them by their employers.
In terms of whistleblowing, whistleblowers sometimes have to disclose the confidential information of the organizations in which they work, because that information may prove that organizations are committing wrongdoings and their actions are damaging to the public interest. When whistleblowers report wrongdoings against organizations, their identity should be kept confidential.
In 2018, the CEO of the British bank Barclays was fined over £600,000 for using the bank’s security team to try to uncover the identity of a whistleblower who had made an anonymous report that the CEO was recruiting people inappropriately. However, in many countries, the confidentiality of whistleblowers’ identity is at risk. Only a few countries provide channels for anonymous whistleblowing. Countries such as India, Canada, and Australia have laws that protect the confidentiality of employees working in the public sector only⁸.
Sometimes the confidentiality of whistleblowers’ identity is at risk due to organizations’ lack of data protection measures and lack of control of documented information. This, as a result, decreases employees’ confidence and trust to report the wrongdoings they witness in their workplace. ISO 37002 emphasizes these aspects and provides guidelines on protecting and controlling documented information and ensuring the confidentiality of whistleblowers and relevant interested parties.
Clause 5.2 Whistleblowing policy of ISO 37002 states that the top management of an organization should establish a whistleblowing policy that protects confidentiality for those who report wrongdoing. In addition, ISO 37002 recommends not to reveal whistleblowers’ personal information to anyone beyond a need-to-know basis without their permission.
Clause 7.5.5 Confidentiality suggests that in cases where the law requires the disclosure of the identity of the whistleblower, they should be informed in advance and proper measures need to be taken to protect them from harm. Organizations should ensure the confidentiality of the whistleblowers’ identity throughout the whole process of a whistleblowing case. The organization should also define the disciplinary measures that will be taken against anyone who commits a breach of confidentiality.
Clause 6.1 Actions to address risks and opportunities suggests that organizations define the degree of confidentiality they can provide within the WMS. In addition, clause 7.2 Competence recommends that organizations ensure that the people working in the investigation group maintain confidentiality.
Clause 7.3.3 Training for leaders and other specific roles suggests that organizations train the relevant people who are part of the WMS on the importance of confidentiality and how to maintain it when handling reports of wrongdoing.
Furthermore, regarding documented information, the guidelines of clause 7.5.3 Control of documented information state that the documented information required by the WMS should be controlled to ensure that it is properly protected from loss of confidentiality and integrity, or from improper use. Technological tools can be useful in ensuring confidentiality of personal information of the reporter.
Lastly, the need for confidentiality is emphasized in clause 8 Operation for all four processes of the whistleblowing management system: receiving, assessing, and addressing reports of wrongdoing, and concluding whistleblowing cases. Figure 3 illustrates the aspects of confidentiality covered above.
Figure 3 — Confidentiality
The importance of providing and assuring confidentiality for all relevant interested parties involved in the process is highlighted throughout the guidelines of ISO 37002.
Therefore, an effective WMS established in accordance with the ISO 37002 guidelines enables organizations to address and handle reports of wrongdoing properly by ensuring the confidentiality of everyone involved in a whistleblowing case. This encourages employees and other interested parties to blow the whistle and report wrongdoings.
The Benefits of a WMS based on ISO 37002
Organizations that implement a WMS based on the guidelines of ISO 37002 obtain several benefits (see Figure 4).
A WMS based on ISO 37002 facilitates the process of reporting wrongdoing and, subsequently, encourages employees to blow the whistle by providing trustworthy reporting channels. An effective WMS encourages whistleblowers to speak up and assures them that their reports will be appropriately addressed and that they will be protected from any type of retaliation.
This, as a result, will help organizations to identify, prevent, and address risks of wrongdoing as early as possible, consequently minimizing costs, loss of assets, and reputational damage. Organizations will also be able to support and protect whistleblowers, and prevent detrimental conduct toward them by ensuring their confidentiality.
Lastly, organizations that have established an effective WMS based on ISO 37002 are able to deal with whistleblowing reports appropriately and in a timely manner.
Furthermore, implementing a WMS based on the guidelines of ISO 37002 will promote and foster a culture of openness, transparency, and integrity within and outside of the organization. As a result, the organization will maintain a positive reputation and build trust and confidence with relevant interested parties. In addition, implementing an effective WMS ensures compliance with legal and other requirements.
Figure 4 — Benefits of implementing an effective whistleblowing management system
Finally, a WMS based on the guidelines of ISO 37002 can be easily integrated with other management systems based on ISO standards. This enables organizations to harmonize and optimize practices, formalize informal systems, reduce costs, and improve communication.
Conclusion
Whistleblowers are one of the main sources of information for exposing fraud and other illicit or unethical activities in organizations worldwide. However, the fear of retaliation, the lack of psychological and financial support, the lack of safe internal channels to report wrongdoings, and the lack of proper frameworks for managing reports of wrongdoing are discouraging and daunting to many employees who want to blow the whistle when they witness or experience wrongdoings.
ISO 37002, published in July 2021, provides guidelines for establishing, implementing, maintaining, and improving a whistleblowing management system (WMS), based on the principles of trust, impartiality, and protection.
Organizations that establish a WMS based on ISO 37002 are able to effectively receive, assess, and address reports of wrongdoing, and conclude whistleblowing cases. A WMS based on ISO 37002 enables organizations to facilitate and encourage reports of wrongdoing, provide support and protection for whistleblowers, establish appropriate procedures to deal with reports, decrease risks of wrongdoing, and improve their organizational culture.
Moreover, the high-level structure of ISO 37002 enables organizations to implement the WMS as an independent entity or easily integrate it with other management systems based on ISO standards.
ISO 37002 suggests that organizations implement a WMS following the PDCA cycle and ensure that the principles of trust, impartiality, and protection are reflected throughout the elements of the WMS.
Organizations should assure their employees that the organization’s structures will remain impartial throughout any whistleblowing case and will protect and support them from any potential harm. This increases chances that employees will use internal reporting channels, rather than risking scandals and lawsuits by reporting externally.
A WMS based on ISO 37002 will promote and foster a speak-up/listen-up culture, through which the management encourages employees to speak up by assuring them that they will be heard and their reports will be handled appropriately.
Additionally, a WMS based on ISO 37002 will ensure the confidentiality of whistleblowers and other interested parties involved in a report of wrongdoing. These actions will enhance whistleblowers’ confidence and trust and encourage them to blow the whistle regarding wrongdoings committed in organizations.
Authors:
Arte Prebreza
Djellza Krasniqi
Contributors:
Ahmed Nabil Mahmoud (Egypt)
Arturo Salazar, Nexa Resources S.A. (Perú)
B M Zahid ul Haque, BRAC Bank Limited (Bangladesh)
Brian Henry, The Caridon Group (South Africa)
Carlos Flores Roca, CONCEPTA TRAINING (Perú)
Dale Ko (Hong Kong)
Damilola Disu, Training Heights Limited (Nigeria)
Dwi Siska Susanti, Sustain (PT Mitra Juang Mandiri) (Indonesia)
Edgar Felisberto, AprendAQ - Results Delivery (Angola)
Edwin Concepcion, Straits Interactive Pte Ltd (Philippines)
Egzon Bunjaku
Eustace Onuegbu, International Network for Corporate Social Responsibility (IN-CSR) (Nigeria)
Fernando Cevallos, F&C Consulting Group (México)
Francisco Santana, F&C Consulting Group (México)
Freda Kiberu Sentongo, Spedag Interfreight Uganda Limited (Uganda)
G. Jean Sylvestre Araba, SIL2 (Bénin)
Henri Haenni, Abilene Advisors (Switzerland)
Huck Hai Lim, Baker Tilly (Malaysia)
Igor Ćika, PDCA KONSALTING LTD., NOVI SAD (Serbia)
Jacob McLean, Kaizen Training and Management Consultants Limited (KTMC) (Jamaica)
Jacques III Achiaou, HAUTE AUTORITE POUR LA BONNE GOUVERNANCE (Ivory Coast)
James Ampah-Korsah, FCMS Consulting (Ghana)
Johan Opperman, Ristco (Pty) Ltd (South Africa)
Juan Pablo Rodríguez, RICS MANAGEMENT (Colombia)
Kerry Keating, STEER (United States)
Liezl Groenewald, The Ethics Institute (South Africa)
Matthew Demicoli (Malta)
Mfon Essien, DTRT Apparel LTD (Ghana)
Michele Magri, Michael Slim International (Italy)
Nadia Sarah, PT. Mitra Prakarsa Cemerlang (Bright Initiatives Partnership) (Indonesia)
Clement Bantar Nyong, CSS-International (Cameroon)
Patrick Oche, Impact Synergy Consult Limited (Nigeria)
Orlando Olumide Odejide, Training Heights Limited (Nigeria)
Olivier Lévy, KYRON (France)
Pauline Arifin, SustaIN (Indonesia)
Pedro Roberto Chale Páucar, Prime Profesional (Perú)
Pedro Solis Fernandez, QROMA (Perú)
Novian Amrah Putra, NQA Indonesia (Indonesia)
Raúl Vicente González Carrión, UEES – Deloitte (Ecuador)
Raymon Ram, Graymatter Forensic Advisory Sdn Bhd (Malaysia)
Sharon Kisinde, Uganda Railways Corporation (Uganda)
Silvija Vig, CODUPO Compliance (Croatia)
Sreechith Radhakrishnan, Global Success Systems Fz LLC (Dubai, UAE)
Tiwalade Adeniyi, Coronation Group (Nigeria)
Vincent Mokaya, Diverse Management Consultancy Ltd (Kenya)
Pui Tak Wong (Hong Kong)
Yaou Hounkpati, QPLI CONSULTING (Togo)
¹ USA Today. No free lunch: Boeing pays government $18M for breaks workers charged the Air Force for the C-17. 2015. https://www.usatoday.com/story/news/2015/10/14/boeing-settlement-air-force-c-17-globemaster-justice-department-james-thomas-webb/73950172/
² United States Department of Justice. Texas Dental Management Firm, 19 Affiliated Dental Practices, and Their Owners and Marketing Chief Agree to Pay $8.45 Million to Resolve Allegations of False Medicaid Claims for Pediatric Dental Services. 2017. https://www.justice.gov/usao-ndtx/pr/texas-dental-management-firm-19-affiliated-dental-practices-and-their-owners-and
³ Association of Certified Fraud Examiners. Report to the Nations: 2020 Global study on occupational fraud and abuse. 2020. https://acfepublic.s3-us-west-2.amazonaws.com/2020-Report-to-the-Nations.pdf
⁴ ISO 37002:2021, Whistleblowing management system – Guidelines, Figure 1
⁵ Binikos, Elli. “A sociological case study of the relationship between organizational trust and whistleblowing in the workplace.” MA diss., University of Johannesburg, 2006.
⁶ Groenewald, Lizl. Whistleblowing Management Handbook. South Africa: The Ethics Institute, 2020.
⁷ National Whistleblower Center. “The Importance of Rewards: Whistleblower reward laws are the key to successfully combating fraud and corruption.” Whistleblowers. Accessed February 14, 2022. https://www.whistleblowers.org/the-importance-of-rewards/
⁸ For more information, please visit: Whistleblower Laws around the World—National Whistleblower Center (whistleblowers.org).