Public and private sector must establish reporting channels soon
By introducing a reporting channel, you support your organization in conducting responsible business and promoting corporate social responsibility.
Responsible corporate culture and ethical practices are expected from companies, and corporate responsibility often grants companies a competitive advantage. At EU level, companies are steered towards corporate responsibility e.g. by Directive 2019/1937 (i.e. the whistleblower directive). The substantial change brought by the Directive is the obligation it places on public and private sector operators to establish a reporting channel that enables reports of breaches and a response to such incidents. The Directive aims for more uniform protection of whistleblowers and reflects the expectation of developing a responsible corporate culture in the Member States, in which breaches are identified and addressed.
The organization’s own employees play a key role in preventing breaches, as they are often the first to become aware of suspected breaches or misconduct within the organization. However, an employee might not want to disclose such breaches in the organization if he/she cannot disclose them without concern for potential retaliation from the organization. The legislation has not sufficiently considered the protection of persons disclosing suspected breaches. Obligations regarding reporting channels and the protection of whistleblowers have so far mainly concerned the financial sector and other operators regulated by the Anti-Money Laundering Directive, as well as listed companies regulated by the market abuse regulation. Now, the scope of the whistleblower directive expands to include all other industries as well.
When should an organization establish a reporting channel?
All public and private organizations with 50 or more employees will have to implement an internal reporting channel regardless of the nature of their business.
According to the Directive, legal persons in the public sector are not exempt from the obligation based on their number of employees, but the EU legislature has left it possible to provide by law an exemption from the obligation to introduce a reporting channel in municipalities of less than 10 000 inhabitants or 50 employees or in other public organizations.
In addition, the Directive obliges the competent authorities of the Member States to introduce essentially similar independent reporting channels for receiving and processing reports.
Reporting channel’s requirements
The reporting channel and protection system shall meet the minimum standards for (i.a.) independence, confidentiality and data protection… It shall be possible to make a report through the reporting channel orally or in writing, or in both ways. It shall be possible to make a report completely anonymously. Minimum requirements have also been imposed on the processing of reports – for example, an acknowledgement of receipt shall be delivered within seven days of submitting a report. Feedback shall be provided to the whistleblower within three months from the delivery of the acknowledgement of receipt. The reporting channel shall provide clear instructions to the whistleblower on how to make an external report to the national authority and, when needed, to the institutions and organizations of the EU.
As protective measures, the Directive prohibits retaliatory measures and threats of such against employees or self-employed persons. Reporting shall not negatively affect the position of the whistleblower within the organization, or in any other way. Protective measures extend to other entities that may be subject to retaliation for their connection to the whistleblower, such as assistants, colleagues and relatives and similar legal entities.
Reporting channel can be outsourced
An organization may implement a reporting channel in its own systems or acquire a reporting channel from an external provider. By outsourcing, the organization ensures confidentiality and impartial investigation of the reports when reports are handled by an expert specialized in suspected breaches.
The Directive requires clarity and consistency from organizations in the processing and investigation of reports. To function as desired, the reporting channel requires clear and up-to-date guidelines and ground rules (code of conduct guidelines and policies) to ensure that the conditions for the code of conduct and ethics can be met. Communication and training are emphasized in implementing the reporting channel. The organization must inform its employees of the purpose of the reporting channel and what matters can be reported through the channel. Employees shall also be informed of the channel’s location and how the reporting process functions in practice.
The compliance program refers to the internal policies and guidelines of the organization to ensure the appropriateness of its activities in terms of legislation and ethical practices. Taking care of the organization’s compliance program is a significant responsibility of the management and requires a high level of risk management skills. Contact our experts if your company has not established a reporting channel or if your compliance program should be updated. We support your company in creating and implementing a reporting channel that fulfills all legal obligations.
The provisions of the whistleblower directive shall be put into force nationally by 17.12.2021 – therefore, ensure your organization’s compliance now.
What is compliance?
Compliance refers to the process of ensuring that an organization follows the relevant laws, regulations and business rules that apply to it. The core of compliance includes the company’s own internal operating guidelines (ethical guidelines, code of conduct) and the prevailing compliance culture within the company.
Contact Mäkitalo’s Compliance-experts