‘Speak up’ and ‘whistleblowing’ are often used to describe an individual raising a concern about something, usually occurring in the workplace, that they perceive as an illegal, regulatory breach, non-adherence to processes, non-compliance with an organisation’s policies, not engaging with shared values, creating danger or wrongdoing to customers, stakeholders or members of staff. The allegation is often made, in the first instance, to their line manager, human resources or staff representative group but may also be made publicly to a regulator or the press or via social media.
In April 2018, the EU introduced directives to protect whistleblowers; these are at different levels of embedding across member states. In the UK, whistleblowers are protected by law (Public Interest Disclosure Act 1998 [PIDA]) and shouldn’t be treated unfairly because they report concerns. The Protected Disclosures Act 2014 protects whistleblowers in Ireland. If, however, concerns are reported directly to the media, whistleblowers can lose many of their legal rights. Under the Public Interest Disclosure Act 1998, whistleblowing is an employee raising a concern about an alleged wrongdoing including corrupt, illegal or unethical behaviours in a public or private sector organisation.
To be covered by whistleblowing law, an employee blowing the whistle must reasonably believe two things:
While PIDA grants protection to employees and some ‘workers’ eg agency staff and contractors (as specified in the PIDA 1998 Part IVA Protected Disclosures, Section 43K), there are gaps meaning that some do not qualify for protection including job applicants, volunteers, interns and independent non-executive directors. It has been criticised for no longer being fit for purpose as it is too complicated and does not protect all citizens.
Recent high-profile media coverage highlighted the importance of speaking up, anonymously or not, and how seriously this should be taken by the organisation, media, individuals and stakeholders.
There are many examples of positive whistleblowing experiences, but unfortunately many where processes are not sufficient, information is reported inappropriately, data is misused, or anonymity is not maintained.
Barclays was fined $15m by the New York State Department of Financial Services for violating banking law. In the UK the CEO was fined over £600k (jointly by the Financial Conduct Authority and Prudential Regulation Authority) after being judged to have failed to comply with Code of Conduct (COCON), Individual Conduct Rule 2 (ICR2) – you must act with due skill, care and diligence.
World Whistleblower Day occurred on 23 June 2019, and the G20 declared whistleblowing a priority for their 2019 anti-corruption work. 4.7 billion people live in countries represented by the G20.
There are examples of where companies have not acted ethically when under pressure to deliver.
Wells Fargo reached settlements with the city of Los Angeles totalling $190m following allegations of improper activity including opening accounts and transferring funds without customer consent, opening lines of credit and issuing credit and debit cards. 5,300 employees were terminated in connection with these activities, one of whom is quoted in US media as acting to 'survive' rather than access lucrative bonuses – 'to say we were under pressure is an understatement'.
During the trial of three Tesco executives, following the overstatement of profit forecast by £250m, a whistleblower told the court that he prepared financial reports showing the growing gap between actual performance and planned which had reached £240m. He described the intense pressure, 'constant reviews and… how Tesco had to do better'.
The 2012 LIBOR (London Interbank Offered Rate) investigation involved a whistleblower who traded immunity from prosecution in exchange for providing information. The group of interest-rate derivative traders had colluded/manipulated the rate to aid their trading positions for the purpose of gaining profit.
In 2017 the government introduced a nationwide pilot Whistleblowers Support Scheme offering a range of services for NHS staff who have suffered detriment as a result of raising concerns. A key recommendation from the Stafford Hospital inquiry (involving concerns over poor care and high mortality rates amongst patients) stated that whistleblowers needed to be protected. One of the main findings was that people had known about poor levels of care but did not speak-up.
While there is no legal requirement to have a whistleblowing/speak up policy, having one demonstrates a commitment by the organisation to listen to concerns raised by customer, stakeholder and employees. The UK Corporate Governance Code July 2018, (Board Leadership and Company Purpose, Provision 6) requires a 'means for the workforce to raise concerns in confidence and – if they wish – anonymously.'
Organisations may have differing definitions of what counts as speaking-up – criminal offences, health and safety violations, environmental damage, miscarriage of justice, or unethical behaviour to meet targets. The following provides some examples of what public and private organisations have in their policy documents:
From a whistleblower’s perspective, there can be various motivations for speaking-up. People can feel that it is morally right to report something that they have seen or been a part of. People can also trade information for their own protection once a scandal has been uncovered. There have been examples of people not realising that they are speaking-up and therefore can be protected.
The culture of the organisation needs to be open and accepting of people speaking-up for it to be seen as a positive and an opportunity to address a wrongdoing.
Internal audit can offer assurance over controls in place to make sure that whistleblowing/speak-up arrangements comply with local legislation as well as being suitable for and applied properly within the organisation to enable people to report poor practices.
Employers may be keen to create an open, supportive and transparent working environment where employees feel comfortable to raise concerns. Organisations also must be cautious not to treat an employee any differently because they spoke up, blew the whistle or raised a concern.
Organisations must comply with relevant legislation or regulatory requirements in the jurisdictions in which they operate – be aware of this during global internal audits and testing across jurisdictions.
Each internal audit should be planned individually but some areas of risk to consider:
Speaking-up crosses into other areas of an organisation that might be subject to an internal audit: organisational culture, the shared values of the organisation, record keeping, reporting and governance, HR and legal agreements, social media and traditional media monitoring.
Having a whistleblowing/speak up policy in place sets the tone from the top, reinforcing the standards expected; provides an opportunity to educate staff and management, encouraging a culture where concerns are reported early, which makes it easier for employers to address concerns and potentially reduce risk.
UK Government - Whistleblowing for employees
Department for Business Innovation and Services - Whistleblowing - Guidance for Employers and Code of Practice
NVCO/Knowhow - Whistleblowing
Chartered IIA - Whistleblowing in the US and the EU blog
Financial Conduct Authority & Prudential Regulation Authority - press release re Chief Executive of Barclays Group
Safecall - Case studies
Information Commissioner's Office - 'Speak up' the ICO's whistleblowing policy and procedure
Protected Disclosures Act 2014 - Protection for Whistleblowers