
Whistleblowing

Background

The terms ‘whistleblowing’ or 'speak up' typically refer to an individual raising a concern about something (often on behalf of a group of people) that they perceive as illegal, unethical or unprofessional. This includes actions such as regulatory breaches, non-adherence to processes and/or non-compliance with organisational policies, as well as wrongdoing to customers, stakeholders or members of staff, along with non-conformance to organisational values.

Whistleblowing is defined by the UK Government as ‘workers reporting certain types of wrongdoing that are in the public interest’. The allegation is often made, in the first instance, to a line manager, human resources or staff representative group but may also be made publicly to a regulator or the press or via social media. More commonly, an organisation’s non-executives are also being included in Whistleblowing Policies as a route to receive whistleblowing concerns; for example the Chair of Audit Committee (or equivalent committee).

In 2018 and 2019, the EU introduced directives to protect whistleblowers. These are at different levels of embedding across member states – see our blog post on the implications of the 2019 directive here. In the UK, whistleblowers are protected by law (Public Interest Disclosure Act 1998 [PIDA]) and shouldn’t be treated unfairly because they report concerns. The Protected Disclosures Act 2014 protects whistleblowers in Ireland. If, however, concerns are reported directly to the media, then whistleblowers can lose many of their legal rights. Under the Public Interest Disclosure Act 1998, whistleblowing is an employee raising a concern about an alleged wrongdoing including corrupt, illegal or unethical behaviours in a public or private sector organisation.

To be covered by whistleblowing law, an employee blowing the whistle must reasonably believe two things:

  • They are acting in the public interest (i.e. not for personal/private gain)
  • The allegation shows past, present or future wrongdoing

While PIDA grants protection to employees and some ‘workers’ e.g. agency staff and contractors (as specified in the PIDA 1998 Part IVA Protected Disclosures, Section 43K), there are gaps meaning that some do not qualify for protection, including job applicants, volunteers, interns and independent non-executive directors. PIDA has been criticised for no longer being fit for purpose as it is too complicated and does not protect all citizens.


Why should organisations take action and how should internal audit assist?

The ability for a person to blow the whistle is fundamental, as is the need for the organisation to have appropriate investigation protocols in place and to ensure that there is adequate management reporting to relevant governance groups, such as the board, audit committee and others.

Internal audit should play an important role in regularly reviewing the whistleblowing arrangements in place (unless internal audit is involved in the procedures for whistleblowing, in which case a separate, independent mechanism should be in place to provide assurance on the effectiveness of the whistleblowing procedures).

The scope of an internal audit review of Whistleblowing arrangements should include:

Whistleblowing policy and procedures

The design of the whistleblowing policy and process, including:

  • Ownership and accountability with respect to its requirements
  • Processes through which it has been communicated to staff, contractors, volunteers and other prospective whistle-blowers as defined in the policy
  • The appropriateness of the scope of individuals that the policy covers
  • Whether the policy is aligned with and referenced through other relevant corporate policies intended to manage concerns raised internally and externally (e.g. complaints and grievances)

Governance, monitoring and reporting arrangements

  • The robustness of governance mechanisms and oversight controls in place to ensure adequate oversight of and decision making around whistleblowing
  • Whether logs or registers of reported concerns/incidents exist and processes for tracking the resolution of these incidents to completion
  • The design and accuracy of reporting provided to management, specifically assessing whether senior management and the Trustees have adequate visibility over whistleblowing reports made

Awareness

  • Awareness raising activities and communications provided to staff regarding the whistleblowing policy, and how to report concerns through whistleblowing channels
  • Training provided to line managers and other relevant recipients of whistleblowing concerns on how to receive and respond to concerns/disclosures
  • The inclusion of whistleblowing as a specific topic within the induction process

Mechanisms for reporting

  • The definition of channels through which individuals can raise concerns, to validate that robust reporting channels are in place which provide sufficient independence and anonymity for those making a report, and to understand whether external (third party managed) or internal independent (e.g. Chair of Audit and Risk Committee) channels have been considered or established
  • Whether clearly defined processes and controls, including approvals, exist relating to external reporting of issues arising through the whistleblowing process to relevant bodies such as the Charity Commission, police or HMRC

Investigation of reported concerns

  • Whether a robust investigation procedure exists, and appropriate documentation is retained to evidence the decision-making process and outcomes
  • Whether concerns are fully resolved in line with the internal procedure

Continuous improvement

  • Mechanisms for capturing and analysing staff attitude and feedback with regards to whistleblowing (e.g. a staff survey)
  • Whether previously identified actions have been completed and a lessons learned exercise performed

Confidentiality

  • Processes and controls in place to maintain the confidentiality, anonymity and integrity of sensitive and personal information resulting from concerns raised through the whistleblowing process
  • Processes in place to ensure the security and integrity of information and documentation gathered as part of a whistleblowing investigation

Sector-specific guidance

The UK government provides guidance and a code of practice on whistleblowing for all employers. There are additional considerations for specific sectors:

Public sector

In 2017 the government introduced a nationwide pilot Whistleblowers Support Scheme offering a range of services for NHS staff who have suffered detriment as a result of raising concerns. A key recommendation from the Stafford Hospital inquiry (involving concerns over poor care and high mortality rates amongst patients) stated that whistleblowers needed to be protected. One of the main findings was that people had known about poor levels of care but did not speak up. The Care Quality Commission as regulator provides guidance on whistleblowing to providers and to those raising a concern.

Financial Services

The Financial Conduct Authority (FCA) places responsibility on the firms it regulates to implement effective whistleblowing arrangements, including written procedures, protections of employees, escalations of disclosures, training, annual reporting on effectiveness of controls, and nominating a whistleblowers’ champion. More detail is available within the FCA handbook.

Private sector

While there is no legal requirement for those organisations not regulated by the Financial Reporting Council (FRC) to have a whistleblowing/speak up policy, having one demonstrates a commitment by the organisation to listen to concerns raised by customers, stakeholders and employees. The UK Corporate Governance Code July 2018 (Board Leadership and Company Purpose, Provision 6) requires a 'means for the workforce to raise concerns in confidence and – if they wish – anonymously. The board should routinely review this and the reports arising from its operation. It should ensure that arrangements are in place for the proportionate and independent investigation of such matters and for follow-up action.' Employees may raise whistleblowing concerns with the FRC, but disclosures will only be protected in certain circumstances.

Third sector

The Charity Commission, as the statutory regulator of charities, states that charity workers and volunteers can report incidents that have happened, are happening or are likely to happen that could cause serious harm to a charity’s beneficiaries, its staff and volunteers, the services it provides, its assets and reputation. In 2019, the Charity Commission updated its guidance in relation to whistleblowing for the sector and commenced a trial of a confidential advice line, specifically for charity whistleblowers, in response to what it observed as a systematic underreporting of incidents throughout the sector.

The ‘Public Concern at Work’ organisation, which assisted in the creation of the PIDA, has been renamed to ‘Protect’ and is also a registered charity (Protect - Speak up stop harm, protect-advice.org.uk).


Conclusion

Having a whistleblowing policy in place (and an accompanying procedure to robustly investigate) is fundamental to any organisation. The policy should be clear, well understood, easily accessible, regularly refreshed and championed and, importantly, communicated to all levels within an organisation.


Further reading 

UK Government - Whistleblowing for employees

Employment Rights Act 1996 (as amended by the Public Interest Disclosure Act 1998)

NHS - Report on the Freedom to Speak Up review

Department for Business Innovation and Services  - Whistleblowing - Guidance for Employers and Code of Practice 

NCVO/Knowhow - Whistleblowing

Protect (formerly Public Concern at Work)

Chartered IIA - Whistleblowing in the US and the EU blog 

Financial Conduct Authority & Prudential Regulation Authority - press release re Chief Executive of Barclays Group

Safecall - Case studies  

Information Commissioner's Office - 'Speak up' the ICO's whistleblowing policy and procedure 

Public Interest Disclosure Act 1998

Protected Disclosures Act 2014 - Protection for Whistleblowers 

Whistleblowers UK 

Whistleblowerinfo.com 

Content reviewed: 1 February 2023