Whistleblowing is the act of reporting suspected or threatened wrongdoing. A large number of incidents of misconduct are reported to organisations or other authorities by employees within an organisation. According to the ACFE (Association of Certified Fraud Examiners) 2020 report, 43% of employment fraud was detected through whistleblowing, with half of these coming from employees.
This has prompted many organisations to consider improving their whistleblowing policies, creating secure channels for whistleblowers, and ensuring they are protected and supported. The ISO 37002 guidelines for WMS aim to provide just that.
Whistleblowing Management System based on ISO 37002
The international standard ISO 37002 guides the establishment, implementation, operation and improvement of a whistleblowing management system (WMS) based on trust, impartiality and protection principles. The standard guides a four-step process: receiving whistleblowing allegations, assessing them, resolving them and closing whistleblowing cases.
ISO 37002 adopts the ‘harmonised structure’ developed by ISO to improve the alignment of international standards for management systems. Organisations can apply the standard alone or with other management system standards, such as ISO 37001, defining requirements for anti-bribery management systems. ISO 37002 is a Type B management system standard and is therefore not intended for certification.
Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law
The main purpose of the Directive is to ensure a minimum level of protection for whistleblowers of unlawful activity or abuse of European Union law in defined areas.
Benefits of whistleblowing management systems
The potential benefits of implementing a WMS according to ISO 37002 include:
- Enabling the organization to identify and address unfair practices as early as possible.
- Supporting the organisation in preventing or minimising losses
- Ensuring compliance with legal and societal requirements
- Attracting and retaining employees who do not want to be exposed to unfair practices
- Demonstrating good and ethical governance of the organisation
An effective whistleblowing management system builds trust in the organization by:
- Demonstrating management’s commitment to preventing and addressing misconduct
- Limiting and preventing adverse treatment of whistleblowers
- Promoting a culture of openness, transparency, integrity and accountability
Subject of our professional services
1 | Analysis of the existing system and WMS project planning
Analysis of the context of the organisation and gap analysis of the current state • Development of an WMS project plan
2 | Establishment and implementation of the WMS
Identification and description of the boundaries and scope of the WMS • Definition of the organisational structure, roles and responsibilities of individuals and relevant committees • Design of the whistleblowing policy • Setting up and documenting WMS processes
3 | Bribery risk management and controls management
Selection and documentation of whistleblowing management methodology • Identification, analysis and evaluation of whistleblowing risks • Selection of whistleblowing risk treatment options and controls • Management of whistleblowing risk treatment plans
4 | Documentation of topic-specific policies and procedures
Design and documentation of topic-specific processes and measures for adoption, assessment, resolution and closure • Implementation or outsourcing of a notification management system • Design and performance of training and awareness-raising activities
5 | Internal audit and supplier audit
Draft and documentation of the WMS internal audit charter • Draft WMS audit programme and planning of audit activities • Implementation of internal audit and supplier audit • Support follow-up activities and actions after the audit
Quality of our services
During the provision of consulting services, the standards of quality of service consultancy based on ISO 20700, information security based on ISO/IEC 27001 and project management based on ISO 21500 are applied.
Competences of our consultants:
- Certified ISO 37001 Lead Implementer
When conducting an internal audit (first-party audit) or second-party audit, the best practice of auditing management systems, as defined in ISO 19011 and other relevant standards, is applied.
Competences of our auditors:
- Certified ISO 37001 Lead Auditor