ISO 37002:2021 Whistleblowing Management System PDF

Summary

This presentation details the ISO 37002:2021 standard for a whistleblowing management system, covering its structure, principles, and implementation details.

Full Transcript

ISO 37002:2021 WHISTLEBLOWING MANAGEMENT SYSTEM

STRUCTURE OF THE COURSE
1. Introduction to the whistleblowing management system
2. The context of the organization (clause 4 of ISO 37002)
3. Leadership (clause 5 of ISO 37002)
4. Planning (clause 6 of ISO 37002)
5. Support (clause 7 of ISO 37002)
6. Operation (clause 8 of ISO 37002)
7. Performance evaluation (clause 9 of ISO 37002)
8. Improvement (clause 10 of ISO 37002)

A WHISTLEBLOWING MANAGEMENT SYSTEM
Demonstrates transparency and ethical conduct.

WHISTLEBLOWING MANAGEMENT SYSTEM
Whistleblower: person who reports actual or suspected wrongdoing and who has reasonable belief that the information is true at the time of reporting.
Wrongdoing: action or omission that can cause harm (e.g., breach of law, breach of organizational policies, gross negligence, bullying, harassment, discrimination, unauthorized use of resources, gross waste, mismanagement, conflict of interest, abuse of authority, etc.).
Principles:
- trust
- impartiality
- protection
Management system: set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve the objectives.

EXPECTED OUTCOMES FOR A WHISTLEBLOWING MANAGEMENT SYSTEM (WMS)
- Encourage and facilitate the reporting of wrongdoing
- Protect whistleblowers from negative consequences
- Deal with the reports received in a proper and timely manner
- Enhance organizational culture and governance
- Expect a reduction of the risk of wrongdoing

PLAN-DO-CHECK-ACT
- Plan – establish objectives, identify and address risks and opportunities
- Do – receive, assess and address reports of wrongdoing and conclude whistleblowing cases
- Check – monitor, measure, analyze and evaluate performance; audit the management system internally; conduct management reviews
- Act – continually improve the WMS and manage nonconformities
From ISO 37002:2021

ISO 37002:2021
- International standard
- First edition
- Includes guidelines, not requirements

ISO 37002:2021 CLAUSES AND SUBCLAUSES
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
  4.1 Understanding the organization and its context
  4.2 Understanding the needs and expectations of interested parties
  4.3 Determining the scope of the whistleblowing management system
  4.4 Whistleblowing management system
5 Leadership
  5.1 Leadership and commitment
  5.2 Whistleblowing policy
  5.3 Roles, responsibilities and authorities
6 Planning
  6.1 Actions to address risks and opportunities
  6.2 Objectives and planning to achieve them
  6.3 Planning of changes
7 Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information
8 Operation
  8.1 Operational planning and control
  8.2 Receiving reports of wrongdoing
  8.3 Assessing reports of wrongdoing
  8.4 Addressing reports of wrongdoing
  8.5 Concluding whistleblowing cases
9 Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal audit
  9.3 Management review
10 Improvement
  10.1 Continual improvement
  10.2 Nonconformity and corrective action

CONTEXT OF THE ORGANIZATION
Internal issues:
- Size and structure
- Locations
- Business sector(s)
- Organizational culture
- Scale of operations
- Business model
- Nature of personnel
External issues:
- Business associates
- Controlled entities
- Related organizations
- Legal, statutory or regulatory requirements
- Contractual obligations
- Exposure to public interest obligations
Identify stakeholders and their requirements (relevant for the whistleblowing management system).

THE SCOPE OF THE WHISTLEBLOWING MANAGEMENT SYSTEM (WMS)
Determine the boundaries and applicability of the WMS to establish its scope. The scope should be documented. Consider the types of wrongdoing that can be reported, the regions from where reports can be submitted and the parties who can submit reports.
(Figure: the whistleblowing management system in relation to other organizational processes and systems; items shown: concerns and complaints from the public or interested parties, compliance issues, integrity violations, personnel and workplace grievances, detrimental conduct against whistleblowers and other parties.)

GOVERNING BODY AND TOP MANAGEMENT
Governing body:
- Oversees the whistleblowing management system (WMS)
- Approves the whistleblowing policy
- Communicates clearly about the existence, importance and use of the whistleblowing policy
- Defines objectives and monitors the top management with respect to these
- Reviews information about the WMS
- Ensures that appropriate resources are allocated
Top management:
- Communicates on the importance of effective whistleblowing
- Makes the WMS accessible and encourages its use in the organization
- Approves the whistleblowing policy and communicates on its importance
- Makes the necessary resources available
- Ensures that the WMS achieves the intended results
- Promotes a speak-up/listen-up culture in the organization
- Ensures that whistleblowers do not suffer detriment
- Ensures that impartial investigations are conducted
- Promotes continual improvement
- Supports others to demonstrate their leadership
- Reviews reports about the operation of the WMS

WHISTLEBLOWING POLICY
- Established by the top management
- Developed with the participation of personnel
- Documented
- Available to interested parties
- Communicated within and outside the organization
- Reviewed at planned intervals
- Appropriate to the purpose of the organization
- Provides a framework for setting objectives
The policy:
- Includes a commitment to continual improvement and to meeting requirements
- Explains the scope of the WMS
- Prohibits detrimental conduct
- Promotes the speak-up/listen-up culture
- Includes a commitment to trust, impartiality and protection
- Offers guidance on how to report wrongdoing
- Outlines the key steps of whistleblowing
- Provides for the protection of confidentiality
- Provides information on the data retention policy
- Does not restrict reporting based on contractual obligations
- Explains the consequences of noncompliance
- Makes reference to applicable law and to alternative reporting channels
- Explains the authority and independence of the whistleblowing function

WHISTLEBLOWING MANAGEMENT FUNCTION
- Responsible for the WMS (design, implementation, operation)
- Ensures that the reports of wrongdoing are properly received and assessed
- Ensures there are no negative consequences for the whistleblowers
- Provides advice and guidance on whistleblowing
- Reports to the top management and to the governing body about the WMS
- Appointed by the top management
- Properly resourced
- Assigned to persons with competence, integrity, authority and independence
- Has direct, unrestricted and confidential access to the top management and to the governing body
- Does not require a dedicated person
- Can be outsourced (but with internal supervision)

RISKS AND OPPORTUNITIES
Determine risks and opportunities to:
- prevent or reduce undesired effects,
- give assurance that the WMS can achieve the intended results,
- achieve continual improvement.
Examples of risks:
- retaliation against whistleblowers
- confidentiality breaches
- malicious and false reports
- toxic atmosphere
- legal noncompliance
- overreliance on the WMS…
Examples of opportunities:
- improvement of corporate governance
- customer loyalty
- ability to attract and keep talent
- legal compliance
- early detection of problems
- improved organizational culture…

ADDRESSING RISKS AND OPPORTUNITIES
- Evaluate the effectiveness of actions to address risks and opportunities
- Address the situation where wrongdoing is reported outside the organization
- Provide feedback to and collect feedback from whistleblowers (and other relevant parties)

WHISTLEBLOWING OBJECTIVES
- Consistent with the whistleblowing policy
- Measurable (if practicable)
- Consider applicable requirements
- Ensure the early detection and prevention of wrongdoing
- Monitored, evaluated and updated or revised
- Documented and communicated

PLANNING FOR THE ACHIEVEMENT OF OBJECTIVES
- What will be done?
- What resources are needed?
- Who is responsible?
- When will the objectives be completed?
- How are results monitored, evaluated and communicated?
- How are the objectives updated?

PLANNING OF CHANGES
Changes to the whistleblowing management system should be carried out in a planned manner:
- Define the purpose of the change
- Evaluate possible consequences
- Assign responsibilities
- Establish the extent of the change and the time frame for implementation
- If possible, test the change on a sample
- Prepare for how to reverse an unsuccessful change
- Make resources available
- Communicate to those involved or affected
- Review the change after implementation

RESOURCES
Determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the whistleblowing management system. Certain functions of the whistleblowing management system can be outsourced.

COMPETENCE
- Identify the necessary competence
- Ensure that persons are competent (based on their education, training and experience)
- Act to acquire and maintain competence
- Maintain an appropriate level of impartiality
The persons responsible for investigation, protection and support should display trustworthiness, emotional intelligence, diplomacy, integrity, leadership, confidentiality and sound judgement.

AWARENESS
Persons who work under the organization's control should be aware of the whistleblowing policy, the whistleblowing management system objectives, their personal contribution to the WMS and the implications of noncompliance.

TRAINING FOR PERSONNEL
Provide awareness measures and training to all personnel. Personnel should understand that:
- in some situations, it may be desirable or necessary to report wrongdoing via other channels (than the direct manager)
- the whistleblowing policy is not a substitute for managers taking responsibility for the workplace
- managers are instrumental for the implementation of the WMS
- the whistleblowing policy does not prevent reporting to authorities
- the WMS is not a substitute for local legal obligations to report to authorities

TRAINING FOR LEADERS
The governing body, the top management, the whistleblowing management function, managers and others who hold roles, responsibilities and authorities within the WMS should be trained on the operation of the whistleblowing policy and on how to handle reports of wrongdoing.

INTERNAL AND EXTERNAL COMMUNICATION
The organization should determine the communications relevant for the whistleblowing management system, including what to communicate, when, how, with whom, who communicates and the language for communication.

COMMUNICATION
When the whistleblowing policy is introduced or updated:
- personnel should be briefed on the key points/changes
- a communication should be sent from the governing body or top management
New personnel should be informed about the whistleblowing policy when joining the organization.

DOCUMENTED INFORMATION
The whistleblowing management system documentation should include:
- the documents recommended by ISO 37002
- documents not recommended by the standard, but determined as being necessary by the organization

CREATING AND UPDATING DOCUMENTS
When creating and updating documents consider the following:
- identification and description
- format and media
- review and approval
- data protection measures

CONTROL OF DOCUMENTED INFORMATION
Objective: to ensure that documents are protected, available and suitable for use. The controls refer to:
- distribution, access and retrieval
- storage and preservation
- control of changes
- retention and disposition
The controls apply to the documents elaborated internally, but also to documents of external origin necessary for the WMS.

DATA PROTECTION
Aspects to consider:
- access to data
- data management
- data protection rights
- notice regarding collected data
- permitting anonymous reporting

CONFIDENTIALITY
Establish processes to protect confidentiality and to address the situations where confidentiality is breached.

WHISTLEBLOWING PROCESS
(Figure: operational steps of the whistleblowing management system, source ISO 37002:2021.)

OPERATIONAL PLANNING AND CONTROL
- Provide feedback to whistleblowers
- Generate documented information during each step of the whistleblowing process
- Control externally provided processes, products and services

RECEIVING REPORTS OF WRONGDOING
- Establish visible, accessible and secure reporting channels
- At least one reporting channel distinct from the management hierarchy
- Suggest a structure for the report
- Train managers about how to deal with the reports received
- Agree channels for future communication
- Do not ask the whistleblower to proactively gather further evidence

ASSESSING REPORTS OF WRONGDOING
Process for the impartial assessment, triage and management of reports. Prioritize reports based on risk. Questions for the assessment:
- Does the wrongdoing fall within the scope of the WMS?
- Is the wrongdoing a criminal offence?
- When did it happen? Is it about to happen?
- Is there an immediate need to stop a business activity?
- Will business continuity be impacted by the investigation?
- Is there an immediate risk to health and safety?
- Is there an immediate risk to human rights or to the environment?
- Is there an immediate need to protect evidence?
- Is there a risk to the organization's functions, services or reputation?
- Could the media be interested?
- Is this a wrongdoing that has been reported before?
- How did the whistleblower obtain the information?

POSSIBLE DECISIONS FOLLOWING THE ASSESSMENT
- Engage with other functions
- Gather further information
- Take preliminary measures (e.g., secure evidence, suspend the subject)
- Inform relevant authorities
- Start the investigation
- Conclude the case
- …
The decision and the reasons should be communicated to the whistleblower.

RISKS OF DETRIMENTAL CONDUCT
Assess the risk of detriment to the whistleblower and to other relevant interested parties. Protect whistleblowers and other parties by protecting their identity, sharing information on a need-to-know basis, changing workplace arrangements or communicating that detrimental conduct can lead to disciplinary actions.

INVESTIGATING WRONGDOING
Impartial investigation conducted by qualified investigators.

PRINCIPLES FOR THE INVESTIGATION
- Adequately resourced
- Clear terms of reference and scope
- Robust process to withstand any review
- All subjects are presumed innocent
- Should not interfere with a judicial investigation
- Secure and protect evidence
- Manage personal data adequately
- Protect information that could identify subjects
- Able to scale and adapt
- Clear, concise communication
- Provide feedback and updates to whistleblowers

PROTECT THE WHISTLEBLOWER
- Protect whistleblowers from detriment, considering the risks identified
- Provide support, as necessary (emotional, financial, legal)

ADDRESS DETRIMENTAL CONDUCT
Detrimental conduct should be reported using the same reporting channels. An investigation may be necessary. Stop and address detrimental conduct. Remediation can be needed.

PROTECTING THE SUBJECT(S) OF A REPORT
- Protect their identity
- Share information on a need-to-know basis
- Presumption of innocence
- Timely and impartial investigation
- Remedial measures (possible)
- Assistance and support (as needed)

PROTECTION FOR OTHER PARTIES
Witnesses, investigators, family members and others may need to be supported by the organization and protected from negative consequences.

CONCLUDING WHISTLEBLOWING CASES
A whistleblowing case moves into the concluding phase when:
- no action is considered necessary
- fact-finding determines that no investigation is warranted
- the report is referred to a different process
- the investigation is completed
Concluding steps:
- Concluding the investigation and communicating conclusions
- Acting in response to recommendations
- Collecting feedback
- Identifying lessons
- Improving controls, policies, procedures
- Retaining documented information
When wrongdoing is found:
- act to resolve wrongdoing and monitor effectiveness
- administer appropriate sanctions
- refer matters to authorities, if necessary

MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION
- Determine what needs to be monitored and measured
- Assign responsibilities
- Define methods for monitoring, measurement, analysis and evaluation
- Determine when the monitoring and measuring will be performed
- Determine when the results of monitoring and measuring will be analyzed and evaluated
- Establish to whom and how the information will be reported

INDICATORS FOR EVALUATION
- Number of reports of wrongdoing received
- Nature of wrongdoing reported
- Time taken to acknowledge receipt
- Average time for investigation
- Proportion of reports sustained by an investigation
- Proportion of reports falling outside the scope of the WMS
- Proportion of reports resulting in corrective actions
- Proportion of reports with knowingly false information
- Seriousness of the issues reported
- Level of trust in the whistleblowing process
- Proportion of whistleblowers who depart
- …

INTERNAL AUDIT
The organization should conduct internal audits of the whistleblowing management system at planned intervals.

INTERNAL AUDIT PROGRAMME
Establish, implement and maintain an audit programme, including frequency, methods, responsibilities, planning and reporting requirements. Consider risks and the results of previous audits when establishing the frequency and scope of internal audits.

AUDITING THE WHISTLEBLOWING MANAGEMENT SYSTEM
- Define objectives, scope and criteria
- Document the audit plan
- Consider auditor objectivity and impartiality
- Present the results to managers
- Keep documented information

MANAGEMENT REVIEW
The top management should review the WMS at planned intervals and report the findings to the governing body.
Management review inputs:
- Actions and decisions from previous reviews
- Changes in the internal and external issues
- Changes in the needs and expectations of stakeholders
- Information on the WMS performance
- Opportunities for improvement and learning
Management review results: decisions related to continual improvement opportunities and any need for changes to the whistleblowing management system.

CONTINUAL IMPROVEMENT
The organization should continually improve the suitability, adequacy and effectiveness of the whistleblowing management system. Changes should be carried out in a planned manner.
Aspects for consideration:
- training and awareness;
- confidentiality protection;
- impartiality of investigations;
- speak-up/listen-up culture;
- whistleblower recognition and reward …

NONCONFORMITY MANAGEMENT
Nonconformity = non-fulfilment of a requirement.

NONCONFORMITY AND CORRECTIVE ACTION
✓ React to the nonconformity, correct the situation and deal with the consequences
✓ Determine the cause(s) of the nonconformity
✓ Implement corrective actions
✓ Evaluate the effectiveness of corrective actions
✓ Keep documented information

OVERVIEW OF THE WMS ACCORDING TO ISO 37002:2021
✓ Identify the context
✓ Determine the scope of the management system
✓ Have the support of the leaders
✓ Develop and communicate a whistleblowing policy
✓ Appoint a whistleblowing management function
✓ Determine risks and opportunities in relation to the WMS
✓ Establish whistleblowing management objectives
✓ Carry out changes to the WMS in a planned manner
✓ Determine and make available the necessary resources
✓ Ensure adequate competence and awareness
✓ Provide training about the WMS
✓ Establish effective communication processes
✓ Control the documents of the WMS
✓ Protect data according to the legislation and best practice
✓ Ensure that relevant parties are afforded confidentiality
✓ Establish visible, accessible and secure reporting channels
✓ Assess reports impartially and prioritize them based on risk
✓ Assess and prevent the risks of detriment
✓ Follow the principles of investigation management
✓ Protect and support whistleblowers and other parties
✓ Formally close whistleblowing cases
✓ Establish indicators to monitor and measure the WMS
✓ Conduct internal audits at planned intervals
✓ Conduct management reviews
✓ Improve continually the WMS
✓ Manage nonconformities with effective corrective actions
