ISO Standard 37002, on whistleblowing systems

Mihaela Pop, Project Manager

Public institutions and private companies with over 50 employees will be required, starting from December 2021 and December 2023, respectively, to establish dedicated whistleblowing mechanisms and procedures that guarantee, among other things, high safety standards, anonymization procedures for whistleblower data, and proper management of whistleblower reports. These requirements are part of the European Directive no. 1937/2019 on whistleblower protection, which must be transposed into Romanian legislation during this period.

In the EAT project, we had conversations with over 70 representatives from public institutions or big private companies. One of the main conclusions was that the subject of safe whistleblowing mechanisms is a "miscellaneous" subject, far from being a real concern at this time. One of the reasons for this comes from the challenges faced by organizations in the context of the Covid-19 pandemic. But even without this current crisis, whistleblowing safety is not a priority for Romanian managers, in either the public or the private sector.

During these talks, there were a lot of questions regarding the proper implementation of the new provisions. Most of them concerned the specific types of whistleblowing mechanisms that are to be implemented, who will manage them, what the "clear management procedures" for these channels involve in detail, what sanctions are to be applied for breaking them and by whom, what "independent authority" will coordinate the implementation of the transposed norms, etc.

Among the instruments able to help those who will have to implement the regulations of the new directive is the ISO 37002 standard, dedicated to whistleblowing.

We interviewed Radu Răuță (R.R.), member of two working groups in the Technical Committee 309 of the International Organization for Standardization, on the ISO Standard 37002 as a guiding instrument in the whistleblowing debate.

What is ISO and what do we need to know about the standards it provides?

R.R.: ISO is the International Organization for Standardization, a network of 165 national standard bodies, headquartered in Geneva, that sets international standards. Since 1974, it has published over 15,000 standards for various industries.

Standards are a market necessity, coming from a need to maintain a certain level of quality and performance of a good or a service. As such, they are never mandatory, because ISO has no powers to legislate. They are designed to meet a market requirement. Member states nominate experts for our working groups, but ISO also has collaboration protocols with employers’ organizations from the various industries we work with and consult when setting a standard. The ISO standards do not impose or require a certain way of doing things, and member states have the freedom of transposing, or not, a certain standard into their national legislation. A good example is, for Romania, the ISO 9001 standard, regarding public procurements. Other institutions want standards for environmental, health or food safety regulations. Moreover, organizations can advocate for or propose standards as a commercial recognition.

What is ISO standard 37002?

R.R.: ISO 37002 is a standard for management systems dedicated to whistleblowing. It sets instructions for the management of the whistleblowing channels, but it cannot be certified. We must note that it is not the first whistleblowing standard, but a continuation and an improvement of a British standard. 

In September 2016, ISO set up the Technical Committee no. 309, with multiple working groups. The goal of this committee is to offer standards for governance – direction, control and responsibilities for organizations. In November 2016, as the subject of whistleblowing was becoming increasingly important, with a rising number of public interest reports on wrongdoings, it started the process of developing this new standard (37002) for whistleblowing. A special working group (WG 3) was set up in 2018, for developing the ISO standard for whistleblowing, with a deadline at the end of 2021.  

The working group is coordinated by Professor Wim Vandekerckhove, a well-known international expert and author on whistleblowing. The group collaborated with numerous representatives from various industries, from consulting companies, IT, state authorities, and many other stakeholders, involving them in the elaboration process for this integrity standard.

At what stage of development is this new standard for whistleblowing?

R.R.: Our own self-imposed deadline would be the later part of 2021. Currently, the standard has come out of the draft stage. In the first days of January 2021, we sent the final draft for the standard and we’re preparing to present it for the vote of member organizations in the ISO network. At this stage, we’re no longer accepting proposals, changes, or amendments to the text. The standard needs a positive vote from two thirds of the permanent members of the ISO network (national and employers’ organizations), but with no more than a quarter of negative votes. If we do not meet these criteria, the project is then sent back to the Technical Committee for reassessment. But if it passes the vote, it is published and becomes an ISO standard.

The standard 37002 is meant to act as a guide of good practices. You will not be able to say that you have a certificate for ISO 37002. Instead, this guide can apply to several standards, like the anti-graft standard and the conformity management standard – which means that if you want to implement an internal compliance system you can apply the guide offered by ISO 37002 in order to learn how to build a whistleblowing system, proper safety instruments, risk management procedures, etc.

What are the recommendations of standard ISO 37002?

  • The recommendations from ISO 37002 place an emphasis on the protection of whistleblowers, and also on the protection of the person who is the subject of the report, to ensure that there will not be cases of malicious reporting or damages to innocent persons. We need to protect all the people involved, until all the evidence is analyzed.
  • The standard details the aspects related to the various roles, responsibilities and specific authorities involved in the whistleblowing process. It specifies the actions required from the top management or the governing body, like a board of supervisors, and makes recommendations to ensure a smooth functioning of the whistleblowing mechanisms. 
  • It mentions that each organization that sets up a whistleblowing system should have a Whistleblowing Management Function, a specific role, even if it’s not a dedicated position, with responsibilities for the administration of the whistleblowing system. For example, it may be someone from the legal or human resources departments  – not necessarily someone from the ethics committee or from the working group that’s implementing the national anti-corruption strategy. In the case of complex organizations, there can be multiple people with duties concerning the whistleblowing mechanism. ISO 37002 clearly states that these persons must have the necessary competences, must be properly trained in the management of the whistleblowing system, and must show integrity and impartiality. The standard describes such competences as emotional intelligence, diplomacy, impartiality, leadership, confidentiality and clear judgement.  
  • It describes the procedures that must be followed after receiving a report, by the manager of a whistleblowing system, and the staged handling of each case, with recommendations for transparent policies and procedures, that everyone can consult. The process is divided into different stages, from the reception of the reports, preliminary checks, the start of the internal investigation, the efforts to ensure confidentiality, etc.   
  • It also recommends maintaining a clear track of all the documentation and actions, in order to constantly improve the system.   
  • It stipulates mandatory trainings for the employees, for awareness and practical purposes, because the system does not and cannot work if the employees are not aware of it or do not know how to use it.
  • It includes recommendations for the architecture of the whistleblowing system, to ensure that only valid reports are sent through it, without it becoming overloaded. An important factor is the “speak up” culture in an organization and its internal communication channels and rules. For example, if an employee sees a problem he or she must have the possibility of talking about it in the organization, to check if it really is a problem and a reasonable complaint, that can then become a whistleblowing report. In Romania, we have a culture of corporate silence and of not speaking up. So I would not be very worried that Romanian institutions will be flooded with complaints and reports, at least not in the first few years, until we have several big cases that are properly handled and bring change, proving that the system works. If the Directive is properly publicized and communicated, it will take a few years to produce the desired effects and for the system to actually start working.
  • It includes the obligation of ensuring the confidentiality of all the data in the system. We did not elaborate too deeply on this aspect, so as not to seem to recommend or favor any of the whistleblowing systems out there in the market.

All the recommendations made in the ISO 37002 standard have a high degree of adaptability, in order to be applicable in all sorts of organizations, from small ones, with under 10 employees, to large ones, with over 5,000. And its stipulations are not specific to a single sector or type of organization. They also offer interoperability, so organizations that already have a quality management system, environmental system, or any internal management control system will find it easier to integrate them with the ISO 37002 standard.

This standard can prove to be a very useful instrument to efficiently enforce the new regulations.