ISO 37002 & Certification FAQ: Whistleblowing Management System
ISO 37002
ISO 37002 is an international standard that provides clear guidelines for establishing, implementing, and maintaining a whistleblowing management system within organisations.
The standard assists organisations in creating a safe and effective environment for reporting wrongdoing, protecting whistleblowers and ensuring proper handling of reports.
ISO 37002 is based on three core principles: trust, impartiality and protection.
- Trust: The whistleblowing system should be designed and operated in a manner that instills trust in the process and the organisation's commitment to addressing reported concerns.
- Impartiality: The system should ensure that all reports are handled fairly, objectively, and without bias, regardless of the identity or position of the whistleblower or the person(s) involved in the alleged wrongdoing.
- Protection: The organisation must take appropriate measures to protect whistleblowers from victimisation (i.e. any form of retaliation, discrimination or harassment) as a result of their reporting.
ISO 37002 was designed to be adaptable to a range of organisations and business types, irrespective of the nature, size, geography, and jurisdiction of the organisation.
ISO 37002 is a Type B standard, meaning it provides guidance and recommendations rather than specific requirements for certification. Instead, organisations can use the ISO 37002 standard as a tool to benchmark their existing whistleblowing management system or to develop a new one aligned with international best practices.
ISO 37002 is closely related to, and can fulfill requirements in, Type A ISO standards:
- ISO 37001: Anti-bribery Management Systems is a standard that helps organisations prevent, detect, and address bribery and other forms of financial crime. It provides a framework for implementing an effective anti-bribery management system, which includes policies, procedures, and controls to mitigate bribery risks.
By establishing a whistleblowing system, organisations can encourage employees and other stakeholders to report suspected instances of bribery and financial crime. This increased reporting can help organisations detect and address these issues more effectively, reducing the risk of legal and reputational damage.
- ISO 37301: Compliance Management Systems offers a framework to design, implement, evaluate, maintain, and enhance a robust compliance management system within an organization. It helps organisations ensure that they are meeting their legal and regulatory obligations, as well as their own internal policies and procedures.
A secure whistleblowing system can serve as an early warning mechanism, allowing organisations to identify and address potential compliance issues before they escalate into more serious problems.
It is also closely related to a number of important guidance standards under the umbrella of ISO/TC 309 Governance of Organizations:
- ISO 37008: Internal Investigations of Organizations is a new international standard that provides guidance on planning and scoping an internal investigation, collecting and preserving evidence, interviewing witnesses, and reporting findings.
- ISO 31000: Risk Management offers organisations a set of guidelines, frameworks, and processes designed to improve risk management strategies.
The related standards can be used in conjunction with ISO 37002 to create a comprehensive framework for promoting ethical behavior, best practices and compliance within organisations committed to good governance.
ISO 37002 is not a replacement for applicable whistleblowing legislation.
While the guidelines are generally consistent with Australian requirements, they do not replace compliance with specific local laws.
As an international standard, ISO 37002 offers a comprehensive set of guidelines for managing a whistleblowing system. It acknowledges the needs of organisations to tailor their systems to their unique business and regulatory contexts. However, the stringent Australian legal requirements for whistleblower protections necessitate more rigorous processes than those suggested in the guidelines.
What is the purpose of ISO 37002?
The development of ISO 37002 was driven by the changing whistleblowing landscape in recent years. High-profile cases have prompted the introduction of new whistleblower protection regulations and legislation across the globe, leading organisations to reevaluate the effectiveness of their internal reporting systems.
Despite increased awareness of the importance of speaking up, many employees still face barriers to reporting misconduct within their organisations, such as:
- Distrust in the organisation's ability to respond to reports effectively
- Uncertainty about whether the organisation will take a report seriously
- Doubt that information will be treated in a confidential manner
- Fear of victimisation or retaliation
Adopting ISO 37002 allows organisations to show their dedication to ethical practices, transparency, and accountability. This standard serves as a strategic tool, reassuring stakeholders of the organisation's proactive efforts to prevent, identify, and resolve issues related to misconduct and safety.
In the event of an investigation, adherence to ISO 37002 may also be taken into account as evidence that an organisation has taken proactive measures to identify and mitigate wrongdoing while protecting whistleblowers and other stakeholders.
Key aspects of ISO 37002
Some key aspects addressed in ISO 37002 include:
- Developing a clear whistleblowing policy
- Establishing secure and confidential reporting channels
- Defining roles and responsibilities for managing the WMS
- Investigating and addressing reports of wrongdoing
- Protecting whistleblowers from retaliation
- Providing training and communication to employees and stakeholders
The table of contents and introduction can be read here.
How to implement an effective whistleblowing management system based on ISO 37002 standards
Developing an effective whistleblowing management system with ISO 37002 involves a systematic, step-by-step approach. Below is a guide to help organisations create a robust WMS that aligns with these standards.
1. Assess current practices and identify gaps
Begin by evaluating your organisation's existing whistleblowing policy, practices and procedures. Identify any gaps or areas for improvement in relation to the guidelines provided in ISO 37002. This assessment will help you determine the scope of work required to align your WMS with the standard.
2. Develop a comprehensive whistleblowing policy
Create a clear and comprehensive whistleblowing policy that outlines the purpose, scope, and procedures of your WMS. The policy should:
- Define what constitutes reportable wrongdoing
- Explain how to make a report
- Emphasise the organisation's commitment to protecting whistleblowers and other interested parties from retaliation
- Outline the investigation process and potential outcomes
Ensure that the policy is easily accessible and communicated to all employees and relevant stakeholders.
3. Establish secure reporting channels
Provide multiple secure and confidential channels for individuals to report suspected wrongdoing, such as:
- Dedicated hotline
- Web-based reporting platform
- Email address
- In-person reporting to designated personnel
These channels should be designed to ensure the confidentiality and, if desired, anonymity of the whistleblower, and to protect the information provided.
4. Define roles and responsibilities
Clearly define the roles and responsibilities of individuals involved in managing the WMS, including:
- Whistleblowing coordinator or committee
- Investigators
- Senior management
- Board of directors
Ensure that these individuals have the necessary skills, training, and resources to effectively carry out their duties.
5. Implement robust investigation procedures
Establish well-defined procedures for assessing, investigating, and addressing reports of wrongdoing in a proper and timely manner. This should involve:
- Trained and impartial personnel
- Consistent investigation protocols
- Documentation and reporting requirements
- Corrective action and follow-up measures
6. Protect whistleblowers from retaliation
Put in place strong measures to protect whistleblowers from any form of retaliation, discrimination, or harassment as a result of their reporting. This may include:
- Confidentiality and anonymity provisions
- Anti-retaliation policies and procedures
- Disciplinary action against those who engage in retaliatory behavior
Regularly communicate these protections to employees and demonstrate the organisation's commitment to supporting whistleblowers.
7. Provide training and communication
Develop and deliver regular training and communication programs to ensure that all employees and relevant stakeholders understand:
- The importance of reporting wrongdoing
- How to make a report
- Their rights and protections as whistleblowers
- The organisation's commitment to ethical behavior
Training should be tailored to different roles and responsibilities within the organisation and reinforced through ongoing awareness campaigns.
8. Monitor, review, and improve
Continuously monitor the performance of your whistleblowing system and conduct regular reviews to identify areas for improvement. This may involve:
- Analysing reporting data and trends
- Seeking feedback from whistleblowers and other stakeholders
- Conducting internal audits or assessments
- Benchmarking against industry best practices
Use these insights to make necessary adjustments and enhancements to your WMS, ensuring that it remains effective and aligned with ISO 37002 guidelines.
By following these steps and adhering to the principles of trust, impartiality, and protection, organisations can establish a robust and effective WMS that encourages the reporting of wrongdoing, protects whistleblowers, and promotes a culture of integrity and ethical behavior.
How Elker can help your organisation align with the ISO 37002 standard
Elker is a whistleblowing system featuring the highest-grade security, consistent with ISO 27001 standards. Elker features:
- Anonymous reporting tools: encourage employees to report concerns with encrypted messaging
- Pulse surveys: collect anonymous employee feedback
- Response templates and guidance: assess critical disclosures without compromising the identity of the reporter
- Comprehensive case management tools: organisations from small companies to large corporations can efficiently manage cases
- Real-time analytics and reporting dashboard: identify trends and risks in real-time
- Compliance regulations: For Australian organisations, Elker assists with compliance with the Corporations Act 2001, Sex Discrimination Act 1984 (positive duty), Fair Work Act 2009, the new Aged Care Act and more.
By partnering with Elker, organisations can streamline the implementation of an effective whistleblowing system that meets the ISO 37002 standard.
For more information on how Elker can assist your organisation, send us a message. For a look at all the features on offer, book a demonstration of the platform.