Due to the approaching date of approval by the Polish Parlaiment of the Directive on Whistleblower protection, employers who are subject to its provisions are required to implement an internal reporting channel in their organizations. To develop and implement a transparent, user-friendly, and effective reporting system, they can use the ISO 37002:2021 standard.
What is ISO 37002:2021 about?
In 2021, the International Organization for Standardization published the standard "Irregularity Reporting Management System". Its purpose is to help organizations implement Whistleblowing practices and procedures and meet their obligations under the directive. In this case, it is important that the guidelines of the standards are general and employers may apply them regardless of the type or size of the business. Moreover, the aforementioned regulations apply to the private, public and non-profit sectors.
The ISO 37002:2021 standard contains a set of guidelines for all elements of the implementation of the ticketing management system, which include:
- Planning, including reacting to risk, planning changes, and setting goals.
- Measures of support, consisting of assets, training, knowledge, competencies, data protection, and confidentiality issues.
- Control and operational planning, i.e. all measures to prevent retaliation, Whistleblower protection, managing and processing of reports, as well as violation management.
- Assessment of results, which includes verification, analysis, monitoring as well as system audit.
- Continuous improvement, which includes managing the process of managing non-conformities and taking remedial actions.
How does ISO 37002:2021 relate to the Whistleblower Directive?
The European Union's directive on the protection of Whistleblowers states that reporting channels must be kept confidential. The ISO 37002 standard specifies that it is the responsibility of the organization to define, implement, communicate and maintain reporting channels that must be safe, accessible, and visible to all persons who, covered by the directive, can report violations without fear of potentially taking retaliation against them. Moreover, the standard indicates that for the security and confidentiality of Whistleblowers' identities, at least one of the channels should not depend on the management hierarchy.
Another guideline of the Whistleblower Directive is the 7-day deadline for acknowledging receipt of the notification. The standard indicates that the acknowledgment of receipt should be timely, and if for some reason it is not complied with, the Whistleblowers must be informed with an updated time.
The situation is similar in the case of the deadline for informing Whistleblowers regarding the examination of their applications, which should not exceed 3 months. According to the provisions of the standard, feedback messages must be provided at every stage of the Whistleblowing process.
According to the European Union Directive on the Protection of Whistleblowers 2019/1937, it is important to exercise due diligence when taking follow-up actions. According to the standard, it is the responsibility of the organization to define, implement and maintain processes that guarantee the impartiality of the evaluation, selection, and management of reports. Professional and reliable handling of investigations is also important, which includes issues such as compliance with personal data management in accordance with the GDPR as well as transparency and unambiguous communication.
In summary, according to the provisions of ISO 37002, the task of the Whistleblower management system is to support processes such as:
- Receiving and managing reports of irregularities with the use of an internal system, such as a Whistleblower.
- Assessment of the authenticity and levels of threats of the reported violations.
- Effective and impartial response to reports of irregularities.
- Concluding and preparing summaries of reported cases.