Whistleblowing management systems

Belgium, like many other EU Member States, is finally making strides to transpose the EU Whistleblowing Directive into national law. On 8 July 2022, the Federal Council of Ministers approved (in second reading) draft legislation for private companies proposed by the Cabinet of Minister Dermagne (Minster of the Economy and Employment). While the final legislation is still being fine-tuned, the law is expected to be voted on in the Belgian Parliament by the end of this year and come into force during the first months of 2023. As a result, many organizations across Belgium have begun evaluating their current situation regarding whistleblowing and are taking steps to ensure their procedures comply with the upcoming legislation. Curious to learn how your organization can commence its journey to compliance (and beyond)? Find out below!

• On 23 October 2019, the European Council of Ministers formally adopted Directive 2019/1937 on the protection of persons who report breaches of EU law, commonly referred to as the “EU Whistleblower Directive”.
• The deadline for transposing the Directive into national law was set for 17 December 2021, but almost all EU Member States – including Belgium – failed to meet this deadline.
• On 27 January 2022, the European Commission sent a letter of formal notice to Belgium, demanding transposition of the Whistleblower Directive.
• On 25 February 2022, the Belgian Federal Council of Ministers approved (in first reading) a preliminary draft law for the private sector.
• On 3 June 2022 the Council of State provided a formal advice in relation to the draft law for the private sector.
• On 8 July 2022, the Federal Council of Ministers approved (in second reading) a revised draft law for the private sector (for more information regarding the content of the draft law in Belgium and in other EU Member States, please refer to the following whitepaper).
• The law is expected to be voted on in the Belgian Parliament by the end of this year and enter into force two months after being officially published in the Annexes to the Belgian Official Gazette, meaning that organizations in the private sector will likely have until mid to late February 2023 to ensure compliance with the regulatory requirements. 

Even though the legislation is still being fine-tuned, it is fair to say that the basic regulatory requirements are clear and that the revised draft, as approved by the Council of Ministers on 8 July 2022, is likely to be very similar to the final version of the text. As a result, many organizations have recently started to prepare themselves for the upcoming legislation.

In order to make sure your organization does not merely comply with the minimum requirements, but is also able to reap the full benefits of having an effective whistleblowing program in place (see below), it is crucial to apply a structured and comprehensive approach from the start. Such an approach should contain, at the very least, the following phases:

1. Assessing the as-is situation: in order to build a comprehensive whistleblowing program, organizations will firstly need to assess and understand their current situation and identify the gaps between what is in place and what should be in place. It is therefore crucial that the as-is assessment includes the following four aspects: policies and procedures, processes and services, people and organization, and data and technology. These elements – and their subcomponents – are summarized in the KPMG Whistleblowing Navigator as shown below.

• Captures insights & experience garnered through hundreds of global whistleblowing engagements.
• Underpins our thorough whistleblowing enhancement methodology.
• Used as an overarching taxonomy against which we assess the performance of an organization’s whistleblowing programme.
• Built around four main elements:
  • Policies & procedures: do you have adequate policies in place and are these translated properly into operational procedures?
  • Processes & services: how do you practically manage the whistleblowing process (from reporting to follow-up and protection)?
  • People & organization: are stakeholders sufficiently made aware of the Whistleblowing programme? Does your organization possess the necessary skills to run the operational processes?
  • Data & technology: have you sufficiently taken into account data privacy and information protection considerations? What data is gathered throughout the whistleblowing lifecycle and how do analyze this data for the improvement of the programme?

2. Designing the whistleblowing program: once the current situation has been mapped out and the gaps have been identified, organizations will need to design or fine-tune their desired whistleblowing program (considering the organization’s business context and specificities, as well as regulatory requirements). Once again, it is crucial that all four elements of the KPMG Whistleblowing Navigator be taken into account at this stage.

Specific questions that might need to be addressed in this step of the process include:

a. Which reporting mechanism(s) will the organization put in place? (The 2022 ACFE (Association of Certified Fraud Examiners) Report to the Nations finds that whistleblower reporting by e-mail is on the rise – 40% of all reports in 2022 compared to 26% in 2018 – with web-based platforms coming in second for the first time)

b. Will whistleblowers be allowed to operate anonymously?

c. How will external stakeholders (e.g. ex-employees, suppliers, subcontractors, etc.) be informed on how and when to report?

d. Which concrete measures will the organization put in place to protect whistleblowers?

e. Who will handle incoming reports? How will the organization ensure the assigned party is sufficiently independent and skilled to handle reports?

f. In which cases, how and by whom, will investigations into potential instances of fraud or misconduct be conducted?

g. [In case the organization has an international footprint] Are there any differences in the regulatory requirements of the various countries in which the organization operates? If so, what are the practical implications of these differences on the design of the whistleblowing program?

3. Implementing the whistleblowing program: during the implementation phase it is important for all employees and other relevant (internal and external) stakeholders to be introduced to the organization’s whistleblowing program and made aware of its relevance to them and the organization. In this regard, the 2022 ACFE Report to the Nations finds that training increases the likelihood of fraud detection through tips by up to 8%. Be advised, however, that awareness and training sessions should not only be given to potential users of the whistleblowing program, but also to those responsible for operating and maintaining the program (e.g. line managers who might receive reports during day-to-day operations, report handlers who assess incoming reports, investigators, etc.).

4. Operating and maintaining the whistleblowing program: after the initial implementation or “go live” of the whistleblowing program, it is essential that the program be effectively operated and maintained and that trust in the program is monitored and evaluated in order to ensure its success. With that in mind, it is important to consider, amongst others, the following actions:

a. making sure that sufficient capacity is available for handling incoming reports and conducting investigations;

b. testing the available whistleblowing mechanism(s) on a regular basis (e.g. biyearly);

c. sending yearly reminders to stakeholders of the existence and availability of the (various) whistleblowing mechanism(s);

d. verifying the continuous adherence to internal and regulatory requirements (such as confirming receipt of a report within seven days, providing a due response within three months, etc.); and

e. measuring the level of trust from internal and external stakeholders by means of (anonymous) surveys and focus groups.

In addition to mitigating the risk of sanctions (e.g. fines) for non-compliance with regulatory requirements, organizations can actually reap financial benefits from having a strong and effective whistleblowing program in place. The ACFE’s Report to the Nations (2022) has once again confirmed that tips remain the most common fraud detection method (42% of all incidents of fraud) and that hotlines can limit the impact/loss of fraud cases by as much as 50% on average. Additionally, whistleblowing systems are an expression of an organization’s values and belief in promoting a culture of integrity and honesty. KPMG’s 2020 Whistleblowing Survey revealed that the percentage of organizations that have been the victims of fraud in the past is almost 10% higher for organizations that did not have a formal whistleblowing policy in place than for those that did.

As experts in the fields of Forensic, Compliance and Law, KPMG can guide and assist your organization in its objective to build a comprehensive, integrated and effective whistleblower program. We can advise you in all steps of the process, as follows:

• Assessment: applying KPMG’s Whistleblowing Navigator – which not only takes into account regulatory requirements (i.e. requirements specified by the Directive and/or national legislation), but also elements from the ISO 37002 standard on Whistleblowing Management Systems and other market leading practices – to assess your organization’s current situation with regards to whistleblower protection and reporting;
• Design and implementation: providing support in drafting whistleblower policies, choosing a whistleblowing platform suitable to the business, designing report handling processes and procedures, providing training to internal and external stakeholders, etc.; and
• Maintenance: providing outsourcing solutions whereby KPMG assists in handling incoming reports and investigating potential issues on a call-off basis, if the need arises.

Together with you, we can ensure that your organization’s whistleblowing program goes beyond the regulatory minimum and helps reap the benefits of whistleblowing in order protect your organization and create value for it.