What can you report?
The directive focuses on infringements of EU regulations. Examples include the rules on money laundering, public procurement, environmental protection, public health, consumers or privacy. However, many companies extend the scope of application and include reports of fraud or unethical behaviour in their internal regulations.
Our survey (2019) on fraud in companies shows that 21% of the companies surveyed were victims of fraud over the past 5 years, with an average loss of about 200,000 EUR. When asked how the fraud was discovered, the majority of respondents said it came to light as a result of a declaration or report.
By introducing a code of conduct and a hotline, managers send out a clear message that illegal or unethical behaviour is not tolerated. At the same time, they protect themselves, and they try to limit financial losses in the event of fraud.
Which reporting channels?
The reporting channels can take different forms – ranging from an internal employee or service that receives the reports verbally or in writing, to more sophisticated forms, such as a hotline, voicemail service or online platform. In any event, the channels must guarantee the confidentiality of the reporter’s identity and that of each third party mentioned, and only authorised persons may have access to the reports.
“Rolling out a compliant reporting system often takes months.”
The disadvantage of appointing a person or internal service is that complete anonymity of the whistleblower is impossible. As a result, it is more difficult to disclose the content of the report, and access to the information must be closely monitored. Thanks to the more sophisticated channels, the whistleblower can communicate anonymously. He/She is allocated a case number and password when submitting the initial report, which allows him/her to log in anonymously to the external platform to monitor the handling of the report.
The directive stipulates that the organisation can alert its employees when a report is submitted. However, you can also inform other stakeholders (customers, suppliers, shareholders, etc.).
Should you manage a reporting system internally or outsource it?
You can roll out and manage the reporting system yourself or outsource it to an external provider. Outsourcing has various advantages:
You are provided with a tool that ensures reports are followed up correctly and within the imposed deadlines and that the confidentiality of the reported information is respected.
An external provider also offers a better guarantee of anonymity, and cases are handled by neutral professionals.
Outsourcing is often more cost-effective. After all, you do not have to train someone to be the reporting point and provide him/her with the necessary time to handle the report. Moreover, in the case of illness or absence of that reporting point, you must also provide a trained back-up. And what do you do if the person serving as the reporting point is also involved in the reported case? All these concerns are addressed by the external provider.
An external provider can process a report in multiple languages, which is more difficult if an internal employee serves as the reporting point.
Finally, the content of the report related to the persons involved (including the whistleblower) must be stored in compliance with GDPR rules. That, too, is specialist work.