Whistleblower Directive and Corporate Compliance
The EU Whistleblower Directive enters into force at the end of 2021 and will be binding on all EU Member States. The Directive emphasizes the importance of public interest and responsible corporate culture. As we wrote in our previous blog, the Whistleblower Directive obligates all private companies and public sector organizations with more than 50 employees to establish a whistleblower channel – a channel to which observed misconduct can be reported.
The Directive also requires clear procedures for processing and investigating the received reports, as well as for the protection of employees who report misconduct they observe at their workplace. It should be noted that the Directive and the reporting channel form only a part of a company’s compliance program and are one tool in building a responsible corporate culture. To function properly as a tool for early intervention, the reporting channel must be backed up with a complete compliance program.
Compliance & Ethics - Aspiring for a Culture of "Doing the Right Thing"
Compliance means conformity with requirements, i.e. complying with laws and other regulations as well as with the company's internal codes of conduct and policies. Ethical corporate culture, in turn, refers to the company’s core values, which aim to promote ethical and responsible conduct and bring real added value to the company’s business. Compliance is a broad term which in practice covers all legal regulation. It includes, among others, codes of conduct, anti-bribery and anti-corruption laws, competition laws, securities market legislation, data protection and privacy, environmental legislation, supplier codes of conduct, human rights, anti-money laundering legislation as well as health and occupational safety legislation.
There is no “one size fits all” in compliance. Each company must define what compliance means to it, which areas of compliance are the most essential for the company’s business and which areas are most prone to compliance risks. The risk assessment is affected by the company's line of business, geographic location and operational environment, markets and competition, customers, business partners and possible actions with authorities. Understanding the big picture and the ability to prioritize are both essential. Above all, compliance is about building trust and ensuring that the company and its management and employees are committed to doing the right thing and to running the company’s business in compliance with laws and regulations as well as the company’s internal policies and guidelines.
Well-Functioning and Effective Compliance Program – Tone from the Top and Key Elements of Compliance
Corporate compliance is a continuous process. The key elements of a compliance program include management and corporate governance, risk assessment and controls, internal policies and processes, communication and training, confidential reporting of suspected misconduct and related investigations, remediation, as well as continuous assessment and improvement of the compliance program. The company's top management must be fully committed to the compliance program and to the company's internal rules of the game, act as an example and actively monitor that the company and its employees act in accordance with the compliance program. The Board of Directors has the ultimate responsibility for the company’s compliance program. It is also vital that the company has a Compliance Officer or a compliance team responsible for compliance matters, and that they have enough authority and resources. Risk assessment and risk mitigation should be regarded as a continuous process to identify the company's key priorities and development needs.
The compliance program should not exist in a silo. It should be built to support the company’s business operations and designed together with the company’s business units, considering their needs. It is also essential to prepare clear guidelines and policies, inform employees of them and organize training. Shareholders, investors and other stakeholders also expect responsible and transparent compliance and follow how it is managed.
Each of the above-mentioned areas is important and necessary as companies prepare themselves for the EU Whistleblower Directive. The reporting channel provides companies with an opportunity to obtain information about issues at an early stage and to address them. Companies will miss out on this opportunity if they do not have a suitable compliance program in place and their employees do not know what kind of behavior is expected of them and what results in intervention. Therefore, prior to setting up the reporting channel and investigation process, companies should also consider the other elements of an effective compliance program. To many companies this means building a compliance program from scratch. To others this means updating their existing compliance program and policies in accordance with the Whistleblower Directive. A well-functioning reporting channel and investigation process also provide companies with valuable information on how well the compliance program functions and is complied with, as well as how it should be developed further.
Corporate Responsibility, Compliance and the Whistleblower Directive
Corporate responsibility is a larger area than compliance. Corporate responsibility considers the company’s values, actions and corporate culture as a whole. Key areas of corporate responsibility include, among others, financial responsibility, environmental responsibility and social responsibility. Financial responsibility means long-term profitability and sustainable business operations, which create the preconditions for other areas of corporate responsibility. Environmental responsibility refers to the company's responsibility for climate, commitment to conservation of biodiversity and prevention of pollution. Social responsibility considers the impact of business operations on people, such as employees, customers and nearby residents, as well as the company's responsibility for human rights. Many companies invest increasing amounts in responsibility and sustainability, and actively communicate these actions to their stakeholders. Corporate responsibility has become a competitive advantage and a brand management tool. On the other hand, stakeholders such as employees and customers, suppliers and business partners, as well as investors, also expect corporate responsibility.
Compliance is one area of corporate responsibility which has had a legal focus. Currently, however, responsibility thinking is increasingly gaining ground in the field of compliance as well. Companies no longer settle for mere compliance with laws and regulations but emphasize ethics and corporate responsibility and are willing to do more than what the law requires. Corporate responsibility has traditionally been based on voluntary actions and self-regulation. Nowadays legislation relating directly to different areas of corporate responsibility is increasing, and corporate responsibility and compliance are becoming more intertwined. The EU Whistleblower Directive is a good example of this. The objective of the Directive is to ensure that employees and other stakeholders can safely report misconduct which is harmful to the public interest and which they observe at their workplace. As the Whistleblower Directive enters into force, companies will have to pay more attention to social responsibility and take responsibility for the public interest. In addition to public interest objectives, the Whistleblower Directive sets forth requirements as to how companies should organize their compliance matters. The relationship between corporate responsibility and compliance could be summarized as follows: corporate responsibility means going beyond traditional legal compliance and having a broader perspective than legal/not legal.