Whistleblower protection laws are proliferating around the world, and one of the most significant examples this year is the EU Whistleblower Protection Directive—going into effect at the end of 2021, and likely to sweep up hundreds of thousands of organizations across Europe.
That expansion of whistleblower protection raises an interesting question: What compliance challenges will franchise businesses in Europe face? And how can they implement a whistleblower solution that meets their needs?
After all, the idea of whistleblower hotlines is relatively clear. A company should have a hotline that’s easy for employees to use, allows anonymous reporting, and protects whistleblowers from potential retaliation. Compliance professionals have grasped those basics for years.
For franchise businesses, however, the details of implementing a solution can be tricky. So today let’s consider what should go into a whistleblower solution—both the hotline itself, and the policies and procedures that should support it.
Choosing a Whistleblower Hotline Provider
For just about every business, the best course of action is to outsource the operation of your whistleblower hotline to a vendor. Your compliance function should oversee the whistleblower program, and respond to the reports that come to you through the hotline. But the actual operation of the hotline itself—answering calls, acknowledging email submissions, logging data about the nature of the complaint, and so forth—is best left to a vendor that specializes in those tasks.
My only advice here is to choose a vendor that can meet the specific needs of your business. For example, U.S. businesses with extensive franchise operations in Europe or elsewhere in the world will likely have a pre-existing compliance program, including a whistleblower system for U.S. operations. In that case, you’d want a hotline provider that can fit into your enterprise-level operations, including whatever data analytics and key risk indicators you already have.
Meanwhile, your franchisees are likely not compliance experts. They might have a human resources function and a lawyer on call, but most will not have an existing compliance program in place. Businesses in that category might need a “plug-and-play” sort of solution, where a cloud-based provider can get a hotline running in short order and at a low cost.
In other words, think about the type of technology partner you need, as much as the specific capabilities you want your whistleblower program to have. Speaking of which…
Features Franchises Should Look For
Regardless of your company’s specific policies and procedures, all whistleblower programs should address a few basic capabilities.
Reporting Channels
Your hotline will need to offer multiple ways for employees to submit reports. This is especially true for franchisees, which often have higher employee turnover than other businesses and whose employees often work in non-office settings (behind a retail counter, for example) where ease-of-use is important. Think about online submissions and mobile-friendly reporting apps so employees can easily use their smartphones.
Security and Data Privacy
Whistleblower reports will often contain sensitive data, such as corporate financial information or personal information about other employees, so the security and privacy of the report is a paramount concern. That’s true for compliance reasons (you don’t want personal data to leak and lead to a retaliation complaint) as well as risk management reasons (you don’t want a complaint that mentions trade secrets or financial projections spilling into public view).
So as you select a hotline provider and build a whistleblower program, ensure that the privacy and security of the report as a whole, and of all the data within it, are always a high priority.
Supporting Technology
At headquarters, your whistleblower hotline should be only one part of a larger corporate ethics and compliance program, so be sure that it fits well with the rest of your compliance technology. For example, all hotline reports should feed directly into a case management tool. Hotline reports should also include descriptive data about the general nature of the complaint (whether it’s about accounting fraud or harassment, for example) so that data can feed into analytics programs that study issues coming through the hotline at scale. What you don’t want is a hotline that exists wholly separate from other technology, where you’ll then need to build a data integration project to make everything fit together.
However, this is less of a concern for your franchisees who don't need to have a robust compliance program but rather need to focus on complying with a single regulation. Your franchisees need a turnkey solution that doesn't require a complicated implementation.
A Good Process
You also want a whistleblower hotline that works for both you and the whistleblower. For example, whoever answers your hotline should have staff who speak the language of the employees likely to call the hotline. Your whistleblower program should also acknowledge receipt of online submissions, and even allow the individual reporter to submit additional information in the future. Ideally, your team should establish an ongoing conversation with the whistleblower, so he or she feels invested in rooting out the misconduct in question.
A good process also means having a consistent, methodical way of handling reports. For example, you should develop procedures to route certain complaints to certain people (accounting fraud goes to outside counsel, the CFO, and audit; harassment complaints go to HR and legal), and have procedures for timely evidence collection and investigation. Your headquarters might have a more nuanced process for routing requests, whereas your franchisees might have a simple process due to the size of their organizations. However, having workflow options sets everyone up for success.
All of those capabilities are necessary for an effective whistleblower system, no matter what your specific industry or business size. Be sure they’re all present no matter what solution you ultimately choose.
What Should a Whistleblower Policy Contain?
Your policy should contain several elements.
Mandatory reporting. Your policy should spell out for employees that if they suspect some sort of misconduct, they are required to report it. Allow them to report their concerns anonymously, but the message should be that if they witness something amiss at the business, part of their job is to alert senior managers.
Why? Because without such a clause, you allow a “not my job” perception about internal reporting to creep into the workplace culture. Then misconduct might fester and worsen over time—and when that bad news inevitably does come to light, regulators, the public, and your board will ask a far worse question: “So people knew about this and didn’t speak up?”
A description of the misconduct to report. Not everyone will know what qualifies as a conduct concern they should bring to supervisors’ attention. Use examples such as accounting fraud, corrupt payments, theft of goods, sexual harassment, cybersecurity risks, and whatever other primary risks your business has.
One good rule of thumb: if you have a policy to encourage certain behavior (no sexual harassment, no antitrust behavior, no leaking trade secrets, and so forth), you should also have a policy that employees must report violations of those norms. At the franchise level, training on these topics and how to report misconduct should become an essential part of onboarding new team members.
Anti-retaliation. This may be the most important provision of your whistleblower policy. It should expressly state that the identity of a whistleblower will be protected at all times, and that no person should retaliate against any whistleblower if that person’s identity is known.
Be sure to define the types of retaliation, too: no threats or acts of violence; no demands for new duties without clear, objective need; no denial of expected pay raises, promotions, or lucrative work assignments. Include a warning that acts of retaliation will trigger a disciplinary response.
How Franchises Can Protect Whistleblowers
Foremost, train your senior and middle managers to talk about the importance of reporting concerns and of protecting whistleblowers. Management should reframe the entire discussion here to emphasize that speaking up about misconduct is a good thing; that it’s something to be welcomed, and that helps the business to build a culture where problems are solved quickly rather than repressed and ignored.
Managers are the ones most likely to receive a complaint or to see instances of retaliation, and they should be trained to understand when an employee is submitting a concern. They should be trained to notice retaliation, and you should have a policy specifically for managers that they’re obligated to stop retaliation they see and to report those incidents.
And for everyone generally, from the CEO at global headquarters to the newly hired employee working in a franchise location at the outer perimeter of your geographic markets: tell them that whistleblowing isn’t about ratting out coworkers. It’s about making their organization unafraid to confront problems.
You know, an organization people would actually want to work for.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.