We are delighted to share the results of the 2018 edition of our WhistleB annual customer study on organisational whistleblowing.
This has been a year during which whistleblowing has truly been in the spotlight, receiving largely more positive attention from the media, organisational leaders and regulators alike. The main findings of this year’s customer survey reflect this more favourable view on whistleblowing.
Knowing that a compliance officer or other leader in the company will say “no” to a high-risk proposal, gives you the confidence to move faster in the business decision-making process.
To ensure that the company Compliance Officer becomes an internal business partner, it is important to advise on “how” things can be done instead of just placing obstacles by saying “no”.
Ledgers have always been used to keep track of operations and were stored in specific locations (accountant's office, banks, etc.). Following the computerization of data, ledgers were transferred into a digital format to improve efficiency and workload. But even digitalized ledgers were often concentrated in specific locations (local server or computer, etc.) .
What do others do? Where do I stand as compared to other companies in my sector? Can you provide me with benchmark data? Those were recurrent questions that I was asked as a Paris-based FCPA lawyer and academic.
Whistleblowers are key tools to uncovering unlawful activities and preventing corporate misconduct. However, according to the 2017 Eurobarometer on Corruption, 81% of individuals experiencing or witnessing corruption indicated that they have not reported it. Moreover, only 47% of the respondents knew where to report a case.
Many compliance managers have asked me if the fact that their business associates were certified ISO 37001 would relieve them of the responsibility of conducting further due diligence.
It is a relevant question which requires a detailed response.
The French National Prosecutor’s office recently concluded a deferred prosecution agreement with the Société Générale bank to settle suspicions it had paid bribes to foreign public officials. Société Générale was issued fines of 250,150,755 euros. For the first time since the entry into force of the Sapin II law, this resolution was coordinated with the US Department of Justice which also concluded a deferred prosecution agreement with the French bank based on the same facts.
Every act of corruption involves a conflict of interest. The receiver or corrupted individual acts in his own interest and not in that of the organization he represents.
At its core, anti-corruption is about your company’s values. What is the value that drives your company: that you have superior products and/or services that would improve your customers’ lives, or you need to cheat one deal at a time? Are you looking to a long-term future for both your company and the communities where it does business, or do you just want to make sure you get through today? I believe companies that have clear sense of their mission and long-term vision would be more competitive than those that focus on short-term deals and quick growth, because the long-term mission focus compels strategies and investments consistent with sustainable business growth.
Is it necessary to conduct due diligence on clients, and if so, how? I have been asked this question frequently over the past few months.
Conducting due diligence on third parties who work for or with the company is manifestly necessary and useful. If the third party represents a corruption risk, the risk can be mitigated with anti-corruption clauses, modifications to working conditions, anti-corruption training, more intensive monitoring or by demanding audit rights and subsequent controls.
The imminent general data protection regulation (GDPR) will be one of the most influential frameworks in the data privacy sector. Throughout Europe, data privacy will soon be harmonized by law. The regulation was adopted in April 2016 and its enforcement will be mandatory from May 2018 for companies processing personal data.
Compliance officers will be obliged to follow very specific procedures when handling personal data particularly as it pertains to issues of whistleblowing.
Modern working conditions rely heavily on digitally displayed workflows which produce huge amounts of data, forcing compliance officers, following the regulation, to handle and control European citizens’ personal data to prevent abuses.
France’s Supreme Court recently determined that double jeopardy isn’t a viable defense to prevent the prosecution of a company that had entered into a plea agreement for charges tried in another country
The decision by the Cour de Cassation, rendered on March 14, involved Swiss oil trader Vitol, which allegedly bribed the government of Iraq to obtain oil under the United Nations' Oil-for-Food program that ran from 1996 to 2003. Under that program, Iraq could sell oil on the open market to purchase humanitarian supplies for its citizens.
At WhistleB, we applaud a more positive view of the value of whistleblower tips. The UK-based Financial Times1 and Sweden’s Dagens Nyheter2 have published pieces in the last month related to high-profile whistleblowing matters and their articles highlight that whistleblowers need the strictest protection. We could not agree more. Organisations should offer a safe environment for reporting misconduct and protecting the anonymity of people who dare to report.
Carrying out due diligence on third parties which is not based on a risk assessment is counterproductive for the following reasons:
A whistleblowing system is now an incontrovertible tool for compliance.
But it is not enough to have a whistleblowing system; it must be one that works….one that raises alarms on suspicion of fraud or corruption effectively.
If the whistleblowing system results in very few alerts being raised, the Compliance Officer is faced with a paradox:
Either the compliance program is particularly effective
or – the opposite – the whistleblowing system is ineffective
In other words, is a procedure which raises very few alerts reassuring or...alarming?
Whistleblowing has been recognized as playing a crucial role in the fight against corruption, fraud, mismanagement, and various other crimes. The Council of Europe underlined that whistleblowing can act as an “early warning to prevent damage as well as to detect wrongdoing that may otherwise remain hidden”.
Some countries, including Italy, have already implemented laws to protect whistleblowers, however whistleblowing is far from being used as a real instrument to detect crimes. The OECD Foreign Bribery Report (2014) describes how very low the percentage is – only close to 2 % of the concluded foreign bribery cases were detected through whistleblowing.
ISO 37001 is an international standard which specifies the procedures which an organization should implement to assist it prevent bribery, and identify and deal with any bribery which occurs. It requires organizations to implement these procedures on a reasonable and proportionate basis according to the type and size of the organization, and the nature and extent of bribery risks faced. It is applicable to small, medium and large organizations in the public and private sector, and can be used in any country. It cannot provide absolute assurance that no bribery will occur, but it can help establish that the organization has implemented reasonable and proportionate anti-bribery procedures.
Yes. This agreement is the first Convention Judiciaire d’Intérêt Public (“CJIP”) – which stands for Judicial Agreement in the Public Interest – concluded by the French National Financial Prosecutor (“NFP”) since the adoption, in December 2016, of the “Law regarding transparency, the fight against corruption and the modernization of economic life”, better known as the “Loi Sapin II”. The CJIP and the Paris Court’s decision became binding and public on November 24, 2017 after a 10 day opt-out period left to the Bank.
Why mapping corruption risk is important ?
It is important for three reasons:
The first reason is because compliance is efficient only if it is tailored to the organization’s specific corruption risk.
If corruption risks are not evaluated sufficiently, underestimated or overestimated, a compliance program will not be effective.
If underestimated, corruption risks will not be properly mitigated.
A lot has been written and said during the past year about protecting whistleblowers. International legal instruments require countries to protect people prepared to report wrongdoing within their organizations; however, we have yet to see any significant increase in either the number of whistleblowers coming forward or in the quality of their reports.