The EU Whistleblower Protection Directive sets out minimum standards for how organizations should handle whistleblowers’ reports, respond to these reports, and protect the whistleblowers. Because Member States are obligated to adopt this Directive into their national legislation by December 17, 2021, organizations should already ensure that their whistleblowing strategy is compliant with the Directive — while closely monitoring the adoption of the Directive in the EU countries where they operate.
By creating an “Ombuds” function, organizations in the scope of the Directive can appropriately address one of the Directive’s key principles: if structured properly within the organization, the Ombuds function can ensure that reports are followed up by “competent” personnel who maintain a significant level of “independence” and “neutrality” in relation to other functions in the organization.
An Ombuds function can provide many other advantages to organizations, including:
- Instilling more trust in the system: as part of its responsibilities, this independent and neutral function fosters the organization’s speak-up culture and ensures confidentiality and non-retaliation, thereby encouraging whistleblowers to report internally rather than externally
- Allowing better management of whistleblower reports (if channeled centrally to the Ombuds function)
- Providing better information to management and the Board on compliance and cultural risks, and
- Advising the organization on how to improve its policies, processes, systems, and governance.
When creating its Ombuds function, an organization must be careful in establishing the governance and operation of the function.
In particular, the Ombuds function must:
- Be independent and neutral – in practice, anyone working for the Ombuds Office must be free of any conflict of interest and, therefore, preferably not have any other role or duty within the organization. Also, as an independent and neutral function, the Ombuds personnel should make recommendations to the organization but not be involved in any decision-making linked to a report
- Have adequate authority – the Ombuds function must have full support from senior management and the board of directors as well as a reporting line to the CEO and the board
- Ensure confidentiality and non-retaliation – it should be the Ombuds function’s responsibility to ensure the confidentiality of a reporter’s identity in relation to a report or an investigation and to protect reporters from retaliation, and
- Have the necessary competence and resources to perform its duties – in particular, the organization should implement an end-to-end digital tool allowing submission of reports, structured case management, and comprehensive statistics and data analysis capabilities.