In recent years, several countries have either enacted laws to protect whistleblowers or strengthened their existing legislation. The principles set out in these different laws vary widely regarding a vast number of areas, including but not limited to: the prerequisites for a whistleblower to benefit from protection, the scope of individuals potentially benefiting from protection, the scope of the confidentiality or non-retaliation provisions, the sanctions imposed on the organization in case of retaliation and the related compensation for the whistleblower, and the existence of a financial incentive for whistleblowers.
In Europe, the EU Whistleblower Protection Directive sets out the foundations for a more harmonized approach to whistleblower protection among the member states. Whereas the minimum standards under this Directive must still be transposed into national legislation (with a deadline set for Dec. 17, 2021), organizations in scope of the Directive should already start preparing their journey to compliance by either designing a new speak-up program or assessing their current program to identify any gaps toward the requirements under the Directive.
Below we summarize how the creation of an “Ombuds” function may be used to appropriately respond to certain key requirements in the Directive and how this function could be effectively designed and organized.
Organizations based in the EU should start designing or revisiting their speak-up program
In the European Union to date, whistleblower protection legislation is very scattered: certain sectorial legislations at EU level include specific provisions to protect whistleblowers (in particular in the financial services area), and only 10 of the 27 member states have implemented comprehensive legislation protecting whistleblowers (in most of the other countries, the legislation is either sectorial or partial).
The Directive should bring some harmony to this fractured framework as it sets out common principles for reporting and minimum requirements for the protection of whistleblowers across the European Union, including standards on the different reporting channels and how organizations should handle and respond to reports made by whistleblowers.
Harmonization will not be total, though, as member states have some flexibility when transposing the Directive into national legislation; they may, e.g., decide to widen the scope of reporting (which is even encouraged by the Council of Europe in its press release), implement stricter requirements, or set different sanctions. In Sweden, for example, the proposed draft legislation widens the scope of whistleblower protection to the reporting of any wrongdoing that is of public interest and stipulates sanctions in the form of fines or prison in case of an unauthorized disclosure of information that can reveal the identity of any person linked to a report (the reporter or anyone else). European countries that have already implemented comprehensive legislation protecting whistleblowers (i.e., France, Hungary, Ireland, Italy, Lithuania, Malta, Slovakia, Sweden, the Netherlands, and the United Kingdom) will have to ensure their legislation is aligned with the minimum standards set out in the Directive.
Notwithstanding the uncertainties linked to the transposition of the Directive into national laws, the Directive already sets out clear requirements, such as: establish internal reporting channels and processes that are secured and compliant with the General Data Protection Regulation (GDPR); implement strict confidentiality and need-to-know principles; prevent retaliation; and appoint impartial and independent personnel to receive, manage, and diligently follow up on the reports.
As noncompliance with these requirements will be sanctioned, organizations in scope of the Directive should:
- Establish or revisit without delay their whistleblowing strategy in order to, at least, ensure compliance with the Directive; and
- In parallel, closely monitor how the Directive is transposed by the member states in which they have operations and adapt their speak-up program as needed.
In addition, whereas it encourages the use of internal reporting channels first, the Directive also gives whistleblowers the right to choose to report directly to competent European or member state authorities (or publicly in certain circumstances) if there is no internal reporting channel or if they reasonably fear the internal reporting channels will not function properly (for example if there are concerns regarding confidentiality or fear of retaliation). In practice, this means organizations have a strong incentive to create an efficient speak-up program (or improve their existing program) and put in place a governance structure that ensures trust in the system. With an effective and reliable speak-up program, whistleblowers are more likely to turn to internal reporting channels rather than reporting externally.
In this context, European organizations should consider creating an “Ombuds” function in order to not only foster their speak-up culture but also answer the Directive’s requirement for companies to appoint a “competent and independent” function to receive and follow up on reports.
The benefits of an ‘Ombuds’ function in light of the Directive
Among the requirements set out in the Directive is that organizations must appoint “competent” and “independent” personnel to manage the reports received by the organization:
“The choice of the most appropriate persons or departments within a legal entity in the private sector to be designated as competent to receive and follow up on reports depends on the structure of the entity, but, in any case, their function should be such as to ensure independence and absence of conflict of interest.”
The creation of an “Ombuds” function would be fit for this purpose.
Whereas the notion of Ombudsman first appeared 200 years ago in Sweden to designate an individual in charge of monitoring the activities of the government, the role has evolved, and nowadays all kinds of organizations may appoint and use an Ombuds function: corporations, universities, and governmental/nongovernmental entities.
In private organizations, an Ombuds person is usually appointed in relation to a complaint system, in order to provide independent, impartial, and confidential support and advice to reporters and more generally to the organization’s stakeholders (employees, business partners, customers, or any other stakeholder).
The roles and responsibilities of the Ombuds function can differ widely, depending on the nature, history, and governance of the organization, but independence and neutrality are key characteristics of the role. According to the International Ombudsman Association, an Ombudsman is “a designated neutral who is appointed or employed by an organization to facilitate the informal resolution of concerns of employees, managers, students and, sometimes, external clients of the organization.”
In Europe, this function is not widely used. Yet, an Ombuds function would certainly allow organizations to answer the requirement under the Directive to appoint “independent” and “impartial” personnel to receive and follow up on reports from whistleblowers.
In addition, the creation of an Ombuds function that is independent and neutral (in both appearance and fact) would allow an organization to foster its speak-up culture by creating more trust in the system, as it would provide a neutral, independent, legitimate, and safe point of contact where stakeholders can raise concerns, be heard, and be given guidance in order to understand their options.
In essence, a properly established Ombuds function managing all whistleblower reports:
- Would not only encourage whistleblowers to report internally rather than externally (thereby limiting the risks related to external reporting), but also foster reporting of breaches or other wrongdoing. Whistleblowers can be reluctant to report misbehavior to their manager or other regular internal channels for fear of retaliation or lack of follow-up; therefore, employees may be more likely to report to an internal neutral and independent function, especially if the information they disclose is managed effectively and treated confidentially.
- Can provide support to reporters raising (or considering raising) issues and provide guidance on the different options available.
- Allows more effective management and oversight of whistleblower reports. In many organizations, reporters can use different internal reporting channels depending on the matter reported; consolidating the various reporting channels into a single internal reporting system managed by the Ombuds function would lead to more efficiency and reduce the risk of information leakage and retaliation as a result thereof.
- Can provide management and the board of directors with better information about organizational trends, risk areas, cultural issues, and patterns of misbehavior, thereby enhancing and facilitating internal communication, information sharing, and dissemination.
- Is a key resource for the organization when reviewing and improving its policies, processes, systems, and governance.
- Plays a critical role in promoting the organization’s speak-up culture by widely and proactively providing awareness and training to employees (and, more broadly, to business partners and other stakeholders). Awareness and training should include information about what can be reported, the different reporting channels, the investigation process and its alternatives, the measures in place to ensure confidentiality and nonretaliation, and the sanctions in case of breach. Specific training should also be given to the organization’s investigative function(s) and any other functions potentially involved in an investigation.
Thus, the benefits for an organization to create an Ombuds function (or enhance its existing function) are manifold. However, in order to perform its duties in an effective manner and achieve the different purposes of the role, the function must be adequately designed and organized.
Adequate governance for the ‘Ombuds’ function
In order to promote a speak-up culture and effectively manage reports, the Ombuds function must be independent and neutral (in both appearance and fact), have adequate authority, ensure confidentiality and non-retaliation, and have adequate resources. Taking each requirement in turn, there are a number of key considerations to ensure that the Ombuds function is designed appropriately to best fulfil these characteristics.
Independence and neutrality
In order to be viewed as a credible route for reporting, independence and neutrality are key characteristics of the Ombuds function: The function must be free of any conflict of interest.
In practice, any person working in the Ombuds function should withdraw from a case if there is a conflict of interest with the whistleblower or anyone mentioned in the report. Similarly, if the Ombuds function is outsourced, the third party should not work on any other matter with the organization.
In order to be independent and neutral, the personnel working in the Ombuds function should have no other role or duties within the organization. In practice, this means that a separate in-house function would be more likely to exist in medium and large organizations that have sufficient resources.
In smaller organizations, creating an independent in-house function could be costly. According to the Directive, “this function could be a dual function held by a company officer well placed to report directly to the organizational head, such as a chief compliance or human resources officer, an integrity officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board.” With this setup, however, the Ombuds function will likely be seen as an extension of the function to which it is connected, and reporters may be less inclined to speak up due to a perceived lack of independence. Hence, to maintain the utmost independence and preserve the notion of neutrality, small organizations should aim to connect the Ombuds function to the most independent function possible, i.e. a board member, the chief compliance officer, the integrity officer, or the chief audit executive.
Another option could be to outsource the Ombuds function to a third party as it may further guarantee its independence. This option may even be preferred for small organizations rather than connecting the role to another function. On the other hand, in organizations with adequate resources, even if an external Ombuds function may be perceived as more independent and neutral, an internal function would likely be the preferred option—provided it can act independently—as it will likely handle reports and follow up in a more efficient manner thanks to a better knowledge of the organization, its culture, and its policies and processes.
As an independent and neutral function, the Ombuds personnel should not be involved in the decision-making in respect of any disciplinary actions or other remedial actions or changes to be made in the organization as a result of a report. Rather, the Ombuds function should receive the reports and ensure a diligent follow-up by assigning the operational responsibility of the investigation to the relevant function within the organization, depending on the issue raised (very often in larger organizations, several functions have investigative resources). However, even if the operational responsibility to investigate is assigned to another function, the responsibility to ensure a diligent follow-up includes an overarching responsibility for the Ombuds function to launch and manage all investigations in observance of the principles of impartiality, fairness, and confidentiality toward all parties involved. Based on the results of the investigation, final decisions regarding any disciplinary actions or other remedial actions or changes to be made in the organization (e.g., to a policy or a process) should remain with the relevant decision-making function(s) within the organization (it being understood that the Ombuds function may make recommendations that should preferably be followed).
In all cases, the principles of independence and neutrality do not imply the Ombuds function will perform its tasks in a silo: It is of the utmost importance that the Ombuds function coordinates with other functions where a report requires immediate actions or remedial measures.
Finally, in order to ensure independence, the Ombuds function must be protected against retaliation from the organization to which it belongs, even if it is outsourced (e.g., the external Ombuds function must not be terminated for performing its duties). Any attempt to hinder the Ombuds function’s work (including the work performed by another function under the Ombuds’ supervision) should be sanctioned.
The Ombuds function requires a high level of authority to fulfill its tasks, as it must be fully empowered to manage the relationship with whistleblowers, ensure fair and independent investigations as well as nonretaliation, and follow up on changes recommended to the organization. Thus, the Ombuds function must have total support from both senior management and the board of the organization. In practice, it should report to the CEO and/or the board (e.g., through the compliance or audit committee of the board).
To further strengthen authority and independence, organizations may consider appointing an external individual that is independent of the organization as part of the Ombuds function, whenever feasible from a governance standpoint.
In the day-to-day operations, the Ombuds function should have the full authority to:
- Delegate the operational responsibility to conduct an investigation to any appropriate function (with a corresponding obligation to investigate and report back); and
- Engage external consultants—e.g., external legal counsel and/or external investigators, if deemed appropriate or required.
Finally, organizations may further strengthen the authority of the Ombuds function by implementing a “comply or explain” principle in relation to the recommendations made following an investigation.
Ensure confidentiality and nonretaliation
In order to remain trustworthy, the Ombuds function must ensure the strictest confidentiality throughout the lifecycle of a report and prevent retaliation.
One of the main responsibilities of the Ombuds function is to ensure adequate safeguards are in place in order to warrant the confidentiality of a reporter’s identity. This responsibility applies in particular:
- When the case is assigned to another function for investigation: Information on the report and the reporter must be shared only with the employee(s) in charge of the investigation, on a strict need-to-know basis; in practice, non-authorized employees should not be able to access the case management system;
- When the case is investigated: The Ombuds function should ensure anyone involved in an investigation (e.g., individuals interviewed or those whose help is needed for the investigation, such as IT personnel in case of a forensic request) is informed on a strict need-to-know basis only, and that they receive adequate information about their confidentiality obligations and the sanctions in case of breach; and
- When reporting out about cases: The Ombuds function’s reports should be made on a no-name basis as much as possible.
Similarly, the Ombuds function must work to ensure reporters and those assisting them (e.g., a colleague or relative) are not retaliated against by the company or any employee that may know of the report. In particular, the Ombuds function should ensure anyone informed of a report receives adequate information about their non-retaliation obligations and the sanctions in case of breach.
As the Directive reverses the burden of proof regarding retaliation (it is for the organization to show it did not retaliate), the Ombuds function should follow up thoroughly on the reporter’s situation on a regular basis (preferably over a period of no less than 18 months following receipt of the report) to identify any action taken that may constitute retaliation against the reporter.
When transposing the Directive, member states should define sanctions (such as fines and/or prison) in case of an unauthorized disclosure of a reporter’s identity or retaliation.
The Ombuds function must have adequate resources to perform its duties. This doesn’t necessarily relate to the number of staff members (the Ombuds function can consist of one individual) or the authority to request assistance from other employees/other functions but rather to the financial and digital capabilities.
For example, the Ombuds function must have sufficient budget for the use of translators or to engage external consultants as needed.
The Ombuds function should also be supported by an adequate digital system, i.e. an end-to-end digital tool that is secure and compliant with relevant data privacy legislation. The system should allow: submission of whistleblower reports, communication between the reporter and the Ombuds function (e.g., acknowledgement of receipt of a report and feedback to the reporting person), allocation of reports to relevant function(s), case management for follow-up and investigation, non-retaliation follow-up with the reporter, durable and secured (e.g., encrypted) storage of information, and statistics and data analysis capabilities to provide management and the board of directors with anonymized information about matters reported and risk areas. This system should preferably be shared among the Ombuds function and the investigative functions in the organization, as long as it is configured to allow compartmentalization and the strictest confidentiality.
Editor’s note: Cédric Dubar is the Chief Compliance and Ethics Officer for Volvo Corp., a former winner of Compliance Week’s “Top Minds” award, and a member of the CW Advisory Board.