Business Risk Services

What UFOs will you discover in your organisation this year?

By:
Maarten Van Knippenberg

In July, David Grusch, a former US Air Force intelligence officer, turned whistleblower and claimed that alien spacecraft have been hidden by the government for decades. Just as UFOs vary in shape and colour, there are unidentified elements inside your organisation to which you would do well to pay attention. So let’s talk about the UFOs that may appear within your own organisation this year. 

The new Whistleblowers Law, which entered into force this year, allows anyone within your business – it could be an employee, a self-employed person, a contractor, or someone else – to identify a regulatory breach and report it. The two basic principles of this law are that the whistleblower must be able to report a breach in a safe and anonymous manner and must benefit from wide-ranging protection against reprisals.

What can be reported by a whistleblower, and how can reports be made?

This immediately raises several questions: What can be reported by a whistleblower? And how can reports be made?

On the question of ‘what’ can be reported by the whistleblower, the legislators have opted for a thematic approach: any breach of the rules in a number of policy areas can be reported. The list of these areas in the Whistleblowers Law is impressive and includes breaches relating to public health, product safety, prevention of money laundering, combating tax fraud and combating social security fraud. 

Regarding the ‘how’, there are points to note which should be on the radar of every organisation this year. Anonymous reports can be submitted in three ways: internally, externally or publicly.  

First, a report can be made within your own organisation, to a ‘reporting manager’, also known as a whistleblowing officer. This is the ideal scenario: the organisation immediately learns of the alleged breach and can conduct an internal investigation, and the whistleblowing officer understands the organisation’s culture. Within this context, the whistleblowing officer can be a member of the organisation’s personnel who is independent enough to handle these reports and the investigations potentially resulting from them in a confidential manner. Having the CEO as the whistleblowing officer is not a good approach, in other words. It’s also an option to outsource this function to a third party such as a consultant who has the right expertise and the necessary independence, and this can be more economical.  

The second possibility is to submit the report to a ‘competent authority’. For this purpose, a long list has been drawn up of actors that can receive whistleblower reports and also investigate them, such as the FPS Finance, the FPS Economy, the Belgian Competition Authority, the Data Protection Authority, and the Financial Services and Markets Authority.  

The third option is to make a ‘public report’. This means that the breach is reported via the press or social media. There are additional conditions attached to this option for benefiting from protected status, as there are additional risks involved in this context. For example, the whistleblower will not always be able to properly assess whether or not the breach has occurred, meaning that a misplaced public process is set in motion for the organisation without all the evidence being available. The organisation involved and the government will usually no longer have the opportunity to conduct an investigation quietly, which means that reputational harm and other consequences cannot always be avoided. 

So what happens when a report is made? And what are the consequences?

First and foremost, an investigation is launched following an internal report. The investigation may consist of a brief review of certain data, for example if the report concerns non-compliance with the overtime regulations. As an organisation, you can of course investigate such matters most efficiently yourself. Other reports, for example concerning a fraudulent employee, can be investigated by forensic auditors. Naturally, the choice lies with the organisation itself, which decides how it can use its people and resources most efficiently.

When a report has been made externally, the investigation will be carried out by the ‘competent authorities’. As an organisation, you currently have little influence over the way in which the government will conduct this investigation. In other words, the speed of the investigation and its impact on your company depend on how the report was made.

The second consequence of a report is that protected status is activated for the whistleblower, who is safeguarded against negative measures being taken against him or her. For example, the organisation will not be allowed to dismiss the person as a result of the report, change his or her working hours, withhold training, give a negative performance assessment and so on. In other words, the organisation will have to demonstrate thoroughly that any adverse measure taken against the whistleblower is unrelated to the report.

So what exactly should you do as a business owner?

The Internet doesn’t always provide a clear answer, which is why we are giving you an overview of what you need to know as a business owner – because it is important to make a distinction between the obligations of the business and the rights of the whistleblower. 

The obligation to set up a reporting channel within your organisation from 17 December 2023 only applies to businesses that employ 50 or more people. 

In addition, whistleblowers may always make a report, even if the business has fewer than 50 employees. So if a business chooses not to set up a reporting channel, the whistleblower will have no choice but to make his or her report to the government or publicly. Depending on the organisation’s choices, there may therefore be very good reasons to set up a reporting channel in a small organisation.  

We therefore advise organisations to work systematically and follow a number of steps:

Step 1: What is the situation of your company?  

Depending on a company’s roots, there are different ways to construct a reporting system. Assess the situation in your organisation.  

Step 2: What do you want from the reporting channel?  

Is your aim to ensure minimal compliance or do you want to use the channel as a lever to bring about a shift in your organisational culture? 

Step 3: Who can report and what can be reported?  

The business can make the reporting channel open to employees only, or it can go further, choosing to accept reports from suppliers, for example. A decision will also have to be made as to whether reports should be accepted about breaches of the company’s code of conduct, for example, in addition to the legal policy areas.

Step 4: Involve your employees in this process.  

This is not only a gesture of confidence but also a legal obligation. 

Step 5: Create a clear whistleblowing policy and procedure. 

Ensure that this is validated by your organisation. 

Step 6: Who will be the whistleblowing officer for your organisation?  

You will obviously want your whistleblowing officer to be efficient and cost-conscious. Will you manage the reports yourself, will you be assisted by an external service provider or will you decide to outsource the entire process? The answer will depend on the ambitions and culture of your organisation. 

Step 7: Be responsible for the consequences.

Make sure you have an action plan for the different types of reports you may receive. Will you have all investigations handled internally or do you want to have an external investigation team standing by in case it is needed?  

Step 8: Communicate, communicate, communicate. 

It’s essential for your employees (and anyone else you choose to involve) to understand what is and isn’t covered by the whistleblowing policy.  

Step 9: Evaluate the process. 

Put in place a system for clear periodic reporting and evaluation of your reporting channel.

 

As a Flemish entrepreneur, you may be more pragmatic and inclined to take a wait-and-see approach. That’s understandable, but we should warn you of the risks. There are the serious consequences of breaching the Whistleblowers Law, of course, but the real danger lies in reputational damage – a lesson that many CEOs in Belgium have learnt this year. 

In the absence of a clear policy and procedures, employees may report their ‘UFOs’ elsewhere, including to external reporting channels. These bodies are ready to receive and investigate private reports. In other words, in the absence of an internal reporting channel, something that could have stayed within your organisation becomes a matter for the government, which will investigate any breaches within three to six months. 

We see this not just as a compliance issue, but as a unique opportunity to transform your business. Businesses that embrace this obligation demonstrate their commitment to integrity and accountability. Abuses will be tackled more quickly, leading to a positive corporate culture and growth. 

 

Maarten Van Knippenberg
Director, Business Risk Services

Whether you’re striving for a streamlined system focused on cost efficiency, or want to make integrity and accountability core characteristics of your business, contact our expert Maarten Van Knippenberg today and start tackling the hidden UFOs within your organisation.