Broad responsibilities to follow up with reporters. The Directive codifies good investigatory practices for internal reports, including following up with reporters within a reasonable time frame—specifically defined as not more than three months later—about the action(s) taken in response to their report. It affirms an obligation to inform the reporter of “the investigation’s progress and outcome,” and sets an expectation that a response will be provided to an initial report inside of seven days.
This should trigger a review of your current processes to both launch and close an investigation. How personalized is your response to an employee? Does it name the person who will be following up? If you rely on the reply from your third-party hotline provider, what’s your follow up protocol to that? When it comes time to close an investigation, how do you notify the known reporter? Do you have a process whereby the closure of an investigation requires going back to the person who started the inquiry to say thank you, we’re finished, and find out how their experience went? If not, consider implementing such a process.
Broad burden-shifting in the event of allegations of retaliation. This may be the biggest piece of the Directive in terms of impact. Due to the difficulty of demonstrating retaliation, once a reporter demonstrates prima facie that she reported breaches and suffered a detriment, “the burden of proof should shift to the person who took the detrimental action, who should then be required to demonstrate that the action taken was not linked in any way to the reporting or the public disclosure.” In other words, if I raise a concern, and after something happens to me that falls within the Directive’s very broad definition of retaliation, that is all I must show to claim retaliation. The burden then shifts to my company to show that what happened to me wasn’t retaliation.
This shift should trigger a long conversation about how managers need to be prepared to watch for indications that employees who raise a concern are experiencing negative effects from that act of courage (remember: the definition of retaliation is very broad, and your managers are best suited to prevent all of it). If you are not already training managers specifically on how to prevent retaliation in their parts of your business – beyond merely noting in harassment training that retaliation is prohibited – this should be a high priority.
Bottom line, if you operate in the EU, now is the time to look at your investigations process and make sure you have established protocols to follow up with reporters both at the beginning and the end of an investigation. You should also review your average days to close and make sure you are under 90 days in most cases, so that your follow up is reasonable. You also need to review how you are talking to your managers about retaliation prevention, since managers are in the best position to prevent the kinds of actions the Directive contemplates, especially ostracism. Finally, carefully review how you are monitoring for indicia of retaliation like negative performance evaluations; does your system automatically flag known reporters when their performance evaluations change?
About the Expert:
Erica Salmon Byrne is Executive Vice President for Ethisphere , where she has responsibility for the organization’s data and services business and works with Ethisphere’s community of clients to assess ethics and compliance programs and promote best practices across industries. Ms. Salmon Byrne also serves as the Chair of the Business Ethics Leadership Alliance; she works with the BELA community to advance the dialogue around ethics and governance, and deliver practical guidance to ethics and compliance practitioners around the globe.