Can a whistleblowing policy help prevent fraud and strengthen cyber security?

Cybercrime is one of the most disruptive frauds that organisations face, so we need tools that improve protections for businesses – and indeed for customers, clients and the wider public affected by fraud. PWC’s global economic crime survey 2020 revealed fraud and economic crime are at record highs in the UK, and the FCA and others have warned of the impact of the pandemic creating new risks. Though 57% of frauds were external, PWC found 24% were committed by insiders in the organisation, with a further 17% by collusion between the two.

While a whistleblowing policy on its own is of limited help, it is the first building block in creating a speak up culture that allows you to minimise fraud and ensure your organisation is protected from insider and outsider threats.  Effective whistleblowing arrangements can help organisations prevent wrongdoing across a range of areas.  According to the Principles for Responsible Investment, whistleblowing is a key feature of good governance: it is one of the best indicators of implementation of anti-corruption systems and codes of ethics, as well as being reflective of a healthy corporate culture.

Whistleblowers act as a vital early warning system. The Association of Certified Fraud Examiners found 43% of all fraud was detected by tip off, and 50% of those came from employees. They found that organisations with a strong Code of Conduct can reduce the average time taken to detect fraud by 50%.

But why do you need whistleblowing, if you already have anti-fraud policies and cyber security processes in place?  There are many reasons why your staff might not use other policies.

First, uncertainty.  Does what they’ve seen meet the definition of fraud in your policy?  Accounting frauds can be very complex.  What do you want your employees to do if they’re not sure?  Keep quiet or raise it as a possible concern?  And what about a risk of fraud – it hasn’t occurred yet, but they think it might if you don’t act – should they report this via the fraud policy?

A much bigger reason not to use the fraud policy may be that they are fearful. The fraud may be conducted by someone higher up in the organisation who can determine their future in the company. According to PWC’s survey, 78% of internal fraud in the UK was conducted by senior or middle managers.

Staff may fear that if they raise their concerns they will lose their jobs, or be treated badly.  They may think that no one will listen, because all the senior managers are involved.  Your fraud policy may not talk about the protections that you have in place for those who come forward, but your whistleblowing policy certainly should.  It is, after all, unlawful to treat a whistleblower badly or dismiss them for raising concerns in the public interest.

If you want to tackle cyber threats from both inside and outside your organisation, you may want to consider how wide to draw your whistleblowing policy. Do you want to hear from your suppliers and people you work with, as well as your internal staff? As 57% of UK fraud is committed by outsiders, it may be that your external contacts are the best people to let you know that wrongdoing is occurring.

As well as a policy, your communications are vital. Leadership matters when it comes to setting the tone from the top. During the pandemic it is more important than ever to reinforce that senior management and those responsible for whistleblowing arrangements are still engaged with the issue, and regularly promote speaking up.

You need to train all staff on how to raise a concern, but also train line managers separately. Line managers are most likely to be the recipients of concerns and need training in how to handle concerns effectively.  Our research shows whistleblowers are not persistent – most will raise a concern only once – so the first interaction is crucial.

How you treat the whistleblower will determine the success of your arrangements, so protecting them against victimisation, ensuring their confidentiality as far as possible, and feeding back on any investigation should all be factored into your processes.

Whistleblowers have two fears – first, that they’ll be treated badly and second, that nothing will be done. If they think they’ve uncovered a cybercrime or a fraud, and have no internal routes to raise concerns, they may then take the matter externally before you’ve had an opportunity to address it.

We don’t pretend that getting whistleblowing right is easy for organisations, but Protect is here to help.  Our Whistleblowing Benchmark allows you to test the effectiveness of your arrangements across the areas of governance, engagement and operations.  Whistleblowing is a vital tool for businesses to protect against fraud – can you afford not to get it right?