The role of whistle blowing in business continuity and risk management

Published: Thursday, 24 March 2016 09:50

Whistle blowing has negative connotations in many organizations but, if encouraged by management and handled sensitively, it can be an important tool for business continuity and risk management. David Honour explains why…

During every day, in every organization, corners are being cut, mistakes are being made and risky behaviour is taking place. Most of this is of little consequence but sometimes the risk-taking becomes systemic, with corporate reputation and even business survival threatening consequences.

Normally this every-day risk taking does not come to the attention of senior managers; it is seen only by those who work with the risk-takers on a daily basis. These risks and their potential impacts are also invisible to the organization’s business continuity team. They don’t appear in the risk register and don’t become visible during the business impact analysis. But they exist. And they can have serious consequences. So the question is how to gain visibility of such risks once they reach a systemic level or when they threaten safety and security systems?

If you’re not convinced, consider the Volkswagen emissions scandal. Hugely risky behaviour was taken by a team of people to install ‘defeat device’ software to ensure that emissions tests produced favourable results. There was always a risk that the software would be discovered; and this proved to be the case when in September 2015 the US Environmental Protection Agency uncovered the issue. The result has been hugely damaging for VW, both reputationally and financially. At what stage VW’s top management knew of the defeat device software is unclear; but what seems certain is that they did not know at an early stage when the problem could have been resolved with much less pain for the company.

The key to gaining insight into such ‘invisible’ risk taking is having a well thought through whistle blowing process established. Whistle blowing is seen negatively by many people but it can be a very positive feedback process when handled well.

BSI’s ‘Whistleblowing Arrangements Code of Practice’ PAS summarises the key benefits and concerns about whistle blowing well, stating that:

“Every organization faces the risk that something will go badly wrong and ought to welcome the opportunity to address it as early as possible. Whenever such a situation arises, the first people to know of the risk will usually be those who work in or with the organization. Yet while these are the people best placed to raise the concern before damage is done, they often fear they have the most to lose if they do speak up.”

An internal whistle blowing process is vital if organizations are to get early notice of developing organizational risks, however, it is critical that employees see the process as encouraged and safe. Encouraged in that top management makes it clear that whistle blowing is seen as a good thing; and safe because the whistle blower has to work with the people they are reporting about. Considerations about protecting whistle blowers’ anonymity are extremely important. How the whistle blowing process is termed is also an important consideration. Calling it an ‘improvement feedback’ process, for example, may be more acceptable and less negatively nuanced.

Done well, establishing an internal whistle blowing system not only allows the organization to gain insights into the risks being taken in secret corners and the associated hidden business impacts; it also makes employees feel valued, empowered and listened to.

A business continuity plan is only as good as the latest information that informed it. All business continuity managers know that the business impact analysis provides the base-level information needed to create business continuity strategies; but the BIA process will be flawed if employees and managers work in an environment where they feel under pressure (real or imagined) from others in the organization not to reveal areas where safety is compromised, or where processes and behaviours are actually riskier than they should be. Whistle blowing can lift the lid on these things.

The BIA process itself could include a clear whistle blowing element: allowing participants the opportunity to input information anonymously or under conditions of extreme confidentiality.

Whistle blowing can also help with the ‘BIA-gap’: the time between BIAs, when new threats and risks may have arisen, but have not yet been brought into the business continuity plan. The establishment of an ongoing internal whistle blowing process can flag-up new threats as and when they occur.

Business continuity and risk managers shouldn’t write whistle blowing off as something negative aimed at reporting issues from within the company to external regulators and authorities; instead it should be welcomed and used as an important aspect of the business continuity and risk management process.

The author

David Honour is editor of Continuity Central. Contact him at