Establish mechanisms for whistleblowers to report compliance violations.

CONTROL ID: 06806
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an ethics program., CC ID: 11496

This Control has the following implementation support Control(s):
  • Establish mechanisms to maintain the anonymity of whistleblowers., CC ID: 12859
  • Establish, implement, and maintain a training program to report compliance violations., CC ID: 11835


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Companies in the supply chain should develop a way for third parties to let them know about concerns about gold extraction, handling, export, and trade in conflict-affected and high-risk areas. (Supplement on Gold Step 1: § I.E.1, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Companies in the supply chain should provide a direct way, collaborative arrangements, or an external body for the grievance mechanism. (Supplement on Gold Step 1: § I.E.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Define opportunities for obtaining stakeholder views about action and control weaknesses, performance variances, incidents or suspicions of legal noncompliance, violations of company policies, and concerns or perceptions about perceived unethical conduct. (OCEG GRC Capability Model, v. 3.0, P7.1 Establish Multiple Pathways to Obtain Information, OCEG GRC Capability Model, v 3.0)
  • Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. (§ 3 Principle 15 Points of Focus: Provides Separate Communication Lines, COSO Internal Control - Integrated Framework (2013))
  • Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. (§ 3 Principle 14 Points of Focus: Provides Separate Communication Lines, COSO Internal Control - Integrated Framework (2013))
  • report compliance concerns, issues and failures. (§ 5.3.6 ¶ 1 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • developing and implementing processes for managing information, such as complaints and/or feedback by means of hotlines, a whistle-blowing system and other mechanisms; (§ 5.3.4 ¶ 2 f), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • specific arrangements for identifying, reporting and escalating instances of noncompliance and risks of noncompliance. (§ 8.2 ¶ 5 e), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • An effective compliance management system should include a mechanism for an organization's employees and/or others to report suspected or actual misconduct or violations of the organization's compliance obligations on a confidential basis and without fear of retaliation. (§ 10.1.2 ¶ 4, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Employees should be encouraged to respond and report noncompliance with the law and other incidents of noncompliance, and to see reporting as a positive and non-threatening action without fear of retaliation. (§ 9.1.7 ¶ 6, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • steer the organization such that its decision-making and activities are consistent with the organizational purpose, organizational values and governance policies, including considering how stakeholders can report a breach in behaviour (e.g. via whistleblowing); (§ 6.10.3 ¶ 1 f), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). (§ 6.4.3.3 ¶ 2 Bullet 5, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • report compliance concerns, issues and failures; (§ 5.3.4 ¶ 1 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensure that a system for raising and addressing concerns in accordance with 8.3 is established. (§ 5.1.1 ¶ 2 bullet 7, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • encourage the raising of concerns and prohibit any form of retaliation; (§ 5.2 ¶ 2 bullet 6, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensure its communication process(es) enables personnel to raise concerns (see 8.3); (§ 7.4 ¶ 2 bullet 8, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • establishing a system for raising concerns and ensuring that concerns are addressed. (§ 5.3.2 ¶ 1 bullet 8, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall establish, implement and maintain a process to encourage and enable the reporting of (in cases of reasonable grounds to believe that the information is true) attempted, suspected or actual violations of the compliance policy or compliance obligations. (§ 8.3 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • encourage the raising of concerns and prohibits any form of retaliation; (§ 5.2 ¶ 2 e), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • establishing a system for raising concerns and ensuring that concerns are addressed. (§ 5.3.2 ¶ 2 bullet 6, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • report compliance concerns, issues and failures; (§ 5.3.4 ¶ 1 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall establish, implement and maintain a process to encourage and enable the reporting - in case of reasonable grounds to believe that the information is true - of attempted, suspected or actual violations of the compliance policy or compliance obligations. (§ 8.3 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Decision-making oversight. The governing body should ensure that there is adequate oversight, that controls are implemented to ensure effective decision-making capabilities and that there is appropriate visibility of both conformity of decision-making to organizational policies and any exceptions. F… (§ 6.3 ¶ 6 Bullet 5, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. (CC2.2 ¶ 3 Bullet 3 Provides Separate Communication Lines, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. (CC2.3 ¶ 3 Bullet 4 Provides Separate Communication Lines, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity that demonstrates open communication and transparency provides a variety of channels for both management and personnel to report concerns about potentially inappropriate or excessive risk taking, business conduct, or behavior without fear of retaliation or intimidation. The entity also pr… (Keeping Communication Open and Free from Retribution ¶ 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • In addition to the list above, separate lines of communication are needed when normal channels are inoperative or insufficient for communicating matters requiring heightened attention. Many organizations provide a means to communicate anonymously to the board of directors or a board delegate - such … (Methods of Communicating ¶ 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. (CC2.2 Provides Separate Communication Lines, Trust Services Criteria)
  • Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. (CC2.3 Provides Separate Communication Lines, Trust Services Criteria)
  • Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. (CC2.2 ¶ 3 Bullet 3 Provides Separate Communication Lines, Trust Services Criteria, (includes March 2020 updates))
  • Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. (CC2.3 ¶ 3 Bullet 4 Provides Separate Communication Lines, Trust Services Criteria, (includes March 2020 updates))
  • Is there an internal compliance and ethics reporting mechanism and training program for employees to report compliance issues? (§ L.13, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • if the counsel or officer does not appropriately respond to the evidence (adopting, as necessary, appropriate remedial measures or sanctions with respect to the violation), requiring the attorney to report the evidence to the audit committee of the board of directors of the issuer or to another comm… (§ 307 ¶ 1(2), The Sarbanes-Oxley Act of 2002 (SOX), July 30, 2002.)
  • Coordinate with the Corporate Compliance Officer regarding procedures for documenting and reporting self-disclosures of any evidence of privacy violations. (T0876, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Coordinate with the Corporate Compliance Officer regarding procedures for documenting and reporting self-disclosures of any evidence of privacy violations. (T0876, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)