Should whistle-blowing be an essential aspect of a good business continuity management system?

Get free weekly news by e-mailWhy encouraging employees to report risky processes and behaviours supports business continuity. By David Honour.

The US Labor Department’s OSHA division is currently requesting public comments on new regulations that will help protect whistle-blowers: workers who voice safety, health and security concerns. Explaining the rationale behind the new rules, Assistant Secretary of Labor for OSHA Dr. David Michaels says, “When workers believe their employers are violating certain laws or government regulations, they have the right to file a complaint and should not fear retaliation. Silenced workers are not safe workers."

This gives food for thought from a business continuity perspective. Should whistle-blowing be an essential aspect of a good business continuity management system? By giving workers a voice could we gain better insights into our organization; into the risks being taken in secret corners and the associated hidden business impacts?

Whistle-blowing has often been seen as a threat, particularly a reputation threat, by boards: it is usually thought of as internal employees reporting their organization to an external regulator or government body. This should be the whistle-blowing of last resort! Establishing internal whistle-blowing opportunities and structures is much more effective. Done well, it not only makes employees feel valued, empowered and listened to, but it can also play a huge role in business continuity management systems.

A business continuity plan is only as good as the latest information that informed it. All business continuity managers know that the business impact analysis provides the base-level information needed to create business continuity strategies; but the BIA process will be flawed if employees and managers work in an environment where they feel under pressure (real or imagined) from others in the organization not to reveal areas where safety is compromised, or where processes and behaviours are actually more risky than they should be. Whistle-blowing can lift the lid on these things.

The BIA process itself could include a clear whistle-blowing element: allowing participants the opportunity to input information anonymously or under conditions of extreme confidentiality.

Whistle-blowing can also help with the ‘BIA-gap’: the time between BIAs, when new threats and risks may have arisen, but have not yet been brought into the business continuity plan. The establishment of an ongoing internal whistle-blowing process can flag-up new threats as and when they occur: especially if employees are *actively* encouraged to whistle-blow.

If internal whistle-blowing is to be successful it needs strong top-down support, with managers pointing out that it is the employee’s duty to whistle-blow, and something which is seen as a career-enhancing move, not one which will be detrimental. In order to ensure the latter, much thought needs to go into making the process as confidential as possible and promises to reward and support genuine whistle-blowers must be followed through.

Author: David Honour is editor of Continuity Central.

Make a comment

Reader comments

Whilst I wholeheartedly approve of the principle involved here, i.e. the need for feedback from everyone at every level – I do have reservations about using the term ‘whistle-blowing’ which has such negative connotations.

I remember when I worked for IBM back in the 70s we had what was known as an ‘Open Door’ policy. Everyone was encouraged to voice their concerns with their seniors, bypassing their immediate superiors if necessary. Although it was rarely used, it did give us all a reassuring feeling that our bosses were ready to listen.

In the business continuity context I tend to use the ‘Chatham House Rule’ in informal workshops where risks and tentative solutions are discussed on a regular basis within each department. This has proved to be quite successful and is a means of engaging all parties in the BCM process – as required by the BCI’s Good Practice Guidelines and Standards such as BS 25999.

According to Wikipedia:-
The Chatham House Rule is a principle that governs the confidentiality of the source of information received at a meeting. Since its refinement in 2002, the rule states: “When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.”

Jim Burtles, FBCI


I fully concur with your proposal to include a mechanism for encouraging employee feedback when risky activities are observed.

Dr. Robert Chandler recently published a book about a new category of threat: ethical misconduct disasters - EDMs. His premise is based on the Enron/Andersen Accounting debacle, which brought both firms to an end. In Enron, a pronounced culture of back-stabbing had been created after Ken Lay retired from his CEO position. The new order was a performance review program wherein those who ranked in the bottom 20 percent were laid off each year. The resulting atmosphere was toxic, from an ethics perspective. By the time things got so bad, Ken Lay was asked to come to the company's rescue. Unaware of this lurking iceberg of ambient employee distrust and misbehavior in the name of performance, Lay found himself at the helm of a sinking ship when the house of cards, including employees holdings of Enron stock, plummeting to the bottom.

Clearly, company boards of directors must protect shareholders and stakeholders, and a well-crafted process for gathering evidence of untoward risk-taking should be established in all publicly-traded enterprises.

Gregg Jacobsen, MBA, CBCP
President, Association of Contingency Planners, Los Angeles Chapter


Enjoyed your article re: whistleblowing. May I offer some thoughts?

The mere mention of whistle blowing suggests a negative. We learn that as kids on the playground and on the soccer field. Adult learners however, respond better to positive reinforcement so I would submit that – with the goal of better resilience – observed weaknesses should be rewarded instead of the observed risk resulting in someone’s outing or punishment.

Most people are inherently good, so risky conditions and risky actions are usually not the result of malfeasance as much as poor training.

A model that rewards improvement suggestions will likely engender greater support than ‘catch the bad guy’.

Just food for thought from the gallery.

Mike McKenna

•Date: 28th Sept 2010 • Region: World •Type: Article •Topic: BC general
Rate this article or make a comment - click here

Copyright 2010 Portal Publishing LtdPrivacy policyContact usSite mapNavigation help