Category: Issue 11.8

Whistleblowing is currently a hot topic in Poland. After nearly three years of delay, Poland has finally implemented the EU Whistleblowing Directive 2019/1937.

The Polish Whistleblower Law comes into force on September 25, 2024, and applies to all entities employing at least 50 people (with some exceptions). As a result, many organizations are now focused on setting up their internal reporting systems. A well-prepared plan is key to ensuring a smooth implementation process.

Decisions to Be Made

Entities required to comply with the new Polish Whistleblower Law must first address the following decisions:

1. a) Who should be authorized to receive and follow up on reports of breaches? This role can be assigned to a department or an individual within the organization, with HR, Legal, and Compliance departments or their heads being natural choices. When designating these roles, it’s advisable to assign functions to them rather than specific individuals to avoid frequent updates to authorizations.
2. b) Should the process of receiving reports be outsourced to a third party? Outsourcing can be beneficial, particularly if the organization lacks the resources to manage the process effectively. In such cases, an outsourcing agreement should be prepared.
3. c) Will anonymous reports of breaches be accepted and followed up on? If yes, the internal whistleblowing procedure must outline the steps for handling such reports. Accepting anonymous reports increases the likelihood that the organization will learn about breaches early, so consider this option carefully when designing your system.
4. d) Should an incentive scheme be applied for using the internal reporting system?
5. e) Should the organization allow reporting of breaches related to internal policies, ethical standards, or other areas (e.g., discrimination, mobbing) beyond those specified by the Polish Whistleblower Law? If so, these areas must be included in the internal whistleblower procedure, which should also link to the relevant policies, standards, and regulations.

Establish Internal Reporting Channels

The law requires organizations to provide at least verbal or written channels for internal reporting:

1. a) Verbal reports can be made by phone or voice messaging systems, as well as during face-to-face or online meetings.
2. b) Written reports can be submitted on paper (e.g., via traditional letters or physical complaint boxes) or electronically (e.g., through dedicated email addresses, website forms, or online platforms). If you are concerned about completeness, the last two methods allow you to include a set of relevant questions.

Reporting channels may be managed internally or provided by a third party. If opting for external tools (such as online platforms), ensure they guarantee the confidentiality and security of whistleblower information through, e.g., data encryption and strict access control. Additional helpful features include report management, automatic notifications, automatic creation of a report register, and a built-in system or chat for ongoing communication with the whistleblower. Consider whether the tool has a user-friendly interface, supports the entire report life cycle (from receipt to investigation and corrective action), allows anonymous reporting, and accommodates communication in multiple languages.

Prepare an Internal Whistleblower Procedure

Once the key decisions are made and reporting channels established, the next step is to prepare an internal whistleblowing procedure. The new Polish Whistleblower Law outlines the required content of this procedure. Aim to keep it concise and straightforward. The procedure should be reviewed in consultation with trade unions or employee representatives (note that it may be necessary to elect such representatives beforehand). The finalized procedure must be announced to the organization at least seven days before it comes into force.

Maintain a Register of Internal Reports

The Polish Whistleblower Law specifies the information that must be included in the register of reports and the retention period for this information.

Why is it important to have an effective internal reporting system?

An effective internal reporting system encourages whistleblowers to report issues internally rather than to public authorities or through public disclosures. Gaining early knowledge of breaches allows the organization to manage the situation internally, often avoiding legal, financial, and reputational risks. Additionally, such a system strengthens the ethical work environment. Therefore, investing in and promoting this system within the organization (e.g., by integrating it into the onboarding process and offering internal training) is highly beneficial.

By Ewa Swiderska, Lead Regional Counsel CEE

Wonga Director of the Legal, Compliance, and HR Department Zuzanna Kopaczynska Grabiec discusses what systems needed to be set up to align with new Polish legislation on whistleblowing and how her team did so.

CEELM: What new whistleblowing systems did you need to introduce in your organization as a result of new regulations?

Kopaczynska Grabiec: Poland has recently implemented legislation in alignment with Directive (EU) 2019/1937, which the European Parliament and Council adopted on October 23, 2019. This directive mandates that EU member states, and consequently, employers within these states, establish legal frameworks to protect whistleblowers. It also sets out clear procedures for reporting breaches of union law and outlines how employers and public authorities should respond. To comply with these new regulations, companies need to take several critical actions to ensure both compliance and the effectiveness of their whistleblowing systems.

The first step involves policy and procedure development. Companies like Wonga must ensure that their existing whistleblowing policies are updated to reflect the new regulations. This includes clearly defining the reporting process, identifying the types of issues that should be reported, and detailing the protections available to whistleblowers. Comprehensive procedures must be established for managing whistleblowing reports, from initial intake through to investigation, follow-up actions, and resolution. Additionally, offering multiple secure and anonymous reporting channels – such as a hotline, an online platform, and a confidential email address – is essential.

Next, we should focus on employee awareness campaigns. It is crucial to educate employees about the new whistleblowing systems, their rights under these systems, and the importance of reporting any misconduct. Training sessions for both employees and management are vital to ensure that everyone understands how to identify, report, and appropriately handle whistleblowing cases.

Protecting whistleblowers from retaliation is a key concern, which brings us to the non-retaliation policy. Companies need to reinforce their commitment to protecting whistleblowers from any form of retaliation. Employees must feel confident that they can report their concerns without fear of negative consequences. Support systems, such as access to counseling or legal advice, should also be established for whistleblowers if needed.

On the investigative side, we have established a dedicated investigation team responsible for thoroughly and impartially investigating any whistleblowing reports. Having a specialized team ensures that reports are handled with the necessary expertise and care.

These measures are crucial for fostering a transparent and ethical workplace. The goal is to create a culture where employees feel safe and empowered to speak up when something isn’t right, ensuring not only compliance with the law but also strengthening the integrity of the organization.

CEELM: Are you relying on a global solution within your organization or local ones? Why?

Kopaczynska Grabiec: Our company has chosen a local solution, which in our opinion is more attuned to the cultural and legal nuances of the region. Since we are providing services only in Polish, whistleblowing channels in the local language ensure better understanding and accessibility for employees, reducing barriers to reporting. Local solutions are tailored to comply with specific national and regional regulations, ensuring that the organization meets all legal requirements. In my opinion, local tools also facilitate smoother communication and coordination with local regulatory bodies, which can be crucial in handling and resolving cases. Implementing a local solution can be also more cost-effective than deploying a global system, particularly for organizations with a significant presence in one region.

CEELM: Did you opt to use in-house resources or externalize whistleblowing? Why?

Kopaczynska Grabiec: We decided to use an integrated whistleblowing system. Using both in-house and external resources for whistleblowing processes offers a balanced approach that leverages the strengths of each to create a comprehensive, effective, and credible system. By using a combination of in-house and external resources, the organization can create a more robust, effective, and trusted whistleblowing system that not only meets regulatory requirements but also fosters a culture of transparency and accountability. External resources bring an impartial perspective, which is crucial for maintaining the integrity of the investigation process and ensuring that all reports are handled fairly and without bias. The in-house resources are well-versed in the organizational culture, values, and internal processes, making them better equipped to handle sensitive issues with an understanding of the internal context.

CEELM: For the external component, are you using an off-the-shelf solution or a tailor-made one?

Kopaczynska Grabiec: We have decided to use an off-the-shelf solution. Developing a custom solution can be costly and time-consuming. With off-the-shelf solutions, the costs are more predictable and often include support and maintenance as part of the package. Off-the-shelf solutions generally require a lower initial investment and can be more affordable in the short and long term. Off-the-shelf solutions can be implemented much faster than custom-developed systems. This is crucial for meeting regulatory deadlines and quickly establishing a functional whistleblowing system. These solutions are often built around industry best practices and standards, ensuring that the organization benefits from up-to-date and effective whistleblowing processes. What is very important from my perspective, providers of off-the-shelf solutions often update their products to remain compliant with new regulations, which helps organizations stay current with minimal effort.

CEELM: To what extent is the legal function in your organization involved once a report is received?

Kopaczynska Grabiec: In our company, the legal team is the owner of the whistleblowing process. By involving the legal function at every stage of the whistleblowing process, the organization ensures that it handles reports in a manner that is legally sound, protects the rights of all parties involved, and maintains compliance with relevant laws and regulations. My team coordinates with internal or external investigators to ensure the investigation is conducted thoroughly, impartially, and in compliance with legal standards. The team provides legal advice to ensure that the investigation and subsequent actions comply with relevant laws, regulations, and organizational policies, ensures that the rights of all parties involved, including the whistleblower and the accused, are protected throughout the process, and maintains comprehensive and confidential records of the investigation process, findings, and any legal advice provided.

CEELM: How have you been promoting the whistleblowing channels throughout your organization?

Kopaczynska Grabiec: The concept of a whistleblower, particularly in Polish culture, can have a pejorative connotation as it is associated with informants. Therefore, it is extremely important to create an environment where employees feel empowered to speak up, knowing that their concerns will be taken seriously and handled appropriately. Promoting whistleblowing channels within an organization requires a thoughtful and strategic approach to ensure employees are aware, feel safe using them, and understand their importance. First of all, leadership should visibly endorse the whistleblowing channels, emphasizing their importance in fostering a transparent and ethical work environment. Regular communications from senior leadership (such as emails, town hall meetings, or video messages) should underscore the value of whistleblowing, reassure employees of their protection, and encourage its use.

We have also created a dedicated section on the company intranet that provides detailed information about the whistleblowing process, including FAQs, case studies, and contact details. With the implementation of the new Polish regulation, we are planning to distribute brochures or flyers that outline the whistleblowing procedure, ensuring that all employees, including those without regular internet access, are informed.

“Plan twice to implement once” is Teqball Group Legal Director Marianna Erdei’s approach to implementing new whistleblowing regulations in a manner that is not compliant only with Hungarian law but takes into account the local needs of other jurisdictions.

CEELM: What are the biggest challenges in your view in implementing the new whistleblowing regulations?

Erdei: What is very important to note is that the EU regulation on it is something that needs to be implemented in a way that the country’s own law will be respected. In my case, several of the group companies and the sports federation itself are located in Hungary, meaning that we need to keep the Hungarian law in mind. There are differences between EU and Hungarian legislation and you need to overcome those obstacles.

For example, look at anonymity. Under Hungarian legislation, it is not a necessity – which adds an interesting spin to EU legislation. That said, working for an international group of companies, you have many local subsidiaries that have other local flavors. However, using the same system is pretty much a requirement for any international body, giving rise to questions on how to set up a system that takes these differences into.

And that is just one example of the challenges of finding a system that will be both good for the company and the whole set of companies in the international group. Keep in mind that, the goal is to have independence locally to be able to investigate any reports on a local level while also sharing any findings in compliance with local rules. If it is against the rules to share them abroad, you need to find a chain of investigators who can be involved but are independent enough to be able to have an independent result.

Another consideration when looking at an international group is language. It is a requirement for reporting opportunities to exist in a language that the whistleblower understands – i.e., local language. As such, you need to both localize reporting lines while also ensuring you have processing capabilities in the local language.

CEELM: How do you recommend tackling these challenges?

Erdei: Use internal resources if you are a big enough organization or look for off-the-shelf solutions that can be localized. The latter have their limitations, of course. If you have something that is already available, you can then use local resources to adjust to your local needs.

There is of course always a question as to who is independent enough but also possesses the internal knowledge and expertise to cover the investigation. Most of the companies that operate in sensitive areas already have some systems in place but now have a specific set of requirements that they need to adjust to. If your organization is rather small, you’ll need to start spending money to either externalize or train internal resources. Of course, not only one responsible person is needed because if they are tainted by any info received, you need to be able to deal with those conflicts. Having an efficient compliance department is important in light of the new legislation but not all can afford a whole compliance team.

CEELM: What are the options if there are no internal resources then?

Erdei: My approach would be to see what would be most efficient in all instances – both in terms of time and money. There is no one good path, but an evaluation of the company’s situation is needed – to see if the cost of external services, or the cost of training of an available and appropriate team member(s) is more suitable for the company. In a lucky scenario, the company can rely on the already existing compliance teams (and even IT internal resources).

I believe that in most cases a combination of the available solutions would work. My advice would be to find the simplest setup as well. Ultimately, I asked myself what was the most important message from the legislator that should be considered when implementing the whistleblowing system. My answer would be to have appropriate ways that people can submit a complaint efficiently. I propose to identify the channel that complies and do our best to make it available to all concerned persons (i.e., ensure access).

CEELM: Which function is best positioned in your view to receive and process complaints?

Erdei: May this be a little bit extraordinary view, but I think almost either – IT, compliance, legal, HR – you need to look more at the personal set of skills needed to carry out the relevant investigation. Compliance is likeliest to have those skills the most by virtue of what they do but, for smaller companies, my choice would probably be to look at individuals rather than functions per se. Probably look at HR or legal but I wouldn’t rule out any department (or its member) that might have the necessary skill set and training. Ensuring independence for the investigator might mean you need to consider outsourcing, should the internal circumstances not allow unquestionable independence for the internal resource.

CEELM: If the skill set is more important then, what are the skills you’d look out for?

Erdei: First and foremost: analytical thinking – to be able to gather and analyze the facts for any complaint. Second, probably some legal knowledge or background would be useful, and to be familiar with the code of ethics (or equivalent) you wish to enforce. Third, strong communication skills are definitely needed – whoever is in charge of this needs to be able to tactfully and efficiently communicate with the reporter and witnesses. Last but not least, good problem-solving skills are needed to propose appropriate measures at the end of the investigation.

CEELM: What are the most effective channels for reporting issues?

Erdei: In the era of the internet, probably online is the easiest to set up channels (through your intranet or website or the like). Also, to gather info and evidence, it makes more sense to have it written down as well. I wouldn’t rule out email either as a very common communication channel.

CEELM: Once the new system is set up, how do you communicate it best internally?

Erdei: Like any other compliance matter – it is all about raising awareness and training, showing how team members can use it or what options are available, but they should also be made aware of the potential consequences (good faith vs bad faith reporting) because it is not something that should be taken too lightly. It’s a great tool to have and important for any organization to know if there is something wrong internally, but you need to make sure it is used wisely and ethically.

CEELM: Do you have any tips for the actual setup?

Erdei: It is important to collect information on what works best for your organization. Starting a system not well suited for you will probably mean losing time and money, so you need to plan it out well before you go for any option. Also, if you have a procedural framework and templates in place, you will not be surprised by the first few submissions. You should practice it out – what everyone does under varying scenarios. Working out templates will ensure you have a methodology in place both in terms of how you react to and how you engage the whistleblower. That way you can focus on engaging with the substance of a received report, not the form of how to connect. Bottom line: Plan it out well and build up templates while testing.

If you think about it, it is ultimately a compliance exercise. We’ve had the GDPR and the like before, so we are used to incorporating a new system. And, if you are lucky, you already have a similar system in place. It is important to look at it from a positive perspective and internalize it as an opportunity for the organization to be in control over its operations. Having used it wisely, under certain circumstances, this system can ensure competitiveness for the company, not to mention, that in other cases it can spare the organization a lot of headaches by preventing a problem from getting bigger.

With the Whistleblowing Directive implemented into local legislation, whistleblowing has become an essential topic in companies. As national interpretations of the directive on whistleblowing have made it mandatory for organizations to introduce reporting channels and protective measures, businesses must navigate a more stringent and complex legal landscape.

Implementing a whistleblowing system in a company is a crucial step toward fostering transparency, accountability, and ethical behavior. Even more, this will improve the company’s image and gain the trust of business partners, clients, and investors.

It is known that the EU Whistleblower Protection Directive mandates that organizations with 50 or more employees must establish secure reporting channels.

However, each EU member state may implement the directive with additional or more stringent requirements.

Operating a business across multiple countries can indeed present challenges when it comes to implementing and managing a whistleblowing system, particularly given the varying legal requirements and cultural differences in each jurisdiction.

Designing and implementing a whistleblowing system is a highly sensitive process that requires careful consideration of the unique legal, cultural, and behavioral nuances of each country. The success of such a system hinges on its ability to resonate with local employees and stakeholders while maintaining the integrity and consistency of the organization’s ethical standards.

Each country has its own legal framework governing whistleblowing, which can range from very robust protections to limited or no specific regulations. Understanding these nuances is critical to ensuring that the system is compliant and offers the necessary protections to whistleblowers.

The system must be designed to comply with not only the most stringent legal requirements globally but also the specific legal obligations in each country. This means adapting policies, reporting mechanisms, and investigation procedures to align with local laws.

In some cultures, whistleblowing may be seen as a betrayal or as dishonorable, which can deter individuals from coming forward. Conversely, in other cultures, it may be viewed as a civic duty or an act of integrity. The system must be sensitive to these perceptions and designed in a way that encourages participation in a culturally respectful manner.

Trust is a cornerstone of an effective whistleblowing system. Employees must believe that their reports will be handled confidentially and that they will be protected from retaliation. Building this trust requires a deep understanding of local attitudes toward authority, privacy, and fairness.

Understanding what motivates employees in different countries to speak up – or to remain silent – is key. This might include considerations of loyalty, fear of retaliation, concern for the company’s reputation, or personal ethics. The system should be designed to address these motivations in a way that encourages honest and open reporting.

While maintaining a consistent global framework, it is important to allow flexibility in how the system is implemented and operated in different countries. This might mean offering multiple reporting channels, adapting the investigation process, or customizing training programs to fit local needs.

Fostering an organizational culture that deeply values transparency, accountability, and ethical behavior is essential for creating an environment where a whistleblowing system is not just a compliance tool, but a reflection of the company’s core values. When these principles are ingrained in the company’s DNA, employees are more likely to trust and use the whistleblowing system, viewing it as an integral part of their commitment to maintaining the organization’s integrity.

However, despite all differences and local adaptations, the core ethical standards of the organization should remain consistent across all jurisdictions. This ensures that the organization’s commitment to integrity and transparency is clear, regardless of location.

Designing and implementing a whistleblowing system that respects the unique characteristics of each country is indeed a delicate and intimate process. By approaching it with cultural sensitivity, legal awareness, and a deep understanding of local behaviors, businesses can create a system that not only complies with the law but also resonates with employees and encourages them to speak up without fear. This thoughtful approach helps build a stronger, more ethical organization that is capable of navigating the complexities of a global business environment.

When transparency, accountability, and ethical behavior are deeply embedded in a company’s culture, the whistleblowing system naturally aligns with the organization’s broader commitment to integrity. It becomes more than just a compliance mechanism – it is a vital part of the company’s ethical framework that employees trust and value. By fostering this culture, companies not only protect themselves from risks but also build a strong foundation for long-term success and a positive reputation.

By Minerva Ionita, Head of Legal & Compliance, Beko Romania

An act of “whistleblowing” is usually defined in different vocabulary within the frameworks of management sciences and law perspective. A whistleblowing act happens when a person within or outside an organization, holding sensitive information regarding illegal, unethical, or abusive activities, or any action creating a risk to harm the organization, decides to speak out, to internal or external authorities. Whistleblowers are essentially the messengers who convey the information they have somehow acquired.

Two controversial approaches emerge when it comes to positioning whistleblowers in the psychology of an organizational environment: the first considers whistleblowing as an activity that benefits the organization and community; the second considers it as an inappropriate behavior of spying that is not ethically correct, has negative consequences and may put the organization or the individuals working in the organization in a difficult situation.

According to the Occupational Fraud 2024: A Report to the Nations prepared and published by the Association of Certified Fraud Examiners, the most effective method of detecting internal fraud and corruption was whistleblowing, with a rate of 43%. In institutions where training is organized on how to prevent and detect corruption and abuse, the rate of abuse detected through whistleblowing mechanisms increases to 56%. Judging by the data, it is no secret that whistleblowers play an active role in revealing non-conformities and that it is required or, at least, it would be beneficial to include whistleblowing in the scope of corporate governance in one way or another.

So, how can we use this system in the most effective manner and not shoot the messenger?

In the act of whistleblowing, there are three actors who have their personal agendas: the whistleblower raising the report, the authority receiving the report, and the person(s) related to the subject of the report.

A whistleblower is expected to be acting in ethical concerns or pursuit of justice; however, they as well might be driven by humanistic motives such as jealousy or competition. The authorities receiving a report may tend to stay silent on it for various reasons. Finally, the person(s) who is/are related to the subject matter of the report may come back with a hostile reaction. In order to make whistleblowing – a human behavior-centered mechanism – well-functional and useful, it becomes an important issue to create solid and easy-to-understand rules balancing the roles among the actors, though it is evident that human motives cannot be completely eliminated or managed.

In Turkiye, specific legal regulations on whistleblowing may not exist at all, or exist only within the required scope in terms of positioning the whistleblower within corporate governance, evaluating data confidentiality, whistleblower protection conditions, and similar perspectives. The first step would, therefore, be to select and implement a legal regime by evaluating all the unique characteristics of the organization. It is important to clearly set out standards, simple and easy-to-understand content of the subject matter actions, identify the assigned authority and a step-by-step explanation of procedures on how to reach them, procure the security or protection of the whistleblower by providing the option to raise a concern in complete confidentiality, reflect a clear view “against retaliation,” ensure whistleblowers understand that any reports that do not reflect the truth or are made in a hostile grievance are not welcome, and, finally, implement rewards. All these would help in enabling and promoting individuals to take part in the mechanism.

Could “having created the perfectly formulated policy and a mechanism” be sufficient to embed whistleblowing implementations into the organizational environment? As the Bartleby column describes in How to Read Corporate Culture in The Economist, “culture eats strategy for breakfast, runs the aphorism. It also projectile vomits employees who don’t fit in.” Without integrating the whistleblowing mechanism into the company culture – which is no different than the other implementations – its success, unsurprisingly, will likely be a long shot. Commitment to whistleblowing by the high-level organizational members, training enabling the participants to understand how and when to use the whistleblowing mechanism, proper, consistent, and sincere follow-up of the applications, and providing feedback to the whistleblowers in a consistent manner.

Thanks to whistleblowing, organizations have the opportunity to avoid potentially harmful acts and transactions before incurring any damage to their reputation and financial situation. At the same time, whistleblowers gain a place in corporate governance. Thus, whistleblowing works bidirectionally toward creating a healthy corporate culture that benefits all.

By Miray Gunes, Head of Legal, Energo-Pro Turkiye

Whistleblowing transcends being a mere procedural checkbox – it is a lifeline for organizational integrity and accountability. It serves as a crucial mechanism for employees, business partners, and third parties to report unethical practices, illegal activities, or violations of company policies within their organizations.

As the first line of defense against internal misconduct, whistleblowing plays a pivotal role in maintaining organizational integrity. When implemented effectively, it ensures that potential issues are addressed early, preventing them from escalating into full-blown crises. However, as an experienced legal and compliance professional, I must emphasize that the success of a whistleblowing system demands more than just policies and legal frameworks – it also requires a well-structured, top-to-bottom approach in which leadership actively champions transparency and ethical behavior.

At the heart of whistleblowing lies the principle of accountability and transparency. Employees, business partners, and third parties involved with an organization are often the first to notice when something is amiss – be it financial fraud, regulatory violations, or workplace harassment. By establishing a safe environment where these stakeholders can report their concerns without fear of retaliation, organizations can mitigate risks early on. This proactive approach not only protects the organization from legal liabilities, financial losses, and reputational damage but also fosters a culture of trust and engagement. Employees and partners who believe their concerns will be taken seriously are more likely to contribute positively, enhancing overall morale and productivity.

The effectiveness of any whistleblowing system hinges on leadership commitment. A top-to-bottom approach is crucial, where ethical behavior is not merely encouraged but mandated from the highest levels of the organization. This commitment starts with senior executives and the board of directors, who must visibly support whistleblowing initiatives and embody the organization’s commitment to transparency. Leadership must go beyond simply having a whistleblowing policy – they need to actively promote it as a core value. When leaders set the tone from the top, that commitment filters down through the organization, reinforcing the expectation that ethical behavior is non-negotiable at every level.

For a whistleblowing system to truly be effective, it must be supported by clear and comprehensive policies. These should specify what can be reported, the process for reporting, and the protections available to whistleblowers. Policies must be easily accessible and regularly updated to reflect changes in laws and company procedures. Crucially, organizations should offer multiple channels for reporting concerns, including anonymous hotlines, online platforms, and in-person meetings with designated legal and compliance professionals. Providing various options increases the likelihood that employees and partners will come forward, especially if they can do so confidentially.

Confidentiality and protection from retaliation are fundamental to any effective whistleblowing system. The fear of retaliation – whether in the form of dismissal, demotion, harassment, or ostracism – often deters individuals from reporting misconduct. Organizations have a legal and ethical obligation to protect whistleblowers from these consequences. Many countries have established robust legal frameworks to safeguard whistleblowers and require legal protections and establish secure reporting channels.

However, legal protections alone are not enough. Organizations must also cultivate a culture where whistleblowing is not just tolerated but encouraged and valued. This cultural shift starts with leadership. Executives and senior managers need to actively communicate that whistleblowing is a positive and necessary contribution to maintaining ethical standards. Regular communication about the importance of ethics and transparency helps to reduce the stigma associated with whistleblowing, making it clear that reporting concerns is both safe and encouraged.

Middle management plays a critical role in this cultural transformation. Managers must be trained to handle whistleblower reports with professionalism and sensitivity, ensuring confidentiality and support throughout the process. A poorly handled report can erode trust in the system, so managers need the right tools and training to manage these situations effectively.

A strong whistleblowing system must also commit to thorough, impartial investigations. Once a report is received, the organization must take it seriously, assigning independent investigators to assess the claims and gather evidence. The investigation process should be transparent, with whistleblowers kept informed of the progress where appropriate. Acting on the findings – whether through disciplinary measures, policy changes, or other corrective actions – demonstrates the organization’s commitment to upholding ethical standards.

Continuous evaluation and improvement are necessary for the long-term success of whistleblowing systems. Leadership should regularly review the system’s effectiveness by analyzing metrics such as the number of reports received, investigation outcomes, and employee trust levels. Feedback from employees and partners can provide valuable insights for refining the system, ensuring it remains effective and responsive to organizational needs.

In conclusion, whistleblowing is integral to creating a culture where ethics and transparency are not just buzzwords but are embedded in the organization’s fabric. By adopting a top-to-bottom approach, supported by robust legal protections and well-implemented systems, organizations can empower employees, business partners, and third parties to speak up without fear. This proactive stance not only protects the organization from potential harm but also reinforces its reputation as a trusted, ethical entity. Whistleblowing, therefore, is not just a compliance requirement but a critical component of an organization’s long-term success, fostering a culture of integrity that benefits everyone involved.

By Aslihan Evcimen, Country Legal Director, Saint-Gobain

ESG has long been considered a niche concept, especially in Bosnia and Herzegovina. However, over time the picture has completely changed and the market has not only mastered the meaning of ESG, but a large number of companies have adapted their business to all or rather most of environmental, social, and governance principles.

Both under the influence of globalization and due to the influx of investments, the concept of ESG is becoming an increasingly important topic for every legal entity on the market, and those businesses that fall behind will risk staying behind.

If we take into account that EOS Bosnia and Herzegovina is a member of the EOS Group, which is a leading technology-driven investor in receivables portfolios and an expert in the processing of outstanding receivables, operating on the global market for 50 years, the question of whether to implement ESG principles in practice is a no-brainer. It is easy to conclude that the mastery of this concept and its implementation for our local company was certainly under the great influence of our owner – the Hamburg-based EOS Group. To substantiate the level of seriousness of this topic, I will mention that, in 2023, EOS Group received an ESG rating from the renowned rating agency Morningstar Sustainalytics and was given a risk of 10.2, which puts EOS Group among the top 2% in the consumer finance sector.

Belonging to a large family that operates on the global market certainly exposed the local team to solid know-how and sharing of experiences and best practices. Research has shown that more than 80% of investors take into account the company’s ESG standard when considering potential investments, so I can certainly conclude (looking at the emerging interest banks and local companies on the Bosnian market show for this topic) that nowadays companies that do not adapt their operations and business to environmental and social standards cannot expect to be successful in any serious market. ESG has left the sphere of “nice to have” and has become a “must have.”

Our company has recognized the importance of ESG for a long time, and in this direction, we established a compliance department a few years ago that independently, and under the influence of our group’s good practices, implemented many concepts in the company’s management that support ESG principles.

Despite our company not being a financial institution or an entity that must implement certain systems prescribed by the Law on Prevention of Money Laundering and Financing Terrorist Activities, we decided to – although we have no strict legal obligation – implement appropriate systems and procedures that support this legislation. We have an internal system of records of all business entities and third parties that are subject to checks before business cooperation can be established. At the same time, we have a system of flagging certain transactions that, given the nature or identity of the participants, require additional checks that may result in a ban on entering into a business relationship.

Our group is a member of the UN Global Compact (UNGC) – a framework in which companies engage in order to safeguard and enact universal principles in the areas of human rights, labor, environment, and anti-corruption. As such, we especially take care to apply without exception principles of the UNGC, and this includes, among other things, our self-imposed aspiration to only work with partners and clients who pass our KYC checks and for which we have no indication of any human rights violations.

We also undertook certain activities in order to support the “E” (environmental) aspect to the greatest extent possible. We fully implemented the qualified electronic signature within the company last year. The e-signature implementation, in addition to simplifying day-to-day work, significantly reduces the use of paper. Unfortunately, the legislative system in BiH does not currently support solutions for electronic communication with courts and the use of paper in that regard is still present, however, the plans of our compliance department for this year include an initiative to engage a paper recycling company that would deal with the recycling of paper. At the same time, the previously mentioned KYC/BPS checks are fully automated and paperless.

Our compliance department plans to implement a system by which existing technical equipment (e.g., computers) whose depreciation period has expired but that are still in working condition would be donated to charitable organizations or those who may need computers (e.g., schools). Going “green” was also marked this year with the donation of a solar bench to the town and citizens of the city of Ljubuski, which is environmentally friendly and at the same time shows our company’s efforts to demonstrate the application of good standards required by ESG with practical examples.

Lastly, I cannot help but point to the Finlit foundation as the first non-profit organization of the EOS Group. The Finlit ManoMoneta educational initiative has already reached more than 100,000 children aged 9 to 13 with the aim to make children more aware of the right way to handle money and, in doing so, help counter excessive personal debt.

To finish as I have started: ESG implementation is no longer simply “nice to have,” but rather a “must have,” and I am personally grateful for the great work our local compliance team is doing in this segment.

By Mirza Kahvedzic, Executive Director for Legal Affairs, EOS Matrix Bosnia and Herzegovina

mBank Deputy General Counsel Pawel Szczepaniak talks about how the rise of ESG has shaped in-house legal role but also how his organization literally puts its money where its mouth is when it comes to ESG.

CEELM: How has the rise of ESG impacted your organization as a whole to date?

Szczepaniak: In recent years, Environmental, Social, and Governance (ESG) factors have gained significant importance in corporate strategy and operations. Companies worldwide are recognizing the importance of sustainable and ethical practices not only to meet regulatory requirements but also to align with stakeholder expectations.

Throughout the last several years, the Polish banking sector proved to be particularly important in the context of financing the transformation of the whole economy into a more sustainable one. In 2023 alone, mBank’s offer related to the financing of renewable energy sources and investments in large RES plants made it possible to generate 641 megawatts of energy from renewable energy sources. At the end of December 2023, mBank’s RES portfolio reached almost PLN 4 billion. Furthermore, based on data from the end of 2023, we invested over PLN 5.3 billion of our own capital in sustainable finance initiatives. This includes sustainability-linked loans and green loans. We also acted as arranger/dealer of corporate bonds, facilitating the placement of our customers’ green bonds.

As one of the first Polish financial institutions, we also publish information on the carbon footprint of our portfolio (especially scope 3 – portfolio emissions). For that purpose, we use well-established, standardized international methodologies and, as part of our membership with the Science Based Targets initiative, we are developing an effective plan for decarbonizing our activities. Moreover, we were the first bank in Poland to join the Partnership for Carbon Accounting Financials.

However, ESG considerations are not only environmental challenges. There are also a number of examples of our social and employee-related activities. I will only mention the aspects that are important to us, such as improving the effectiveness of human rights verification in the group value chain and maintaining the pay gap below 5%. We are also consistently implementing social involvement programs, such as the Great Orchestra of Christmas Charity.

And, as part of our drive to promote ESG considerations in the financing world, we also introduced a new service line whereby we act as a so-called sustainability agent – an agent in syndicated SLL financing that verifies that the reporting of KPIs of our clients are in line with regulatory and documentary framework. It might seem like a small role but it is a significant one as it helps to set a market standard in the country.

Ultimately, a green transformation is reflected in mBank’s ESG strategy. It includes a decarbonization strategy based on SBTi objectives, which is our current priority in the area of sustainable development. mBank is a good example of the companies that successfully integrate ESG principles into their operations, which often allows them to enjoy a competitive advantage, attracting investment, talent, and customer loyalty.

CEELM: What about your in-house legal function – how has it been shaped by this focus on ESG?

Szczepaniak: The in-house legal function has been particularly affected by the rise of ESG. Traditionally focused on legal risk management and regulatory compliance, legal teams are now tasked with a broader mandate that includes advising on ESG-related issues. This shift has required legal departments to expand their focus beyond traditional legal risks to encompass environmental, social, and governance factors.

One significant impact on the legal function is the need to stay abreast of evolving regulations related to ESG. It is worth mentioning that currently there are over 600 ESG-related regulations in the regulatory database, and one-third of them are regulations from Europe. Legal teams must monitor changes in environmental laws, human rights regulations, labor practices, and corporate governance standards, all of which are increasingly being codified into law. This requires a deeper understanding of the ESG landscape and a proactive approach to compliance.

Additionally, the legal function is often called upon to advise on the development and implementation of ESG policies, strategies, and documentation standards. This involves working closely with other departments, such as sustainability, human resources, and corporate governance, as well as with other market participants and public sector representatives to ensure that the organization’s ESG initiatives are legally sound and align with best practices.

Furthermore, regulatory bodies are increasingly mandating ESG disclosures and compliance. This heightened regulatory scrutiny means that organizations must be proactive in their ESG strategies, ensuring that they not only meet legal requirements but also exceed them to safeguard against future risks.

CEELM: Is ESG compliance something you are looking to incorporate into your legal function? If so, how?

Szczepaniak: Incorporating ESG compliance into the in-house legal function is essential for organizations seeking to navigate the complexities of sustainable business practices. Legal teams play a pivotal role in ensuring that ESG principles are embedded into the organization’s operations and that compliance with ESG-related regulations is maintained.

To incorporate ESG compliance effectively, legal teams must first assess their current capabilities and identify any gaps in expertise or resources. This may involve conducting a thorough review of existing policies, procedures, and training programs to determine how well they align with ESG requirements.

Once gaps are identified, legal teams can take several steps to integrate ESG compliance into their functions. These steps may include:

1. Developing ESG Policies and Procedures: Legal teams can lead the development of comprehensive ESG policies that outline the organization’s commitment to sustainability, social responsibility, and ethical governance. These policies should be aligned with regulatory requirements and best practices and should be communicated clearly to all stakeholders.

2. Training and Education: Educating employees about ESG compliance is critical for fostering a culture of accountability. Legal teams can conduct training sessions to raise awareness about ESG regulations and ensure that employees understand their roles in achieving compliance.

3. Cross-Functional Collaboration: ESG compliance requires collaboration between legal, compliance, sustainability, and operational teams. Legal departments should work closely with other functions to integrate ESG considerations into business processes and decision-making.

CEELM: What new expertise does your team have to develop to incorporate all of this? Will you be looking to rely on internal resources or external expertise?

Szczepaniak: The rise of ESG necessitates the development of new expertise within the in-house legal function. Legal teams must be equipped to address both existing legal frameworks and emerging challenges related to ESG. At mBank we have ESG experts in every major legal support section, who lead workstreams within their respective product lines. There is one in the investment banking team, one in capital markets and M&A, one in the corporate clients’ department focusing on loan financing, one in retail, and another one in the brokerage house.

The required set of competencies entails, in particular:

Environmental Law Expertise: As environmental regulations become more stringent, legal teams need to deepen their knowledge of environmental law. This includes understanding regulations related to carbon emissions, waste management, and resource conservation, as well as staying informed about global environmental agreements and treaties.

Social Responsibility and Human Rights: Legal teams must also develop expertise in social responsibility and human rights issues. This includes understanding labor laws, diversity and inclusion requirements, and ethical labor practices. Legal professionals should be prepared to advise on policies that promote social equity and protect human rights.

Governance and Compliance: Governance is a critical aspect of ESG, and legal teams must be well-versed in corporate governance principles, compliance requirements, and risk management strategies. This includes understanding disclosure requirements, anti-bribery and corruption laws, and stakeholder engagement practices.

Organizations can choose to build this expertise internally by training existing legal staff or hiring new professionals with specialized ESG knowledge. Alternatively, they may choose to rely on external expertise, such as law firms or consultants with deep experience in ESG matters.

At mBank we chose a hybrid approach, combining internal development with external support, which in my opinion may offer the most flexibility and breadth of expertise. While we are very much focused on building up the necessary competencies internally, it is not sufficient given the depth of it all. We already have a panel of law firms in place focused on ESG as we’re bound to continue cooperating with external lawyers. We are also big on constant learning from the market – may it be in exchanging best practices with the Polish banking association and running or attending educational events with our clients. I see the latter as a mutual learning opportunity since we also get to learn from our clients in terms of what their expectations and the market standards are.

CEELM: What are currently the main unknown variables for your in-house legal function when it comes to ESG?

Szczepaniak: Several unknown variables present challenges for in-house legal teams when it comes to ESG.

Regulatory Uncertainty: The regulatory landscape for ESG is rapidly evolving, with new laws and regulations being introduced regularly. As I mentioned earlier, there are hundreds of regulations in the ESG area currently in place and many others are to come. Legal teams must stay vigilant in monitoring these changes and be prepared to adapt their strategies as new requirements emerge.

Variability in ESG Standards: There is currently a lack of uniformity in ESG standards and reporting frameworks. This variability can make it challenging for legal teams to ensure compliance across different jurisdictions and industries. Common standards are critical because, in lieu of them, banks need to rely on their own which ultimately means you might need to justify or defend them in front of a regulator down the line. That said, I do see a positive trend of aligning these standards. I see the unification exercise as an ongoing one and think most of the market is generally positive about its outlook.

Stakeholder Expectations: Stakeholders, including investors, customers, and employees, have varying expectations regarding ESG performance. Legal teams must navigate these expectations and advise on strategies that balance compliance with stakeholder demands.

To explore answers to these challenges, in-house legal teams can take several approaches. In my opinion, the most efficient solutions include continuous monitoring of regulatory developments, collaborating with external experts, engaging with stakeholders, and investing in training and education.

CEELM: How do you believe ESG will evolve going forward?

Szczepaniak: It is already noticeable that ESG will have a profound impact on the future of the in-house legal role. Legal teams will increasingly be viewed as strategic partners in shaping corporate ESG strategies and ensuring that organizations meet their sustainability goals. There will be a growing demand for legal professionals with expertise in ESG, and the skill set required for in-house legal roles will expand to include a deeper understanding of environmental science, social responsibility, and governance practices.

Key developments to watch include the ongoing evolution of ESG regulations, the rise of investor activism on ESG issues, advancements in technology for ESG compliance, and changing stakeholder expectations. By staying informed about these trends and proactively addressing ESG challenges, in-house legal teams can play a crucial role in driving sustainable business practices and safeguarding their organizations against legal and reputational risks.

I am convinced that effective sustainability management, such as shown in mBank’s example, is an expression of concern for the interests of the shareholders, customers, and the whole financial ecosystem. We will follow this path in line with our ESG strategy in the coming years. 

Environmental, Social, and Governance are no longer mere buzzwords. ESG has become integral to corporate strategy and operations. Companies are now under increasing pressure from regulators, investors, and the public to adhere to ESG standards. The role of in-house counsel in ESG and the implementation of the Corporate Sustainability Due Diligence Directive (CSDDD) requires a balance of legal expertise, strategic thinking, and proactive risk management.

As ESG and CSDDD continue to grow in importance, in-house counsel will play an increasingly critical role in ensuring that companies comply with these regulations. By staying informed, collaborating across functions, and engaging with stakeholders, in-house counsel can help companies navigate the complexities of ESG and CSDDD, emerging as leaders in this rapidly evolving field.

What are the key responsibilities of in-house counsel under ESG and CSDDD?

Advise on Implementation

In-house counsel must be deeply involved in both the company’s ESG strategy and the specific implementation of CSDDD requirements. This involves advising on the legal and business risks associated with ESG and CSDDD, ensuring the company’s goals align with the directive’s requirements, and helping integrate these considerations into business operations. In-house counsel must work closely with the departments involved in implementation, such as compliance, human resources, and sustainability to ensure that both ESG and CSDDD initiatives are legally sound and effectively implemented.

Navigate the Regulatory Landscape

The regulatory environment surrounding ESG, particularly with the introduction of CSDDD, is rapidly evolving. In-house counsel must stay abreast of these developments, ensuring that the company is compliant with all relevant regulations. This includes understanding the specific requirements of CSDDD, such as the need for comprehensive due diligence across the entire value chain, and advising on potential legal risks associated with non-compliance, including litigation and reputational damage.

Review the Contracts

Collaborate closely with various functions to incorporate precise ESG and CSDDD-related clauses into contracts, ensuring that the company not only meets but exceeds regulatory requirements. It is the in-house counsel who can reinforce the company’s commitment to sustainability and human rights, drive accountability across the supply chain, and mitigate potential legal risks associated with non-compliance.

Ensure Accurate Reporting

Transparency is crucial for ESG. In-house counsel plays a critical role in ensuring that the company’s ESG reporting and disclosures, including those required by CSDDD, are accurate, transparent, and compliant with regulatory requirements. This involves reviewing ESG reports and CSDDD-related disclosures, ensuring all statements are substantiated by evidence. In-house counsel must be aware of the risks of greenwashing (where companies make misleading claims about their ESG performance) and take steps to mitigate these risks by ensuring all ESG and CSDDD communications are honest and accurate.

Managing ESG and CSDDD-Related Risks and Litigation

As ESG and CSDDD issues gain prominence, the risk of related litigation increases. This includes lawsuits related to environmental damage, human rights violations, and corporate governance failures. In-house counsel must proactively identify potential ESG and CSDDD risks and develop strategies to mitigate them. This may involve conducting regular audits, implementing robust compliance programs, and advising on best practices for managing these risks. This also goes hand in hand with contractual safeguards and their effectiveness.

In-house counsel are currently navigating a steep learning curve to manage the expanding scope of ESG-related responsibilities. So, what practical tips can help them effectively handle these new challenges?

1. Invest in understanding the principles of ESG and the specific requirements of CSDDD. This may involve attending ESG and CSDDD-focused training programs, participating in industry forums, and staying updated with the latest developments in ESG and CSDDD law.

2. Make sure you hire a consultant you can rely on. ESG and CSDDD involve a complex set of rules. Do not miss the full picture and onboard an expert who would be able to help you navigate and find the right track.

3. Collaborate across functions. ESG and CSDDD are multidisciplinary issues requiring collaboration across different functions. In-house counsel should work closely with other departments to ensure a coordinated approach and leverage the expertise.

4. Engage with stakeholders, including investors, regulators, and customers. This is essential for ensuring that the company’s ESG and CSDDD strategies meet their needs. In-house counsel might be also a good fit to facilitate stakeholder engagement and ensure the company’s initiatives align with stakeholder expectations.

5. Monitor and adapt. Regularly review the company’s ESG and CSDDD strategies and make necessary adjustments to ensure continued compliance and alignment with business objectives.

Summing up, ESG is about corporate strategy, risk management, and reputation. Companies are expected to go beyond compliance to proactively manage their environmental and social impacts while ensuring strong governance practices. This shift has placed in-house counsel at the forefront of ESG strategies, requiring not only legal expertise but also a deep understanding of the broader business implications of ESG.  

By Pawel Borowski, Head of General Legal, Zentiva