One of the greatest threats to any organization is the "rogue" employee who — for reasons of need, greed, threat or manipulation — finds themselves undertaking actions that are inappropriate, disreputable, dishonest or criminal, including fraud. If the rogue has a high level of authority, the risks are significantly increased.
Of course, none of us want to think that the man or woman next to us, whom we might deal with on a regular basis, is performing insidious acts. There can be a real fear of disclosing our concerns in case we are wrong, and destroy our relationship with the alleged perpetrator or others around us. We may even fear being victimized by others, and damaging our career prospects, especially if the perpetrator is in a position of authority.
Changing organizational culture to promote healthy challenge without retribution has long proven difficult. The Jimmy Savile review concluded that the BBC had for decades operated a culture within which certain practices, however distasteful or illegal, were tolerated because to challenge them would have been considered foolhardy and career-limiting. But the failure to redress the cancerous situation has, in the long run, blighted not only the BBC's reputation and destroyed the lives of victims.
Whistleblowing, or public interest disclosure, has become de rigueur in recent years for organisations keen to promote openness and honesty, whilst also preserving the rights - and in some cases the anonymity - of an employee who has concerns about the conduct of those about him. The problem is in determining what to do with intelligence that is passed on: who to trust, how to investigate inclusively, what action to take in mitigation, etc. Many organizations are still not doing a great job in managing these internal revelations.
Countless whistleblowers have found themselves the subject of criticism, ridicule, harassment or even dismissal because of their decision to disclose on others. Yet more have seen their disclosures fail to be investigated thoroughly enough, leaving perpetrators in office and untouched. This suppresses other disclosers who feel that "nothing will be done". That cannot be allowed to continue.
In a fraud management context, I have often indicated that the only way to know whether a transaction is or is not fraud is to ask someone who is directly involved in the transaction: the customer (preferably), but in certain instances the criminal (who may be foolish or brazen enough to admit their misdemeanour) or someone who witnessed what truly happened (this could be a merchant who has seen suspicious behaviour on their site). People are part of the layered defence that helps us assure that the criminals are challenged and prevented from realizing the proceeds of crime.
Across sectors, we fail to take account of people and their views at our collective peril. A whistleblowing policy is an important step to embracing internal information about potentially damaging insider acts, but the effective maintenance and fulfilment of whistleblowing processes and investigations are also crucial.