Internal whistleblowing system
In 2018, EDF group updated its internal whistleblowing system, managed by the DECG, to bring it into line with all regulatory requirements and receive reports, submitted in good faith, on a secure and confidential platform:
- In accordance with the Sapin 2 law, the whistleblowing system is available to all Group employees in France and elsewhere (excluding subsidiaries operating in the regulated sector), as well as to any other temporary employee, to report breaches that could be considered:
  - a crime or offence;
  - a serious and patent violation of the law or regulations;
  - a serious and patent violation of an international commitment approved or ratified by France;
  - a serious violation of a unilateral action of an international organisation taken on the basis of an international commitment approved or ratified by France;
  - a serious threat or harm to the public interest;
  - a breach of the Ethics and Compliance Code of Conduct.
- To meet the requirements of the Duty of Care Law, EDF group's whistleblowing system is also available to third parties wishing to report the existence of risks or serious violations of human rights, fundamental freedoms, health and safety, and the environment, which may be attributable to activities of the company or companies under its control, as well as the activities of EDF group subcontractors or suppliers.
- Lastly, the Group's whistleblowing system also takes account of the requirements of Europe's General Data Protection Regulation (GDPR): security and confidentiality have been strengthened.
To meet all these requirements, EDF issued a tender and acquired a system that enables all employees and third parties to report cases within a completely secure environment, and guarantees the confidential processing of their data internally. The system is totally disconnected from the Group's information systems.
The input interface is a page of EDF's website(1), available 24/7 in several languages (French, English, Italian, Portuguese, Dutch and Mandarin Chinese) in France and elsewhere. Individuals wishing to report a breach can do so in the language of their choice. This system complies with local regulations in all countries where EDF group operates. The external whistleblowing system is ISO 27001 certified and has received the European Privacy Seal. It was audited by EDF's IT departments prior to being brought into service and is subject to regular intrusion testing.
To help people reporting breaches understand the process, the topics covered by legislation have been grouped together in the following categories: corruption, conflicts of interest, fraud, financial ethics, violations of competition law, international sanctions and controls on international trade, harassment and discrimination, human rights(2), serious damage to the environment, and personal data protection. The whistleblowing system also has a feature "Ask for advice/Exercise your personal data protection rights".
The whistleblowing system supports other channels for reporting breaches and is purely voluntary. The admissibility of a breach report is assessed based on the system's scope and the whistleblower's relationship with the Group. Admissibility is independent of the reality of the alleged facts and can only be confirmed once the report has been processed.
As part of the zero-tolerance policy, each report that is deemed to be valid is processed within the secure platform. The whistleblower may remain anonymous if the facts are found to be serious and the report is adequately detailed and accurate to confirm the facts described. The DECG provides regular reporting on the procedure. Whistleblowers in 2018 received a message within two working days acknowledging the alert reported. On average, reports were processed and closed within a 48-day period. A total of 81% of alerts were dealt with in the same year that they were reported. An action plan was drawn up by the management team of the entity concerned for every report deemed to be valid. This may involve corrective measures such as restructuring the team or imposing disciplinary sanctions, which can range from a warning through to the dismissal of an employee. In 2018, the DECG identified 76 reports submitted to the Group whistleblowing system: 12 requests for advice and 64 breach reports. Forty-four of these breach reports were deemed to be valid, of which 11 were made anonymously. The 44 alerts broke down by topic as follows:
[Table: alerts by topic; row label: Harassment and discrimination]
* The methodology changed in 2018.
In the "Other" category in 2018, alerts included two reports of data protection breaches, one report of serious harm to the environment and no reports concerning personal safety and human rights.
[Figures: Validity of reports in 2018; Whistleblower’s relationship to the Group; Geographical breakdown in 2018; Breakdown in 2018 by entity]
As part of the annual self-assessment of internal control, the DECG consolidates entities' responses in order to map ethics and compliance risks at Group level. The entities define a risk prevention and mitigation plan suited to their operating environment. In addition to that mapping, the DECG defined a special corruption risk map in order to comply with the Sapin 2 law. This map identifies and ranks the risks of exposure to corruption by business sector and by country. The Code of Conduct will be updated regularly in line with the Group's risk map.
Integrity checks on business relations
Integrity checks on business relations are the subject of a memorandum of instructions, which defines the third-party assessment procedures to be implemented before and throughout business relations. The type of controls is based on the level of risk presented by the third party. Entities are required to check the integrity of partners by assessing their intrinsic quality and the integrity of the business relations based on legal, economic and material factors. Entities must also check that partners meet compliance requirements throughout the duration of business relations. A tutorial on this issue is available to all employees on the Group's intranet.
The Group Accounting and Taxation Department carries out numerous controls in application of the anti-fraud memorandum of instructions and guide published in 2017. The control procedures defined for the various processes (purchasing, sales, treasury, HR, inventory assets, accounting, etc.) meet the objectives of the Sapin 2 law. These procedures include 70 random or automatic checks, 23 of which concern accounting processes. No known fraud relating to corruption has been reported in recent years by the accounting department following controls or voluntary reports.
The Group Ethics and Compliance Division develops prevention and training programmes and provides programme implementation tools for all employees, including awareness videos. It coordinates a network of professionals in the various entities and has a dedicated community on the Group intranet. DECG training includes a Corruption Risk Prevention programme, which meets the requirements of the Sapin 2 law. Initially for senior managers in 2016, it was extended to all potentially exposed managers and employees in 2017 and 2018. At the end of 2018, 8,556 employees had successfully completed the anti-corruption training programme.
The DECG also provides general classroom training for some potentially exposed employees (e.g. subsidiary management and contract managers), along with special training programmes on, for instance, the whistleblowing system and how reports are processed with its Ethics and Compliance Officers.
In accordance with the Sapin 2 law, any violation by employees of rules set out in Chapter 3 of the Group Ethics and Compliance Code of Conduct could lead to disciplinary sanctions. The sanctions are defined in article 6 of the Statut des Industries Électriques et Gazières (Statutes for Electricity and Gas Industry employees) and the French Labour Code.
Internal control and assessment measures
To ensure that the measures implemented to prevent or detect any breach of ethics or compliance are both appropriate and effective, the DECG uses results from the annual internal control self-assessment to determine how much of the GECP and anti-fraud compliance programme has been rolled out.
The control and assessment measures are strengthened by regular internal audits of entities and subsidiaries, creating a continuous improvement loop.
(2) These are violations of human rights (child labour, forced labour, freedom of association and collective bargaining, use of force, local community rights and decent work).