Step 1: Separate the wheat from the chaff
First and foremost, you should identify reports that are not compliance-relevant or are even denunciatory. These types of reports do not require an investigation. Nevertheless, it is important to provide feedback to the whistleblower and, where appropriate, take action if an abusive report has been made that is clearly in breach of internal policies.
Step 2: Contact the whistleblower
Establish communication with the whistleblower as soon as possible. If the whistleblowing is not responded to within a few days, you risk employees losing confidence in your whistleblower system and its credibility being damaged. Ideally, develop a whistleblower feedback template in advance so that you can react to reports quickly. If a report doesn’t contain sufficient grounds to suspect actual misconduct, be sure to ask the whistleblower to provide more detailed information on the incident in question. Digital whistleblowing systems allow whistleblower communication by means of integrated mailbox functions.
Step 3: Get to the bottom of things
Internal investigations should be initiated promptly if there is sufficient evidence to indicate that a compliance violation has occurred. The bulk of the investigation generally consists of the evaluation of documents (including evidence received from the whistleblower), as well as interviews with employees and potential further discussions with the whistleblower. When doing this, make sure to comply with labor law, confidentiality and data protection requirements. Ideally, all relevant documents and investigation results should be saved in the secure Case Management area of your whistleblowing system.
Step 4: Take corrective measures
After the completion of any investigation, you will need to summarize results for management, including any corrective measures that have been taken or are planned. Sanctions and other processes should be transparently communicated within the organization. At the end of the investigation, close the incident in your Case Management system and anonymize any collected personal data, if necessary. For reporting and archiving purposes, all cases should remain within the whistleblower system.
To sum things up:
A comprehensive study on whistleblowing in European companies