What should the ideal whistleblowing policy include?

How to create a whistleblowing policy that builds trust and encourages a culture of integrity.
Moritz Homann

Whistleblowers can bring enormous benefits to a business. But by speaking up about potential misconduct or wrongdoing in the workplace, they often risk their career and livelihood, as high-profile cases around the world continue to show. As a result, many countries have now recognised the need to protect such individuals from retaliation and are introducing or expanding their whistleblower protection legislation. This means that organisations may need to draw up or amend their whistleblower policies and procedures to ensure that they fully comply with the law.

Whistleblowing policy

When do you need a whistleblower policy?

Globally, the type of legal protection offered to whistleblowers is still quite fragmented. Across the European Union, however, thanks to the European Whistleblower Protection Directive, the situation has become more harmonised. Despite numerous delays, member states have now largely enacted their own national laws in line with EU requirements. All organisations operating in the EU with 250 or more employees were the first to be required with the new legislation while it was later extended to those with 50 or more members of staff. 

Clearly, any UK companies with operations in the EU also need to comply with the bloc’s new legal standards. For companies that operate solely in the UK, national laws, such as the Public Interest Disclosure Act 1998 and the Employment Rights Act 1996, already provide extensive whistleblower protection. However, public disclosures in the UK may result in a loss of protection.

Wherever your company operates, compliance professionals need to be familiar with local legislation to be in a position to design a whistleblower protection policy that is fit for purpose. Given the disparities across different jurisdictions, is there a single whistleblower policy that might work for global organisations?

Only if you apply the strictest of standards wherever your organisation works in the world.

What is the purpose of your whistleblower policy?

Irrespective of any legal requirements, the main purpose of a whistleblower protection policy is invariably the same across the globe. Its goal is to cultivate a culture of integrity within an organisation. Full transparency is essential for individuals to put their trust in such a policy.

An effective whistleblowing policy builds trust by…

In a nutshell, a whistleblower policy should promote a commitment to ethical behaviour and encourage a culture where wrongdoing is safely reported at an early stage.

What should a whistleblower policy include?

Many whistleblower policies will need to include the same basic information.

Who is a whistleblower and who is protected?

Any whistleblower policy needs to explain what is meant by “whistleblower”. Typically, it is someone who speaks up about suspected wrongdoing that they reasonably believe is in the public interest.

Under EU law, your policy will need to protect your employees and former employees, as well as interns, the self-employed, employees of a supplier and business partners who work with your organisation. Even third parties who are closely connected to the person reporting the misconduct have to be protected — and this includes family members.

What are valid whistleblowing concerns?

Your policy should leave no doubt as to the kind of whistleblower reports and concerns that are covered by whistleblower protection legislation. Generally, whistleblowers are legally protected if they act in the public interest and disclose any information related to corrupt, fraudulent, hazardous, or illegal activities.

The areas covered typically include:

What whistleblowing is not

Reports of personal grievances, such as harassment or bullying, are not generally covered by whistleblower protection legislation and this needs to be clear in your policy. Organisations should therefore set up formal employee grievance procedures for such issues to remain separate from your whistleblowing procedures.

Reporting options: internally, externally and to the media

Your policy needs to outline your legal obligations regarding reporting procedures. In the EU, for instance, companies are obliged to…

The EU Directive actively encourages internal reporting of misconduct first. However, if your internal reporting mechanisms do not result in a speedy and appropriate resolution of a case, the EU whistleblower protection legislation allows an individual to take their concerns to the relevant authorities — and still be legally protected from retaliation. An individual can turn to the media as a final resort and will still be protected from reprisals under EU legislation. You need to inform whistleblowers of such options in your policy.

Obviously, it is generally neither in a company’s nor in an individual’s interest for a whistleblower report to go first to the authorities or to the press. To avoid such scenarios, it’s essential for companies to set up appropriate reporting channels.

What kind of internal reporting channels are necessary?

Given the legal provisions, organisations need to provide and promote safe and secure internal channels for people to report misconduct in their workplace. You will need to clarify what they are in your policy.

At a minimum, this will require:

What is clear is that anonymous reporting is already, or will become, a common key feature of any whistleblower policy or reporting mechanism. Why protect the anonymity of whistleblowers? A major barrier to people coming forward when they witness corruption or misconduct is the fear of exposure and retaliation. For this reason, EU legislation requires that organisations set up reporting channels that allow for confidential reporting. The identity of the whistleblower — or the people implicated in any whistleblower reports — may not be disclosed without explicit consent of the individuals involved.

The key to success: communication

What should you do when there are legal constraints that prevent you from disclosing the exact outcome of an investigation? Even in such instances, it’s crucial to provide at least a minimum of feedback to the whistleblower. Your policy should outline what you can and cannot communicate.

One option is to publish anonymised reports at regular intervals to inform staff and the general public about any whistleblowing incidents in your organisation and their outcomes. Your policy should indicate where such reports can be found.

Ultimately, the more transparent you are, the more likely people will understand the legal restrictions in place, trust your policy and therefore speak up. An effective whistleblower policy can only succeed if people are aware of it and feel it can be trusted.

Guide to the Introduction of Whistleblowing Systems

How to successfully implement a whistleblowing system in your organisation.

Share this blog post on

Moritz Homann contact image | integrityline.com
Moritz Homann
Managing Director Corporate Compliance | EQS Group
Moritz Homann is responsible for the department of Corporate Compliance products at EQS Group. In this function, he oversees the strategic development of digital workflow solutions tailored to meet the needs of Compliance Officers around the world.