How to Set Up a Process for Whistleblowing

By Matt Kelly

Our last several posts have talked about whistleblower programs: the fundamental need for them, and what compliance officers should consider before putting a program into place. Today let’s take this subject to its next logical step.

How should a corporate compliance officer set up a process for whistleblowing? What protocols should a business have in place so employees (or other whistleblowers) can submit complaints? How should the company handle a complaint after it’s received?
All those questions, and many more, need thoughtful consideration if you want a robust whistleblower program — one that will pass muster with regulators evaluating your compliance program and deliver the benefits that a strong speak-up culture can bring to a business.

Refresher: Why You Need a Process for Whistleblowing

Many businesses need to implement a whistleblower program because the programs are required by one or more laws that the business operates under. That is, even before considering all the other benefits a strong whistleblower system can bring, your business most likely must implement an internal reporting hotline of some kind. You have no choice.

For example, companies that trade on U.S. stock exchanges must offer an internal reporting hotline to comply with the Sarbanes-Oxley Act or the Dodd-Frank Act. Government contractors must operate a whistleblower program to bid on various federal or state contracts. The European Union’s Whistleblower Protection Directive will be the law of the land by the end of 2021, and most EU member states have their own whistleblower law in place already.

Even if your company has no legal requirement to implement a whistleblower program, or simply to have a process for whistleblowing, having such a program makes good business sense anyway.

Academic research shows that a business receiving more internal reports actually performs better on a host of performance metrics than peer companies receiving fewer reports. More internal reporting correlates to fewer material lawsuits, smaller legal settlements, fewer bad headlines in the press, and even higher return on assets (a measure of how efficiently a company wrings profit from its operations).

Conversely, a business that runs a weak whistleblower program — or worse, doesn’t have one at all — is courting all manner of grief. Employees might take their grievances to regulators or social media, leaving your company exposed to costly investigations and reputational harm. Worse, when you try to settle any regulatory investigation into corporate misconduct, the lack of an effective whistleblower program will mean steeper financial penalties or criminal charges.

Who Counts as a Whistleblower?

Almost anyone can count as a whistleblower. One good definition comes from the National Whistleblower Center, which defines the term as broadly as possible: “A whistleblower is someone who reports waste, fraud, abuse, corruption, or dangers to public health and safety to someone who is in the position to rectify the wrongdoing.”

By that definition, whistleblowers could be current or former employees; third parties working on your company’s behalf (overseas sales agents, for example, or employees of franchisees to your corporate business); and even customers or suppliers. Whistleblowers can also be any level of employee. Some very senior executives (chief auditors, compliance officers, vice presidents of sales, and so forth) have blown the whistle on misconduct at their own businesses, often by taking their concerns directly to regulators.

The crucial point for corporate compliance programs is to understand when someone becomes a whistleblower and anti-retaliation protections start to apply.

Technically, a person becomes a whistleblower only when he or she follows the whistleblowing procedures outlined in a specific whistleblower statute — and the United States alone has dozens of whistleblower protection statutes. At a practical level, however, compliance officers should assume whistleblower protections begin as soon as someone submits a report to your internal hotline.

After all, whistleblower complaints and retaliation can disrupt your organization in all sorts of ways, from unfavorable press headlines to internal dissension among employees. (Plus the risks and costs of formal investigations and regulatory settlements.) Sparring over precisely when someone became a whistleblower is unlikely to be worth the costs, compared to the simpler strategy of taking the complaint seriously and refraining from any retaliation.

Important Questions for a Robust Process for Whistleblowing

Compliance officers should have clear, thorough answers to three questions as they implement their whistleblower program.

How would a whistleblower submit a complaint?

A robust whistleblower program should allow people to submit complaints through multiple channels. These can include a telephone hotline, web submissions, or even a suggestion box nailed to the factory wall.

Two things matter for compliance officers. First, the procedures to submit a complaint should be written down, and then disseminated to employees through training materials or the corporate handbook (with attestations from employees that they received those procedures and understand them). Second, the procedures should also be accessible to employees, so that they can submit complaints. For example, don’t rely only on email submissions if your employees work in factories or low-income regions where few of them might have access to a computer.

How would whistleblower complaints be addressed?

Your business should also have written policies and procedures about how to review and investigate a complaint once it’s received. For example, someone should first triage the complaint to understand its nature and severity, and then direct that complaint to an appropriate person for investigation. HR might handle complaints about workplace bullying by a mid-level manager; outside counsel and the board should handle complaints about accounting fraud committed by the CFO.

A full discussion of investigation protocols is beyond the scope of what we can discuss today. Suffice to say, a written set of policies and procedures to handle complaints is crucial, to assure that each allegation receives the proper attention.

How would retaliation be handled?

You should also have written policies and procedures for complaints of whistleblower retaliation. The most important step is to adopt a policy warning employees that retaliation is not acceptable, and that they can face disciplinary action if they retaliate against an employee; then follow up with training and executive communications so that employees understand their obligations.

The compliance, HR, and legal teams should also have their own policies about how to investigate and resolve retaliation complaints. For example, you should have policies about when to keep an accuser and accused separate from each other, and when someone accused of retaliation should be suspended with (or without) pay. You will also need standards for how much evidence to gather, when to take disciplinary action against an offender, and how to document conclusions that retaliation did not happen.

Simplifying the Implementation of a Whistleblowing Process

Planning and patience are fundamental to the successful implementation of a whistleblower program. Along those lines, then, consider several steps to make your implementation process easier.

Begin with a risk assessment and written policies. That is, understand which whistleblower laws apply to your business, what those laws require, and what policies you should draft to meet those compliance obligations. It’s important to do this first so that the technology you use can serve your compliance obligations — rather than falling into the trap of letting the limits of your technology dictate what your compliance program can or can’t do.

Select a whistleblower vendor wisely. We have written before on this blog about how to select a whistleblower vendor, and won’t rehash those details here. Suffice to say that you should strongly consider outsourcing your whistleblower program, so that your business can (1) rely on the vendor’s expertise in setting up intake systems and fielding calls to the hotline; and (2) have an extra degree of independence and objectivity when receiving complaints, since the vendor is removed from your internal operations.

Focus on training and messaging. For a whistleblower program to succeed, employees need to trust it. So invest in training and messaging to various groups — employees making calls, managers who might be the subject of complaints, executive leaders who can drive a speak-up corporate culture — to show each one that a robust hotline is a good thing for the business, not a threat.

The actual implementation of a whistleblower system can be tedious, and almost anticlimactic. The more important point for compliance officers is to consider how you can make your whistleblower program a success — how to put it to work, and leverage it for better business performance (and regulatory compliance across the enterprise).

Succeed on that front, and you’re driving corporate compliance into the heart of the business and making your whistleblowing program a strategic advantage. That’s what you want.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.
