
What to Consider Before Setting Up a Whistleblower Program

In a previous post about whistleblower programs, we explored why a strong whistleblower program and culture of internal reporting are so important for corporate organizations.

Today let’s assume that you presented those arguments to your board, which promptly agreed that the business should implement a whistleblower program as soon as possible. So what happens next? What should a compliance officer understand before setting up a whistleblower program?

These are important questions to answer before you get started. Navigating the requirements of whistleblower protection laws can be difficult, especially for global organizations that are subject to different laws in different countries. A compliance officer also needs to consider nuances of corporate culture and executive messaging, as well as technical issues like data analytics and reporting.

Miscalculate on any of those issues, and you’re setting up your program for failure. So what should a compliance officer consider today, to avoid such mistakes tomorrow?

Key Elements of a Whistleblower Policy

Your whistleblower policy should include several points.

  • Why the policy exists. Stress that your business wants employees to speak up about misconduct they see, since management is eager to address those concerns and run an ethical operation that stays on the right side of the law. If you have a mission statement that proclaims the company’s ethical priorities (you should), cite them here.
  • What should be reported. Give examples of misconduct and other concerns that should be reported: corruption, labor law violations, discrimination, harassment, financial fraud, anti-competitive behaviors, and so forth.
  • How to submit a report. Explain the various mechanisms that employees (and third parties) can use, such as an internal hotline, online submissions via email or an app, or even just a suggestion box nailed to the wall. Stress that anonymous reports are always welcome, and that the more information an employee can provide, the better.
  • The importance of anti-retaliation. Your whistleblower policy should also stress that retaliation against whistleblowers is not allowed, and counts as a separate offense that whistleblowers or others can also report, in addition to the underlying misconduct. (Your anti-retaliation statements here are separate from any other anti-retaliation policies or training you might have for managers specifically.)

Whistleblower Protection Laws

Whistleblower protection laws already exist in abundance in the United States and are proliferating in other countries around the world as well.

The laws in the United States often work by prohibiting a certain type of conduct and including language to specify that employees reporting such misconduct should not suffer retaliation. That’s how laws such as the False Claims Act, the Sarbanes-Oxley Act, the Anti-Money Laundering Act, the Food Safety Modernization Act, and numerous other statutes work. Other laws, such as the Criminal Antitrust Anti-Retaliation Act, address whistleblower retaliation directly. ( has a list of more than 20 federal statutes that include whistleblower protections.)

Individual states within the United States also have their own whistleblower protection laws, or a “public policy exception” to state labor laws that lets employees file wrongful termination lawsuits if they believe they’ve suffered retaliation.

Whistleblower protection laws are less developed in Europe, and the ones that do exist can be more complicated because the European Union also extends more privacy and labor protections to employees than what exists in the United States. But momentum is building toward more protections, evidenced by the forthcoming EU Whistleblower Directive.

That directive, which EU member states must implement by the end of 2021, establishes an EU-wide standard for whistleblowers reporting misconduct either to regulators or their employers. It also requires businesses with 50 or more employees to operate internal reporting mechanisms, which must allow for anonymous reporting and be available in local languages that employees use on the job.

The practical reality for large organizations is simply this: you must operate a whistleblower program and work to prevent retaliation against whistleblowers. The chances that you aren’t subject to at least one relevant whistleblower law are vanishingly small.

Indeed, one first step in building a whistleblower program should be a review of your organization’s operations to understand how many whistleblower statutes do apply to the business; in all likelihood, it will be covered by numerous statutes. The same fundamentals will exist across all those laws (offering anonymous reporting channels, protecting whistleblowers, encouraging a speak-up culture), but your policies, procedures, and training may need some fine-tuning from one jurisdiction to the next.

Whistleblowing Ethics

Compliance officers should also consider the “ethics” of whistleblowing. That is, you need to convince managers and employees alike that whistleblowing is a good thing.

Some of that message should come from senior executives, who can talk in broad terms about the company’s desire to know what’s going wrong at the business so they can fix the problems. Middle managers and department heads should also receive training on how to talk about speaking up and how to recognize retaliation (with a clear warning that anyone who tolerates retaliation against whistleblowers will suffer disciplinary repercussions themselves).

Bringing about this culture change is important. Without it, your whistleblower policies, procedures, and systems will never achieve their full potential. The return on investment in your whistleblower program can be substantial, if you shift the corporate culture to see whistleblowing as a good, ethical thing, rather than a bad thing.

How Software Can Help With a Whistleblower Process

Given all these challenges with whistleblower programs — the specific requirements of various laws, the need for confidentiality, the multiple intake channels you should have, the need to categorize different types of complaint so you can leverage that insight, and much more — one other truth about whistleblower programs stands out.

Compliance officers need technology to do this effectively.

First, technology can help with those reporting channels; plenty of employees are happy to submit internal reports via email, web forms, or an app, and software can manage that first intake. Configured properly, the technology can also help route complaints to the proper people for investigation and provide data analytics so that you, in the chief compliance officer’s chair, can see what issues are most on the mind of your workforce.

Second, whistleblower technology can help to keep an internal reporter’s identity secret by segregating that specific point of data from the rest of the complaint, and restricting access to only a privileged few who truly need to know the name. As elementary as that step may sound, it’s crucial to get right; fear of exposure and retaliation is one of the primary reasons that employees don’t report misconduct.


To repeat what we said in our previous post: an effective whistleblower program and a strong culture of internal reporting can help any business — large or small, public or private, U.S. or international. The benefits of setting up a whistleblower program are universal.

That said, establishing your program requires planning and deliberation. Understand which laws apply to your business, craft a policy that includes all the right elements, and use technology to leverage the program’s reach and efficiency.

Then your enterprise will be able to foster trust among employees and harness their desire to see your organization succeed. That’s what a good ethics and compliance program is all about.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.
