Creating A Whistleblowing Policy: What, How And Why Now?

The EU Whistleblowing Directive will soon be transposed into national law and your business needs to be compliant. In order to fulfil the directive’s requirements, there are a host of systems and procedures you must have in place. A robust whistleblowing policy will help you stay on top of the new, more stringent requirements. 

The directive is clear on the importance of whistleblowers in preventing illegal activity. It states that: 

“Persons who work for a public or private organisation or are in contact with such an organisation in the context of their work-related activities are often the first to know about threats or harm to the public interest which arise in that context. By reporting breaches of Union law that are harmful to the public interest, such persons act as ‘whistleblowers’ and thereby play a key role in exposing and preventing such breaches and in safeguarding the welfare of society.”

For organisations within, or who operate in, European Union member states, these are the deadlines for implementing the directive:

1. What is a whistleblowing policy?

A whistleblowing policy is a set of procedures and standards set by an organisation in an internal mechanism to facilitate the reporting and investigation of wrongdoing within the business. It should encourage those with a genuine concern over information on criminal behaviour to feel confident in alerting the company. It should also inform staff that they will be protected from retaliation, their report will be taken seriously and action will be taken to uncover the truth. 

All employees should have access to the policy so that they understand the procedures they must follow when reporting incidents, their rights, including their right to confidentiality, what happens during investigation and how they are required to behave towards a reporting person if they know or suspect them to be a whistleblower. 

This is an example of a whistleblowing policy from international charity Sightsavers. 

2. Why create a whistleblowing policy?

2.1 Compliance

If you do not already have a whistleblowing policy in place, now is the time to implement one. The scope of the Whistleblowing Directive is such that it would be impossible to comply with it without one. In the legislation, it is stated that 

“legal entities in the private and public sector that have internal reporting procedures in place should be required to provide information on those procedures […] It is essential that such information be clear and easily accessible, including, to any extent possible, also to persons other than workers, who come in contact with the entity through their work-related activities.”

Your whistleblowing policy provides this information to your employees and keeps you in line with the directive. This helps prevent you from incurring the “effective and proportionate” sanctions for non-compliance. 

UK companies have to comply with the Public Interest Disclosure Act, which protects current employees who report fraud, illegality, criminal behaviour and other issues that they come across due to the circumstances of their work. 

2.2 Prevent criminality

PwC’s Corporate Crime survey found that “while professional auditors were only able to detect 19% of the frauds on private corporations, whistleblowers exposed 43%.” This shows the benefit of empowering employees to speak out and report corruption and violations to the company they work for without discrimination. 

The survey found that the “executives surveyed estimated that the whistleblowers saved their shareholders billions of dollars”. This goes to show there is a material benefit to having a clear, effective and encouraging whistleblowing policy. 

In addition, the prevention of criminality is important for business reputation and integrity, so anything you can do to promote the exposure of wrongdoing is beneficial too. The directive requires employers to do all they can to encourage whistleblowers to report internally in the first instance, which suits organisations, too. They can deal with the criminal activity in-house, rather than be exposed in an external body, such as the press or on social media.  

2.3 Create a supportive environment

With so many positive reasons to create a whistleblowing policy, it makes sense to use it to show how supportive you are of reporting persons. Employees that feel confident their employer will look favourably on their report, rather than seek to punish them for “causing trouble,” are clearly more likely to blow the whistle.

If your policy shows them the steps they need to take to make their report, this can also help to persuade them that it is the correct channel for raising concerns without the fear of victimisation.  

3. What to include in your whistleblowing policy

3.1 Scope of the policy

The scope of your whistleblowing policy should at least match the scope of the EU Whistleblowing Directive. This means that it not only applies to employees, but also to: 

• Employees
• Freelance workers
• Contractors
• Subcontractors
• Suppliers
• Shareholders
• People in management roles
• Former employees
• Prospective employees
• Volunteers and Trainees
• Agency workers
• Consultants

You should take this into consideration when deciding on your policy and where to display it or distribute it. 

3.2 Whistleblowing channels and systems

Your whistleblowing policy should set out which whistleblowing channels you have in place to enable people to make reports. There is also a range of different internal reporting systems to choose from. Deciding which ones you should implement depends on your business and its needs. 

They can either involve written or oral reporting, and you should also bear in mind how they help you meet with the requirements of the Whistleblowing Directive in terms of confidentiality and record-keeping, as well as remaining compliant with other pieces of legislation, such as the General Data Protection Regulation (GDPR).  

Some of the whistleblowing channels include: 

• Face-to-face meetings.
   These allow the interviewer to ask follow-up questions to flesh out the report but rely on accurate note-taking and impartiality. Anonymous reporting is not possible.
• Postbox. This works for reporting persons who are situated at an office but does not help remote workers. The chances of being seen whilst filing a report of impropriety are also high, which may discourage some whistleblowers.
• Telephone hotline. This is also good for being able to draw more information out of the reporter but must be staffed 24 hours a day, requires accurate note-taking and impeccable document filing, and makes anonymous reporting more difficult. It is also a challenge to run a confidential helpline in a smaller business where people know each other’s voices. 
• Digital whistleblowing systems such as IntegrityLog. It allows anonymous reporting and shows a dashboard with the status of each case. The system also notifies designated people when reports come in and when the legal deadlines are approaching, while preventing unauthorised access of information and storing data in compliance with GDPR. 

3.3 Roles and responsibilities

The directive requires “appropriate persons or departments” to receive and investigate whistleblowing reports, so this should be reflected in your policy. The legislation stipulates that the choice of persons to fulfil these roles and responsibilities should “ensure independence and absence of conflict of interest.” They should look into the credibility of the concern about unethical conduct. 

You could choose to have a separate person or department receive the report from those who investigate, or they could be the same. You should choose the option that works best for your organisation. 

3.4 Types of reports that can be submitted

The directive currently applies to breaches of European Union law, in the areas of:

• public procurement
• financial services, products and markets, and prevention of money laundering, terrorist financing and the financial interests of the EU
• product safety and compliance
• transport safety
• protection of the environment
• radiation protection and nuclear safety
• food and feed safety, animal health and welfare
• public health
• consumer protection
• protection of privacy and personal data, and security of network and information systems
• areas relating to the internal market of the EU, including breaches of state aid rules, competition laws and corporate tax

You might want to also encourage reporting of any breach of national law in your policy. 

Indeed, some nations are extending the scope of the directive as they implement it within their boundaries to include national law too, so you should make sure you check the legislation in your territory to ensure you meet the local requirements. 

3.5 How to submit a report

Knowing how to make a report of criminal activity is an essential part of a functioning whistleblowing system. This is why you should document the process and expectations in your policy. 

It should detail the choices that the reporting person has over the different channels, as well as how each works.

3.6 Procedure for handling reports

You should make sure the policy features the procedure that your company undertakes to process reports. This includes who receives the report and who investigates it. 

Additionally, you must lay out your deadlines for acknowledging the receipt of the report and for giving feedback to the reporting person. In line with the EU Whistleblowing Directive, the acknowledgement must come within seven days and you should follow up with the whistleblower, offering feedback within three months. However, these are minimum requirements and you can shorten these deadlines if you wish. 

3.7 Confidentiality and anonymity

You can choose whether to allow anonymous reporting of suspected wrongdoing if this is allowed in your jurisdiction. It is important to add this information to the policy. 

As noted in the directive, whistleblowers should be afforded confidentiality, as should anyone mentioned in their report who is accused or suspected of illegal behaviour. Employees should be aware of this so that they understand where they stand if they find themselves in either position as the safety of any individual must be maintained. 

3.8 Policy on retaliation

One of the main reasons behind the implementation of the directive was to prevent retaliation against whistleblowers. An aim of this policy should be to promote ethical behaviour and honesty over personal interests to prevent potential whistleblowers from staying quiet. There should be no fear of reprisal.

The directive states that:

 “Common minimum standards ensuring that whistleblowers are protected effectively should apply as regards acts and policy areas where there is a need to strengthen enforcement, under-reporting by whistleblowers is a key factor affecting enforcement.”

Retaliation, as described in the directive, includes dismissal, demotion, preventing promotion, harassment, disciplinary action and any other punishment relating to a report. Staff should know what protections and compensations are available if they experience bullying, as well as the sanctions the organisation will impose on anyone found to have carried out retaliation. 

4. Tips for creating an effective whistleblowing policy 

Effective whistleblowing policies: 

• Are easy to understand and clear in their intention
• Have defined aims and objectives
• Encourage positive behaviour
• Promote the benefits of a speak-up culture
• Pledge to commit to training employees
• Explain procedures simply
• Offer reassurance that there will be no retaliation 
• Show the organisation is committed to doing the right thing
• Provide a grievance procedure if the reporter is unsatisfied with the outcome.

5. FAQs

5.1 Who can be a whistleblower according to the EU Whistleblowing Directive? 

A whistleblower, or reporting person, is described as “a natural person who reports or publicly discloses information on breaches acquired in the context of his or her work-related activities” in the directive.

5.2 How are whistleblowers protected?

Your organisation should set sufficiently effective and proportionate sanctions in place to prevent retaliation against whistleblowers. Reporting persons should also have access to legal remedies and compensation if they feel that they have been unfairly targeted because of their report. 

6. Conclusion

The EU Whistleblowing Directive is almost here and brings with it a plethora of minimum standards. The role of a clear and effective policy is to explain how to make and handle reports, complaints or allegations of malpractice, how to prevent and report unethical behaviour or criminal offence. All of this is essential for meeting your legal obligations. That’s why, for European Union countries, or those that do business within the EU, a whistleblowing policy is a key element of the compliance programme.

If you want to make compliance easy and automate the processes for dealing with whistleblowing reports, IntegrityLog can help. Try it free here or request a 14-day free trial.

7. References and Further Reading

• More about IntegrityLog
• How To Choose An Internal Whistleblowing System
• All About The EU Whistleblowing Directive
• How To Encourage Whistleblowing 
• Whistleblowing examples
• EU Whistleblowing Monitor
• What the directive means for the United Kingdom
• WHO on whistleblowing and retaliation