Companies are increasingly putting whistleblowing policies and guidelines in place. It’s a great initiative, but where do you start? For many organizations, it's a new process and they are writing a whistleblowing policy for the first time.
Our goal is to help you understand what are the best practices in writing a whistleblowing policy. We'll walk you through what you need in your policy document and what sections you should have. Finally, we will wrap it up by providing you with some inspiration with a template you can use to kickstart your policy. Our objective with the template is that it reads easily and helps you clearly communicate your whistleblowing guidelines.
Step 1: Start With Your Purpose
The first section of your whistleblowing policy should focus on the big picture. Start with your overall goals and what you want to achieve through your whistleblowing program. Next, outline what conduct employees should report as well as who falls under your whistleblowing policy.
From the beginning, it is good to outline, in bullet points, the goals of your whistleblowing program. It’s a chance to clearly and concisely communicate what you want your program to achieve. Keep it short, make it very clear, and ensure these are very tangible goals. Examples can look like:
- Every employee should have the chance to speak up anonymously when they feel we are not adhering to our corporate values. They should have a place to report misconduct, every report will be heard and acted on, and we will make improvements based on the results.
- We believe everyone should be able to make reports anonymously. We commit to protecting informants' identities and they only need to reveal themselves if they choose to.
- We will investigate every report of misconduct. At the end of the investigation, we will document the results and provide feedback when appropriate.
The Commitment Of Your Organisation
Here is where you can communicate your organization's commitment to hearing from whistleblowers. You can tie this commitment together with your goals or keep it separate; it depends more on what you would like to say. Your commitment should focus on the broader, aspirational elements like “we believe all employees should be able to speak up”, “employees should feel safe in expressing their concerns”, “employees have a right to be anonymous”, and “employees will not face retaliation or abuse for providing their concerns”.
What Conduct Should Be Reported
When creating your whistleblowing guidelines, it’s important to identify what behavior you want employees to report. Some behaviors like theft, fraud, harassment, and discrimination are very clear-cut. Other behaviors, especially personal interactions, need a very clear description to aid employees. You want them to be able to easily identify whether something is misconduct or not.
A best practice is listing out the acts of misconduct you want employees to report. By providing examples of behavior, it helps employees better understand what to report. It's also helpful to identify behaviors that you don't consider misconduct. Examples of these could be feedback from management, general workplace interactions, complaints that are not actually misconduct, etc... It's up to you to determine what you want to be reported; just ensure your employees can understand it.
Who Falls Under Your Policy
You want to identify who inside and outside your organization will come under your policy. Typically all employees would come under it, but you also want to define if your policy covers other parties like contractors, partners, and former employees. If you have multiple business units or joint ventures, you'll want to define whether they come under your policy or a separate one.
Step 2: Follow With Your Process
After outlining the purpose of your whistleblowing policy, next comes the process of how an employee submits a report. If your purpose is the “why” and "what", then your process is the “how”. In this section, you want to clearly outline each step an employee will take and what options they have available along the way.
What Options Employees Have To Make A Disclosure
The first step is communicating how employees can make a report. A robust whistleblowing policy provides options for how to make a disclosure. Increasingly employees report through web and mobile-based whistleblowing software. Additionally, there can be a phone hotline, submission via email, and even submission through the post.
You will want to clearly outline your preferred channel for communication. Typically this is the one providing the most anonymity, which nowadays are web and mobile-based software that provides 2-way, anonymous communication. These platforms aid the informant and the organization in being able to ask questions and provide answers without revealing one's identity. It's also important to provide employees with additional options. By providing various communication channels, it allows them to choose the one they are most comfortable with. For Gen Y and Gen Z employees, this typically is via the web or their mobile phone. However, baby boomer employees might still feel more comfortable speaking with someone via a hotline.
Where Do Employees Make A Report
In many organizations, employees don't know where to make a report or disclosure. Your whistleblowing policy is one place (but not the only one) where you can communicate how and where to submit a report. If you use a web and mobile-based whistleblowing software, you can direct employees to a website to submit a report.
Your whistleblowing policy is where you make it clear on where to report, but don’t stop here. Your employees are overloaded with information and it's important to reinforce how they can make a report. This includes consistent messaging, management reinforcement, and educating new employees. Not knowing how to make a report is one of the biggest areas that hold employees back. Yet, it is also one of the easiest to fix - just focus on the communication of your whistleblowing program.
What Happens If They Choose To Remain Anonymous
Anonymity is a big part of any whistleblower policy. You want employees to know they are protected when they submit a report. It’s important to communicate what you will do to protect their identity. Many organizations use a web or mobile-based whistleblowing software to ensure anonymous communication. These platforms protect the informant's identity and allow for a 2-way conversation. They also take out identifying information like location or IP addresses.
It's important to note that the informant does not need to identify themselves when they make their initial report. However, it's prudent to mention that in some cases, an investigation cannot continue without knowing the informant's identity. Your whistleblowing policy should communicate this is ultimately the informant's choice. However, if they choose not to reveal themselves, there might be limitations on what you can do in your investigation, despite your best endeavors.
What Is The Investigative Process
In this section of your whistleblower policy, you outline the process your investigations will go through. Employees naturally will not know what steps you will take and how much time you need. Use your whistleblowing policy to set expectations and then over-communicate this during the investigation. If employees know what the process is and the steps you are taking, they will have more confidence in the ultimate result of the investigation.
The Use of 3rd Parties For Receiving Reports & Investigating
In your whistleblowing strategy, you will determine when and how you might work with a third party. Your policy should outline how you work with these third parties and in what instances you might utilize them. Examples of third parties can include:
- Web-based whistleblowing software
- Accounting firms
- Lawyers & legal firms
- Specialized investigative or forensic firms
- Hotline providers
- Human Resources consultants
If you are using a web-based whistleblowing software, it’s good to include it in your policy so your staff knows it's an independent provider. Employees are often confused and believe corporate IT runs the whistleblowing software. This confusion can hold them back from making reports as they're worried about anonymity.
Many organizations use third parties to do the triage of receiving and evaluating the initial reports. They also might conduct investigations as well as provide advice on particularly sensitive matters. Your whistleblowing policy doesn't need to identify every way you plan to engage with a 3rd party. However, it's a best practice to outline how you might engage with 3rd parties as part of your program.
Who Is Alerted About The Report
Your whistleblowing policy should identify who receives an alert when an informant submits a report. There can be different stakeholders depending on what type of misconduct is reported. For example, legal might handle a report about fraud. Vice versa, Human Resources will handle a report about sexual harassment. You do not need a detailed outline of who manages what, but it helps to provide a general context of who will be involved.
What Is The Process Of Updating The Informant
When you detail the investigative process, you should also outline how an informant is updated. Updates can include confirming you have received their report, timely updates on the investigation, and what they can expect at the end. Updates during the investigation don't need to be very detailed. The goal is to let the informant know the investigation is ongoing and you want to keep them updated.
Ensure you close the loop with the informant once the investigation is closed. Informants want closure and to understand what were the results. However, there will be much that you can't share due to privacy guidelines. Your whistleblower policy should outline what the informant can expect to receive at the end of the investigation. This helps set expectations and shows them the full process from the initial report to the final result.
What If The Informant Is Not Satisfied With The Result
When an investigation is complete, as mentioned above you should provide the informant with feedback. However, there is a chance they might not be happy with the results. Often, this happens when you can not confirm the claims they reported. In your whistleblower policy, you should provide the process where an informant can escalate their report.
It’s important to note that if an informant wants to escalate this, they typically would need to identify themselves. You need to clearly mention this in your policy, as well as the steps you put in place for an informant to escalate a report.
Step 3: Outline How You Protect The Informant After Reporting
All informants want to know how they will be protected before they make an anonymous report. Once they make a report, they especially want to know everything your organization is going to do to protect their identity and ensure they are not retaliated against. While your Whistleblower Policy will have already addressed anonymity, it’s in this section you discuss specific protections you provide an informant after they've submitted a report.
You will have already discussed anonymity in your whistleblowing policy. In this part of your policy, focus on how anonymity works after submitting a report. Examples can include:
- The informant has the right to remain anonymous and does not need to identify themselves at any time during the investigation process.
- You use tools and platforms that help protect their identity during and after submitting a report.
- At no time will the organization force the informant to reveal their identity.
- The informant can refuse to answer questions they feel could identify themselves.
- If the informant reveals themselves at any time, you will document who will have access to their identity. This can include the case manager, whistleblowing program owner, etc.
Ensure you address the situation when an informant is concerned staff, management, or the organization might retaliate against them. Document the steps you will take to protect an informant from direct retaliation due to making a report. These steps can include protection from:
- Being terminated or having their employment ceased.
- Performance management.
- Harassment on the job or workplace bullying.
- Warnings or disciplinary actions.
- Any other action that can be perceived as retaliation for making a report.
Considered Risk of Retaliation
Considered risk of retaliation is one step further than potential retaliation. Potential retaliation deals with what "could" happen. Risk of retaliation is what an informant expects will happen and the threat is imminent. Let employees know what you will do if this situation arises. Potential action to protect the employee could include them taking leave or being reassigned.
It’s worth noting that the organization might not be able to take action if the informant is still anonymous.
Already Retaliated Against
In this situation, the informant has already faced a form of retaliation due to their report. In many cases (but not all), retaliation has taken place before you could take action on the "considered risk of retaliation". When retaliation takes place, provide the contact details of whom the informant should contact.
Also, detail what protection you will provide. Protection can include putting them on leave, reassigning them, or some other action to provide them with protection.
Retaliation Not Adequately Resolved
Identify the escalation process if an informant feels they were not protected from retaliation. Provide the details of whom they should contact and the process for communicating this with your organization.
How Do You Deal With Retaliation
Up until this point we have dealt with retaliation aimed towards the informant. You should also outline how you handle the individuals who are doing the retaliating. Outline in clear language that they will face disciplinary action, including the potential to be terminated from their roles.
Separation Of Issues
You want to make sure you are able to separate any issues that might arise from being an informant with other work or performance-related issues. While you want to protect an informant from retaliation, you also want the informant to perform and be effective in their job. It's important that you can still raise any performance or contract issues with the informant. However, you will need to keep these issues separate from any reports they have made.
Protection & Immunity For Others
While typically one person makes an anonymous report, there are often others involved in the issue or incident. Many times they will be called on to tell their story and could also come under the threat of retaliation. Communicate that the same protections afforded to an informant also come to a witness as a result of their involvement in an investigation.
Legislative/Regulation Protection & Assistance
Many countries and jurisdictions have existing whistleblowing protection laws. In your whistleblowing policy, you should document the laws that exist in the countries you operate in. This can include linking to the relevant legislation. You should also confirm that your organization abides by all the existing whistleblowing regulations.
Step 4: Identify Key Roles & Responsibilities
It’s important to identify who in the organization owns your whistleblowing policy and program. This could be a dedicated whistleblowing team for larger organizations. Medium and smaller organizations might have whistleblowing in legal, compliance, or human resources.
As part of identifying the roles and responsibilities, you should state:
- What role or team owns the whistleblowing program at the organization?
- Who is the individual owner of the program?
- What are the individual roles in the program and what responsibilities does each role hold? Examples of this can be the program owner, day-to-day manager, case managers and investigators, etc.
- What team investigates anonymous reports and does that team change based on the type of misconduct being reported? An example could be that sexual harassment allegations are investigated by human resources, whereas fraud is investigated by legal.
- For global companies, is the whistleblowing program managed from the headquarters? Or are people involved across different regions and countries?
The goal of documenting your roles and responsibilities is to provide employees with clarity on who will be involved. For many organizations this is quite simple as the team is going to be small. For larger organizations, it helps to identify who is responsible and where they are located.
Step 5: And Finish With Governance
The last section will build on your roles and responsibilities and detail the governance of your whistleblowing program. Governance provides the link from the organization to your Board of Directors. It also outlines who is involved in setting and approving your whistleblowing policy.
Changes To Your Whistleblowing Policy
Document who is involved when you change your whistleblowing policy and who ultimately approves this. Your policy should also contain a changelog that outlines when there have been changes and who was the ultimate approver. You can include this in an appendix and it does not need to be in the main body of your policy.
Report To Your Board Of Directors
It's important to make sure there is a link from your whistleblowing policy to your Board of Directors. Provide details about how often you update the board what you update them about. If you have a larger board, identify which committee manages the whistleblowing program and its results.
The overarching goal of your whistleblowing policy should be to educate your employees on how to report misconduct. Walk them through your program and provide them with the details they need to understand the process. This includes knowing how to make a report and how you will protect them after they report. And remember, writing your whistleblower policy is just the first step. It needs to live and you have to consistently communicate it to your organization. Establishing an effective whistleblowing program is not a one-off activity - it's an ongoing effort.