The Parliament of Australia defines whistleblowing as the ‘disclosure by organisation members (former or current) of illegal, immoral or illegitimate practices under the control of their employers, to persons or organisations that may be able to effect action’. Meanwhile, the EU Whistleblower Directive defines a whistleblower as someone who reports breaches of Union law that are harmful to the public interest.

Internal whistleblowing occurs when an individual reports suspected misconduct up the chain of command at the person’s workplace. Whistleblowers are vital for maintaining an open, transparent, and honest workplace, as they expose misconduct or hidden threats.

Employers are obligated to act when an employee’s actions are disruptive to the workplace, and when their actions prevent others from fulfilling their duties, including whistleblowing. Inadequate handling of these cases can incur serious reputational, legal and civil liability.

Here are important tips and things to consider when handling internal whistleblower cases:

1. Provide Anonymity

Anonymity is critical in internal whistleblowing case management.

For example, under the Australian Treasury Laws Amendment (Enhancing Whistleblower Protections) Act, whistleblowers have a right to make anonymous disclosures and to have their identity protected. Many other jurisdictions have similar protections.

Whistleblowers are able to submit reports either in writing via an online system, a mailbox or by post and/or orally via a telephone hotline or answering machine system. Companies are also obliged to offer a personal meeting upon request.

Regardless of which reporting channel is used, companies must ensure that the identity of the whistleblower is kept confidential.

2. Selecting a person to handle the report

The first step is to determine the “most suitable” person to receive and follow up on reports internally.

Individuals in a wide range of roles are designated as ‘eligible recipients’ for whistleblowing disclosures. This includes directors, officers, senior managers, actuaries and members of an audit team (both internal and external audit).

According to the EU Whistleblower Directive, this could be a:

  • Compliance officer
  • Head of HR
  • Legal counsel
  • Chief Financial Officer (CFO)
  • Executive board member or management

Companies can also outsource the processing of reports, for example to an external ombudsman.

3. Create a diverse team

A wide scope of matters may be reported. This includes matters that breach the law, as well as any “misconduct or improper state of affairs or circumstances”, including in relation to the tax affairs of the company.

Therefore, it is critical that the team can handle all sorts of cases. It is advisable to have representatives ranging from your Legal, Compliance, HR and Ethics departments to Corporate and IT Security.

4. Know your obligations

Individuals in a wide range of roles could be involved in the handling of a whistleblowing case. In order to avoid potential liability, these individuals need to understand their obligations under the law, particularly in relation to protecting the identity of anonymous whistleblowers.

A fair and thorough investigation can protect companies and individuals from long-term risk.

5. Be Responsive

Conducting the investigation in a timely and thorough manner is critical to a whistleblowing case. According to the EU Whistleblower Protection Directive:

  1. The company is obliged to confirm receipt of the report to the whistleblower within seven days.
  2. Within three months, the whistleblower must be informed of any action taken, the status of the internal investigation, and its outcome.

6. Be Fair and Impartial

Consider all relevant evidence with impartiality, and give the parties the opportunity to respond to any key evidence or documents that arise during the investigation.

It is considered best practice for the decision-maker, with regard to any outcomes, penalties, and so on, to be a different person from the investigator.

7. Practice Open Communication

Communication is critical at all times. At the outset of the investigation, steps and processes should be clearly communicated.

During the investigation, the discloser should receive updates and, upon request, any further information.

After the investigation, the whistleblower should be informed of the outcome including steps taken as a result of the case.

8. Data Storage

All reports received must be kept in a secure location, whether electronic or physical, so that they can be protected from deletion or tampering, and used as evidence where appropriate. 

9. Duty of Information

Companies are required to provide information on their internal reporting process as well as on the reporting channel(s) to relevant regulators. They are also required to provide information on how to access their reporting process to employees as well as suppliers, service providers, and business partners.

10. Refer to laws and guidelines

The investigation must be conducted in alignment with the company’s whistleblowing policy guidelines, as well as federal and state laws. If you operate in multiple jurisdictions there may be minor technical, or substantive, differences in reporting and handling requirements, so make sure you have local expertise available in each jurisdiction.

11. Produce a clear and insightful report

Following the investigation, the investigator should create a report detailing any lessons learned from a whistleblowing incident, as well as documentation of any changes to the compliance management system as a result of the incident. This report is crucial for building trust in the effectiveness of the overall system of whistleblower protection, and it reduces the likelihood of further risk.

Ways Forward

Although handling an internal whistleblowing case is a delicate matter, if done properly, it can hold many benefits for individuals and organizations. It can uncover and address dishonesty and dangerous workplace practices, which can protect companies and employees from long-term risk.

How we can help with whistleblower investigations

Security and anonymity are your primary concerns when handling whistleblower cases, as opposed to other internal investigations. Polonious’ ISO27001 certified security ensures your evidence and case files are stored securely, while our detailed security configuration ensures you can keep whistleblowers fully anonymous, or known only to an external or internal whistleblower team, depending on the level of anonymity requested. Once you have ensured the anonymity and security of a whistleblower disclosure, it’s important to follow best practice standards of investigation, which we cover in other blogs such as this one on procedural fairness. Polonious’ configurable workflows ensure a fair, consistent, and compliant process for all internal investigations.