
What should the ideal whistleblowing policy include?

How to create a whistleblowing policy that builds trust and encourages a culture of integrity. 

Moritz Homann

    Whistleblowers can bring enormous benefits to a business. But by speaking up about potential misconduct or wrongdoing in the workplace, they often risk their career and livelihood, as high-profile cases around the world continue to show. As a result, many countries have now recognised the need to protect such individuals from retaliation and are introducing or expanding their whistleblower protection legislation. This means that organisations may need to draw up or amend their whistleblower policies and procedures to ensure that they fully comply with the law.

    When do you need a whistleblower policy?

    Globally, the type of legal protection offered to whistleblowers is still quite fragmented. Across the European Union, however, thanks to the European Whistleblower Protection Directive, the situation is about to become more harmonised. Essentially, all EU member states are required to transpose this Directive into robust local whistleblowing legislation by 17 December 2021.

    The key requirements:

    • From 17 December 2021, all organisations operating in the EU with 250 or more employees will be required to be compliant with the new legislation.
    • From 17 December 2023, the law will extend to all organisations with 50 or more employees.


    However, the Directive sets only a minimum standard for whistleblower protection. Each member state is at liberty to enforce stricter regulation if it so wishes. At the moment, it is unclear which countries will choose to do so.

    Clearly, any UK companies with operations in the EU will also need to comply with local legislation. For companies that operate solely in the UK, national laws, such as the Public Interest Disclosure Act 1998 and the Employment Rights Act 1996, already provide extensive whistleblower protection. However, public disclosures in the UK may result in a loss of protection.

    Wherever your company operates, compliance professionals need to be familiar with local legislation to be in a position to design a whistleblower protection policy that is fit for purpose. Given the disparities across different jurisdictions, is there a single whistleblower policy that might work for global organisations?

    Only if you apply the strictest of standards wherever your organisation works in the world.

    What is the purpose of your whistleblower policy?

    Irrespective of any legal requirements, the main purpose of a whistleblower protection policy is invariably the same across the globe. Its goal is to cultivate a culture of integrity within an organisation. Full transparency is essential for individuals to put their trust in such a policy.

    An effective whistleblowing policy builds trust by…

    • Educating staff and other third parties on company standards.
    • Providing clear guidance on the whistleblowing process.
    • Explaining how to raise a concern.
    • Defining the types of concerns that can be raised.
    • Outlining any legal protections or restrictions.


    In a nutshell, a whistleblower policy should promote a commitment to ethical behaviour and encourage a culture where wrongdoing is safely reported at an early stage.

    What should a whistleblower policy include?

    Many whistleblower policies will need to include the same basic information.

    Who is a whistleblower and who is protected?

    Any whistleblower policy needs to explain what is meant by “whistleblower”. Typically, it is someone who speaks up about suspected wrongdoing that they reasonably believe is in the public interest.

    Under EU law, your policy will need to protect your employees and former employees, as well as interns, the self-employed, employees of a supplier and business partners who work with your organisation. Even third parties who are closely connected to the person reporting the misconduct have to be protected — and this includes family members.


    What are valid whistleblowing concerns?

    Your policy should leave no doubt as to the kind of whistleblower reports and concerns that are covered by whistleblower protection legislation. Generally, whistleblowers are legally protected if they act in the public interest and disclose any information related to corrupt, fraudulent, hazardous, or illegal activities.

    The areas covered typically include:

    • Accounting fraud
    • Bribery and any form of corruption
    • Corporate tax evasion
    • Money laundering
    • Financing of terrorist organisations
    • Environmental damage
    • Breaches of food and product safety regulations
    • Breaches of public health and safety regulations


    What whistleblowing is not

    Reports of personal grievances, such as harassment or bullying, are not generally covered by whistleblower protection legislation, and this needs to be clear in your policy. Organisations should therefore set up formal employee grievance procedures so that such issues remain separate from their whistleblowing procedures.

    Reporting options: internally, externally and to the media

    Your policy needs to outline your legal obligations regarding reporting procedures. In the EU, for instance, companies are obliged to…

    • Acknowledge receipt of a whistleblower report within seven days.
    • Provide prompt and appropriate feedback on the report during the investigation.
    • Conclude the investigation and provide a final follow-up within 90 days of the filing of the report.
    • Maintain diligent and secure record keeping.


    The EU Directive actively encourages internal reporting of misconduct first. However, if your internal reporting mechanisms do not result in a speedy and appropriate resolution of a case, the EU whistleblower protection legislation allows an individual to take their concerns to the relevant authorities — and still be legally protected from retaliation. An individual can turn to the media as a final resort and will still be protected from reprisals under EU legislation. You need to inform whistleblowers of such options in your policy.

    Obviously, it is generally neither in a company’s nor in an individual’s interest for a whistleblower report to go first to the authorities or to the press. To avoid such scenarios, it’s essential for companies to set up appropriate reporting channels.

    What kind of internal reporting channels are necessary?

    Given the legal provisions, organisations need to provide and promote safe and secure internal channels for people to report misconduct in their workplace. You will need to clarify what they are in your policy.

    At a minimum, this will require:

    • A system that allows employees and third parties to report potential misconduct in a confidential manner.
    • Various secure reporting channels to give individuals a choice to file a report in person, verbally or in writing.
    • Reporting mechanisms that are accessible outside of the company network.
    • Safeguards to protect whistleblowers from retaliation.
    • Impartial individuals, including subject-matter experts, who follow up on the reports and communicate with the whistleblower.
    • Guaranteed anonymity where desired or provided for in national law.


    What is clear is that anonymous reporting is already, or will become, a common key feature of any whistleblower policy or reporting mechanism. Why protect the anonymity of whistleblowers? A major barrier to people coming forward when they witness corruption or misconduct is the fear of exposure and retaliation. For this reason, EU legislation requires that organisations set up reporting channels that allow for confidential reporting. The identity of the whistleblower — or the people implicated in any whistleblower reports — may not be disclosed without explicit consent of the individuals involved.

    The key to success: communication

    What should you do when there are legal constraints that prevent you from disclosing the exact outcome of an investigation? Even in such instances, it’s crucial to provide at least a minimum of feedback to the whistleblower. Your policy should outline what you can and cannot communicate.

    One option is to publish anonymised reports at regular intervals to inform staff and the general public about any whistleblowing incidents in your organisation and their outcomes. Your policy should indicate where such reports can be found.

    Ultimately, the more transparent you are, the more likely people are to understand the legal restrictions in place, trust your policy and therefore speak up. An effective whistleblower policy can only succeed if people are aware of it and feel it can be trusted.

    Moritz Homann

    Managing Director Corporate Compliance – EQS Group | Moritz Homann is responsible for the department of Corporate Compliance products at EQS Group. In this function, he oversees the strategic development of digital workflow solutions tailored to meet the needs of Compliance Officers around the world.