5 Step Guide to Internal Whistleblowing

In today's corporate world, being clear and accountable is crucial. Having internal reporting channel is no longer a competitive advantage but rather a necessity. Global markets and policies require companies to address unethical behavior quickly, all while protecting identity of people reporting it.

But what is the best way to go about implementing whistleblowing practices? To make it clear, we have asked an expert on this topic - Oscar Fredriksson.

About Oscar Fredrikkson

Oscar Fredriksson is a lawyer and head of investigations at Starck & Partner. He is an expert in handling various internal investigations, including violations, sexual harassment, discrimination and workplace bullying.

With Oscar Fredriksson's input, we have outlined his knowledge into an easy-to-follow guide. By following its 5 steps, it will help you establish a whistleblowing system that is both compliant and effective.

Fredrikkson's 5 Step Guide:

1. Establish Reporting Channel(s)

Set up one or more reporting channels. They can be operated by an internal employee, a specific department, or a third-party provider. What is important is to ensure:

  • Confidentiality: Protect whistleblower (person reporting) and third-party identities
  • Access Control: Limit report access to authorized staff members
  • Flexible Reporting: Allow reporting via written documents, calls, messages, or physical meetings
  • Whistleblower Control: Let whistleblowers review and approve their reports

National legislation may introduce some additional requirements. However, these features are fundamental and should be a part of any reporting channel.

2. Provide information on how to report

Having a whistleblowing channel and having your employees know about it are 2 different things. Make sure you explain your employees how your particular internal reporting works. Talk to them about different reporting options, show them where to report and tell them who will be responsible for their reports. Inform them about legal deadlines and ways to follow up on their report.

Additionally, do not forget updating new hires about your internal whistleblowing system. Even better, consider having a reporting manual as a part of your internal system. This way, it would always be available for your employees to come back to.

3. Respond to Reports Within 7 Days

After receiving a report, acknowledged it to the whistleblower within 7 days. This timeframe does not mean any responsibility to answer the content of the report. The purpose of the response is to let the person know, that their report was received and will be investigated.

4. Assess the Report

After responding to the report, you need to thoroughly investigate reported wrongdoings. The process involves:

  • Qualification Assessment: Determine if the report aligns with the Whistleblowing Directive or relevant domestic law. If not, provide a clear response to the whistleblower explaining why the reported questions do not qualify. (It can still be investigated, however, you are not legally bound to do so)
  • Separate Treatment: If multiple questions or concerns are raised within a single report, it is crucial to separate the ones that qualify for investigation under the Whistleblowing Directive from the ones that do not. Transparent communication regarding this decision is crucial for fostering trust.

The latest EU Whistleblowing Directive does not provide any answers on how to address questions that are outside its scope. However, there might be other legislation and procedures in your country that regulate how to handle these questions.

5. Investigate and Report back within 3 Months

Investigate questions and wrongdoings that do qualify thoroughly. If needed, ask for legal advice or help from a third party. After investigation, report the findings back to the whistleblower within the 3-month timeframe.

Case Management in Practice

Let's walk through how case handling would unfold in a real-world scenario. Imagine you are the designated employee overseeing the reporting channel at a Swedish Agency. Some time ago, you set up a whistleblower function by using a third-party provider. Today you have received your first case.

Upon accessing the provided information, you read:

"First, my co-worker X in department Y is a bully and has verbally harassed me and others. You need to address it; otherwise, I will make this information public.

Second, I have observed a lack of control over the use of EU funds in projects A, B, and C, where I served as an administrator for several months. Initially unclear, I am now certain that proper routines are not followed, leading to unaccounted euros in each project."

Here is the summary of your following actions:

1. You  promptly report back (within 7 days) that you have received the case

2. You assess the case and decide on the investigation approach:

You conclude that the first issue is a matter of suspected workplace harassment and bullying. Since it does not affect any public interest, it should not be treated as a whistleblower case. However, it is still a serious issue. Because of that, you refer it to HR for further actions and investigations.

In contrast, it is in the public interest that funds are used properly. Because of that, you need to start a whistleblowing investigation regarding the second issue.

3. You communicate with the whistleblower and request more information

You use the whistleblower function to inform the whistleblower that the first question will be handled by HR.

For the second question, you express the intention to investigate and request additional documentation.

4. After getting all the evidence, you launch an internal investigation

You receive a reply with more information. Within 3 months, you conclude that an independent review of projects A, B, and C is necessary. 

You let the whistleblower know about the upcoming internal investigation (which is the outcome of the report). Besides that, you encourage them to revisit the whistleblowing report once in a while to see if they need to provide more information.

5. Followingly, you report back and after reaching the conclusion close the case

Upon the conclusion of the investigation, you inform the whistleblower about the report's outcome, ensuring transparency in the process. The origin of the investigation as a result of a whistleblower report remains confidential. Consequently, you officially close the case. By doing so, you safeguard the privacy and anonymity of the reporting individual.

Alongside this process, The HR department handles and resolves the first question concerning workplace harassment.

Things to Know - External Reporting & Public Disclosure

Sometimes internal channels are absent or do not work well. Perhaps, reports are not handled carefully, take too long to resolve, or no proper action is taken. In this case, whistleblowers have the option to use external channels. These can include competent authorities, the press or social media.

External reporting is also possible if whistleblowers have a reason to think they might lose privacy or get treated badly for reporting. In such cases, competent authorities may be better positioned to address the breach effectively.

However, it is important to mention that this can have a great negative effect on the company. Above others, it can damage brand reputation and bring legal and financial consequences. Read more about internal vs external reporting and their consequences on your business here

At Walor, and in line with the European Union's recommendations, we strongly advise focusing on enhancing internal whistleblowing channels. To do so, ensure your employees feel comfortable reporting and establish efficient internal reporting systems to simplify the process.

Explore how Walor's Whistleblowing software can simplify your internal reporting here.