What if a whistleblower keeps reporting the same problem? The investigation team has already worked through the irregularity more than once and found nothing that would confirm the report. The same employee files it again.
The repetition itself can be a signal that something is happening which the board cannot see. The whistleblower clearly still treats the matter as unresolved, and a closed investigation file does not, on its own, make them wrong. Before pushing the report aside, it is worth asking what a disciplined response to a repeat report should look like, and what the law expects of an organisation once any report lands.
Treat every report as a new report
Janelle Aaker, a diversity, equity and inclusion practitioner, framed the trap with Aesop's fable of the boy who cried wolf.
"I think you need to treat every report like it's a new report. Do you remember the tale of the boy who cried wolf? Just because the first three yells for help weren't real, it doesn't mean the next one isn't."
Janelle Aaker
The instinct she names, evaluating each submission on its own facts rather than against memory of the last one, is the single most useful discipline a triage team can practise. A repeat reporter can be wrong on the same fact pattern five times and right on the sixth, and the wrongness of the first five does not give anyone a free pass on the sixth. Investigation discipline is not only defensive: companies that handle reports seriously tend to spot operational damage earlier, which is the simplest reason whistleblowing pays back commercially rather than draining resources.
When repeat reports point at a communication gap
Where the same problem keeps coming back and the evidence keeps running out, the cause may not be on the reporter's side at all. If an employee files the same concern repeatedly, something in the channel between the report and the response is failing. The intent of the original submission may have been misread; the reporter's expectations may diverge from what management treats as obvious; the team closing the case may be measuring against the wrong yardstick.
Before a report ever reaches the system, the person filing it has often spent weeks or months deciding whether to file. They knew the report needed making, and they were afraid of what would happen afterwards. That fear does not vanish on submission. If the reply is generic or dismissive, the next report from the same person is the predictable result.
Assumptions about what employees need are easy to get wrong. The fix is rarely to push back harder on the reporter; it is usually to listen to what the repeat report is actually pointing at, and to write the response so the reporter can tell their concern was heard.
What "responding" means under EU law
The rules around responding are no longer just custom. The EU Whistleblower Directive (Directive 2019/1937) sets concrete deadlines that any organisation operating in the EU must meet. Under Article 9 of Directive 2019/1937, the organisation must acknowledge receipt of an internal report within 7 days and provide feedback to the reporter within three months. External authorities have the same three-month feedback window, extendable to six months in justified cases.
Feedback is not a status email. It must cover the action envisaged or taken, the reasons for that action, and, where the case is closed, the rationale for closing it. A repeat reporter who keeps filing the same concern is often a reporter who never received that level of feedback the first time.
All 27 Member States have passed transposition legislation, but the European Commission has flagged that none can yet be considered fully compliant, and multiple infringement cases have been referred to the Court of Justice. Treating Article 9 as a paperwork exercise is the wrong bet: a thin paper trail is the first thing a reporter cites when they take the case to a national authority instead of waiting on the internal one.
A structured channel beats ad-hoc handling
The international standard for handling reports, ISO 37002:2021, breaks the work into four operational stages: Receive, Assess, Address, Conclude. Each stage carries documentation obligations, and the four together create the audit trail that lets a company show what happened on the sixth report and not only the first.
An anonymous reporting channel is what makes the rest of that flow work in practice. Reporters who fear retaliation will not surface concerns that put their job at risk, and an organisation that only hears from people willing to use named channels hears a fraction of what is going on. Anonymity does not block follow-up: the reporter can keep returning to the same case file, add new evidence, and answer follow-up questions without exposing their identity. That is the channel feature that turns repeat reports from a nuisance into a richer evidence trail.
Built around ISO 37002's principles of trust, impartiality and protection, a structured channel also gives the investigation team something the ad-hoc inbox never gives: a record of what was actually done after each report was filed. When regulators ask, the answer is the case file, not a guess.
The same employee filing the same concern is rarely the problem the team thinks it is. More often it is a signal that the response, not the report, is what needs work. A disciplined approach to each submission, the deadlines fixed by Article 9, and the four-stage flow under ISO 37002 do not just tick compliance boxes; they make it likelier that the next repeat report is treated on its merits, and that the organisation finds out before regulators or journalists do.
