Reasons to invest in whistleblower software
When fraud comes to light inside an organisation, it is most often a colleague who first spots it. The Association of Certified Fraud Examiners' latest Report to the Nations puts a number on it: 43% of occupational frauds are detected by a tip, more than three times the share found by internal audit, management review, or any other single control. The same study tracks a median loss of 145,000 US dollars per case and notes that organisations lose roughly 5% of revenue to fraud each year. A reporting channel is not the only thing that closes that gap, but every credible analysis of how it gets closed puts a channel near the top of the list. The case for investing has changed in another way too: in much of Europe, the channel is no longer optional.

The directive turned advice into law
The EU Whistleblower Directive (2019/1937) set 17 December 2021 as the date by which every member state had to put internal and external reporting channels on a statutory footing for organisations of 50 or more workers. By that deadline most countries had not transposed it. The last to land were Poland and Estonia in May 2024, and in March 2025 the Court of Justice of the EU ordered Germany, Luxembourg, the Czech Republic, Estonia and Hungary to pay financial penalties for missing it. Brussels has since said the law is on the books everywhere, but the quality of transposition still varies. See the European Commission overview for the current status.
In Poland the Whistleblower Protection Act took effect on 25 September 2024. Employers above the 50-person threshold had to have an internal procedure in place by that date, and external reports to the Ombudsman opened on 25 December 2024. Sectors such as financial services, anti-money laundering, transport safety and environmental protection are bound regardless of headcount. The detail sits with the Polish Ministry of Family, Labour and Social Policy on gov.pl. The compliance question is no longer whether to set up a channel but how well the one you set up actually works.
Tips beat audits, every year
The 43% figure is not a one-off. The ACFE has run the same study for two decades and the ranking has not changed: tips are the leading detection method, every wave, in every region. Most of those tips come from inside the building. Employees account for 52% of them; customers and vendors supply most of the rest. The longer a scheme runs, the deeper the damage: median losses climb from about 50,000 US dollars for fraud caught inside a year to 250,000 US dollars for schemes that go on for a decade. A channel does not stop a determined wrongdoer, but it does shorten the runway between the first warning sign and the first investigation, and the loss curve rewards that. Acting on a report is what converts that tip into recovered money, but a report cannot be acted on until it has first been received.
Channels people actually use
The shape of those tips has shifted. ACFE 2024 records reporting through web forms at 40%, email at 37% and phone hotlines at 30%; for the first time the web mechanism is the most popular single route. Anonymous reports make up about 15% of the total, and they tend to surface the most senior-level wrongdoing, which is exactly the category an auditor is least likely to find on their own. The implication for tooling is unambiguous. A channel that only takes phone calls in office hours, only in the corporate language, only from a desk on the corporate network, will miss most of the people who would otherwise speak up.

Beyond fraud: retaliation, harassment, health and safety
The directive's protected-disclosure scope is wider than fraud. It covers public procurement, financial services and AML, transport safety, environmental protection, food and feed, public health, consumer protection and privacy. In practice that means the same channel handles a manager paying off an inspector, a colleague being harassed, a near miss on a loading dock, and a leak of personal data. What ties these together is the cost of staying quiet about them, and the law is now explicit that punishing someone for speaking up (dismissal, demotion, exclusion, paper shuffling, the slow freezing-out) is itself a separate offence. Responding to reports well, and being seen to do so, is what makes a channel something people will actually use the second time.
Build it on a recognised standard
The directive is the floor; the operational manual is ISO 37002. The standard, published in 2021 and available from ISO, lays out how to run a whistleblowing management system on three principles: trust, impartiality, and protection of the reporter. Anchoring an internal procedure to ISO 37002 makes it audit-ready and gives the board a defensible answer when an investor, a procurement counterparty or an ESG report asks how the company handles concerns. It also lets you reuse the language of an existing system (ISO 37301 for compliance, ISO 27001 for security) rather than building a parallel governance stack.
None of this is theoretical money. The US Securities and Exchange Commission paid 255 million US dollars to 47 individual whistleblowers in fiscal year 2024 and has paid 2.2 billion US dollars in total since the programme started in 2011. European regimes do not pay bounties on the same scale, but the cost side (fines, lost contracts, restated accounts, departing customers) lands the same way on a balance sheet whether the tip ever leaves the building or not. The cheapest place to deal with a report is in your own intake.
What the labour market reads from all this is the part that usually gets understated. Candidates research employer culture before they sign, and an active reporting channel that gets used and answered is a hiring signal long before it is a compliance one. A company that has thought through how a worried employee files a report, who looks at it, and what happens next is a company that has thought through other things too. Investing in a system for whistleblowers used to be filed under insurance. It is closer now to what a well-run company looks like from the outside.
Internal auditor, health and safety specialist, verifies compliance with implemented quality systems. Monitors the timeliness of regulations in the field of internal communication and protection of employees. Develops documentation related to occupational risk and the formation of attitudes that support safe work.