Implementing whistleblowing in the company
Setting up whistleblowing in a company comes down to seven ordered steps. You check who the law covers, write a procedure, pick a secure system, and put someone in charge. Each report then runs on a tight clock: a reply within 7 days and a full answer within 3 months. Do them in order and you meet what nearly every country's law asks for.
Key Takeaways
- Whistleblowing duties now apply in many countries, often starting at around 50 staff.
- Your written procedure comes first, setting out how a report is made, handled, and answered.
- A compliant channel takes written and spoken reports and keeps the reporter's name secret.
- Acknowledge every report within 7 days and give a full answer within 3 months.
- Retaliation is banned, and the employer must prove any action against a reporter was fair.
Check whether the law applies to you
Start by checking whether the law covers you. Most countries make a private company run an internal reporting channel once it reaches a set headcount, often around 50 workers. Finance and anti-money-laundering firms are usually covered at any size, and public bodies are covered too. The exact trigger sits in your own country's law.
How do you count the 50? Most laws count everyone on the payroll. That means part-time and temporary staff, not just full-time roles. Some laws count seasonal workers too. If you sit just below the line, check again each year. A single busy season can push you over it.
Company structure counts as much as headcount. A group with several legal entities usually cannot funnel every report into one shared point of intake. Each entity keeps its own duty of confidentiality, even where a parent helps run the system. Smaller firms can still be pulled in when their work carries higher risk, such as safety or the environment.
Thresholds, deadlines, and penalties differ from one country to the next, so read the rule that applies where you operate. Our list of whistleblowing laws by country is the fastest way to find yours. The duty is not only European. The United States runs its own federal whistleblower protections. Australia sets its rules through the Corporations Act and its public-sector law.
Write your internal whistleblowing procedure first
Before you buy a tool or name a person, write the procedure. This is the document everything else rests on. It says who can report, how they do it, who receives the report, and the deadlines for acknowledging and answering it. It also sets out how you protect identities, keep records, and ban retaliation.
A good procedure is short and specific. Name the channels a person can use. State that reports can be made in writing or by voice. Explain what happens after someone reports, step by step, so the reader knows what to expect. Say plainly that nobody who reports in good faith will be punished for it.
Keep the procedure easy to read. Skip the dense legal prose. A worker who is worried and unsure should still follow it in one pass. Have senior management approve it, so it carries real weight. Then store it where staff can find it, not in a locked drawer.
You don't have to start from a blank page. ISO 37002, the international standard for whistleblowing management systems, lays out how to structure intake, follow-up, and closure. You can read the standard on the ISO website. For a worked example, see our whistleblowing policy example and the guide to setting up whistleblowing procedures.
Choose a dedicated whistleblowing system
With the procedure written, choose the system that carries it out. The channel must be secure, keep the reporter's identity confidential, and accept reports in writing and by voice. It must also let a reporter ask for a meeting in person. A shared inbox or a personal phone cannot do these things reliably.
Dedicated whistleblowing software is built for this job. It limits access to the people handling the case, tracks the 7-day and 3-month deadlines, and keeps a record that cannot be altered after the fact. You can run it yourself or through a provider that operates the channel for you.
| What the law expects | Why a dedicated whistleblowing system delivers it |
|---|---|
| Confidential, secure intake | Access limited to named handlers, with the reporter's identity shielded |
| Written and spoken reports | One place captures forms, voice notes, and meeting records |
| 7-day and 3-month deadlines | Built-in timers and reminders track every case |
| A proportionate, lasting record | A tamper-evident log, kept only as long as it is needed |
Which route fits you? A small company often starts with software it runs itself. A larger group, or one with higher risk, tends to hand the channel to a provider. Either way, the reporter should see one clear place to go. Do not scatter reports across three different tools.
Put the channel where people will find it. A link on the intranet is a start. Add it to the staff handbook and a notice in shared spaces. If your team speaks more than one language, offer the channel in each one. A worker reports more easily in their own words.
Email and phone lines fall short because they leak identities and leave no reliable trail. We explain the gap in why whistleblowing software beats email or telephone. If you want to compare tools before you commit, read our roundup of the best whistleblowing software.
Put someone impartial in charge of reports
A channel needs an owner. Name a specific person or team to receive reports, stay in contact with the reporter, ask for more detail when needed, and deliver the final answer. They must be impartial, free of any conflict with the cases they handle, and reachable even when one of them is away.
This cannot be a side task for a busy manager. The person who handles reports may face sensitive claims about senior staff, so they need real authority and clear independence. Many companies give the role to a compliance officer, a legal lead, or an outside provider with no stake in the outcome. Whoever you pick, tell staff who they are.
Train the handler before the first report lands. They need to know how to stay neutral. They need to know how to keep a secret. Set up cover for holidays and sick days, so a report never waits a week because one person is out. Give them a simple script for that first reply.
What that person does next counts as much as who they are. A handler who logs a report and forgets it defeats the whole system. Our guide on responding to whistleblower reports covers the handling itself, from first contact to closing the case.
Acknowledge in 7 days, follow up, and reply within 3 months
The clock is where most systems fail. Acknowledge every report within 7 days so the reporter knows it arrived. Look into it properly, then give the reporter a real answer within 3 months. That answer explains what you found and what you plan to do about it.
Diligent follow-up is the heart of the process. Assess whether the claim looks accurate, open an inquiry where it does, and refer or close it once the facts are clear. Keep the reporter informed along the way. A report that vanishes into a drawer is both a failure of trust and a breach of the rule.
A simple timeline keeps you honest. On day one, log the report and send the reply that says it arrived. In the first week, decide who looks into it. Over the next weeks, gather the facts and talk to the reporter. By the third month, send a clear answer. Late is a breach, even by a day.
Decide early how you treat anonymous reports. Accepting them is a choice, not a duty, in many countries. But if you do accept them, follow up just the same. Keep a confidential record of every report. Share the reporter's identity only with the people handling it, and hold the data no longer than you need. Where you record a call or a meeting, let the reporter check and correct the notes. Confidentiality is what makes a person willing to come forward at all. We look at that from the reporter's side in is whistleblowing safe.
Ban retaliation and protect people who speak up
Protection from retaliation is the promise that makes reporting possible. Once someone reports in good faith, you cannot punish them for it. Retaliation covers far more than dismissal. It includes demotion, a transfer, a pay cut, lost training, a poor reference, blacklisting, and harassment.
In a dispute, the burden sits with you, not the reporter. If a person who reported is later dismissed or moved, you must show the decision had nothing to do with their report. Protection also reaches the people around them: a colleague who helps, and relatives who work at the same company.
Build a simple safeguard into your HR process. Before you dismiss or move anyone, check whether they have reported in recent months. If they have, pause. Write down why the action is fair and unrelated to the report. Ask a second person to sign off. That record is what protects you if the decision is ever challenged.
You also owe reporters clear, free information about their rights and where to turn. Getting this wrong is costly. Penalties for retaliation, obstruction, or naming a reporter exist in most countries, though the amounts differ widely. Our guide to the penalties for retaliation and the piece on the consequences of skipping a whistleblowing policy set out what is at stake.
Make the procedure known across the company
A channel nobody knows about protects nobody. Once the system works, tell everyone it exists. Publish clear, easy-to-find instructions on how to report inside the company and how to reach the outside authorities. Train every manager to recognise a report and to never retaliate against the person who brings one.
Staff need to know they can go to a regulator as well as to you. Explain that route honestly rather than hiding it; a company that signposts the external reporting option looks more trustworthy, not less. Then test your own channel before you rely on it. Send a dummy report through and watch it travel: does it reach the handler, start the 7-day clock, and land in the record?
Repeat the message on a regular beat. Cover the channel in the welcome pack for every new hire. Remind the whole company once or twice a year. Drop a short line about it into team meetings when the moment fits. People forget a system they hear about only once.
Treat the rollout as ongoing, not a one-off launch. Repeat the training for new joiners, review your reply times, and check that the channel is actually used. A line that stays silent for a long stretch usually means people don't trust it or don't know it is there.
The hard part of whistleblowing is not the policy document. Plenty of companies write a fine procedure, publish it, and still fail the first real test. The work that counts is the quiet, daily kind: acknowledging each report on time, keeping the record clean, and making sure the person who spoke up is never worse off for it. A whistleblowing system is only as good as the day you finally have to use it.