Yulia Landbo
A whistleblowing system is a digital solution that companies incorporate into their workspace to enable employees to report wrongdoings. For companies and their staff, it is a secure tool to manage a whistleblowing channel that complies with the national whistleblowing legislation and EU Whistleblowing Directive - an EU-wide official directive that ensures confidentiality for employees and protects them during the process.
Enabling reporting of misdeeds provides an effective way for companies to identify issues before they become significant problems and, simultaneously, gives workers assurance that their complaints will not go unheard.
Let's explore how this invaluable asset functions and why its implementation is so beneficial.
A whistleblower system is a software system that provides a form for a company’s employees and potential partners to report malpractice, unlawful or unethical acts. A whistleblower system can also be called a whistleblower hotline or a reporting system.
An employee, also known as a whistleblower, reports wrongdoings by filling in the form in the company’s whistleblowing system. The whistleblower can contact an investigation office, send attachments, and conduct a dialog with case handlers through the whistleblowing system. Every step is carried out in a way that maintains the confidentiality of the whistleblower and third parties mentioned in the report and forecloses the possibility of unauthorized access to information. Employees can also choose to report completely anonymously, without revealing their identity, if the option is available in the chosen whistleblowing system.
By 17 December 2021, following the adoption of the EU Whistleblowing Directive, all EU countries must have developed a National Whistleblowing Protection Act and announced a deadline for companies with 250+ and 50+ employees to implement a whistleblowing hotline internally. However, some countries needed more time to draft their law and postponed the adoption of the Directive until later in 2022 and 2023.
Without exception, all EU member states must impose a law forcing all companies, first with 250+ headcount and later with 50+ headcount, to implement a whistleblowing reporting channel. The law applies to both the public and private sectors. The implementation process and deadlines vary from country to country, so check the EU Whistleblowing Monitor for the deadline in a particular country.
All things considered, if a company is located in the EU with more than 50 employees, it needs a whistleblowing system. Failing to do that by the established national deadline could cause heavy fines.
Companies have relied on various whistleblowing channels to protect their interests and promote transparency. From phone hotlines to decentralized digital platforms, companies employ multiple strategies for encouraging staff members and stakeholders to come forward with potential wrongdoing or misconduct.
Organizations can now take advantage of a secure and confidential digital whistleblowing system that protects any submitted information from unauthorized access. Employees or third-party partners can send their reports through an online platform or a form on the website, remaining anonymous if they choose. A digital whistleblowing system gives users peace of mind when bringing potentially sensitive issues into the light, and, depending on the provider, can be one of the fastest ways to set up a fully compliant whistleblowing channel.
Some digital whistleblowing providers also allow for oral reporting through the channel.
Some companies offer a dedicated email channel through which employees can send reports to the investigation team. A dedicated email address is usually created by IT admins so that the investigation team has access to it. An email hotline seems fast and effortless, but it raises privacy and security concerns, so using one can put the security of the companies’ most delicate matters at risk. Also, emails can't be considered an anonymous channel.
Theoretically, emails can be encrypted to protect the content, but this requires preliminary actions: both the sender and the receiver need to set up encryption in advance. Not all companies do it; further, only a few employees know how to do it. And if employees need to take care of it themselves, they will quickly lose trust in the channel. Further, there is no guarantee that the mail systems won't delete encrypted attachments because their content cannot be scanned for safety.
Together with email, having a dedicated phone line has been a common practice among early adopters of whistleblowing channels. It was usually a toll-free hotline that anyone could call, and phone lines could be used both internally and externally.
A telephone whistleblowing channel often works 24/7, allowing people to call when it is most convenient for them to discuss a case. Operators receiving calls are all located in secure places where they can't be overheard. With the whistleblower's consent, the voice report can be recorded for further usage and to ensure the invariability of the provided information.
A phone line can't be considered an anonymous channel as it is relatively easy to recognize the voice. Additionally, following up with requests for more information or feedback is problematic.
Some whistleblowing systems also allow phone lines as add-on products. This will often allow the case handlers to handle both form submissions and phone submissions in the same case management system.
Alternatively, companies can offer to meet the investigation officer in person. The "Direct address" or "in-person" channel includes an assigned internal case handler that employees can speak to within the company, such as the head of HR or a compliance officer. Employees can securely discuss their concerns and allegations without fear of being overheard by making an advance appointment for a safe, confidential meeting.
As it is an in-person meeting, there is no option to stay anonymous. With this whistleblowing channel, employees often hesitate to voice their concerns due to the uncertainty about who might hear them reporting. As such, critical issues that arise within the company could go unheard and unaddressed for far too long.
An ombudsman is an externally hired consultant, often a lawyer, DPO, or an external compliance manager, who acts as a trusted and confidential resource for the company’s employees, partners, job applicants, or other third parties. Anyone who observes any warning signs of unethical operations, such as fraud or corruption in the workplace, can contact an ombudsman for support.
Reporters might be able to contact the ombudsman via different channels: phone, direct meeting, or online form, if all three are provided. Not all ombudsmen work with digital whistleblowing systems, though most consider it a must for compliance and security reasons. More and more consultants implement a digital hotline in their whistleblowing package nowadays – this allows them to offer anonymous reporting, which is required in some EU countries.
The advantage of an ombudsman is that it is undoubtedly an impartial source, which, for some reporters, might be a decisive factor when submitting a report.
For companies looking to comply with the national whistleblowing law and give employees the safest channel, the industry standard is to choose a digital whistleblowing system: a ready-made platform that is fully compliant with all data regulations like GDPR and can give companies the flexibility they need regardless of the country where they are based.
Older methods, like e-mails or physical mailboxes, usually do not allow for anonymous reporting, and neither do they eliminate the stress and hesitation of employees who wish to share major concerns with the organization. It is safe to assume that the number of reports collected through traditional tools was insufficient.
However, some companies still provide these alternatives along with the digital whistleblowing system due to established practices and cultural preferences.
In case of wrongdoings in the company, an employee can report a case through the company's whistleblowing system. If the system allows, they can choose to remain entirely anonymous. According to the law, the whistleblower should receive a confirmation shortly after submission. Maximum confirmation time can vary across EU countries, but most countries request confirmation within 7 days.
Once a report is submitted, an internally appointed whistleblower unit or an individual case handler will investigate its veracity. They will make an initial assessment of the case, evaluating whether a need exists to bring in additional resources.
Once the report is submitted, the whistleblower receives a unique code to the online system, where they can see the case updates and securely communicate with the investigation team. In the case of an anonymous report, all communication remains anonymous unless the reporter decides to reveal themselves.
The reporter also needs to consider the safety of the unique code. It cannot be recovered if lost. It might be a good idea to print it out and store a copy to ensure you always have access to the report. If the code is lost, there is usually no way to access the information through the whistleblowing system.
The whistleblower should expect to receive a follow-up within a reasonable timeframe.
Keeping compliant and avoiding fines is just the beginning when it comes to establishing a whistleblower system. An effective whistleblower policy can also offer numerous rewards for a business - from internal cost savings and improved compliance processes to enhanced organizational trust between employees and management teams. Notably, it is a chance to:
1. Handle a case internally before the whistleblower decides to go to a public entity
Detecting and solving problems internally should be a top priority in many companies and is, hence, among the primary reasons to implement an internal whistleblowing hotline. By this means, companies can address issues once they arise, not letting them grow into a larger problem.
Ultimately, it is in the business's interest to handle cases internally. The alternative for the whistleblower would be to either take it to a public channel owned by a public entity or to the press. Both for the company's future efficiency and reputation, it is better to solve issues internally.
2. Comply with legal regulation
If a company is located in Europe with over 50 employees, it needs to implement a whistleblower hotline to comply with the law and avoid fines. Ensure your company complies from the start, so there will be no need to deal with fallouts later.
3. Create a “Speak-up” culture
Creating a speak-up workplace culture is the key to building a dynamic people-centric culture. Establishing this environment can make way for greater employee retention, loyalty, and talent acquisition – all essential components of impacting today's marketplace. It goes beyond just talking about it – companies need to put into practice tangible actions such as implementing whistleblowing policies that encourage people to report wrongdoings when such take place.
4. Protect employees
While it is undoubtedly beneficial for companies to detect and prevent violations, not everyone might be happy once certain wrongdoings or malpractices emerge, especially if they are involved. This is precisely the point of whistleblowing – to provide whistleblowers protection during the process. Without some protections, the chances of problems being communicated to the relevant business personnel are lower, which also makes it harder for the management to address problems in the company.
5. Prevent damage to the company’s brand or economy
Whistleblowing is an invaluable resource that allows organizations to confront issues in their infancy. By receiving direct information from its workers and dedicated teams, companies can safeguard themselves against potentially negative consequences that can damage both the company's brand and economy.
This is a typical process for an organization implementing a whistleblowing system.
When establishing an internal whistleblowing system, appointing the stakeholders is the first action point. The company is responsible for selecting the most suitable candidates from their company or hiring an external representative. However, due to the topics' sensitivity, most organizations pick members of their HR, compliance, board, or leadership teams. The only requirement is that they are impartial and can manage cases promptly.
Are there any regulations for who can be on the investigative team?
According to the EU Whistleblowing Directive, the investigation team could consist of a compliance officer, HR director, legal counsel, Chief Financial Officer, board member, or management member. Alternatively, companies can also choose to outsource the processing of reports to an external lawyer.
Most companies quickly realize that building the system themselves is too costly, given the security and process requirements most companies have.
The best practice has become to seek an external provider for an easily accessible digital platform where whistleblowers can report confidentially or anonymously, orally or in written form. A digital whistleblowing system will allow employees to maintain conversations with the approved investigation committee members, provide more proof when required, and track progress toward closure.
Develop a document that includes detailed information on processes employees can use to report, types of reportable violations, the protection that covers whistleblowers, etc. Ensure everyone can find your whistleblowing policy by publishing it through the whistleblowing system, the intranet, and on your website.
If you need assistance creating a whistleblowing policy, feel free to contact us, as we have an extensive network of compliance professionals and lawyers that specialize precisely in this area.
The efficiency of the whistleblower system depends directly on your employees' awareness of its existence and merits. Communicate your policy to your employees and introduce them to the responsible people managing their cases.
Next, share the internal reporting system with them and provide continued training on which behaviors to look for, how to report, and the protections whistleblowers enjoy to foster an environment where potential whistleblowers feel safe to report.
Physical media is also a great option to communicate your system. Posters, signs, and other visual content in the office can help you create awareness of your whistleblower system, and some systems might help you produce the material for this.
Whistleblower transparency
Reporting an issue can sometimes be challenging for employees up to the point when they might change their minds about submitting a report. That is why many companies are looking for a whistleblowing system that can smoothly guide employees through every step, ensuring that their case is handled transparently and safely.
GDPR-compliant and maximum IT security
One of the primary reasons so many companies are considering Whistleblower Software is the requirement to stay updated with whistleblowing data privacy standards, including GDPR.
Besides hosting in the EU, the GDPR Schrems II ruling requires, in most cases, that a certain piece of IT infrastructure be part of the product: end-to-end encryption. Quite a few providers do not account for this.
Most companies also have serious requirements for such a system in terms of IT security certificates, because the company's worst internal issues could potentially end up on the platform.
Good certificates to look for are ISAE 3000 and ISO 27001. Make sure that the whistleblower system provider does not only use an ISO 27001 certified hosting provider but also holds the certification itself, so that you can be sure its internal teams are also following the processes required by the ISO standard.
Anonymous and confidential reporting
Anonymous reporting is a feature that allows whistleblowers to stay anonymous throughout the processes of reporting and communicating with the company. Most companies prefer to offer anonymous reporting as an option to employees, because more employees prefer to stay anonymous.
In some countries, anonymous reporting is also required by law.
Providing anonymous and confidential reporting to employees means allowing them to choose the one they are more comfortable with. If you still need to figure out the difference, we have an article explaining anonymous and confidential reporting in more detail.
Choosing a provider that supports anonymous and confidential whistleblowing is a good idea, even if you currently use only one.
Flexible reporting page & case management
Setting up your reporting page with the fullest amount of flexibility to tailor whistleblower policies, brand colors, languages, and input fields is a must for most companies.
Case management should be convenient to use, but also flexible and secure. One feature to look for is the ability to assign users access-limited roles to protect against leaks, which makes the "Control access" feature an absolute must for every whistleblowing system. Likewise, features such as “Redact” (in case there is more than one case handler) or the four-eyes principle help you handle the cases with more care.
Supported languages
Multilingual support is a relatively straightforward decision if companies want their employees to use the whistleblowing system in their language. Most systems charge extra for this, and the quality of translations differs a lot.
Another well-liked feature is the ability to securely machine-translate reports, which enables case handlers to screen cases in multiple languages with ease.
If you're thinking about submitting a whistleblowing report, here are a few useful tips. Remember, it's always a good idea to check your company's whistleblowing policy or the relevant parts of the national legislation for more information.
1. Your rights as a whistleblower:
Retaliation protection & burden of proof. The EU Directive and national whistleblowing laws keep you safe from any kind of retaliation: they clearly state that all forms of retaliation are prohibited. If a whistleblower suffers any kind of retaliation after having submitted a report, the employer has the burden of proof to show that it is not connected with the act of whistleblowing.
Data Privacy. The handling of personal data follows the rules of the GDPR on personal data protection. Only relevant personal data for specific purposes will be collected, and any irrelevant data will be deleted promptly.
Whistleblower support. Whistleblowers are entitled to free and unbiased information and advice regarding their legal rights and protection from retaliation. They can receive legal assistance when dealing with any relevant authority to ensure their protection.
2. Preparation before submitting a case
Read your company’s whistleblowing policy. It is usually the best place to start, as it will clearly describe the details you need to know when submitting a report. The policy will guide you on how to raise concerns, what issues can be reported, which proofs to include, how to attach files securely so they preserve your anonymity, and what legal protection you can rely on.
You have certain rights if you fall under the provisions of the law. It is a good idea to find out whether you do, and what that means for you, by taking a look at the official law in your country.
3. Anonymous or confidential reporting? What’s the difference?
The EU Whistleblowing Directive mandates ensuring confidentiality by keeping the identities of whistleblowers confidential throughout the entire reporting and case revision process. However, it doesn't change the authority of EU member states to decide whether organizations in the private or public sector, as well as competent authorities, are obligated to accept and act upon anonymous reports of wrongdoing. Thus, it is up to each individual country to decide whether companies and institutions should accept and review anonymous reports.
However, in cases where both options are available, it is important to understand the difference.
| | Confidential | Anonymous |
| --- | --- | --- |
| Information whistleblowers share | Whistleblowers are required to disclose some contact information about themselves via a form provided by a company. Whistleblower’s identity will only be known to those who handle the case. The whistleblower’s identity will appear anonymous to others in case processing. | Whistleblowers can submit a report without disclosing any personal information via a form provided by a company. Absolutely no one knows the identity of a whistleblower in the case processing. |
| Whistleblower protection | According to the law, all whistleblowers who report confidentially are protected. | According to the law, all whistleblowers who report anonymously are protected. |
| Further communication | The whistleblower can be securely contacted for more information via the reporting page based on the Whistleblower Software. The security of all shared data is double-ensured through end-to-end encryption. | The whistleblower can be securely contacted for more information through the anonymous page. For anonymous whistleblowing, Whistleblower Software allows two-sided communication through end-to-end encryption. |
*The whistleblower can access the case page with the authentication code generated when an anonymous report was submitted.
The number of whistleblowing reports companies can expect to receive varies from one company to another, depending on the industry, country, and how well the whistleblowing system has been incorporated and promoted in the company. The average number that we at Whistleblower Software saw among our clients was around 0.5 - 1% of the headcount. Thus, in a company of 500 employees, the investigation committee can receive approximately 2 to 5 reports annually.
When an employee decides to report an incident, there are two ways to do it: anonymous or confidential whistleblowing. Many companies raise the question of whether anonymous whistleblowing is a requirement of any whistleblowing policy.
Make sure you know the difference between confidential and anonymous whistleblowing.
The answer depends on the national law of every EU member state country. While some countries require mandatory implementation of anonymous whistleblowing, others don’t.
Thus, for example, in Portugal and France, employers must always provide an option of anonymous reporting, while in Denmark or Sweden, it is up to companies to decide whether to have anonymous whistleblowing.
Based on where the reports end, there are two whistleblowing channels:
The first option is an internal reporting channel, when reports go directly to an employer or a person appointed by the organization; thus, the information remains within the organization.
The second option is an external reporting channel when a whistleblower goes with the information outside the organization to competent authorities established by each Member State.
It is in the company's best interest to encourage its employees to use an internal system, as it would allow the company to handle the case internally. In practice, employees would also consider internal reporting as a first option, unless the situation is critical and the company has neither shown any action nor expressed concern.
In many countries, companies with multiple subsidiaries can have a shared whistleblowing system within their branches, if the whistleblowing system provider has taken into account such a solution. Of course, Whistleblower Software falls into this category, and if you have questions about this, we recommend you reach out to our support.
The implementation of a whistleblowing system itself depends on the size of the company. Setting up a whistleblowing policy and training an investigation committee might take some time as well. This aspect is more relevant for larger companies and enterprises, as there are usually more people involved, thus a bigger process.
As for the time spent on the whistleblowing system implementation, setup varies from several hours to months, depending on the software provider. The setup is usually swift when a company has a dedicated whistleblowing solution. There are some providers in the industry that have a very long implementation period (months).
A whistleblowing investigation team could, for example, consist of a compliance officer, HR director, legal counsel, Chief Financial Officer, board member, or management member. The number of committee members depends on the size of a company. In smaller companies, you will often find one or two case handlers; this number will be higher in larger companies. However, a higher number of case handlers doesn’t mean being overloaded with whistleblowing case handling.
Companies can choose to hire an external lawyer to screen and evaluate cases, but this is not a requirement. If you seek to find the right lawyer, we have a great network of leading law firms and ombudsmen using Whistleblower Software. Please contact us here.
___________________________________________________________________________
This article was developed for information purposes only. For legal advice, contact your trusted advisor. Alternatively, Whistleblower Software can connect you with a local legal expert.