When an organisation receives a whistleblowing report, it needs to make sure it responds correctly. So it helps to be prepared with effective policies, procedures and systems to investigate reports fairly and promptly. We’ve summarised five important steps that companies should employ when handling internal investigations of whistleblowing cases.
Get as much information as possible at the beginning of the investigation to determine if the claim is actually a whistleblowing matter or something that can be dealt with by HR. You could do this via an online whistleblowing system, telephone messaging service or even physical post-box.
Once it’s determined that it is a whistleblowing matter, review all the information carefully and re-assess it regularly, because one claim could spark an influx of similar reports.
Setting expectations can prevent negative feelings and the whistleblower getting the impression that nothing is being done.
Dealing with a report can take a long time, so explain to the whistleblower how you’ll respond to the information, for instance in batches rather than each individual message. Let them know how the information will be handled, and that it can remain confidential.
As soon as you have an estimated timeframe for the investigation, inform the whistleblower. If you’re a company in the EU, then this should be in accordance with the EU Whistleblowing Directive, which is seven days for confirmation of receiving the report, within three months for feedback.
Decide who will be involved in the internal whistleblowing investigation team. Will it be an in-house legal team, HR, or risk department, or an external legal partner? Anyone potentially connected to the allegation should, of course, not be involved in managing the investigation. Note that this might include more people than were named by the whistleblower, and that the misconduct may also have a wider scope.
Keep the whistleblower informed of the investigation, the outcome and actions being taken with as much detail as possible (bearing in mind confidentiality). This helps the whistleblower see that their report was fully investigated, making any long-term grievance less likely. And as mentioned above, the EU Whistleblowing Directive requires for this to be done within three months of receiving the report.
Keep a record of all the information, steps taken, and key decisions made during the investigation. Most importantly take care to protect this data and keep confidentiality, and also be aware of any local laws relating to deleting of data.
If the whistleblower allows their identity to be known, don’t forget to check in on them. This way you’ll notice any potential retaliation early on and put a stop to it. Employees must feel free to raise any concerns without reprisal, keeping the company a safe workplace for everyone involved.
A whistleblowing system can help an organisation receive, process and feedback on cases in a well-structured way, as well as store information and communicate securely with the whistleblower.
The Whistlelink whistleblowing system is built to firstly make it simple for a person to make a report, and secondly for the organisation to manage cases. This is to help investigations run more smoothly and in line with the EU Whistleblowing Directive.
The case management module helps an organisation to keep all the gathered information on a case in one place, and securely. It also supports confidential two-way conversations between the organisation and the whistleblower. This provides a simple solution for giving feedback without identifying the whistleblower, and Whistlelink alerts the organisation when a deadline is looming.
What’s more, Whistelink’s partners can help organisations with internal whistleblowing investigations. To find a partner that is suitable for your organisation, check out our Partner Arena.
If you have any thoughts about this article or would like to know more about Whistlelink, we’d love to hear from you.
Philippa Johnsson, Whistlelink
Test our whistleblowing system free for a month
HAPPY TO MEET YOU!