Worldwide: Top Tips On Whistleblowing – Our Very Best Advice For A Trusted And Efficient Whistleblowing System

Last Updated: 11 February 2019
Article by Gunilla Hadders
Most Read Contributor in Sweden, July 2019

With whistleblowing making the headlines so much in 2018, we decided to start 2019 by sharing everything that we think is worth sharing when it comes to whistleblowing. Every day we discuss whistleblowing and matters such as compliance and codes of conduct with business leaders, and these are the kinds of questions that always come up: Do we need an external whistleblowing provider? What if we get irrelevant reports? Why should we keep the whistleblower anonymous?

So in this post we have compiled the most frequent questions we receive. If you don't find answers to your questions here – please get in touch. We are only too happy to share what we have learnt from years of supporting customers with whistleblowing around the globe.

So sit back and read on. Here come...


1. Why should I use an external whistleblowing provider?

We know that the majority of customers want a whistleblowing solution that is easy and cost-efficient, but our most important advice here is: No DIY! There are two main reasons for this, whistleblower protection and secure and efficient follow-up of cases received.

1a. Why is whistleblower protection important?

Anonymous whistleblower reporting is what it takes if you want to receive business critical information. We know from experience that implementing truly anonymous channels increases the likelihood of your getting reports on serious misconduct and hence have the chance to minimise damage and risks, WhistleB Customer study. Why is this so? People need to trust that they will be protected against retaliation, and the only safe way is to allow them to remain anonymous both in the initial dialogue and throughout any investigation.

True whistleblower protection implies that you need a whistleblowing solution that is separate from your own IT environment. You must be able to show that a whistleblower cannot be tracked – and it's not just us that say so, read more whistleblower protection. Also, the whistleblower system you choose must be fully secure, for example it should not use e-mail and should minimize the number of individuals with access to content.

1b. How does an external whistleblowing system help with secure and efficient case management?

When it comes to case management, you can absolutely use your internal resources, but an external whistleblowing system can support you. It will contain an easy-to-use case management system that guides you through appropriate steps and legal considerations, for example. It provides a solid IT solution and structure so that you can manage the cases, investigations and communication using internal resources. It will have rich functionality such as a case log, secure communication, correct archiving and deleting procedures and so on. An external whistleblowing provider can also ensure the software is kept right up to date with the latest data security functionality to help protect your data throughout case management.

There's another important benefit to assigning reception of whistleblower cases to an external party, namely to prevent a report being disclosed to a particular whistleblowing team member. We support many companies with receiving reports from their whistleblowing hotline, and aside from support with general management our responsibility as a third party whistleblowing provider is to make sure that any appointed receiver/investigator implicated in a report does not receive this specific whistleblowing report.

2. Will we get irrelevant cases through a whistleblowing service, thus wasting our time? How do we handle these?

The question of irrelevant cases comes up in almost every whistleblowing system implementation. Of course we cannot give any guarantees – but our experience shows that this concern is unfounded. This was also reflected in our latest annual customer survey. Irrelevant reports might include matters to be handled by HR, such as grievances about salary or promotion. These are nonetheless important for the individual, which is why the whistleblowing team benefits from having systems that offers a possibility to securely assign cases to HR (see more under question 4).

At the end of the day though a whistleblowing service aims at unveiling misconduct, and our advice is to invest time in thorough communication about the service so that you receive true whistleblowing reports. Help employees understand what constitutes a whistleblowing case, and what doesn't. Inform them of alternative communications channels for other matters. Communication should include a whistleblowing policy and guidelines, and our system helps with that.

Another piece of advice here is to introduce the service in stages. For example, run the whistleblower system for a year or so, then as you feel comfortable with the results, broaden your target group to suppliers, partners, customers and the public.

What we like to remind customers is that the reason for allowing whistleblowing is to minimise business risks, and this requires anonymous communication channels. We think that the benefits of implementing a whistleblowing system far outweigh the risk of receiving irrelevant reports. Sometimes we just have to take the bad with the good.

3. How many whistleblowing reports should we expect?

There are a couple of considerations when it comes to the number of whistleblower reports. Firstly, how can you increase the likeliness of people reporting suspicions on real whistleblowing cases?

As mentioned earlier, whistleblower anonymity is key.

Communication is also essential and must be continuous to really drive engagement. First, set the right tone at the top to create trust. That includes communicating the company's core values and philosophy on how to do business, according to your Code of Conduct.

Secondly, a person most likely blows the whistle only once in their lifetime making this a very stressful situation for the whistleblower. De-dramatize the process of whistleblowing in your communication and keep the reporting process simple. Don't make it worse with complex questionnaires!

The above two points underline why the whistleblower communication channel should be as easy and efficient to use as possible. Remove any thresholds, such as when, where or from which device a whistleblower can send a report. At the end of the day, you don't want to risk not receiving business critical information, and in today's environment, this basically boils down to solid whistleblowing software and technology.

Finally on this point, many customers implement a whistleblowing service as a preventive measure. The very fact that the system is in place prevents misconduct occurring in the first place. A very low number of reports coming through the whistleblowing channel might actually mean that it is working.

4. I have read about incidents in which the company actually has a whistleblower hotline, yet reports have not reached the right people. How can I stop this from happening?

Think very carefully through how whistleblower reports should be received, investigated – and above all by whom. We advise customers to appoint an internal team that creates trust and ensures cases are dealt with in a secure way. The team should preferably include non-operational individuals, such as members of the Board and internal audit. We see managers from a range of functions, often Compliance, HR, Sustainability and the CFO represented on the whistleblowing teams at our customers. Ensure your team does not come from one single part of the organisation, but that it is spread across managers from a range of functions.

The whistleblowing system itself should also support rigorous and correct case management. For example, through your case log it should be impossible to delete a case without notifying team members.

Finally don't forget to be transparent. Tell your employees and other stakeholders about how reports are managed. Make sure follow-up is transparent and that you communicate your results to the Board through regular reports on whistleblowing, see interview.

5. We have just received a serious whistleblowing case, which we need to investigate. It came from an anonymous whistleblower – what shall I report back to them?

You know nothing about the whistleblower, which is why we advise you to proceed with caution in this situation. Be as careful and as brief as possible in your communication with the anonymous person. At least until you know more about who you are communicating with. Unfortunately, whistleblower anonymity allows for some level of abuse of the whistleblowing system from persons who may in some way want to harm the organisation, or a specific person within the organisation.

Your whistleblowing system should provide you support in this situation, in terms of secure management of data and allowing for continued dialogue to build trust between the parties. For example, you need to ensure that all related data is protected, use secure encrypted systems, do not use e-mail, and so on. Keep investigation documents and communication within the protected whistleblowing system. Use a system that undergoes regular professional penetration and information security testing. Limit the number of persons involved. Once again, if you have the right team in place to manage whistleblowing reports, they will be able manage this process with integrity.

6. According to the company union representative, the whistleblowing service must be available to everyone, i.e. not only through the web? What is your experience?

During the last two years we have seen that many companies are now skipping the whistleblowing phone hotlines as a mode of reporting. Some of the reasons given are that it is less secure (the information cannot be encrypted all the way from the whistleblower to the receiver of the message), it is less cost-efficient and less user-friendly. Today, in the world of smart phones, whistleblowers are more likely to attach pictures and text files as evidential material, which is valuable for the investigations.

This move away from telephone reporting was supported in a poll of Compliance officers we conducted at the 3rd Summit on Anti-Corruption (Nordics Edition) in November 2016. Nearly 80% of Compliance officers revealed that they preferred to receive whistleblowing reports through a web service, whereas only one in ten preferred to receive them via the telephone, read more.

So our advice is to offer voice phone whistleblowing hotlines as an option only in countries where Internet access is not widespread, or for employee groups that might hesitate to report in writing.

7. How can we protect whistleblowing data? Our Board is worried that we might spread sensitive data or fail to comply with the GDPR, for example?

Our advice here is simple – ensure you select a whistleblowing system with the very toughest security on the market! We think it is key that our customers control their own data and that it is not accessible to any persons not authorised by the customer. Suppliers should access encrypted data, it should not be accessible to read. The decision on the individuals to whom access to sensitive data should be given must at all times remain with the customer.

Data security is something we feel very strongly about at WhistleB. From the beginning we have been fully behind all regulatory moves towards more secure management of personal data, as we knew that this one principle, above all others, is fundamental to the proper working of an organisational whistleblowing system. Top security in whistleblowing systems is the very foundation of trust, and it is what we thought lacked in the systems we came across in our former roles. This is one of the reasons we started WhistleB.

And it is why we started readying our whistleblowing system to be fully compliant with the EU's GDPR regulations some six years ago. We do not see data security and regulatory compliance as a cumbersome matter, we see it as a competitive advantage for our product, and therefore for our customers. Read more at this link about the security measures we have taken to ensure that we always provide market-leading IT security in our whistleblowing service.

So there you go, our very best advice for implementing a trusted an efficient whistleblowing system. But there's one more thought we'd like to leave you with. We've talked a lot about whistleblowing in the context of risk management, of protecting the company brand. We would also argue that a whistleblowing service is a brand enhancer, a way to strengthen the organisation's sustainability profile. Here's our argument...

There's tough competition for attracting the best talent, and today, the younger generation is more likely to select an employer whose values match their own. We are also seeing that existing employees are more loyal if they feel they are in companies where they know they will be safe, where ethics are taken seriously.

When we put this knowledge together with the recent #Metoo campaign, we're inclined to say that what we're currently seeing is a grass-roots movement. A more aware labour force has spoken out – and what it wants is ethical business.

Digital tools, such as an online whistleblowing system, provide opportunities to respond in new ways. Forward-thinking leaders who take business ethics seriously will already have a robust code of conduct in place. Above and beyond that though, they will be able to point to tools and other mechanisms that underpin their code of conduct, give their employees a voice and strengthen their brand as a responsible employer, such as a secure, online whistleblowing system.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Events from this Firm
21 Aug 2019, Webinar, Stockholm, Sweden

EU:s direktiv kan ses som ett svar på en global mega-trend för främjande av transparens. Vilka krav ställer den nya lagen? Och vad är avgörande för en trovärdig hantering av visselblåsarärenden?

Similar Articles
Relevancy Powered by MondaqAI
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions