EU Whistleblower Directive; how will you follow-up?

How to adequately respond to whistleblower reports?

In our previous blogs, we assessed the requirements and implications of the EU Whistleblower Directive, based on the text and explanation of the Directive itself. Additionally, we explored the design and implementation of an effective whistleblower or speak-up program. In this blog we summarize what organizations should have in place to adequately respond to the receipt of a whistleblower report.

Implementing an effective whistleblower framework is only the first step; response is an increasingly important part of every company’s compliance environment. Whistleblower reports demand special attention from an organization’s decisionmaker and require an unique set of skills and competences. Every organization should have an adequate process in place to respond to incoming reports, including protocols for conducting investigations. A complicating factor in responding to whistleblower reports is the variety of the concerns that are being reported. Such reports can vary from #metoo concerns to allegations of fraud or bribery and corruption. 

Triage process

Responding to reported concerns starts with assessing the incoming report; the triage process. The purpose of this process is to determine the nature of the reported concern, whether the report requires an investigation and if so, what type of investigation is appropriate. In that case, one should also determine who should investigate the matter. This person can be found within an internal department (e.g., internal audit, compliance, HR) or externally. Furthermore, in certain cases (external) support from forensic accountants or legal counsel might be necessary. It might even be necessary to involve all of these parties. A critical element of the triage process is to determine the validity of the reported concern, as well as the possibility to investigate (i.e., is there sufficient information and a reasonable possibility of obtaining further information?) Having a triage protocol including division of roles and responsibilities is key.

Guiding principles

If the reported concerns require an investigation, it is critical that the investigation is conducted in line with the organization’s values, procedures, protocols and best practices. The application of such policies should be tailored to the nature and context of the case. Furthermore, the following guiding principles are crucial to the success of an effective investigation.

  1. Laws and regulations – All applicable local laws and regulations in a specific jurisdiction in which an investigation takes place must be adhered to.
  2. Confidentiality – Appointed investigator(s) should work under strict confidentiality and under the supervision and instruction of for example an ethics and integrity commission.
  3. Independence – Appointed investigator(s) must be sufficiently independent and be perceived to be so, to perform the investigation in an objective manner (e.g., the investigators should not be a direct colleague, the direct manager or the direct report of the individuals involved in the reported concern).
  4. Proportionality – The investigator(s) must choose investigation procedures that are legal and proportional to the nature and size of the concern being investigated and sufficient to achieve the investigation objective(s). Investigation procedures should not have a disproportional impact on the privacy of the individuals involved in the reported concern.
  5. Fair hearing – All individuals involved in the investigation (e.g., the whistleblower, the implicated) should be provided with the opportunity to reply to and understand all the facts and perceptions relevant to them.
  6. Reasonable timeframe – The investigation must be conducted and completed within a reasonable timeframe.
  7. Proper documentation – The investigation process and the results thereof should be well documented and/or stored in secured internal files (audit trail).

The investigation process

Organizations should have an investigation protocol in place which instructs investigators on how to perform investigations with due care. Wrongfully executed investigations can have a detrimental impact on the organization and all people involved. The investigation process typically consists of five main phases:

  1. Initiation – This phase involves further obtaining an understanding of the matters to be investigated and evaluating those factors/conditions that might impact the investigation.
  2. Planning – Planning is essential to help ensure the investigation has clear objectives and that the engagement strategy aligns with the objectives. Investigations, by nature, can grow rapidly and lead investigators in many directions. Therefore it is important that each step in the investigation process is properly considered in terms of what is going to be completed and what will be achieved.
  3. Information gathering – This phase involves the identification and collection of information. Given the possibility that the investigation results can be used in future court cases or regulatory action, investigators must have a strong focus on the sound collection of evidence.
  4. Analysis and interpretation – The type of analyses to be performed highly depends on the nature of the investigation. The objective of the analysis and interpretation phase is to analyse the information collected during the gathering information stage. This is important in order to assist in proving or disproving the concerns and to ultimately arrive at a factual conclusion.
  5. Reporting and closure – This phase involves reporting on findings from the investigation that are synthesized and analysed into meaningful and actionable recommendations. Furthermore, the report should be able to withstand scrutiny from third-parties, courts of law and other regulatory bodies.

It is important to note that the investigation process is presented as a linear process. However in practice investigator find themselves going back and forth between phases. For example, if new information is discovered in the information gathering or analysis phase, investigators might need to revise the initial investigation planning.

The way forward

As discussed in this and the previous blogs, there are many aspects to adequately following up on an incoming report. Organizations should consider the governance details, have the correct tooling and policies in place, perform a triage process to determine how to follow-up and – in some instances – perform an investigation. In case of the latter, organizations should adhere to the described guiding principles and implement an effective investigation process.

Despite the fact the before mentioned assets of whistleblower might be challenging for your organization, it can also be highly beneficial. A study shows that 43% of researched fraud schemes were identified based on a tip, of which half were made by employees.1  In addition, an effective whistleblowing framework including (investigative) follow-op procedures could lead to detecting misconduct in an early stage. Furthermore, it provides better insight into the effectiveness of the internal control framework.

Contact us to discuss how you can design and implement
effective protocols and procedures. 

 1Study ‘Report to the Nations’ of the Association of Certified Fraud Examiners (2020), accessible via 

Did you find this useful?