Four ways to boost your whistleblower program's effectiveness

insight featured image
Imagine for a moment that someone in your organization knew of some internal wrongdoing, such as theft or an undisclosed conflict of interest. Perhaps they have proof that your CEO is taking advantage of company assets for their own personal benefit. Maybe they’ve witnessed senior-level employees committing fraud.

Do they know how to safely bring that information forward? And will they feel certain that they won’t be victimized or retaliated against because they report this inappropriate behaviour? 

In truth, many whistleblowers, including those real-life examples cited above, don’t know how to proceed when they spot wrongdoing. In the case of the fraudulent senior-level employee, the potential whistleblower didn’t know of any channel to communicate wrongdoing with the company’s owners. In an anonymous survey conducted by Grant Thornton, the employees noted that they wanted to report the fraud, but didn’t know how. 

"I wanted to tell the owners, I knew they would care, but I didn't have any way to communicate with them."        

 Potential whistleblower

Even when employees know how to report illegal or unethical behaviour, they may fear repercussions. In the case of the unethical CEO, whistleblower complaints at that company went directly to that same CEO, making it all but impossible to report his wrongdoing. The staff member who was aware of this incident subsequently stated that they didn’t file a report because they didn’t want to lose their job.  

The moral of the story? It’s not enough to simply have a whistleblower program, it needs to be well communicated and properly designed. If you haven’t had any reports on your whistleblower hotline, don’t assume there’s no problem—it could be a sign of a bigger problem. 

If you haven't had any reports on your whistleblower hotline, don't assume there’s no problem—it could be a sign of a bigger problem. 

To avoid the most common missteps in developing a whistleblower program and reap the significant benefits of this affordable fraud detection tool here are four things to keep in mind. 

1. Bolster program awareness and access 

For a whistleblower program to be effective, people need to know it exists, how it works and how to access it. Despite this being a critical step, in our experience, about 50 per cent of companies that implement programs don’t offer basic education and awareness to their staff. 

To remedy this issue, include the details of your program in key organizational documents like your code of conduct, employee manual, ethics policy, and even your supplier and vendor contracts. And don’t forget to include posters and contact cards in key locations throughout your organization, such as staff lunchrooms and work stations. Basically, you want everyone to know that you have a multi-lingual program available 24/7 that they can access by phone, email or online. 

Include the details of your program in key organizational documents like your code of conduct, employee manual, ethics policy and even your supplier and vendor contracts.

To better understand employees’ knowledge of the program, it’s helpful to include questions about your whistleblower program in an annual employee survey to understand which communication efforts are working and which aren’t.  

But, communications alone can’t make your program succeed. It is critical that you hold in-person annual training sessions on fraud prevention, regularly discuss how to identify red flags,  and explain how to report suspicious activity with your employees. Encouraging this open communication and reporting will demonstrate a strong tone at the top and underscore that there is zero tolerance for fraudulent behaviour. 

In a similar vein, executives must be briefed on how the program works and the legal implications of breaking whistleblower protection laws. This was something Barclays learned the hard way after its CEO tried to uncover the names of two whistleblowers who filed complaints against company executives. After investigation, it was discovered that other senior executives and members of the board of directors also failed to act appropriately. In the end, the company was fined £642,430 by the Financial Conduct Authority and the Prudential Regulation Authority, as well as US$15 million by the New York State Department of Financial Services . All too often we see companies inappropriately focusing on identifying who blew the whistle rather than on fixing the root cause of the problem in their organization. 

2. Guarantee anonymity 

It’s not enough to promise that a whistleblower report will remain confidential, there needs to be appropriate controls and reporting mechanisms in place to make sure that whistleblowers can remain anonymous (should this be their desire). This means using a system that assigns each report a case file number and omits any information that could potentially identify the whistleblower, like their department or position. Additionally, each case file should be handled according to a pre-defined and well-publicized protocol that aims to protect the whistleblower above all else. 

It’s also important to have a system that allows two-way communication with the whistleblower without their identity being exposed. Many organizations don’t realize this is even an option. On a regular basis, we hear key decision makers say that having an anonymous whistleblower program means they won’t be able to fully investigate the potential issue, which is simply not true. 

The goal here is to give whistleblowers an appropriate reporting mechanism, along with the confidence to come forward because they understand and trust the system. This means eradicating any fears that reports will be disclosed or personal identities revealed. If whistleblowers believe there’s any chance of personal retaliation, reprisal, victim-blaming or other negative consequences, they will not come forward. 

If whistleblowers believe there's any chance of personal retaliation, reprisal, victim-blaming or other negative consequences, they will not come forward. 


3. Give your program teeth 

To encourage your employees to assume the risks of whistleblowing, you need to prove that you’ll follow up credible reports with appropriate action. This means the board and senior levels of management must be fully committed to the program—and they have to be able to demonstrate it. If employees see that nothing gets done when people report potential issues, they’ll lose faith in the system and stop using it. 

One way to demonstrate this commitment is through a clearly-defined and highly publicized response protocol—one that outlines which departments are involved in whistleblower reports (e.g., legal, HR, investigative and IT), how investigations are conducted and how remediation plans are implemented. In addition to being experienced and, ideally, independent, your investigative teams should also be capable of responding quickly. Again, demonstrate zero tolerance for fraud and inappropriate behaviour. 

4. Aim for appropriate oversight 

Above all, your whistleblower program should not be the responsibility of a single person. Rather, it needs to report to the board or other high-level governance oversight function. Otherwise, a single person or group, through budget cutbacks or other interference, could impair the program’s objective, independence and overall effectiveness. 

Get the most out of a good thing—it’s a no-brainer! 

Whistleblower programs are invaluable tools in the fight against white collar crime. To realize their full benefit, however, organizations should properly design these programs and equip whistleblowers with the protections and knowledge they need to confidently come forward. 


The information contained herein is prepared by Grant Thornton LLP for information only and is not intended to be either a complete description of any issue or the opinion of our firm. You should consult your Grant Thornton LLP advisor to obtain additional details and to discuss whether the information provided here applies to your specific situation.