How to implement a whistleblowing system – case management

May 25, 2021

In this third article in our series on how to implement a whistleblowing system, we look at the specific elements of whistleblowing case management. In article one, we provided guidance to help you with communication about whistleblowing to build trust, help people feel safe to report and educate them about why and how. Article two focused on preparing the organisation (aside from the system), in terms of the correct team, key procedures and legal matters.

So now when the whistleblowing reports start to come in, how do you process them? 

1. Receiving a report

Confirm that the report has been received
When the receiving team is notified that a report has been received, they should aim to log in as soon thereafter as possible to check the report. Response is a critical part of building trust in the whistleblowing case management process so the whistleblower needs to know quickly that the report has been received. The EU Whistleblower Protection Directive defines a “timely response” as sending an acknowledgement of receipt of the report to the whistleblower within seven days. This can happen automatically through a digital solution.

Assess whether the report constitutes a whistleblowing case
Next, the whistleblowing team needs to assess the content and decide whether to accept or decline the report as a whistleblowing case. In the event that it is not accepted, it is good practice to inform and refer the reporter to the appropriate place. (Link to previous blog in the series). The whistleblowing team may decline a message if:

  • the alleged conduct is not reportable under the organisation’s whistleblowing guidelines
  • the message has not been made in good faith or is malicious
  • there is insufficient information to allow for further investigation

Delegate the report and monitor it throughout case management
If the report is to be processed as a whistleblowing case, it should be categorised and securely delegated to the correct person or case management team to take further action. Cases should also be monitored to ensure that appropriate progress is being made once they have been delegated.

2. Investigating a whistleblowing report 

Each case will need to be investigated as appropriate to the specific situation, however, the whistleblowing system functionality should allow you to do the following:

Maintain full security
All communication related to the case must adhere to strict data protection laws and uphold the confidentiality and/or anonymity of the reporter. To facilitate this, consider implementing a whistleblowing system that allows secure chat between authorised individuals, secure re-assignment of cases and secure dialogue with the whistleblower. Encryption of data in transit and in storage and non-traceability of IP addresses are just some of the security features that should be in place.

Obtain more information from the whistleblower 
Whistleblower reports are seldom perfectly packaged for investigation when they come in from the whistleblower. Your whistleblowing process should therefore allow for dialogue with the reporter, either through a technology solution or other robust feedback process. A dialogue establishes trust and enables you to get to the core of a report. The system should therefore support secure file uploads from the whistleblower, if your whistleblower team requests such materials as evidence. 

Appoint the correct experts
Since the subject matter of whistleblower reports can vary widely, it is not uncommon for additional experts to be needed to investigate the case properly. These may include professionals such as employment lawyers or economic crime investigators, and they may be internal or external to your organisation. Once the case has been categorised, the system should have functionality to add in these experts to the team, securely and on a case-by-case basis.

Provide further feedback to the whistleblower
According to the EU Whistleblower Protection Directive organisations will need to give feedback to the whistleblower about the follow-up to the report within three months. Regardless of whether your company is subject to this law, it is good practice to provide feedback to build trust. However, the right balance has to be found between the rights and obligations of the whistleblower, the company and other people involved (e.g. the accused). So proceed with caution in this situation. Do not share sensitive information with the whistleblower, as it may be detrimental to the investigative process and resolution of the wrongdoing. If the reporter is anonymous, extra care may be needed to build up trust on both sides. Technology can assist in allowing for a dialogue while the anonymity of the whistleblower is maintained. 

3. Recording, deleting and archiving the report correctly

Record: Always ensure you keep proper records and process all data in compliance with applicable laws. This entails keeping records of every report received as well as the actions taken by each member of the case management team.

Delete: Personal data in whistleblowing reports and investigation documentation should subsequently be deleted once the investigation is complete, with the exception of any personal data that must be kept for legal purposes. 

Archive: Some laws require that archived investigation documentation and whistleblower reports must be anonymised. In other words, they must not include personal data through which persons can be directly or indirectly identified. 

If you would like more practical guidance on how to implement a whistleblowing system, we recommend you take a look at our easily digestible handbook: The ABC guide for establishing a whistleblowing solution that increases customer and employee satisfaction. Download the e-book or order a hard copy from Amazon or Bokus.


Your message was successfully send. We will get in contact with you as soon as possible.

There seems to be some problem when sending your message. Try again soon.