How to Build a Whistleblowing Policy: A Step-by-Step Guide for 2026


A code of ethics tells people what you stand for. A whistleblowing policy is the mechanism that lets them tell you when something is going wrong. Without a safe, trusted way to speak up, your values are aspirations on paper. This guide walks you through building a whistleblowing programme from scratch: what the policy must contain, which reporting channels to offer, how to protect people from retaliation, the workflow for handling a report, and how to tell whether the programme actually works.


Why 2026 Is the Year to Get This Right

Speak-up activity tends to climb during periods of economic pressure and organisational change, exactly the conditions many businesses face now. Reporting volumes have been rising for years. NAVEX's 2024 benchmark report, drawn from 3,784 organisations and 1.86 million reports, found that the median share of substantiated reports reached 45%, an eleven-year high, with anonymous reports making up a median of 56% of the total. People are speaking up more, and a growing share of what they raise turns out to be founded.

The legal backdrop is shifting too. The United States Department of Justice launched its Corporate Whistleblower Awards Pilot Program on 1 August 2024, offering discretionary financial awards for original information leading to forfeiture. In the UK, Parliament is debating the Office of the Whistleblower Bill, and HM Revenue and Customs announced in March 2025 a reward scheme for informants in larger tax cases. Across Europe, the Whistleblowing Directive has already pushed mandatory internal channels down to firms with 50 or more workers, and connected supply-chain rules are passing the same expectations on to smaller suppliers. The direction of travel is clear, and waiting for an incident to force your hand is the most expensive way to build a policy.

What a Whistleblowing Policy Must Contain

Before you choose tools or write procedures, agree what the document itself needs to cover. A policy that leaves any of the following unanswered will create confusion at the worst possible moment. Use this as a copy-ready checklist when you draft.

  • Purpose and scope. What the policy is for, and who it covers. Extend it beyond employees to contractors, agency staff, suppliers, volunteers and former workers, since they often see things employees do not.
  • What can be reported. Concrete examples: fraud, bribery, health and safety breaches, data misuse, harassment, environmental harm, regulatory non-compliance. Make clear that honest mistakes raised in good faith are welcome, not punished.
  • How to report. Every available channel, with the contact details, and plain instructions for using each one.
  • Confidentiality and anonymity. What you will keep confidential, when identity might have to be shared, and whether anonymous reports are accepted.
  • Anti-retaliation protection. A clear statement that anyone who raises a concern in good faith will not suffer any detriment, and that retaliation is itself a disciplinary matter.
  • The process after a report. Acknowledgement timeframes, who triages, how investigations run, and what feedback the reporter can expect.
  • External routes. The regulators or bodies a person can go to if internal channels fail or are not appropriate.
  • Roles and ownership. Who owns the policy, who investigates, and who the report goes to if it concerns those people.
  • Records and review. How reports are logged, how data protection is respected, and when the policy is reviewed.

ISO 37002:2021, the international guideline for whistleblowing management systems, organises the whole process around four steps: receiving reports, assessing them, addressing them, and concluding cases. It is guidance rather than a certifiable standard, but it is a useful structure to test your draft against.

Step 1: Secure Leadership Commitment and Assign Ownership

A whistleblowing programme stands or falls on whether people believe leadership means it. Before drafting a word, get the owner or board to agree two things: that reports will be taken seriously and acted on, and that no one will be punished for raising a concern in good faith. Put a named senior person in charge of the programme, and identify a separate route for reports that concern that person or the owner.

In a small business this does not require a department. It requires one accountable owner of the policy, one or two trained people to handle reports, and a board-level commitment that the rules apply to everyone, including the people at the top.

Step 2: Choose Your Reporting Channels

People differ in how they want to raise a concern. Some will walk into a manager's office; others will only ever use a route that does not reveal who they are. Offering more than one channel, so that everyone has a route they are comfortable with, is one of the strongest drivers of whether people use the programme at all. The four common options each have trade-offs.

Channel: Named contact (manager, HR, designated officer)
  Strengths: Personal, allows follow-up questions, fast
  Limitations: No anonymity; depends on trust in that person
  Best for: Smaller teams, lower-sensitivity concerns

Channel: Dedicated email or web form
  Strengths: Low cost, always open, creates a record
  Limitations: Not anonymous: the sender address, IP address and login session are visible to whoever administers the mail server or intranet; needs disciplined monitoring
  Best for: Most small and mid-size businesses

Channel: Phone hotline
  Strengths: Accessible to staff without easy computer access, feels human
  Limitations: Cost if outsourced; needs trained handlers
  Best for: Frontline, shift or field-based workforces

Channel: Third-party platform (independent hotline or software)
  Strengths: Genuine anonymity, secure two-way messaging, audit trail
  Limitations: Subscription cost; another supplier to manage
  Best for: Firms wanting credible independence and anonymity

A practical baseline for a small business is a named contact plus a confidential web form or email (confidential rather than anonymous, since your own administrators can see who sent it), with a third-party platform added as you grow or if your sector carries higher risk. Whatever you choose, the channel must be easy to find. List it in the policy, the staff handbook, on the intranet, and on posters where people can read the details without anyone watching over their shoulder.


Step 3: Guarantee Confidentiality and Anonymity

Confidentiality and anonymity are not the same thing, and your policy should be precise about both. Confidentiality means you know who the reporter is but you protect their identity, sharing it only where strictly necessary and with their knowledge where possible. Anonymity means the reporter never tells you who they are.

State plainly what you can promise. You can promise to limit who sees a report, to keep identities out of investigation paperwork, and to ask before revealing a name. You cannot always promise total secrecy, because some investigations or legal processes may eventually require disclosure. Being honest about that boundary builds more trust than an overblown promise you cannot keep. Anonymity is a property of the channel, not of the promise: a form on your intranet or a mailbox you administer records who connected, when and from where, so anyone with access to those logs can tie a report back to a person. A channel whose metadata you cannot see, typically an independent platform or a hotline run by a third party, is what makes anonymity real. Where you accept anonymous reports, use a channel that allows secure two-way messaging, so you can ask follow-up questions without ever learning who the person is.

Step 4: Build Anti-Retaliation Protection Into the Policy

Fear of retaliation is the main reason people stay silent. Retaliation is rarely a dramatic sacking. More often it is subtle: a colder relationship, exclusion from meetings, a sudden dip in a performance review, being overlooked for the good projects. Your policy has to name these behaviours and forbid them.

Make the protection concrete. State a zero-tolerance rule. Treat any act of reprisal as a disciplinary offence in its own right, separate from the original concern. Limit knowledge of the reporter's identity to the smallest possible group. And keep a quiet record of the reporter's role, duties and appraisals around the time they report, so that if their treatment changes you can see it and act. As the UK charity Protect, the leading whistleblowing advice body, frames it, the goal is to make it safe to speak up, because the alternative is that problems stay hidden until they become crises.

Step 5: Design the Triage and Investigation Workflow

A report is only the start. What happens next determines whether people ever report again. Build a simple, repeatable workflow so that no report falls through the cracks and every reporter is treated the same way.

Acknowledge

Confirm receipt quickly. The EU Directive sets a seven-day acknowledgement benchmark, and it is a sensible standard to adopt regardless of where you operate. A prompt acknowledgement tells the reporter they have been heard, which is often what stops them escalating elsewhere.

Triage and assess

Decide how serious and how urgent the concern is, and whether it belongs in this process at all. Some matters are routine grievances better handled by HR; some are safeguarding or criminal issues that need immediate escalation. Screen for conflicts of interest before assigning anyone, and record the triage decision.

Investigate

Assign an investigator who is independent of the people and area involved. Gather facts proportionately, keep the reporter's identity out of the working papers, and document each step. Fairness runs both ways: the person a concern is raised about also has rights, and a well-run investigation protects everyone.

Conclude and give feedback

Reach a finding, decide on action, and close the case. Give the reporter feedback on the outcome within a reasonable time; the Directive sets a window of three months from the acknowledgement of receipt. You will not always be able to share every detail, but you can confirm the matter was taken seriously and addressed. Then capture any lessons that should change how you operate.

Step 6: Communicate and Train

A policy no one knows about is the same as no policy. Launch it deliberately. Brief managers first, because they receive most concerns in person and their reaction in the first thirty seconds shapes whether the report goes any further. Train them to listen, not to investigate on the spot, and to pass concerns into the process.

Then tell everyone else: in onboarding, in team meetings, and in the places people actually look. Repeat it. Reporting routes that are mentioned once at induction are forgotten by the time they are needed. The aim is that any worker, on any day, could tell you how to raise a concern without having to ask.

Step 7: Measure Whether the Programme Works

You cannot improve what you do not track. The instinct to read a rise in reports as bad news is usually wrong. More reports generally mean people trust the system, not that misconduct is exploding. Silence is the warning sign, because problems do not stop happening just because no one is telling you about them. Track a small set of figures and review them with leadership at least annually:

  • Report volume and trend, including the split between named and anonymous.
  • Time to acknowledge and time to close, so reporters are not left waiting.
  • Substantiation rate, the share of reports found to have merit.
  • Outcomes and actions taken, including any changes made as a result.
  • Retaliation claims, which should be rare and investigated immediately.
  • Awareness, measured through a simple staff survey question on whether people know how to report and feel safe doing so.
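The timeframes in Step 5 and the figures in this list are easy to state and easy to lose track of once cases pile up. The following is an added example, not code from the original page or from any tool it mentions: a minimal case log in Python that flags missed acknowledgement and feedback deadlines and computes the review figures above. The case IDs, dates and outcomes in SAMPLE_LOG are constructed for illustration, the three-month feedback window is approximated as 90 days (an assumption of this example), and the log deliberately stores only a pseudonymous case ID, on the principle from Step 5 that the reporter's identity stays out of the working record.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional

# Timeframes as the guide describes them from the EU Whistleblowing Directive:
# acknowledge within seven days, feedback within three months of that
# acknowledgement. Three months is approximated as 90 days here (an assumption).
ACK_SLA_DAYS = 7
FEEDBACK_SLA_DAYS = 90


@dataclass
class Report:
    """One entry in the case log. Only a pseudonymous case_id is held here; the
    reporter's identity, if known at all, lives in a separate restricted store
    and is never written alongside the working record."""
    case_id: str
    received: date
    acknowledged: Optional[date]      # None until an acknowledgement is sent
    closed: Optional[date]            # date the outcome was fed back and the case closed
    anonymous: bool
    substantiated: Optional[bool]     # None while the case is still open
    retaliation_claim: bool = False


def feedback_deadline(r: Report) -> date:
    """Feedback is due three months from the acknowledgement, or, if none was
    sent, from the expiry of the seven-day acknowledgement window."""
    start = r.acknowledged if r.acknowledged else r.received + timedelta(days=ACK_SLA_DAYS)
    return start + timedelta(days=FEEDBACK_SLA_DAYS)


def sla_breaches(reports, today: date):
    """Return (case_id, reason) for every case that missed, or is currently missing, a deadline."""
    breaches = []
    for r in reports:
        ack_deadline = r.received + timedelta(days=ACK_SLA_DAYS)
        if r.acknowledged is None:
            if today > ack_deadline:
                breaches.append((r.case_id, "acknowledgement overdue"))
        elif r.acknowledged > ack_deadline:
            breaches.append((r.case_id, "acknowledged late"))
        fb_deadline = feedback_deadline(r)
        if r.closed is None:
            if today > fb_deadline:
                breaches.append((r.case_id, "feedback overdue"))
        elif r.closed > fb_deadline:
            breaches.append((r.case_id, "feedback late"))
    return breaches


def programme_metrics(reports):
    """The Step 7 review figures, computed over the whole case log."""
    total = len(reports)
    closed = [r for r in reports if r.closed is not None]
    decided = [r for r in closed if r.substantiated is not None]
    ack_days = [(r.acknowledged - r.received).days for r in reports if r.acknowledged]
    close_days = [(r.closed - r.received).days for r in closed]
    return {
        "total_reports": total,
        "open_cases": total - len(closed),
        "anonymous_share": round(sum(r.anonymous for r in reports) / total, 2) if total else None,
        "median_days_to_acknowledge": median(ack_days) if ack_days else None,
        "median_days_to_close": median(close_days) if close_days else None,
        "substantiation_rate": round(sum(r.substantiated for r in decided) / len(decided), 2) if decided else None,
        "retaliation_claims": sum(r.retaliation_claim for r in reports),
    }


# Constructed sample log (not real cases), dated so that each deadline rule is exercised:
# WB-0002 was acknowledged on day 11, WB-0003 is open past its feedback deadline,
# WB-0004 has never been acknowledged.
SAMPLE_LOG = [
    Report("WB-0001", date(2025, 1, 6), date(2025, 1, 8), date(2025, 2, 20), anonymous=True, substantiated=True),
    Report("WB-0002", date(2025, 1, 20), date(2025, 1, 31), date(2025, 3, 3), anonymous=False, substantiated=False),
    Report("WB-0003", date(2025, 2, 3), date(2025, 2, 4), None, anonymous=True, substantiated=None),
    Report("WB-0004", date(2025, 6, 2), None, None, anonymous=False, substantiated=None, retaliation_claim=True),
]
REVIEW_DATE = date(2025, 6, 16)

if __name__ == "__main__":
    for case_id, reason in sla_breaches(SAMPLE_LOG, REVIEW_DATE):
        print(f"{case_id}: {reason}")
    for name, value in programme_metrics(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run against the sample log on the review date, the breach check reports WB-0002 as acknowledged late, WB-0003 as overdue for feedback and WB-0004 as overdue for acknowledgement, and the metrics give a 50% anonymous share, a median of two days to acknowledge, a 50% substantiation rate and one retaliation claim. Whatever system you actually use, the same two questions (which cases have breached a deadline, and what the review figures look like) should be answerable in seconds, not reconstructed from a mailbox.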

Common Mistakes to Avoid

A few predictable errors undermine otherwise good policies. Routing all reports through line managers leaves no escape route when the manager is the problem. Promising total anonymity you cannot guarantee destroys trust the first time you cannot deliver. Writing a policy and never mentioning it again means it is never used. And treating retaliation as a soft issue, rather than a disciplinary one, tells everyone watching that speaking up is risky. Each of these is avoidable with the steps above.

Frequently Asked Questions

Is a whistleblowing policy a legal requirement for small businesses?

It depends on where you operate and how many people you employ. Under the EU Whistleblowing Directive (Directive (EU) 2019/1937), private organisations with 50 or more workers must run an internal reporting channel. In the UK, the Public Interest Disclosure Act 1998 protects workers who blow the whistle but does not force every employer to publish a policy. Even where it is not mandatory, a written policy is treated as good practice and helps demonstrate you took reasonable steps to prevent wrongdoing.

Do we have to accept anonymous reports?

The EU Directive lets member states decide whether organisations must accept anonymous reports, so the rule varies by country. As a matter of good practice, most modern programmes accept them, because some people will only come forward if they can stay unnamed. The key is to handle every report seriously whether or not the person is identified, and to keep their identity confidential when they do share it.

How quickly must we respond to a whistleblowing report?

Under the EU Directive the benchmark is an acknowledgement within seven days of receipt and feedback to the reporter within three months of that acknowledgement. Even outside the EU these timeframes are a sensible standard to write into your policy, because silence is what pushes people to report externally or to the media.

What counts as retaliation, and how do we prevent it?

Retaliation is any detriment a person suffers because they raised a concern: dismissal, demotion, being passed over, exclusion, a sudden poor appraisal, or informal freezing-out. Prevent it by stating a zero-tolerance rule in the policy, limiting who knows the reporter's identity, recording their working conditions before and after they report, and treating retaliation as a disciplinary offence in its own right.

Who should investigate whistleblowing reports?

Choose someone independent of the people and area involved. In a small business that is often a senior person outside the relevant team, a non-executive director, or an external adviser. The investigator must have no conflict of interest. If a report concerns the owner or a director, you need a route that bypasses them entirely, such as an external hotline provider or a named board member.

How do we know if our whistleblowing programme is working?

A healthy programme usually shows a steady or rising number of reports, which signals trust rather than more wrongdoing, alongside a reasonable substantiation rate and short closure times. Track report volume, anonymous versus named split, time to acknowledge and close, substantiation rate, and any retaliation claims. Review these figures with leadership at least once a year.

Moving Forward

A whistleblowing policy is where your stated values meet reality. It is the channel that turns a quiet worry into a problem you can fix before it becomes a crisis. Build it in the right order: leadership commitment first, then channels, protection, a workflow, communication, and measurement. Keep the document short and the routes obvious.

This works best as part of a wider ethical framework. If you have not yet set out your code of ethics for business owners, start there, then attach the speak-up mechanism that enforces it. Grounding both in your core ethical principles gives people a reason to use the policy, not just a procedure to follow. You can find more practical guides across the E-Business Ethics resources.

For the underlying law and protections, the UK government's official guidance on whistleblowing for employees and the European Commission's overview of whistleblower protection are reliable starting points to check what applies to your business.

Need Help Building Your Whistleblowing Programme?

We help business owners and compliance leads design speak-up policies, choose reporting channels, and set up fair investigation workflows that hold up under scrutiny. Our consulting services guide you from first draft to a programme people actually trust.
