Step 1: Separate the wheat from the chaff
First and foremost, you should identify reports that are not compliance-relevant or are even denunciatory. For example, complaints revolving around personal grievances do not need to be investigated.
Nevertheless, it is important to provide feedback to the whistleblower and, where appropriate, take action if an abusive report has been made that is clearly in breach of internal policies.
Step 2: Contact the whistleblower
Establish communication with the whistleblower as soon as possible. If a response to the whistleblowing report is not provided within a few days, you risk employees losing confidence in your whistleblowing system and its credibility being damaged. Ideally, develop a whistleblower feedback template in advance so that you can react to reports quickly.
If a report doesn’t contain sufficient grounds to suspect actual misconduct, be sure to ask the whistleblower to provide more detailed information on the incident in question. Digital whistleblowing systems allow whistleblower communication by means of integrated mailbox functions.
It is important to remember that in EU member states, the new Whistleblowing Directive has made communication between the organisation and the whistleblower mandatory. The person speaking up must be updated about the progress of the investigation at regular intervals.
Step 3: Get to the bottom of things
Internal investigations should be initiated promptly if there is sufficient evidence to indicate that a compliance violation has occurred. The bulk of the investigation generally consists of the evaluation of documents (including evidence received from the whistleblower), as well as interviews with employees and potential further discussions with the whistleblower.
When doing this, make sure to comply with labor law, confidentiality and data protection requirements. Ideally, all relevant documents and investigation results should be saved in the secure Case Management area of your whistleblowing system.
Step 4: Take corrective measures
After the completion of any investigation, you will need to summarize results for management, including any corrective measures that have been taken or are planned. Sanctions and other processes should be transparently communicated within the organization. At the end of the investigation, close the incident in your Case Management system and anonymize any collected personal data, if necessary. For reporting and archiving purposes, all cases should remain within the whistleblower system.
To sum things up:
- Carefully consider how your organization plans to respond to an incoming report/incident if the report is received while you are still in the process of implementing a whistleblowing system.
- Opt for a whistleblowing system which allows you to process cases in a well-structured way and to communicate securely with the whistleblower.
- In the event that you receive a report, react quickly and follow the steps outlined above.