Over the last year whistleblowing has received significant media attention, including in relation to:

  • The “Horizon scandal” at the Post Office;
  • Safety concerns at the aerospace company Boeing;
  • Criticism of the BBC by whistleblowers in relation to the inquiry into a prominent former news presenter;
  • The sewage scandal in the water industry; and
  • Whistleblowers in the NHS raising issues such as patient safety and bullying.

These and other whistleblowing cases have highlighted that many organisations have inadequate or poorly implemented whistleblowing processes.

Whilst the reasons for this can vary, we frequently find that organisations overlook the importance of establishing effective whistleblowing mechanisms as part of their compliance and governance frameworks.

Whistleblowing should be a core component of those frameworks. Effective whistleblowing can facilitate the detection and prevention of misconduct, unethical behaviour, unlawful activities or other wrongdoing, which may help organisations to avoid or limit serious damage, harm and loss associated with those activities. This can include significant reputational damage for organisations that fail to listen to whistleblowers or where whistleblowing reports are mishandled.

In this article we explore:

  • What whistleblowing is;
  • The EU Whistleblowing Directive;
  • Why effective whistleblowing is important;
  • Key components of an effective whistleblowing process; and
  • What organisations may want to consider in relation to whistleblowing.

What is whistleblowing?

Whistleblowing is when an individual (the whistleblower) raises a concern to one or more individuals in a position of authority. The nature of the concern can vary but may relate to alleged acts or omissions relating to breaches of an organisation’s policies and procedures, misconduct, perceived danger, risk, unethical behaviour (including fraud or bribery and corruption), unlawful activity or other wrongdoing.

Generally, the term whistleblowing is used where a whistleblower, with knowledge of suspected misconduct being committed in, by or on behalf of an organisation, makes a report to a relevant group [1], leading to action to confirm the accuracy of the report and, where necessary, further responsive action to address the misconduct.

The European Union (‘EU’) Whistleblowing Directive

From a European perspective, one of the most significant recent developments in the whistleblowing landscape was the publication of the EU Whistleblowing Directive (the ‘Directive’) in 2019. This was prompted, at least in part, by strong public pressure on policymakers to improve protection for whistleblowers linked to high-profile whistleblowing reports [2].

The Directive instructed each EU Member State to implement legislation requiring in-scope organisations to adopt minimum standards (based on best practices) in their whistleblowing processes, including around the:

  • Establishment of accessible, confidential and secure whistleblowing reporting channels;
  • Implementation of mechanisms to enable whistleblowing reports to be responded to and followed up on a timely basis [3];
  • Provision of training around whistleblowing to relevant groups of individuals, such as employees; and
  • Protection of whistleblowers [4] from retaliation.

From December 2023, the Directive has applied to all private and public sector organisations [5] with more than 50 employees, all regulated entities within the financial services sector and entities susceptible to money laundering or terrorist financing, regardless of their size.

Certain EU Member States have implemented more stringent legislation that goes beyond the minimum standards established by the Directive. For example, Sweden has extended whistleblowing protection to individuals who provide assistance to a whistleblower.

You may be wondering whether the Directive applies to UK organisations.

The answer is that, as the UK is no longer an EU Member State, there is no legal requirement for the UK to implement the Directive. However, the Directive remains relevant for UK organisations with operations in the EU, and the minimum standards it establishes may be a useful reference point for organisations seeking to implement an effective whistleblowing process.

Why effective whistleblowing is important

Effective whistleblowing may bring multiple benefits for an organisation. These include:

  • Should misconduct, unethical or unlawful activity occur, it may be easier to detect and detection may occur earlier. This can enable such activity to be addressed more quickly and stop it continuing or escalating, which may potentially prevent serious damage, harm and loss;
  • Individuals may be less likely to perpetrate misconduct, unethical or unlawful activity at organisations where other individuals are encouraged to speak up about such activity and management are more likely to take appropriate action;
  • Organisations may find it easier to establish an open and honest culture, which can potentially result in improved levels of communication, productivity and trust;
  • Significant reputational damage may be avoided if whistleblowing occurs through appropriate internal channels rather than to external parties; and
  • Whistleblowing may help organisations to identify areas of risk, including those that are new or emerging, and understand them better.

The UK is currently experiencing high levels of fraud. Estimates from the Crime Survey for England and Wales published by the Office for National Statistics (the ‘ONS’) indicate that individuals experienced 3.1 million fraud incidents in 2023, with fewer than one in seven fraud offences reported to the police or Action Fraud. Based on research published by the Association of Certified Fraud Examiners, 43% of occupational fraud [6] was identified through a tip-off from a whistleblower, which emphasises the importance of effective whistleblowing in detecting fraud.

Operating in an environment with high levels of fraud may result in organisations receiving higher numbers of whistleblowing reports and put increased strain on whistleblowing mechanisms. For those organisations without effective whistleblowing processes this could present a serious problem.

Key components of effective whistleblowing

There are various components involved in the establishment of effective whistleblowing mechanisms, including:

  • Investment in appropriate technology: To encourage whistleblowing, individuals need to have trust in whistleblowing channels. It is therefore important for the underlying technology to enable whistleblowing reports to be made in an anonymous, confidential and secure manner. A robust audit trail may help to improve confidence in whistleblowing reporting and reduce inappropriate interference. Technology can also facilitate a faster response to whistleblowing reports, for example, by supporting effective triage of whistleblowing reports.
  • Independence and proportionality in response: An organisation’s response to each whistleblowing report should be independent and proportionate to what is communicated, to help avoid unnecessary costs and ensure appropriate action is taken. This may require the establishment of a robust triage process to help evaluate the significance of each report, implementation of a framework to help an organisation determine how to respond in different situations and the involvement of independent individuals in the organisation’s response.
  • Monitoring and review: Regular monitoring and review of whistleblowing mechanisms may help organisations to determine whether they are operating effectively and help to identify issues on a timely basis. This should involve consideration of the end-to-end whistleblowing lifecycle and build on lessons learned in relation to historic whistleblowing reports.

What organisations may want to consider in relation to whistleblowing

Organisations seeking to assess and, where necessary, improve the effectiveness of their whistleblowing processes may wish to ask the following questions:

  • How many reports were received through the organisation’s whistleblowing channels in the last year? Does this suggest that there are potential barriers discouraging individuals from making a whistleblowing report?
  • How are whistleblowing reports triaged?
  • How long does it take for whistleblowing reports to be investigated? Who is responsible for this?
  • What monitoring is performed over whistleblowing?
  • What training is provided around whistleblowing? Who is this provided to?

KPMG can provide a range of support to organisations in relation to whistleblowing. This includes:

  • Direct ad-hoc consultation on whistleblowing;
  • Assessment of the effectiveness of an organisation’s whistleblowing processes and identification of areas for possible improvement;
  • Assistance with design and transformation of whistleblowing mechanisms; and
  • Outsourced management of the end-to-end whistleblowing lifecycle in line with the organisation’s requirements utilising KPMG’s global reach.

If you would like to discuss the topic of whistleblowing in more detail, including how KPMG can support your organisation, please contact Richard Haynes or Matthew Croad.

1. Such as senior management within the organisation, a regulator, a law enforcement agency, the press or the general public.

2. Such as the leaking of the Panama Papers and LuxLeaks.

3. The Directive includes a specific, prescriptive timeline, including requirements for organisations to acknowledge receipt of a whistleblowing report within seven days and provide an update to the whistleblower on the investigation within three months of the initial report.

4. This protection is available to individuals who report breaches of EU law within specific areas (such as public procurement, financial services and transport safety) that they reasonably believe, at the time of the whistleblowing report, to be true and to constitute a threat or harm to a specified public interest. The whistleblower must also make their report in the context of their “work-based relationship” with an organisation.

5. Both companies and public bodies.

6. The Association of Certified Fraud Examiners define ‘occupational fraud’ as “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets” (i.e. “fraud committed by individuals against the organizations that employ them”).