Skip to content

What is a Whistleblower Hotline?

A well-run whistleblower hotline should be the lifeblood of compliance throughout an organization.

This is why it’s critical to build a comprehensive whistleblower hotline process with a whistleblower hotline solution. Fail to do so and your compliance team will lack the insights needed to effectively oversee corporate conduct and could ultimately put the organization at risk. A proper whistleblower hotline will help employees' concerns be heard, allow compliance to better understand the pulse of the business, and uncover bad actors.  

So, how exactly does a compliance team establish a whistleblower hotline? What are the intake channels? Are hotlines required? And most importantly: How can you put hotlines and internal reporting systems to their best use? Let’s dive right in.

What is a Whistleblower Hotline?

If you are asking yourself, what is a whistleblower hotline? Let’s first remember what a hotline is not. It is not simply a dedicated phone number that employees call to report a concern.

Sure, you can use a traditional telephone line as one aspect of your whistleblower hotline program. Just about every large company does, and just about every large company should—but under several important whistleblower laws and regulations, you don’t actually need to use a phone line.

For example, the Sarbanes-Oxley Act only requires corporate boards to “establish procedures for the receipt, retention, and treatment of complaints.” But neither SOX or the Securities and Exchange Commission (SEC) rules that put the law into effect use the word “telephone” or “hotline.” They only say the company should establish a system that’s effective in bringing employee concerns to the audit committee.

So you don’t need to use a phone hotline if you’re confident that you can maintain a good complaints intake system without one. That’s just a hard argument to make in hindsight if your phone-less system leads the company to miss a major issue and regulators start asking about the wisdom of that original decision.

In other words, the “hotline” is just the compliance industry short-hand for “a system that allows employees to bring concerns directly to management or the audit committee.” A phone line can be one avenue to submit issues, but so can email, online portals, or even conversations with managers.

A hotline isn’t a single thing any longer. It’s a multi-channel system to keep management aware of potential concerns.

What are Intake Channels?

When it comes to intake channels, there are three main methods organizations rely on. You will likely need a combination of channels, based on the industry, size, and cultural environment your business operates in, to capture the highest number of concerns possible.

whistleblower hotline

Various legislation also has different approaches to intake channels. The EU Whistleblower Directive allows reports to be made either orally or in writing, or upon request, in an in-person meeting. The 2002 Sarbanes-Oxley Act does not specify in which form reports may be made.

It’s wise to remember that there are cultural issues at play when it comes to the usage of different channels: younger generations may be more accustomed to digital communications and feel comfortable filling out a web-based form while others expect to be able to pick up the phone to relay their concern. The goal is to capture as many concerns as possible so by providing multiple channels you make it easier and more likely that employees (and third parties) will speak up.

Why Have a Whistleblowing Hotline?

That’s why an internal reporting system—call it a whistleblower hotline or whatever you want—is so crucial today. Yes, that system is a regulatory requirement to help prevent fraud, corruption, workplace harassment, and much else.

But more than that, a strong internal reporting system is instrumental in helping your company keep its corporate ear to the ground. Corporations face tremendous volatility and risk today. We need every bit of help and intelligence about those threats that we can get.

That’s how I thread the needle between our new menace of coronavirus and the age-old chestnut of talking about whistleblower hotlines. Whistleblower hotlines aren’t a regulatory burden we’re forced to deploy. They are a cornerstone of risk management, where regulatory compliance is just one of many risks we need to keep in check.

For example, we’ll need employees to report when they are feeling ill, or when they suspect a coronavirus outbreak might be happening at a company facility. We’ll also need employees to report all their “usual” concerns about improper payments or corrupt deals or harassment, although they may be submitting reports from their homes rather than an office phone. We’ll need them to warn us about cybersecurity threats, potential supply chain bottlenecks, competitors planning to merge, and lord knows what else.

Quite simply, management should want employees to warn them about anything. The more information the C-suite gets, the better its ability to identify true risks and respond astutely.

Internal reporting systems are the means to make that responsive ideal come into being. That’s why hotlines (which includes all methods of intake) are so useful. That they fulfill regulatory requirements is nice too, but a strong internal reporting system truly is a strategic advantage, too.

compliance technology

Are Whistleblower Hotlines Required?

In many cases, yes—but certainly not in all cases. Public firms in the U.S. have been required to have procedures in place since the entry into force of the 2002 Sarbanes-Oxley Act. So if your organization has a public offering on the horizon, it might be a good time to get your whistleblower hotline process in order.

The recent passage of the EU Whistleblower Directive, which will take effect in 2021, requires many European companies to have a hotline in place. The legislation requires all businesses operating in the trading block—including those headquartered outside the EU—with more than 249 employees to install internal reporting mechanisms allowing their employees, and in many cases also designated third parties, to lodge complaints anonymously.

Notably, under the directive, whistleblowers will be allowed to bypass internal channels and report straight to the authorities without fear of retaliation if they do not trust the internal channels. Moreover, the directive contains language prohibiting organizations from stifling potential whistleblowers through the use of non-disclosure agreements in addition to other wide-ranging protections against retaliation. This makes it even more critical for companies to create a whistleblower hotline process that is user-friendly and easy for their employees (and third parties) to actually use.

What are Other Hotline Considerations? 

As much as hotlines, anonymous email addresses, and secure web forms are crucial to internal reporting, compliance officers need to consider a few other components that accompany the whistleblower hotline. Among them:

  • A case management system: Once a person makes a report via the hotline, the company needs a disciplined approach to investigating the issue, determining the proper course of action, and assuring that any needed actions (new controls, discipline, disclosure to regulators) actually happens.
  • Training: Employees need to trust that an anonymous hotline really is anonymous. They need to know how to use it—including when not to use it unless you want a flood of complaints about somebody’s moldy food in the breakroom. Managers also need training about how to handle a complaint once it enters the system.
  • Executive messaging: If you want employees to trust the company and use the hotline, they need to believe management is sincere. So the more senior leaders can talk about ethics and the importance of speaking up; the more they can provide real examples of how the company values good business practice—the better.

All of these factors, working cohesively, is how a company generates awareness of risks and motivates employees to call the hotline with what’s on their mind. Given everything compliance programs need to manage—and everything that all of us are enduring right now—the more an organization can make full use of its whistleblower hotline, the better.

Are Whistleblower Hotlines Really Anonymous?

At times, employees (or third parties) wanting to report potential wrongdoing may wonder if they are able to file anonymously. Fear of retaliation or other consequences are very real obstacles that compliance officers should help reporters to overcome.

Protecting reporters from retaliation inside the organization is certainly one of the most challenging aspects of any internal reporting program. One part of the challenge is distinctly human: how do you foster a culture of ethics in your organization which makes it clear that any form of retaliation is not tolerated? One part of the solution heavily leans on buy-in from the top, but also middle management.

In order to have the most claims submitted through your whistleblower hotline program, it’s essential to have anonymous reporting as an option. Fortunately, with the right ethics and compliance hotline provider, you and your employees can rest easy knowing that everything will remain anonymous. Providers can create a unique case identification number that allows follow up through chat functionality, which is often needed. Internal reporting solutions really help anonymous reports become a viable possibility and enable further communication after the initial report.

Why Your Company Needs a Whistleblower Hotline

Beyond whistleblower hotlines being increasingly required by legislation (such as the EU Whistleblower Directive), facilitating internal reporting kicks off a virtuous cycle within organizations. In fact, increased whistleblower reports are correlated with better business outcomes, having a world-class internal reporting system in place should be a top priority to facilitate employees and third parties coming forward.

However, this process by itself isn’t enough: you will need a comprehensive ethics program, and indeed a culture of ethics instilled into your business for your process to function properly. Do this well and it can lead to trust among your employees which will encourage them to speak up if they do come across misconduct.

Our investigations process is a great solution to all your internal reporting and case management needs. To read more on the topic, we highly recommend checking out The Ultimate Guide to Internal Reporting & Investigations. Not only does the eBook cover the most common case management challenges but it also includes a checklist of features you should look for in an ethics and compliance hotline provider.

12 Essential Whistleblower Metrics To Measure

Without compliance metrics, you are driving blind. Driving with poor vision might get you to your destination, but you likely won’t take the best route, and you certainly have some dings in your car from the bumpy ride. For compliance professionals, metrics provide a critical view of their program. To ensure you are driving with clear optics, let’s review the essential whistleblower metrics your program should be measuring.

Measuring the results of your whistleblower program and optimizing your processes over time are critical to success. You can build the best whistleblower and case management process for your company, but if you fail to measure what actually happens once the process is live, you could miss out on major optimization opportunities and inadvertently add additional risk.

Aligning the industry around common metrics has been a longstanding challenge, somewhat because no two compliance programs are the same. All programs have unique variables to take into account, but working towards a common set of metrics has the power to elevate all compliance programs by establishing industry standards.

So let’s review the whistleblower hotline and case management elements you should measure. Does your program capture all of these metrics?

Important Whistleblower Metrics

Cases Over Time

One of the most basic, but fundamental, whistleblower metrics is a chart of cases reported over time. Seeing this data displayed can provide insight into the seasonality of cases or explain a spike in reports after a certain event. Looking at cases reported over time can also inform organizations if their program is working. Remember, more cases being reported is not a bad thing. Oftentimes, it means your employees are prioritizing ethics and feel comfortable speaking up. Although a downward trend in cases reported may seem like the compliance program is working, it can also mean that employees are not embracing a culture of compliance.

Cases by Geography and Department

Ensure you are tracking the total numbers of cases submitted by location, business unit, country, and department. All of these factors can help illuminate trends in the organization and provide you with the necessary insights to make critical adjustments to your program. For example, if a specific region or team begins reporting incidents at a higher rate it could be a smoke signal of poor training or a larger corruption issue at hand.

Anonymous Ratio

Analyze the number of anonymous vs non-anonymous reports. This metric can provide insight into the culture of your organization. For instance, if the majority of your cases are reported anonymously, it might indicate that employees are wary of speaking up and fear retaliation. Although there is not a direct correlation, this should be one factor you take into consideration when looking at the broader culture of compliance.

Channel Breakdown

Compare the total number of cases submitted via a reporting hotline vs online channels vs in-person reports (or any other reporting channels you might deploy). Having a deep understanding of where employees go to report wrongdoing can inform you broadly about trust throughout the organization. A channel breakdown can also tell you which channels are easiest for employees to navigate. Take the time to see if there are regional or departmental trends here as well. Do employees from certain geographical areas tend to report via one channel over the others? This could give you a better understanding of the subcultures or regional cultures within your organization. Understanding the most (and least) popular reporting channels can be a fascinating whistleblower metric.

Case Management Insights

Investigator Stats

Looking at a breakdown of case management metrics by the investigator is a useful exercise. As with any human-led process, there will be variation. Your job is to make sure that the variation between how cases are handled is within a tolerable range. Be sure to analyze the number of open and closed cases assigned to each investigator as well as how many cases each investigator is managing.

Investigations Per Case

It’s good to have an understanding of the number of investigations that happen per case. On average, how many investigations need to occur per case before it is substantiated or closed? This is a time management question as much as it is a resourcing question which you will have a clearer picture of once you start scrutinizing the number of investigations per case.

Cases By Status

Quickly get a sense of how many cases are currently in each status. Statuses likely include open, completed, and in progress, so by understanding where the cases are you can gain insight into what is currently happening in your organization.

Another way to sort your cases is by risk-level or priority. Knowing how many high-risk and high-priority cases are currently ongoing at your organization can ensure your finger is always on the pulse.

Substantiation Rate

Compare substantiated vs unsubstantiated cases in aggregate. Understanding what percentage of reported cases led to a substantiated investigation can be very insightful. If you have a large number of unsubstantiated reports at your company, employees may need to be retrained on what the hotline is for and the types of incidents that should be reported through these channels.

Lead Times

How long does it take for cases to launch into an investigation? Compare the lead times across case types and investigators. See what the average times are and make it a goal for investigators to meet or beat that time. In some countries lead time is subject to regulation, which makes it crucial that you measure and track lead time to protect your business from legal liability.

Case Closure Times

Find average times of case closure across the organization. Where are the times higher? Why does it take longer to close certain cases? There will be natural variation in case closure time depending on how many investigations need to take place, if the report is substantiated, and how severe the claims are, but look to case closure time to better understand these trends.

Incident Breakdown

Compare the number of cases based on incident types. This chart or report will tell you what the most common issues plaguing your organization are. These topics could inform future policies and trainings to help ensure the issues do not continue to arise. You can also look at the inverse (the least common incident types) for insights around the areas your organization does not have as much of a current issue with. However, you need to ensure that the employee population still knows where they can report these less common issues if they do ever surface.

Root Cause Analysis

Analyze the root causes of incidents and types of remedial actions deployed. Leveraging a reporting tool to keep track of root causes can allow you to identify bigger issues within the organization that might need to be addressed. It’s also wise to review the types of remedial actions deployed and check in down the road to ensure they were effective. Did similar reports come in after remedial actions occurred? If so, this could be a sign that your resolution activities are ineffective and need to be reviewed.

What to do Before, During and After Employees Blow the Whistle

When an employee steps forward to report misconduct within the organization, that person may be providing a vital service to the organization or the public, but they are also putting themselves at risk of retaliation, from harassment to termination or further legal repercussions. Let’s article examine the internal controls your company should establish to protect whistleblowers and look at how companies should handle case management before, during, and after an employee blows the whistle.

Several laws set forth protections against retaliation as well as incentives for whistleblowing. Relevant whistleblowing acts include the Dodd-Frank Act, the Sarbanes-Oxley Act, the False Claims Act, and France’s Sapin II anti-corruption law. International companies must also consider related laws and regulations in the countries in which they operate, as regulations differ from country to country. For instance, companies operating in Europe must be aware of EU data-protection rules as investigating whistleblower reports is most likely to involve the collection of personal data.

Before an Employee Blows the Whistle

An effective compliance program should ensure investigation of misconduct reports, and keep the complainant in the loop regarding the complaint’s status and resolution. To be effective, companies should implement a case management system that establishes a clear process for handling whistleblowing before, during and after reports occur. Any company should be able to provide all employees, including third parties, a clear line for communicating incidents of misconduct–the most apparent of which is a whistleblower hotline.

A compliance program must also provide a mechanism for reporting allegations of misconduct up the chain of command. When a complaint is made, the chief compliance officer (CCO) must be ready to respond appropriately. If employees feel that their reports are being ignored or that nothing is being done to address the allegations, they might take their allegations to authorities or the media. Whistleblower reports to the Securities and Exchange Commission have over the past years yielded large monetary awards to whistleblowers that have uncovered fraud and corruption inside companies.

Regarding establishing protections for whistleblowers, employees must be protected from being discharged or demoted, suspended, harassed or discriminated against. Retaliation or “pretaliation” can carry severe penalties. All the while, companies must make sure that all cases–from reporting to closure–are prudently documented.

When an Employee Blows the Whistle

When employees submit complaints about misconduct, these should be consolidated into one master system (typically a case management system). This allows the compliance officer to risk rate the allegations into low or high risk to effectively pursue urgent cases. Reports should then be routed to the appropriate executives for investigation to determine what necessary action should be taken.

If an internal complaint is not sufficiently resolved or the employee faces retaliation, a whistleblower may bring their case to authorities under state or federal jurisdiction. If authorities accept the whistleblowing allegation, they may issue a litigation hold. This hold requires organizations to meet their legal responsibilities and cooperate to produce documentation.

This goes back to the need for maintaining a prudent document policy. Companies with strong case management systems in place and cooperative mentality will likely fare better when it comes to sentencing, so an automated system would be useful in ensuring thorough documentation.

Three key issues at this stage are negotiations, interviews, and communications.

  • Negotiations: If your company receives a litigation hold, instruct your counsel to contact the government to initiate communications, specifically to determine the scope and terms of contemplated data production.
  • Interviews: If your company is under investigation, you should interview and screen employees first to identify relevant facts. Following such an internal investigation, the government will assign outside investigators to gather interview information; this may be collected independently or from your existing interviews.
  • Communications: Enforcement agencies will issue communications regarding the whistleblower’s allegations, in determination of the complaint’s merits. This gives your company an opportunity to build a case, from identifying relevant documents and interviewing employees to negotiating damages with the agency.

After a Whistleblower Investigation

After the closure of a whistleblower investigation—regardless of the outcome—it’s time to take stock. Reassess your case management program, and take the time to rebuild anywhere you find flaws in your systems and/or processes. Learn more about our case management solution.

Finding a Whistleblower Reporting Solution

While all these elements are critical to understanding the success of your whistleblower process, it would be difficult (if not impossible) to measure all these factors on an ongoing, real-time basis without the support of a solution. That’s why we built GANalytics, a powerful reporting and analytics tool that keeps your program’s performance in focus, including critical whistleblower metrics.

GANalytics serves you with the insights you need on your whistleblower process to make informed and data-driven decisions. The reporting platform sits on top of fundamental compliance processes, like Investigations, to provide a complete picture of your compliance program with a real-time feed of information. Our highly intuitive reporting and analytics tool keeps critical stakeholders looped in at all times. When managed effectively, data can be a powerful catalyst within your program and the greater business.

GANalytics includes robust reports and dashboards for our Investigations, Conflicts of Interest, Gifts & Entertainment, and Risk Management processes as well as any custom compliance process our customers need. Learn more about GANalytics and our Investigations solution by booking a demo today. By requesting a demo, one of our compliance experts will reach out to learn more about your program and build out a customized platform walkthrough.

compliance software solutions

Implement a tailored Third-Party Risk Management solution