Skip to content
Get in touch Support Hub Partners Investors
Book a demo Free trial
Back to blog

How to Set up a Workplace Whistleblowing Policy

6 minute read

Risk Management Compliance Strategy
How To Set Up a Whistleblowing Policy at Work
Last updated: July 18, 2025

Whistleblowing about internal and external malpractices is vital for the functioning and survival of companies. But you need a process that is trusted.

Key takeaways

  • Build trust with a clear reporting framework. It is important to encourage whistleblowing by providing secure, accessible, and anonymous reporting channels in your company that demonstrate seriousness and support.
  • Ensure legal compliance and confidentiality. Protect whistleblowers under UK law by safeguarding anonymity, clearly outlining legal rights, and avoiding restrictive clauses.
  • Establish robust, fair processes. Define clear steps for handling reports, including prompt follow-up, support for reporters, and transparent investigation procedures.

Explore our Risk Management Library

Edward Snowden. Katharine Gun. Antoine Deltour. John Doe. Bradley Birkenfeld. Howard Wilkinson. History shows that whistleblowers rarely get the thanks they deserve.

Yet without them, we might never know about the United States surveillance program (PRISM), the tax deals struck by multinationals (LuxLeaks), the lengths the rich and famous go to conceal their wealth (Panama Papers) or countless other misdemeanours.

Setting up a workplace whistleblowing policy

  1. Why do you need a whistleblowing policy?
  2. What should be in your whistleblowing policy?
  3. What are the EU's whistleblowing rules?
  4. How do you deal with employee disclosures?
  5. What is whistleblowing to a prescribed person?

Whistleblowers often pay a heavy price for speaking the truth: smear campaigns, financial ruin, untold stress and problems getting another job.

No surprise then that many more choose to remain silent for every person who speaks out, fearing retaliation or reprisal.

  • Recent research shows that over half of UK employees would feel unsafe whistleblowing if their company was breaking the law.
  • UK workers' main concerns about whistleblowing are fear of losing their job, fear of retaliation, and fear that their confidentiality will be broken.
  • Only 18% of employees say that they are very confident their employer will support and protect them from retaliation.

1. Why do you need a whistleblowing policy?

Staff are often reluctant to bring misconduct to the attention of management. That's why you need to create an open, transparent and safe environment where workers feel able to speak up.

Fortunately, the law protects whistleblowers. People should not be treated unfairly or lose their jobs because they raised the alarm on corporate misconduct.

A company's whistleblowing policy will depend on the size and nature of the organisation. Large organisations may have a policy where employees can contact their immediate manager or a specific team of trained individuals to handle whistleblowing disclosures. Smaller organisations may not have sufficient resources to do this.

2. What should be in your whistleblowing policy?

In the UK, workplace whistleblowing policy should establish a company's commitment to safeguarding whistleblowers from detrimental treatment as set out by the Public Interest Disclosure Act 1998.

It should be simple, easily understood and include:

  • An explanation of what whistleblowing is, particularly concerning the organisation
  • A commitment to training workers at all levels of the organisation concerning whistleblowing law and the organisation's policy
  • A commitment to consistent and fair treatment of all disclosures
  • A commitment to confidentiality by taking all reasonable steps to protect the identity of whistleblowers where it is requested (unless required by law to break that confidentiality)
  • Clarification that any so-called 'gagging clauses' in settlement agreements do not prevent workers from making disclosures in the public interest

3. What are the EU's whistleblowing rules?

From December 2021, there are rules to enhance whistleblower protection across the EU. Whilst similar to those in the UK, they are far from identical.

  • Provide a hierarchy of safe reporting channels - if your company has over 50 employees. In the first instance, reports are to be made within the organisation and then via external channels, which public authorities are obliged to set up.
    NB: Anyone choosing to report externally will not lose any of the protections.
  • Prepare for the widening scope - the EU rules cover financial services, public procurement, prevention of money laundering, product and transport safety, nuclear safety, consumer and data protection.
  • Support amd protect whistleblowers from retaliation - including suspension, demotion and intimidation. Measures include independent information and advice, assistance from competent authorities, legal aid in criminal and cross-border proceedings and financial support. Colleagues and relatives must be protected too.
  • Follow up whistleblower reports within three months - within this period of time of acknowledging the whistleblowing report (which should be in 7 days), the designated person or department should provide feedback to the whistlblower

There are also provisions to protect whistleblowers from liability to prevent companies from misusing copyright, defamation, copyright or insider dealing legislation to silence or threaten whistleblowers.

Read our Risk Management Roadmap

4. How do you deal with employee disclosures?

After the employee discloses information, it is good practice to hold a meeting with the whistleblower to gather all the information needed to understand the situation.

In some cases, the parties may reach a suitable conclusion through an initial conversation with a manager. There may be a need for a formal investigation in more serious cases. Your company will need to decide the most appropriate action to take.

Best practices for dealing with whistleblowing disclosures

  • Have a facility for anonymous reporting
  • Treat all disclosures seriously and consistently
  • Provide support to the worker during what can be a difficult or anxious time with access to mentoring, advice and counselling
  • Reassure the whistleblower that their disclosure will not affect their position at work, and you will protect their confidentiality
  • Produce a summary of the meeting for record-keeping purposes and provide a copy to the whistleblower
  • Allow a trade union representative or colleague to accompany the worker at meetings about the disclosure

5. What is whistleblowing to a prescribed person?

Ideally, you'd want your employees to feel they could make a disclosure directly to their organisation. However, there may be circumstances where they feel unable to. In this case, a whistleblower can make an external disclosure to what is referred to as a prescribed person.

Prescribed persons are mainly regulators and professional bodies but can also include other persons and bodies such as MPs. The relevant prescribed person depends on the subject matter of the disclosure, so a disclosure about wrongdoing in a care home could be made to the Care Quality Commission, for example.

A worker might choose to approach the media directly with their concerns. The only issue with this is that they can expect to lose the rights accorded to them by law in most cases.

Want to learn more about Risk Management?

Having a whistleblowing policy in place and informing employees of this is essential. We offer e-learning on whistleblowing across multiple libraries, including our Essentials Library, FCA Library, Global Compliance Library and Insurance Library:

We have also created a Risk Management roadmap to help you navigate the compliance landscape, supported by our training packages, which provide access to everything your company needs to comply with a variety of compliance topics. giving your company the tools needed to meet a wide range of compliance obligations. Our Compliance Bites library offers quick, focused learning, complemented by a range of free resources, including e-learning modules, microlearning content, and more. Our Compliance Bites library and our additional free resources support this.

If you would like to access leading insights and compliance tips, you can browse our free resources to by topic to find guides, modules, compliance bites and more.

Explore our collection

Written by: Emmeline de Chazal

Emmeline is an experienced digital editor and content marketing executive. She has a demonstrated history of working in both the education management and software industries. Emmeline has a degree in business science and her skillset includes Search Engine Optimisation (SEO) and digital marketing analytics. She is passionate about education and utilising her skills to encourage greater access to e-learning.

Emmeline de Chazal

Related articles

responsible-ai-explained:-innovation-&-accountability-|-skillcast
Risk Management

Responsible AI Explained: Innovation & Accountability |...

6 minute read

Artificial intelligence (AI) is transforming industries worldwide. We explore the principles of responsible AI in the UK and key steps to use AI ethically.

Read more
the-dora-readiness-report-|-dora-|-skillcast
Information Security Risk Management

The DORA Readiness Report | DORA | Skillcast

10 minute read

Discover which UK financial sub-sectors are prepared for the DORA regulation and how to mitigate risks with practical steps, including compliance training.

Read more
operational-resilience-framework-|-skillcast
Risk Management

Operational Resilience Framework | Skillcast

4 minute read

Having an operational resilience framework has become vital for firms to navigate uncertainties and disruptions effectively. We unpack factors to consider.

Read more
Visit the blog