It’s a question of trust – 

Whistleblowing, Trust and Compliance Management 

What does our brain associate with the figure of the whistle-blowers? There is inevitably EDWARD SNOWDEN, JULIAN ASSANGE and the betrayal of secrets. Sex and Crime.

Less trust and compliance communication. Yet it is precisely these that are currently at the heart of the whistle-blowers issue.

For a better understanding we leave our couch and Netflix, the NSA and the exile in Moscow. And take a look at our annual plan for 2021 working from home in Germany. By the end of the year, or more precisely from 17 December 2021, companies with more than 250 employees and public authorities must set up a whistleblowing system. Two years later, this obligation will also affect smaller companies with 50-250 employees. According to the Federal Minister of Justice, Christine Lambrecht, the German draft law will go beyond the EU Directive on the protection of whistle-blowers, as it also covers violations of national law.

Aim of the legal regulation

What are the whistle-blower scenarios about? Scandals from the Panama Papers to Cambridge Analytica and the Lux Leaks affair. Time and again, the wrongdoings are uncovered by so-called whistle-blowers. Politicians have recognised how important this is for politics and business and have an important message. People who show courage and take responsibility for society should not be afraid of disadvantages, including losing their job. That is why the protection of whistle-blowers and the prohibition of reprisals are the focus of the EU Whistleblowing Directive. Whistle-blowers are to be protected by a suitable structure with which misconduct can be pointed out.

Whistle-blowers in companies

At the company level, it means reporting the misconduct of a colleague or supervisor within the company. Via anonymous reporting mechanisms, such as hotlines. These already exist in many companies today. But it is neither sensible nor sustainable.

Because dealing with the whistle-blower issue can only be done with empathy and level-headed communication.

Why and under what circumstances do people report violations?

People within an organisation only dare to report unacceptable behaviour if they know about this possibility. They also need to be sure that they themselves will not suffer any disadvantage.

Confidentiality is the heart and soul of an effective reporting system.

Super Hero or Super Denunciator?

The dividing line between heroism and denunciation must be drawn as sharply as possible. Otherwise, it could provide a breeding ground for toxic relationships in the first place. It must be clear:

  • Do I have an obligation as an employee of the company to point out suspected or actual misconduct?
  • There must be a framework for action that defines what constitutes good and legally impeccable corporate behaviour: If the rules are not clearly and transparently available – how am I supposed to know whether observed misconduct even qualifies as such?
  • Furthermore, there should be a climate in the company in which employees are more willing to report potential or actual misconduct or to seek advice without fear of retaliation.

It´s the company culture, stupid! 

Those companies that live a good corporate culture are clearly at an advantage. Because rules are only observed and lived if there is a cultural context in which values are lived and employees see a reason to actively care about good corporate behaviour in the first place.

It is therefore a matter of understanding employees in the company as mature and thinking members of the organisation. In addition to fulfilling the job description, it is also about thinking and understanding what is expected of me in addition to my regular work and what my contribution is. This also includes speaking up when something goes wrong and also helping to find solutions on how to better achieve the organisational goal.

Because: Taking calculable business risks is part of entrepreneurial activity and ensures the survival and further development of the company. Only then can the company offer good jobs and fair remuneration in the long term. Compliance risks, however, do not include the aspect of securing the future. They are not calculable and can also mean the certain end of the organisation (see WIRECARD). A business model that generates incalculable and uncontrollable risks is not viable.

Creating and living a good corporate culture is the company’s own core task.

No one can impose this from the outside. Management consultants, agile coaches, happiness coaches – this is no longer esoteric. If the good will of the management is there and if there is empathetic leadership, then outsiders can and should help to keep the corporate culture alive through professional communication. Because it is always an ongoing process. Corporate values and rules must be transparent and well communicated in order for them to be lived.

In the EU Whistleblowing Directive 2019/1937, the paradigm shift in compliance becomes clear. The focus is on prevention instead of sanction, which becomes very clear in the paradigm shift in the Three lines of defense.

Whistleblowing Directive: What does that mean for the Compliance department in a company?

In the future, the compliance officer will continue to perform his core tasks, such as checking the respective national laws for his multinational company. At the centre of the whistleblowing issue, however, is the challenge: How do I guarantee the protection of people who report violations of EU law?

For the whistle-blower issue, in addition to setting up a confidential reporting channel, it means making knowledge of the business conduct framework available. In other words, showing employees what is possible and where boundaries would be crossed.

Again, it is only used when the parameters are clear:

Interactive Whistleblowing Directive in a safe space: The Rulebook as a confidential communication tool

When it comes to setting up a reporting channel, the main question is: How do I manage to build trust in the first place? This can be conveyed through corporate values and through the concrete requirements and protective mechanisms for reports. Here, the certainty that employees will get support from their superiors in case of doubt will help.

The question of how best to protect whistle-blowers thus calls for the entire compliance system. Clear, transparent communication is key to building trust within an organisation.

It is about making the reporting channel so attractive that it is used confidentially. It is all about good communication. And this is where the Rulebook helps.


There are now many recommendations for companies on how to set up a successful reporting channel. Professional policy communication is at the heart of policy management.

1) Communication is key: What way to the reporting channel?

The new EU law on whistleblowing systems mandates extensive regulations for companies with more than 250 employees by 17 December 2021:

Whistle-blowers should be able to submit an anonymous tip either in writing via an online system, a mailbox or by post and/or verbally via a telephone hotline or answering system. In addition, companies are also obliged to offer a face-to-face meeting if the whistle-blower so wishes. This is all good advice that one could come up with on their own. The crucial question, however, is where do I, as a company, point to such a reporting channel in the first place? This first step is highly sensitive, because unprofessional communication can discourage or – even worse – invite denunciation. Ideally, the existence of such a reporting channel is integrated into the company’s values. It needs to be done in such a way that the uncovering of wrongdoing is seen as a valuable contribution to a good corporate culture. The best way to do this is via a compliance app.

“Hemingway once wrote, the way to make people trustworthy is to trust them.” ― Edward Snowden, Permanent Record


How can trust be built? The best way is through mutual trust.

The internal whistleblowing system must be designed, set up and operated in such a way that the identity of the whistle-blower and third parties mentioned in the report is always treated with confidentiality. Unauthorised employees must not gain access to it. Receipt of a report must be acknowledged to the whistle-blower within a period of seven days after receipt of the report.

For the purpose of follow-up, an impartial person or department shall be designated to receive reports, remain in contact with the whistle-blower, request further information if necessary and provide feedback to the whistle-blower. Follow-up measures shall also be defined with regard to anonymous reports. Feedback shall be provided to the whistle-blower within a reasonable time frame of a maximum of three months. The time limit begins with the acknowledgement of receipt of the report or – if receipt has not been acknowledged to the whistle-blower – expires three months after the expiry of the period of seven days after receipt of the report.

2) Fake News? How do I guarantee protection against denunciation and prejudgement for those affected by tips?

Anonymous reporting systems can inevitably provide a breeding ground for a corporate culture of cowardice and anonymous denunciation. It must be crystal clear that this is not the higher purpose of the reporting channel.

According to the representative Whistleblowing Report 2019 of the University of Applied Sciences in Chur, Switzerland (HTW), abusive reports, for example to denounce employees or colleagues for personal reasons, are rather rare, even if they were made anonymously. Nevertheless, it must be clear what content is necessary so that the company can follow up on a tip.

3) Protection of informants? 

It must be well communicated how whistle-blowers are protected from negative consequences. Of course, whistle-blowers who report misconduct to the best of their knowledge and belief must not suffer any disadvantages. They must therefore be treated confidentially and given the opportunity to obtain legal assistance if necessary.


4) How is the qualification of received information carried out in the company, how is an objective and high-quality investigation of the facts guaranteed?

Only when objective and factually comprehensible facts are reported can measures be developed by the company to remedy grievances. It is therefore more important to obtain a precise description of the facts than to already have a legal classification of the incidents. The whistle-blower must therefore first be encouraged to describe as precisely as possible what happened, when, how and where.

This is the starting point for the pre-assessment of the incoming information and thus the classification of the facts as a possible compliance violation. Qualified personnel is required for this!

If a tip is then qualified as a possible compliance violation, it is important to carry out appropriate clarification and investigation work. For this purpose, it is necessary to distinguish between organisational/process weaknesses and intentional or negligent misconduct by individuals.

Ideally, investigative measures are coordinated by professionally qualified bodies/individuals. Following the submission of investigation reports, an independent decision should be made on appropriate measures and consequences.

5) How do I, as a whistle-blower, find out what results and consequences my tip-off has led to?

Finally, it is elementary to inform whistle-blowers after the initiation and conclusion of measures and also to report transparently – if necessary in anonymised form – within the company and how it was dealt with.

This creates trust and promotes integrity in working together.

All this content about the whistleblowing procedure belongs in a good whistleblowing policy, which can be communicated via our Rulebook – concretely, empathetically and legally secure.

In this way, employees are informed transparently about their rights and obligations as well as the established procedures and can thus contribute to mutual success.