The 7-step whistleblower investigation process & checklist to follow

Receiving the first report of wrongdoing within the organization can be scary, let alone the whistleblower investigation process which follows. Not only will it say that there’s something bad going on within the business, but it will also imply that someone is feeling hurt directly or indirectly by this incident. By law, the assigned person who is responsible for handling incoming reports is obligated to follow certain protocols to ensure that the whistleblowing process is authentic.

So how do you do this?

1. Relevance

When you receive the first incident report, you have to determine whether this is a whistleblowing issue or not. Whistleblowing issues vary, but there are also a lot of different issues that are not regulated by a whistleblowing policy, such as personal grievances and complaints. Some examples of incidents that can be reported under the whistleblowing law are: 

  • Corruption, bullying, fraud, etc.
  • Harassments based on sexuality, gender, age, religion, and disabilities.
  • Deficiencies of the workplace’s safety policies. 

2. Obligations

  • From the moment you receive the report, you have 7 days to reply to the whistleblower and confirm the reception of this report.
  • Within 3 months after receiving the report, you have to give feedback to the whistleblower about what is happening.

Both of these timelines are requirements that are regulated under the EU whistleblowing directive, which means that it can lead to serious consequences for your organization if these aren’t followed.

3. Questions, questions, and questions

To ensure that you take the correct actions regarding this case, you should be thorough in terms of asking questions, even those questions that you may be anxious about asking. Even if the subject is something that may feel embarrassing for the whistleblower, you need to ensure that you get detailed answers in all aspects of which the incident did occur. 

If you don’t feel comfortable asking these questions early on in the process, or if the whistleblower doesn’t feel secure talking about this currently, assure that the whistleblower knows that you may need to ask these questions at a later stage of the process.

4. Evaluation

When you have all the information in hand, start by evaluating if this is something that you can solve internally within your organization. If this is a very serious matter or if a director of the business is a part of the concern sent in by the whistleblower, this may be hard to handle internally, and you may have to include a third party to assist in this matter. If you need assistance in evaluating the incident, NorthWhistle can provide experts to participate in the evaluation process. 

5. What external party is required to solve this misconduct?

This can be hard to evaluate, but it is wise to ask a legal representative about what to do in most cases that require external assistance. With NorthWhistle, you are offered expert help in the matter as an add-on.

6. Following up with the whistleblower

Whether you feel that the filed incident is something that the whistleblower feels bad about or not, it’s important that you follow up, and check in on the employee’s wellbeing. This should be done through the same channel that the report was sent in, and if your system is 100% confidential – this is the only way to do it.

This can be a great time to ask those important questions as well, that you may not have been able to ask during the first contact. Or follow up with any other questions, statements, or tips on how the whistleblower can process what did or did not happen.

7. Examples of outcomes

It’s crucial to know that you may not always be able to find a solution for the reported incident, such as not having enough evidence. You need to give feedback about this if this is the case, and if not – you need to explain what is going to happen next regarding the report. Maybe it will lead to letting somebody go, or by placing someone in a different sector at work, to prevent two people from working together. Maybe it will lead to a larger, legal investigation that leads to even more discoveries associated with that one incident.


Upon receiving the first report of misconduct within your organization, you will first determine the relevance of the reported incident. After determining the relevance and choosing whether this is a concern within your whistleblowing policy, you have obligations that you need to consider. 

Within 7 days after receiving the report, you are required to confirm the report’s reception, and you are to send feedback to the whistleblower regarding the matter within 3 months. 

Ask questions, a lot of them, to ensure that you have all the crucial information that you need to follow up on a received report of misconduct. Evaluate whether internal parties can handle it or not.

Lastly, follow up with the whistleblowing continuously to ensure that you have all the information crucial to the incident and make sure that the whistleblower can get professional help with coping and moving on.