White Paper: Whistleblowing Management Systems


Introduction to whistleblowing.
Nelson Mandela once said, “We can change the world and make it a better place. It is in your hands to make a difference.” James Thomas Webb, a former employee of The Boeing Company, decided to make a difference by blowing the whistle on the wrongdoing he witnessed in the organization.


Mr. Webb reported that The Boeing Company violated the terms of a defense contract by charging the United States (US) government improperly for aircraft maintenance. Mr. Webb alleged that the company’s mechanics were being paid for lunch breaks and other extended breaks — a condition which was not included in the contract. Mr. Webb won the case and was rewarded $3 million, while The Boeing Company paid $18 million to the US government to settle these allegations.

Another similar case was when a former employee of MB2 Dental Solutions reported the company for falsely claiming that they provided pediatric dental services and other wrongdoings. In the end, MB2 Dental Solutions and 21 affiliated pediatric dental practices agreed to pay $8.45 million to resolve allegations that they violated the False Claims Act. The whistleblower also received a share of the recovered money.

Individuals who disclose any information on unethical and illegal practices within their organization, such as fraud, corruption, and abuse of power, are called whistleblowers. Whistleblowing can be internal, i.e., an employee reports wrongdoing using the reporting channels within the organization, or external, i.e., an employee reports wrongdoing to parties outside the organization. Research shows that employees are the primary source of fraud exposure. By reporting wrongdoing, they protect the customer’s interest and may save organizations a lot of money by preventing further losses.

However, people still hesitate to expose fraud and other wrongdoings because of the challenges they may face when doing so. Common factors that hinder people from reporting include fear of retaliation, social status (e.g., lower income, lower job position, and lower education), the nature of the wrongdoing (e.g., infrequency and triviality of the wrongdoing), cultural barriers (e.g., disapproval from colleagues and the acceptance of unethical practices), or organizational barriers (e.g., lack of appropriate internal channels and unethical leadership). 

A major issue regarding whistleblowing is the lack of legal protection and support for whistleblowers. In the past, there were only a few laws that protected whistleblowers. However, many conventions were held around the world which presented laws for protecting, supporting, and encouraging whistleblowers. In 1989, the US passed the Whistleblower Protection Act to protect federal whistleblowers. Other countries, such as the United Kingdom (UK), India, Japan, Jamaica, Australia, and South Africa have laws for protecting and supporting whistleblowers. Having said that, such laws come with limitations, e.g., the South African Protected Disclosure Act 26 of 2000 includes only people with an employment relationship and excludes other citizens who want to report wrongdoing.

In 2019, the European Union (EU) enacted the Whistleblowing Directive which requires all EU countries to create whistleblowing laws or improve their existing ones. From December 2023, companies with more than 50 employees, operating in any of the EU countries, are required to establish internal reporting channels through which employees can report breaches of Union Law. However, laws address situations of individual countries or regional groups and they do not provide guidance on how to meet the requirements. Even though countries like Japan, the UK, Canada, and France have some national guidelines and standards regarding whistleblowing, there is still a need for global synchronization on this topic. This is one of the gaps that ISO 37002 aims to cover.  


Whistleblowing Management System and Its Principles

An effective WMS enables organizations to receive, assess, and address reports of wrongdoing, and treat whistleblowing cases based on the principles of trust, impartiality, and protection. Organizations can follow a Plan-Do-Check-Act (PDCA) cycle when implementing a WMS. This cycle follows a process-based approach aimed at improving processes and facilitates the implementation of a WMS in the organization.

As can be seen in the figure above, in order to be effective and achieve its objectives, a WMS based on ISO 37002 should be built upon the three main principles: trust, impartiality, and protection.

According to the guidelines of ISO 37002, the top management and the whistleblowing management function are critical to the effectiveness of a WMS built upon these three principles. The organization’s top management should establish a whistleblowing policy that includes a commitment to trust, impartiality, and protection. In addition, the organization’s employees should be trained on the processes that ensure the integration of the aforementioned principles in the WMS.

According to research, the greater the trust of employees in the organization, the higher the chances that they will decide to report wrongdoing. This includes trusting a supervisor and perceiving the structures of the organization and its reporting channels as fair and impartial. Implementing a WMS based on ISO 37002 enables organizations to build this trust and assure employees that their reports will be handled properly and with confidentiality throughout the entire process of a whistleblowing case.

When employees don’t trust that the top management will address their report ethically, they choose to report to parties outside the organization, which may bring unwanted and unnecessary scandals, lawsuits, and financial losses. According to ISO 37002 guidelines, organizations should ensure that the people managing a whistleblowing case are trustworthy, feedback is provided to the whistleblowers to build trust, secure reporting channels are established, and surveys are conducted to verify employees’ trust in the whistleblowing management system.




ISO 37002 suggests that organizations guarantee the impartiality of the people dealing with a whistleblowing case and address and investigate reports and detrimental conduct with impartiality. This can be done by ensuring that the persons dealing with a whistleblowing case are objective and fair in decision-making. Furthermore, all possible or actual conflicts of interest, which may lead to biased processing, should be addressed appropriately. In addition, organizations should assure employees that no matter what job position they have, their reports will be addressed without any bias. Organizations may also provide anonymous reporting channels or outsource whistleblowing reporting channels to create the conditions for impartiality and increase trust.

Fear of retaliation and detrimental conduct prevents many people from reporting wrongdoing. For this reason, organizations should assure their employees that they will be protected from any potential harm when they report wrongdoing, for as long as needed. The guidelines of ISO 37002 suggest organizations define the degree of protection that they can provide, take the necessary actions to protect whistleblowers and interested parties from detrimental conduct, and validate whether people who are responsible for protecting whistleblowers have the necessary competence to ensure protection. Furthermore, organizations should make sure that documented information related to a whistleblowing case is protected from damage and misuse.

Alongside protection, ISO 37002 also suggests supporting whistleblowers. ISO 37002 guidelines recommend providing emotional, financial, legal, and reputational support to whistleblowers and other interested parties involved in the process of a whistleblowing case. Organizations should make sure that employees maintain the same job position and professional reputation that they would have if they never reported the wrongdoing. They should treat them equally when providing any organizational benefits, support them throughout legal procedures (if needed), and provide them with an apology and compensation for detriment and any damage they may have suffered. As another form of support, offering tokens of appreciation and financial rewards has proven to be extremely effective in generating high-quality reports.

However, there is a dichotomy of opinions regarding financial rewards. One group thinks that if people are making money through fraud and corruption, then people should also be rewarded for doing the right thing and reporting wrongdoing. This will encourage people to establish ethical practices. On the other hand, the other group thinks that these rewards may lead to an increase in false reports. However, studies conducted by Transparency International, the Stockholm Institute of Transition Economics, and the Booth School of Economics have proven this theory wrong, claiming that rewards are only provided after a report is proven to be true.


Confidentiality as a Part of the WMS

Many organizations have established whistleblowing policies that proactively protect the confidentiality of information and the organization’s intellectual property. If employees disclose confidential information, legal action can be taken against them by their employers. In terms of whistleblowing, whistleblowers sometimes have to disclose the confidential information of the organizations in which they work, because that information may prove that organizations are committing wrongdoings and their actions are damaging to the public interest. When whistleblowers report wrongdoings against organizations, their identity should be kept confidential.

Lastly, the need for confidentiality is emphasized in clause 8 Operation for all four processes of the whistleblowing management system: receiving, assessing, and addressing the reports of wrongdoing, and concluding whistleblowing cases.

The importance of providing and assuring confidentiality for all relevant interested parties involved in the process is highlighted throughout the guidelines of ISO 37002. Therefore, an effective WMS established in accordance with the ISO 37002 guidelines enables organizations to address and handle reports of wrongdoing properly by ensuring the confidentiality of everyone involved in a whistleblowing case. This encourages employees and other interested parties to blow the whistle and report wrongdoings.


The Benefits of a WMS based on ISO 37002 

Organizations that implement a WMS based on the guidelines of ISO 37002 obtain several benefits.

A WMS based on ISO 37002 facilitates the process of reporting wrongdoing and, subsequently, encourages employees to blow the whistle by providing trustworthy reporting channels. An effective WMS encourages whistleblowers to speak up and assures them that their reports will be appropriately addressed and that they will be protected from any type of retaliation. This, as a result, will help organizations to identify, prevent, and address risks of wrongdoing as early as possible, consequently minimizing costs, loss of assets, and reputational damage.

Organizations will also be able to support and protect whistleblowers, and prevent detrimental conduct toward them by ensuring their confidentiality. Lastly, organizations that have established an effective WMS based on ISO 37002 are able to deal with whistleblowing reports appropriately and in a timely manner.

Furthermore, implementing a WMS based on the guidelines of ISO 37002 will promote and foster a culture of openness, transparency, and integrity within and outside of the organization. As a result, the organization will maintain a positive reputation and build trust and confidence with relevant interested parties. In addition, implementing an effective WMS ensures compliance with legal and other requirements.

Finally, a WMS based on the guidelines of ISO 37002 can be easily integrated with other management systems based on ISO standards. This enables organizations to harmonize and optimize practices, formalize informal systems, reduce costs, and improve communication. 



Whistleblowers are one of the main sources of information for exposing fraud and other illicit or unethical activities in organizations worldwide. However, the fear of retaliation, the lack of psychological and financial support, the lack of safe internal channels to report wrongdoings, and the lack of proper frameworks for managing reports of wrongdoing are discouraging and daunting to many employees who want to blow the whistle when they witness or experience wrongdoings.

ISO 37002, published in July 2021, provides guidelines for establishing, implementing, maintaining, and improving a whistleblowing management system (WMS), based on the principles of trust, impartiality, and protection. Organizations that establish a WMS based on ISO 37002 are able to effectively receive, assess, and address reports of wrongdoing, and conclude whistleblowing cases. A WMS based on ISO 37002 enables organizations to facilitate and encourage reports of wrongdoing, provide support and protection for whistleblowers, establish appropriate procedures to deal with reports, decrease risks of wrongdoing, and improve their organizational culture. Moreover, the high-level structure of ISO 37002 enables organizations to implement the WMS as an independent entity or easily integrate it with other management systems based on ISO standards.

ISO 37002 suggests that organizations implement a WMS following the PDCA cycle and ensure that the principles of trust, impartiality, and protection are reflected throughout the elements of the WMS. Organizations should assure their employees that the organization’s structures will remain impartial throughout any whistleblowing case and will protect and support them from any potential harm. This increases the chances that employees will use internal reporting channels, rather than risking scandals and lawsuits by reporting externally.

A WMS based on ISO 37002 will promote and foster a speak-up/listen-up culture, through which the management encourages employees to speak up by assuring them that they will be heard and their reports will be handled appropriately. Additionally, a WMS based on ISO 37002 will ensure the confidentiality of whistleblowers and other interested parties involved in a report of wrongdoing. These actions will enhance whistleblowers’ confidence and trust and encourage them to blow the whistle regarding wrongdoings committed in organizations.


February 18, 2022, published by the Professional Evaluation and Certification Board.
