Research consistently shows that whistleblowing is the single most effective mechanism for detecting corporate fraud — more effective than internal audit, external audit, or management review. And yet most companies treat it as a compliance checkbox rather than a governance asset.
What a mechanism that works looks like
Anonymous — the reporter can raise concerns without identifying themselves. Many serious concerns are never raised because the reporter fears identification.
Accessible — not buried on page 47 of the intranet. Clearly communicated, multiple channels (phone, online, email), available in all languages the company operates in.
Protected — strong anti-retaliation policies, enforced at the highest level. A whistleblower who suffers retaliation sends a message to every other potential whistleblower: this company does not want to hear bad news.
Investigated seriously — every report investigated, findings reported to the audit committee. The investigation must be independent of the people being reported on.
Feedback loop — the reporter knows their concern was taken seriously, even if they cannot be told the outcome in detail.
What a mechanism that doesn't work looks like
A mechanism that doesn't work is worse than having none — it creates the illusion of protection without the substance.
The regulatory direction
The direction is clear across all major jurisdictions: stronger protections, mandatory channels, board-level oversight. The EU Whistleblower Directive requires companies with 50+ employees to establish internal reporting channels. Dodd-Frank provides financial incentives for whistleblowers in the US. The UK's prescribed persons regime gives whistleblowers a route to the regulator.
The board's job: ensure the mechanism exists, works, is trusted, and that the audit committee receives regular reports on its use.
This article is adapted from The Director's Craft by Peter Burchardt. Read the full chapter in the book →