Whistleblower Programme Review Checklist
This checklist helps organisations review whether their whistleblower programme is workable in practice, not just documented on paper. It covers reporting channels, triage, confidentiality, training, oversight, and legal alignment so boards and programme owners can spot gaps before they undermine trust or compliance.
Key takeaways
- A whistleblower programme review checks whether your speak-up system is trusted, usable, compliant, and well governed.
- The best reviews look at policy, reporting channels, triage, confidentiality, investigation workflow, training, board oversight, and continuous improvement.
- If staff do not trust the process, they will not use it.
- A good review ends with a prioritised action plan, not a vague recommendation to "raise awareness".
A whistleblower programme review is a structured check of whether your reporting system actually works in practice. It is not enough to have a hotline or a policy on paper. You need to know whether people understand the process, trust it enough to use it, and believe disclosures will be handled fairly.
This article is for boards, directors, executives, company secretaries, legal teams, HR leaders, risk teams, and compliance teams that need a practical way to assess a whistleblower programme before small issues become larger ones.
It covers the practical review areas that matter most, the evidence you should request, and the questions leaders should be able to answer before a problem tests the system. It does not replace legal advice on a specific disclosure or a formal external assurance scope.
Source note: this guide aligns with Core Integrity's whistleblower programme review services, Speak Up Hotlines service, and Australian whistleblower protections, including ASIC Regulatory Guide 270 and the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019.
Reviewed by Core Integrity's investigations team.
A whistleblower programme is only useful if people believe it will protect them, that their disclosure will be taken seriously, and that it will lead to action.
At a glance
| Check | What to look for | What good looks like |
|---|---|---|
| Reporting | Are there clear, trusted ways to speak up? | Staff can report easily, confidentially, and without confusion |
| Triage | Are disclosures handled quickly and consistently? | New matters are logged, assessed, and assigned under a defined process |
| Oversight | Is leadership getting useful reporting? | The board sees themes, risks, and case quality, not just counts |
| Fairness | Are people treated fairly during the process? | People get a chance to respond before findings are finalised |
| Action | Do findings lead to change? | Issues are tracked to close-out with owners and deadlines |
When should you commission an external review?
Commission an external review when complaints are rising, disclosure volumes are unusually low, senior leaders are involved, the organisation has had a recent incident, or the board wants stronger assurance. It is also the safer choice when internal independence could be questioned.
ASIC Regulatory Guide 270 is a useful reference point here because it expects organisations to explain how disclosures are made, received, investigated, and protected. A review should test whether those things happen in practice, not just whether the policy mentions them.
Reference: ASIC RG 270 Whistleblower Policies
What should the review cover?
| Area | What to check | What good looks like |
|---|---|---|
| Policy | Is the policy current, clear, and legally aligned? | The policy explains how to report, who can receive disclosures, and what protection means in practice |
| Reporting channels | Can people report in more than one way? | Phone, web, email, and other channels are available and easy to find |
| Eligible recipients | Do people know who can receive protected disclosures? | Eligible recipients understand their role and what to do next |
| Confidentiality | Are identity controls and access restrictions in place? | Only the right people can see sensitive information |
| Triage | Are new matters assessed quickly and consistently? | Each matter is logged, prioritised, and routed under a defined workflow |
| Investigation workflow | Are cases managed in a defensible way? | Scope, evidence, interviews, findings, and close-out are documented |
| Board oversight | Does leadership get meaningful reporting? | The board sees trends, risks, timeframes, and themes, not just counts, and can test whether oversight aligns with ASIC Regulatory Guide 270 expectations |
| Training | Do people know how to use the programme? | Eligible recipients, managers, and staff receive role-based training |
| Metrics | Are you tracking the right indicators? | Use, time to triage, time to close, and outcome themes are monitored |
| Continuous improvement | Are lessons fed back into the programme? | Policy, training, and process updates follow case trends and review findings |
Real-world scenario
A mid-sized organisation may have a hotline, a policy, and annual training, yet still fail the review if disclosures sit untriaged for days, eligible recipients cannot explain their role, and the board only receives case counts. In that situation, the programme looks compliant on paper but weak in practice.
Checklist: 15 things to verify
- The policy is current and matches your actual reporting process.
- Reporting channels are visible, easy to use, and available in the formats staff prefer.
- Anonymous reporting is possible where appropriate.
- The programme explains what whistleblower protection means in plain English.
- Eligible recipients know their responsibilities and escalation steps.
- Triage rules are defined, documented, and used consistently.
- Conflict checks are completed before anyone is assigned to a matter.
- Confidentiality controls are strong enough for sensitive matters.
- Investigations are scoped properly before evidence collection begins.
- People affected by an allegation get a fair chance to respond.
- Reports are written clearly and support defensible decisions.
- Leaders receive trend reporting, not just isolated case summaries.
- Training is role-specific, current, and repeated often enough.
- The organisation tracks whether people actually trust the programme.
- The board or executive team acts on findings and closes the loop.
Evidence you should ask for
| Evidence | Why it matters |
|---|---|
| Current whistleblower policy | Shows whether the formal rules are current and complete |
| Hotline or reporting channel logs | Shows how the programme is being used |
| Triage records | Shows whether issues are being assessed quickly and consistently |
| Investigation reports | Shows whether matters are handled fairly and defensibly |
| Training completion records | Shows whether staff and eligible recipients have been briefed |
| Board or executive reports | Shows whether leadership receives useful oversight |
| Action tracking register | Shows whether findings lead to change |
What good looks like
The best whistleblower programmes are easy to find, easy to use, and easy to trust. They give people a clear route to speak up, give the organisation a disciplined way to assess disclosures, and create a paper trail that stands up if a decision is later challenged.
For Australian organisations, the legal baseline matters too. A programme review should be checked against ASIC Regulatory Guide 270 and the whistleblower protections in the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019, not just against internal policy wording.
ASIC Regulatory Guide 270 is especially useful here because it reinforces the need for clear channels, practical procedures, and properly trained people who can receive and manage disclosures. The 2019 reforms also matter because they raised the practical consequences of mishandling confidentiality, detriment risk, and recipient pathways.
References: ASIC RG 270 Whistleblower Policies | Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019
If the programme cannot show who receives disclosures, how they are triaged, and how fairness is protected, the system is not ready.
Common gaps we see
- The policy is out of date or does not match the real process.
- Staff do not know where to report a concern.
- Eligible recipients have never been trained on their role.
- Disclosures are not triaged quickly enough.
- The same person is too close to the matter and the decision.
- Confidentiality is promised but not operationally protected.
- Board reporting is too thin to support oversight.
- The programme has never been tested against a live scenario.
Common mistakes in programme reviews
| Mistake | Why it matters |
|---|---|
| Treating the review as a policy exercise only | Misses whether the system works in practice |
| Accepting low disclosure numbers at face value | Can hide trust or communication problems |
| Reviewing counts but not case quality | Leaves triage and fairness issues unnoticed |
| Ignoring the board's actual oversight role | Weakens governance and accountability |
| Failing to test the programme with a scenario | Leaves real-world failure points undiscovered |
If the review finds problems
Treat the review as a prioritisation exercise, not a blame exercise. Start with the gaps that affect trust, legal compliance, and case handling. Most organisations do not need a complete rebuild. They need a clear sequence of fixes, owners, and deadlines.
Simple review worksheet
Use these four questions as a fast review worksheet before a full programme reset:
- Can we explain exactly how a disclosure is received, triaged, investigated, and closed?
- Can we show who is trained to receive disclosures and what they would do next?
- Can leadership see trend reporting, not just isolated case counts?
- Can we prove confidentiality and fairness controls with records rather than assumptions?
If the answer to any of those is no, the programme needs deeper work.
Mini example
If a manager receives a disclosure, forwards it casually to several colleagues, and then delays triage for a week, the programme is sending the wrong signal. If that same disclosure is logged, restricted, reviewed by the right person, and tracked to close-out, the programme is doing its job.
What a review cannot establish from documents alone
Documents can show what the programme says it does. They cannot, by themselves, prove that staff trust the system, that managers use the escalation path correctly, or that confidentiality is protected in live handling. That is why a strong review usually tests both the written process and the lived process.
FAQ
What is a whistleblower programme review?
A whistleblower programme review is a structured assessment of whether your speak-up system is working as intended. It checks the policy, reporting channels, triage, confidentiality, training, oversight, and reporting outputs. The goal is to identify gaps before they turn into legal, reputational, or cultural problems.
How often should a whistleblower programme be reviewed?
Most organisations should review the programme at least annually, and sooner if the business has grown, the legal environment has changed, or a serious disclosure has exposed weaknesses. A review is also sensible after an incident, a merger, a leadership change, or a regulator request.
Who should conduct the review?
The review can be done internally if the team has enough independence and expertise, but an external reviewer is often better when senior leaders are involved or the organisation wants stronger assurance. External reviews are also useful when internal teams are too close to the matter.
What should the review produce?
The best output is a practical action plan. That should include the issues found, the risk level, the recommended fix, the owner, and the due date. A good review does not just describe problems. It shows what to do next and in what order.
What if the programme looks fine on paper but staff still do not trust it?
That is a common finding. In that case, the issue is usually not only policy design. It may be communication, leadership behaviour, past case handling, or poor follow-through. Review the lived experience of staff, not just the written documents.
Conclusion
A whistleblower programme review should answer one simple question: if someone needed to speak up tomorrow, would the system work for them and hold up for the organisation? If the answer is unclear, the programme needs a closer look.
If you want an independent review of your current whistleblower programme, Core Integrity can help assess the system, identify gaps, and prioritise practical fixes.