Since the passing of the Sarbanes-Oxley Act and, more recently, the Supreme Court’s decision to expand whistleblower protection, companies have adopted whistleblower policies to facilitate internal reporting and protect informants.

After reviewing several policies from a range of organizations, we’ve compiled some of the core elements. We intend to give you and your company a jumping-off point to start formulating a policy of your own.

So let’s start with the basics—what should you call your whistleblower policy?

A Whistleblower Policy by Any Other Name

While the answer to this question seems straightforward, in reality it is much more complex, and it is perhaps the most important question to answer. As Donn Meindertsma outlines in his article Why Your “Whistleblower Policy” Should Not Be Called That, “Whistleblower Policy” might not be the best name.

As Meindertsma points out, the term “whistleblower” comes with baggage. The word itself can be construed in several ways, not all positive. The word also contains a polarising element. In the past, whistleblowers have been praised as heroes and condemned as villains.

Daniel Ellsberg, Bradley Manning, and, more recently, Edward Snowden are all famous examples of whistleblowers. They are also examples of how the term can, for some people, denote paragons of civil service and, to others, represent the worst kind of traitor.

Because of this, it might be wise to call your policy something different. A couple of ideas Meindertsma puts forward include a Speak-Up Policy, Employee Concern Policy, or Issue Resolution Policy. That said, a whistleblower policy by any other name should contain certain basic elements.

Core Sections of a Whistleblower Policy

In your whistleblower policy, you must define three basic elements: why, what, and where. More specifically, why do you have a whistleblower policy, what merits reporting, and where and how should reports be made?


Before encouraging employees to speak up against ethics violations, your company needs a strong ethics policy or code of conduct. The “why” is an integral part of your whistleblower policy. Without a why, there is no reason for your employees to speak up at all. The Universal Service Administrative Company’s whistleblower policy does a good job of explaining why the policy exists and what its goals are.

Here is an excerpt:

Assuring effective stewardship of the federal universal service programs by guarding against misuse or waste is a priority shared by USAC, the FCC, and Congress, as well as program applicants, service providers, and the general public. To that end, this page allows applicants, service providers, contributors, and others to alert USAC to instances when universal service support is possibly being misapplied or program rule violations might exist.


If you want to encourage your employees to speak up, you need to tell them what to speak up against. Most policies use blanket terms like fraud, waste, and illegal activity. These are fine to use, but depending on your industry, you may want to be more specific. Publicly traded company Parker Drilling clearly defines in its policy what kinds of complaints and issues should be reported.

It states:

Employees of the Company have an obligation to report irregularities (whistleblower) of which they become aware and the right to voice complaints about questionable accounting, internal accounting controls and auditing practices, without fear that such report or complaint will impact their employment status, rate of pay or responsibilities within the organization. Reports of “irregularities” may include, but are not limited to, policy violations, theft or misappropriation of Company assets, the misreporting of accounting, financial or operational data, the failure to report health, safety or environmental violations, the violation of antitrust laws, the violation of the Foreign Corrupt Practices Act, the violation of anti-boycott laws, fraud, harassment, worker intimidation, the payment of bribes, the inappropriate granting or acceptance of gratuities, and other conduct which is illegal, unethical or contrary to the letter or spirit of Company policy. In addition to these irregularities, employees are encouraged to voice “complaints” regarding questionable accounting practices, internal accounting controls and auditing matters.


Your whistleblower policy also needs to contain information on where and how employees should lodge their complaints. This can range from informing their immediate supervisor to a third-party whistleblower hotline. The University of Miami’s policy is a good example of how to define where an employee should report their complaint.

Here is an excerpt detailing exactly how an employee should report a violation:

If an employee has knowledge of information that is in violation of any law, rule or regulation as described above, the employee is encouraged to contact his/her immediate supervisor, visit the ’Cane Watch website at or call 877-415-4357, to provide information directly or on an anonymous basis to afford the University a reasonable opportunity to review and correct the activity.

Other Considerations

Beyond the why, what, and where of a whistleblower policy, there are two other considerations to take into account: confidentiality and anti-retaliation.


Most whistleblower policies have an added clause about maintaining the confidentiality or anonymity of the whistleblower.

It is important to note that these clauses also state anonymity will be maintained to whatever extent possible, meaning that sometimes you simply can’t protect the anonymity of a whistleblower. If anonymity is no longer practical, you don’t want your organization to be liable.


All whistleblower policies contain anti-retaliation clauses. These clauses explicitly state that whistleblowers cannot be retaliated against for their whistleblowing. They also clearly define what retaliation looks like.

Not only is this ethical, but it is also federal law, contained in the Sarbanes-Oxley Act and many other statutes.

Always Seek Legal Counsel

When thinking about your company’s whistleblower policy, these are all good places to start. However, this is by no means an exhaustive list, and you should always consult legal counsel before finalizing any whistleblower policy.

Last Updated: September 13, 2022