Quick Read
Most organisations believe their whistleblowing programmes meet regulatory requirements because they have a policy and hotline, but ISO 37002:2021 defines whistleblowing as a complete management system built on trust, impartiality, and protection—not just a reporting channel. The standard requires structured governance across four operational steps (receiving, assessing, addressing, and concluding reports), explicit oversight by the governing body, and periodic independent assessment, yet most organisations operate with significant gaps that expose them to liability. Low report volumes are often misinterpreted as programme success when they typically signal that employees lack confidence in the system's ability to protect them and act impartially.
Executive Summary
Most organisations that have a whistleblowing or speak-up programme believe they have what the law, regulators, and governance standards require. They have a policy. They have a hotline — perhaps a third-party platform with a case management dashboard. They have a procedure that tells employees how to report wrongdoing and what protection they can expect. They believe they have a speak-up culture.
ISO 37002:2021 — the international standard for whistleblowing management systems — tells a more complicated story. The standard defines whistleblowing not as a channel or a policy, but as a management system: a structured, governed, continuously improved organisational capability built on three foundational principles — trust, impartiality, and protection — and delivered through four operational steps: receiving, assessing, addressing, and concluding reports of wrongdoing.
The gap between what most organisations have and what ISO 37002 actually requires is significant. In this whitepaper, Speeki identifies seven of the most common and consequential gaps, explains what the standard requires at each point, and sets out what a genuinely effective whistleblowing management system looks like in practice.
The paper also addresses the role of the governing body — a role that ISO 37002 defines explicitly and that most organisations ignore entirely — and makes the case for periodic independent assessment as the most effective mechanism for identifying system weaknesses before they become governance failures.
A speak-up programme that cannot be trusted, that lacks the independence to investigate impartially, and that fails to protect those who come forward is not just ineffective. It is a liability.
1. The Illusion of Speak-Up Culture
In the aftermath of major corporate scandals — from financial fraud to workplace harassment, from environmental wrongdoing to bribery — a consistent pattern emerges. The wrongdoing was known, or suspected, by people inside the organisation long before it became public. Those people did not report it. Or if they did, their reports were not acted upon.
The academic and practitioner literature on wrongdoing consistently finds that a large proportion of serious organisational wrongdoing first comes to the attention of the affected organisation — if it comes at all — through internal reports. This is not marginal: it is the primary detection mechanism for most categories of serious organisational misconduct. An organisation that cannot receive, process, and act on reports of wrongdoing is not just failing its compliance obligations. It is operating blind.
The absence of reports is not evidence of the absence of wrongdoing. It is evidence of the absence of trust.
Despite this, many organisations remain confident in their speak-up programmes in the face of low report volumes. Zero reports — or very low volumes — are treated as evidence that the organisation is clean. ISO 37002 takes a different view. Clause 9.1.2 notes explicitly that the number of reports received is 'not always a true reflection of the level of wrongdoing occurring' and that the absence of reports 'should lead to questions about the system's effectiveness.'
There are two distinct failure modes. The first is structural: the organisation genuinely does not have a system. It has a policy document and a reporting channel, but no triage process, no investigation function capable of operating impartially, no protection mechanism, no measurement regime, and no governing body oversight. The infrastructure of a speak-up programme exists; the substance does not.
The second failure mode is cultural: the organisation has invested in infrastructure but has not created the conditions under which people will use it. Leadership does not visibly demonstrate commitment to the programme. Managers do not know how to handle reports appropriately. Employees do not believe their reports will be taken seriously or that they will be protected. The hotline rings — or does not ring — but the culture of silence remains.
ISO 37002 addresses both failure modes. Its requirements on leadership commitment, governing body involvement, communication, training, and the speak-up/listen-up culture go beyond process design. They are requirements on behaviour and organisational culture. This is what makes compliance with the standard difficult and meaningful.
2. What ISO 37002 Actually Requires
A Management System, Not a Policy
ISO 37002 is structured around the ISO harmonised structure (HLS) — the same architecture used in ISO 9001, ISO 14001, ISO 37001, ISO 37301, and other major management system standards. This is deliberate and important. A management system standard has a different character from a policy standard or a guidelines document.
It requires context analysis (Clause 4), leadership commitment at both governing body and top management levels (Clause 5), planning — including risk assessment and objective-setting (Clause 6), support resources including competence, awareness, communication, and documented information (Clause 7), operational control (Clause 8), performance evaluation through measurement, internal audit, and management review (Clause 9), and continual improvement (Clause 10).
Having a policy is not the same as having a management system. Having a hotline is not the same as having a management system. A management system is a set of interrelated, governed, and continuously improved processes — documented, reviewed, and operated with defined roles, authorities, and accountability.
The Three Foundational Principles
ISO 37002 defines three principles that must underpin every element of the whistleblowing management system. They are not aspirational values. They are operational requirements that shape how the system is designed, how it handles individual cases, and how its effectiveness is evaluated.
| Principle | What it requires |
|---|---|
| TRUST | The system must be believable. Reporters need to believe that their report will be taken seriously, handled confidentially, and that they will be protected. Trust is built through visible leadership commitment, consistent follow-through, and feedback at every stage of the process. A hotline that receives reports but never closes cases, or never communicates back to the reporter, destroys trust faster than having no system at all. |
| IMPARTIALITY | Investigations must be free from bias — toward the reporter, the subject of the report, or the organisation's commercial interests. ISO 37002 is explicit that investigations must be conducted by suitably qualified personnel who are free from actual or potential conflicts of interest. Where this cannot be guaranteed internally, the standard recommends external investigators. Impartiality is not just procedural integrity; it is the condition under which findings are credible. |
| PROTECTION | Whistleblowers face real risks: retaliation, marginalisation, reputational damage, and career harm. The standard requires that protection begins from the moment a report is received, not after detriment has occurred. Proactive risk assessment, identity management, need-to-know information controls, and ongoing support are all required elements. Protection also extends to the subjects of reports — who are presumed innocent until investigation concludes — and to witnesses and other affected parties. |
The Four Operational Steps
The operational core of ISO 37002 is a structured four-step process. Each step has specific requirements on documentation, communication, timeliness, and protection. Each step must be completed 'without undue delay' and within a 'reasonable time frame.' Each step requires feedback to the reporter.
| Step | Stage | What it requires |
|---|---|---|
| 01 | RECEIVE | Accessible, visible, secure, and multi-channel reporting mechanisms — with at least one channel independent of the management hierarchy. Anonymous, confidential, and open reporting all accommodated. Immediate acknowledgement of receipt. Documented. |
| 02 | ASSESS | Structured triage against defined criteria: is the report in scope? What is the risk to the reporter? What is the severity and urgency of the potential wrongdoing? Is external referral required? All decisions documented and communicated back to the reporter. |
| 03 | ADDRESS | Impartial, adequately resourced investigation with clear terms of reference. Concurrent protection and support for the reporter, the subject of the report, and relevant third parties. Due process throughout. Feedback at every material step. |
| 04 | CONCLUDE | Formal case closure with findings documented. Actions taken in response to recommendations (disciplinary, policy, procedural). Ongoing monitoring of protective measures. Lessons learned captured. Documented information retained. |
ISO 37002 is guidelines, not requirements — does that matter?
ISO 37002 uses 'should' rather than 'shall' throughout, reflecting its status as a guidelines document rather than a requirements standard (like ISO 37001 or ISO 27001). This means organisations cannot be certified to ISO 37002 in the same way as requirements-based standards. However, this does not reduce its practical significance. Regulatory bodies, courts, and due diligence assessors increasingly reference ISO 37002 when evaluating the adequacy of whistleblowing programmes. A structured assessment against ISO 37002 — even without formal certification — provides a credible, internationally recognised basis for demonstrating that a programme meets good practice. Speeki conducts exactly this type of assessment.
3. The Seven Gaps — Where Organisations Commonly Fail
In assessing whistleblowing management systems against ISO 37002, Speeki consistently identifies seven categories of gap. They are not random failures. They are structural weaknesses that arise from treating whistleblowing as a compliance checkbox rather than a governance capability.
| # | Gap | Clause | What it means in practice |
|---|---|---|---|
| 1 | Governing Body Not Involved | 5.1.1 | The board or governing body has no active role in setting objectives, approving policy, or reviewing WMS performance. Responsibility is fully delegated to HR or Legal. ISO 37002 is explicit: the governing body must exercise adequate oversight of implementation, integrity, and improvement. |
| 2 | Policy Without a System | 4.4 | An organisation has a whistleblowing policy — sometimes a detailed one — but no underlying management system. There are no documented processes for triage, no defined roles and authorities, no internal audit, and no management review. The policy exists; the system does not. |
| 3 | Single or Inadequate Reporting Channel | 8.2 | ISO 37002 recommends at least one channel distinct from the management hierarchy. Many organisations offer only a single channel — a line manager conversation or a shared HR inbox — which creates structural barriers for reports involving those managers. |
| 4 | Triage Is Informal and Undocumented | 8.3 | When reports are received, assessment decisions are made ad hoc. There is no documented triage process, no risk-based prioritisation, and no clear criteria for when to investigate, escalate, or refer to authorities. Decisions cannot withstand review. |
| 5 | Whistleblower Protection Is Reactive | 8.4.2 | Most organisations respond to detriment after it occurs. ISO 37002 requires proactive risk assessment from the moment a report is received, with protective strategies implemented and monitored throughout the process. Protection begins at receipt, not at complaint. |
| 6 | No Measurement or Performance Indicators | 9.1.2 | The organisation does not track the indicators the standard identifies — time to acknowledge, time to close, employment outcomes for reporters, survey data on trust, or the proportion of cases resulting in corrective action. Without measurement, improvement is impossible. |
| 7 | No Management Review or Continual Improvement | 9.3 | The WMS is never formally reviewed by top management. There is no process to evaluate suitability, identify systemic failures, or drive improvement. The system — such as it is — remains static. ISO 37002 treats this as a core failure of the management system. |
A programme without measurement is not a programme. It is a hope.
These seven gaps are not independent. A missing governing body role (Gap 1) makes it almost impossible to secure adequate resources for investigation (Gap 4) or to drive the management review process (Gap 7). Informal triage (Gap 4) undermines the impartiality of investigations. Inadequate measurement (Gap 6) means the organisation cannot determine whether any of the other gaps have been closed.
The practical implication is that partial compliance with ISO 37002 — addressing some gaps while leaving others — provides limited assurance. The standard is designed as a system; individual elements that function well in isolation cannot compensate for system-level failures.
4. The Governing Body's Missing Role
Of the seven gaps, the absence of governing body involvement is the most consequential — and the most commonly overlooked.
ISO 37002, Clause 5.1.1 sets out the governing body's responsibilities explicitly. The governing body must set objectives for an effective whistleblowing management system and monitor management in relation to those objectives. It must approve the organisation's whistleblowing policy. It must receive and review information about the content and operation of the system at planned intervals. It must ensure that adequate and appropriate resources are allocated. And it must exercise adequate oversight of the implementation, integrity, and improvement of the system.
In most organisations, none of this happens. The board receives no regular reporting on WMS performance. It has not approved the whistleblowing policy at board level. It does not monitor management's implementation of the programme. The compliance, legal, or HR function owns the programme entirely — and the governing body's relationship to it is limited to receiving occasional exception reports when a significant case has arisen.
The board doesn't need to run the programme. But it must own the outcome.
The distinction matters for several reasons. First, ISO 37002 explicitly addresses the governing body because whistleblowing frequently involves senior management. If the programme is owned entirely by those who may be the subject of a report — or who report to someone who may be — structural impartiality is compromised from the outset. Governing body oversight is the mechanism that protects the programme's integrity in precisely these cases.
Second, the governing body's role in setting objectives gives the programme legitimacy and resource security that internal ownership alone cannot provide. A compliance function advocating for whistleblowing platform spend competes internally in ways that a board-mandated programme does not.
Third, the governing body's periodic review of system performance — including trend data on report volumes, investigation outcomes, time-to-close, and employment outcomes for reporters — is the primary mechanism for identifying whether the programme is functioning as intended. A board that never reviews this information cannot govern a programme it does not see.
Boards that have taken whistleblowing governance seriously typically embed it in the audit committee mandate, establish a regular WMS performance report as a standing agenda item, and ensure that the head of the whistleblowing management function has direct, unrestricted access to the board. ISO 37002 expects exactly this. Most boards are far from it.
5. Building an Effective System — What Good Looks Like
An effective whistleblowing management system under ISO 37002 has six characteristics that distinguish it from a compliance checkbox programme.
1. Multiple, Accessible Reporting Channels
Good practice involves more than a single reporting mechanism. The system provides telephone, online, and in-person channels, with multilingual capability where required. At least one channel is independent of the management hierarchy — meaning reporters can bypass their line manager, HR, and local management entirely. Channels are visible: actively promoted, not buried in a policy document.
2. A Documented Triage and Assessment Process
Every report is assessed against defined criteria. The triage process determines scope, urgency, risk to the reporter, and appropriate response pathway. Decisions are documented and can withstand administrative and legal review. The reporter receives timely acknowledgement and feedback on the outcome of assessment. Nothing is handled informally or lost in a team inbox.
3. Investigative Capability That Is Genuinely Independent
For reports involving senior figures or matters where internal impartiality cannot be guaranteed, external investigators are engaged. The investigation function is separated from the protection function. Investigators operate with defined terms of reference, maintain a clear audit trail, preserve evidence, apply due process to subjects of reports, and communicate regularly with the reporter throughout.
4. Proactive Whistleblower Protection
Protection begins at the moment of receipt. A risk assessment is completed for every report: What is the likelihood that the reporter's identity will be exposed? Is there an existing or immediate risk of detriment? What protective measures are appropriate? Identity is managed on a strictly need-to-know basis. Protective arrangements are monitored and reviewed at each step of the process, not just at the start.
5. Regular Measurement Against Defined Performance Indicators
The organisation tracks the full set of performance indicators identified in Clause 9.1.2 (see Section 6 of this paper). It conducts periodic surveys of personnel on awareness of and trust in the programme. It conducts internal audits of the WMS at planned intervals. Management reviews the programme formally and reports findings to the governing body.
6. A Culture of Speak-Up and Listen-Up
Leadership at every level actively demonstrates commitment to the programme. Senior leaders participate in training. They publicly commend those who have reported wrongdoing (with consent). They do not signal, directly or indirectly, that raising concerns is unwelcome. The WMS is not a risk management tool quietly maintained by compliance — it is part of how the organisation governs itself.
6. Measuring What Matters
Clause 9.1.2 of ISO 37002 provides a non-exhaustive list of quantitative and qualitative indicators for measuring whistleblowing management system performance. Speeki organises these into seven categories for practical programme management:
| Indicator Category | What to Measure |
|---|---|
| Volume & Intake | Total reports received per period, by channel (internal/external), by geography, by department or business unit |
| Responsiveness | Time to acknowledge receipt of initial report (target: within 3 working days); time taken to complete triage and assessment |
| Investigation Quality | Time to close cases; proportion escalated to investigation; proportion referred to external authorities; audit trail completeness |
| Outcome Integrity | Proportion of reports sustained by investigation vs. not sustained; proportion resulting in corrective action; nature and seriousness of wrongdoing found |
| Whistleblower Outcomes | Employment status of reporters post-disclosure; proportion departing the organisation following a report; reason for departure where known |
| System Trust | Periodic personnel survey: awareness of the WMS; perceived safety of reporting; confidence that reports are handled impartially |
| System Health | Proportion of cases falling outside scope (routed to correct process); proportion where information was knowingly false; frequency and outcome of internal audits |
Two important caveats apply to all measurement activity. First, report volume is a lagging and unreliable indicator of programme health. High volumes may indicate a healthy culture in which people feel safe to report — or they may reflect a genuine spike in wrongdoing. Low volumes may indicate that the programme is not being used, or they may reflect an organisation that is well-governed. Volume must be read alongside trust survey data and contextual intelligence.
Second, measurement is only useful if it drives action. The management review process (Clause 9.3) must connect indicator analysis to programme decisions: resourcing, process improvement, communication campaigns, training updates, or structural changes to the system. A dashboard that is produced quarterly but never discussed at governance level does not constitute effective performance evaluation.
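The indicator table and the two caveats above can be made concrete with a small calculation over case records. The following is an added example written for this page; it is not code from Speeki, the Speeki Platform, or ISO 37002. The case-record fields, the 3-working-day acknowledgement target, the volume and trust thresholds in `volume_reading`, and the six sample cases are all constructed assumptions for illustration. It computes the responsiveness, investigation, outcome, whistleblower-outcome and scope indicators from the table, and shows how a volume figure is read only alongside trust-survey data rather than on its own.

```python
"""Added example, not from the Speeki whitepaper or the ISO standard: computing
a subset of Clause 9.1.2-style indicators over constructed case records.
Record fields, thresholds and sample data are illustrative assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional

ACK_TARGET_WORKING_DAYS = 3   # acknowledgement target named in the paper's table


@dataclass
class Case:
    case_id: str
    channel: str                  # e.g. "hotline" (independent) or "line_manager"
    received: date
    acknowledged: Optional[date]  # None = reporter never heard back
    closed: Optional[date]
    in_scope: bool                # False = routed to another process (e.g. HR grievance)
    investigated: bool
    sustained: Optional[bool]     # None until an investigation concludes
    corrective_action: bool
    reporter_departed: bool       # left the organisation after reporting


def working_days_between(start: date, end: date) -> int:
    """Count Monday-Friday days after `start` up to and including `end`.
    Public holidays are deliberately ignored (assumption)."""
    if end < start:
        raise ValueError("end precedes start")
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def pct(numerator: int, denominator: int) -> Optional[float]:
    """Percentage rounded to one decimal; None when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else None


def indicators(cases: list[Case]) -> dict:
    """Volume, responsiveness, investigation, outcome and reporter-outcome indicators."""
    total = len(cases)
    by_channel: dict[str, int] = {}
    for c in cases:
        by_channel[c.channel] = by_channel.get(c.channel, 0) + 1
    acked = [c for c in cases if c.acknowledged is not None]
    ack_days = [working_days_between(c.received, c.acknowledged) for c in acked]
    in_scope = [c for c in cases if c.in_scope]
    investigated = [c for c in in_scope if c.investigated]
    concluded = [c for c in investigated if c.sustained is not None]
    sustained = [c for c in concluded if c.sustained]
    closed = [c for c in cases if c.closed is not None]
    return {
        "total_reports": total,
        "reports_by_channel": by_channel,
        "unacknowledged": total - len(acked),   # every one of these is a trust failure
        "ack_within_target_pct": pct(sum(d <= ACK_TARGET_WORKING_DAYS for d in ack_days), len(acked)),
        "median_calendar_days_to_close": median((c.closed - c.received).days for c in closed) if closed else None,
        "out_of_scope_pct": pct(total - len(in_scope), total),
        "escalated_to_investigation_pct": pct(len(investigated), len(in_scope)),
        "sustained_pct": pct(len(sustained), len(concluded)),
        "corrective_action_pct": pct(sum(c.corrective_action for c in sustained), len(sustained)),
        "reporter_departed_pct": pct(sum(c.reporter_departed for c in cases), total),
    }


def volume_reading(reports_per_1000_staff: float, pct_feel_safe_to_report: float) -> str:
    """Read volume only alongside trust-survey data, as the paper's first caveat
    requires. The 5-per-1000 and 60% thresholds are assumptions for illustration."""
    low_volume = reports_per_1000_staff < 5.0
    low_trust = pct_feel_safe_to_report < 60.0
    if low_volume and low_trust:
        return "low volume, low trust: question the system's effectiveness"
    if low_volume:
        return "low volume, high trust: plausible, but confirm with contextual intelligence"
    if low_trust:
        return "high volume, low trust: check for a genuine spike in wrongdoing"
    return "high volume, high trust: consistent with a healthy speak-up culture"


D = date  # shorthand for the constructed sample below (June 2024; 3 June is a Monday)
SAMPLE_CASES = [
    Case("C1", "hotline", D(2024, 6, 3), D(2024, 6, 5), D(2024, 7, 1), True, True, True, True, False),
    Case("C2", "web", D(2024, 6, 7), D(2024, 6, 13), None, True, True, None, False, False),
    Case("C3", "line_manager", D(2024, 6, 10), D(2024, 6, 10), D(2024, 6, 12), False, False, None, False, False),
    Case("C4", "web", D(2024, 6, 11), None, None, True, False, None, False, False),
    Case("C5", "hotline", D(2024, 6, 12), D(2024, 6, 14), D(2024, 7, 10), True, True, False, False, True),
    Case("C6", "hotline", D(2024, 6, 14), D(2024, 6, 17), D(2024, 6, 28), True, False, None, False, False),
]

if __name__ == "__main__":
    for key, value in indicators(SAMPLE_CASES).items():
        print(f"{key}: {value}")
    print(volume_reading(2.0, 45.0))
```

On the sample data the acknowledgement target is met for 4 of the 5 acknowledged cases (C2 took four working days because a Friday receipt was not acknowledged until the following Thursday), one case was never acknowledged at all, and one reporter has since left. Those are the lines a board report should surface, not the headline count of six reports.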
7. The Case for Independent Assessment
ISO 37002 requires internal audit of the whistleblowing management system at planned intervals (Clause 9.2). This is necessary but not sufficient. Internal audit faces an inherent limitation when applied to whistleblowing: the system is designed, in part, to capture wrongdoing involving the organisation's own leadership and management. Internal auditors — however skilled and independent in their operating model — are employed by the organisation. In many cases, they report to the very functions whose behaviour the WMS is designed to govern.
This is not a criticism of internal audit. It is a structural constraint that the standard acknowledges by noting that organisations 'should' consider external investigators where impartiality cannot be guaranteed. The same logic applies to the assessment of the system itself.
A programme that only audits itself cannot see its own blind spots.
An independent assessment against ISO 37002 — conducted by a third party with practitioner expertise in whistleblowing system design, investigation, and governance — provides a materially different output. It identifies systemic gaps that internal review is unlikely to surface. It provides a credible external reference point for board reporting, regulatory engagement, or due diligence. And it generates a structured improvement roadmap that is grounded in the standard's requirements rather than the organisation's own view of what is adequate.
Speeki conducts ISO 37002 assessments as part of its broader compliance and governance assurance practice. An assessment covers the full scope of the standard: the system's governance architecture (Clauses 4–6), its operational design and documented information (Clauses 7–8), its performance evaluation regime (Clause 9), and its continual improvement mechanisms (Clause 10). The assessment is conducted by senior practitioners with direct experience of whistleblowing system design, investigation management, and regulatory engagement — not by junior consultants applying a checklist.
The output is not a certificate. ISO 37002 is a guidelines standard, and formal certification is not available in the way it is for requirements-based standards like ISO 37001. What a Speeki assessment provides is a detailed, clause-by-clause evaluation of system adequacy — with findings graded by severity, root-cause analysis of systemic gaps, and a prioritised remediation plan. For boards and audit committees seeking credible assurance that their speak-up programme is fit for purpose, this is the most rigorous and defensible basis available.
Speeki's whistleblowing practice
Speeki operates the Speeki Platform — a purpose-built whistleblowing and case management platform used by organisations across 100+ countries. This operational experience informs our assessment work directly. We have seen what effective systems look like in practice, across industries and jurisdictions, and we have seen what fails. Our ISO 37002 assessments draw on that practitioner knowledge, not just the text of the standard.
Conclusion
ISO 37002 defines a high standard for whistleblowing management. Most organisations are not close to meeting it. The gap is not primarily a resourcing problem or a technology problem — it is a governance problem. Boards that do not own the programme, leadership that does not visibly commit to it, and compliance functions that treat it as a tick-box cannot build the trust that makes a speak-up programme work.
The consequences of getting this wrong are significant. An ineffective whistleblowing programme does not simply fail to detect wrongdoing. It may actively suppress it, by signalling to potential reporters that their concerns will not be taken seriously or that they will face retaliation if they speak up. In that scenario, the programme is not neutral — it is a liability.
The path to a genuinely effective system is defined by the standard: governing body ownership, clear leadership commitment, structured processes for receiving, assessing, addressing, and concluding reports, proactive protection, rigorous measurement, and independent review. None of these is technically complex. All of them require organisational will.
Organisations that invest seriously in building an ISO 37002-aligned whistleblowing management system are not just managing compliance risk. They are building an early-warning capability that financial controls, internal audit, and external assurance cannot replicate. They are building trust — with their own people, with regulators, and with the market. And they are creating the conditions under which wrongdoing is detected and corrected before it becomes a crisis.
Speeki
Speeki is an ISO-accredited ESG assurance and certification firm operating across more than 100 countries, with offices in Singapore, the United Kingdom, and France. Speeki provides sustainability assurance under ISSA 5000 and AA1000AS v3, management system certification across a broad range of ISO standards, and practitioner-led advisory and assessment services.
Speeki operates the Speeki Platform — a whistleblowing, ethics, and case management platform used by organisations globally — and conducts ISO 37002 assessments as part of its compliance and governance practice. Speeki's assessments are conducted by senior practitioners with direct experience in whistleblowing system design, investigation management, and regulatory compliance. Speeki is accredited under ISO 17021-1 through COFRAC (France) and ANAB (USA).
Speeki is an AI-native firm. Its agentic AI system, Nicole, supports operational delivery across assurance, certification, and client engagement. Speeki positions itself as the credible, senior-practitioner alternative to Big Four advisory for organisations that require genuine independence, transparent pricing, and deep technical expertise.
For more information: speeki.com | info@speeki.com
The views expressed in this whitepaper are those of Speeki and are intended to contribute to practitioner and governance discourse on whistleblowing management system design and assessment. They do not constitute legal advice.