Quick Read
A whistleblowing system can meet all structural and compliance requirements while remaining unused due to cultural distrust; this whitepaper distinguishes between system assessment (which audits processes and documentation) and culture assessment (which measures employee perceptions, behaviours, and trust through surveys, pattern analysis, integrity testing, and qualitative research). Effective speak-up programmes require both disciplines operating in parallel, with culture assessment conducted over time through multiple methods to identify the invisible barriers that prevent people from actually using the system. Organizations that conduct only one of these assessments operate with significant blind spots that audits alone cannot reveal.
Executive Summary
A whistleblowing system can be structurally sound and culturally broken. The processes can be documented, the channels can be accessible, the triage protocols can be defined — and yet the system may generate almost no reports, because the people it is designed to serve do not trust it enough to use it. No audit of processes and documentation will reveal this. Only a culture assessment will.
This paper is a companion to Speeki's whitepaper on ISO 37002 Whistleblowing Management Systems. Where that paper addresses the structural and governance requirements of a compliant system, this paper addresses the parallel discipline of speak-up culture assessment: what it is, how it differs from system assessment, how it is conducted, and what the findings should drive.
Culture assessment operates across five instruments — perception surveys, behavioural pattern analysis, system integrity testing, qualitative research, and decision audits — and must be embedded in a cadenced programme with defined governance outputs. This paper sets out the methodology for each instrument, the red flags that signal cultural dysfunction, and the principles for translating assessment findings into meaningful organisational change.
The central argument is this: you can audit a system. You cannot audit a culture. Culture must be assessed — through multiple methods, over time, with honest reporting to the people who have the authority to act on it. Organisations that do only one of these two things are operating with significant and largely invisible blind spots.
1. Why Culture Assessment Is Different from System Assessment
The distinction between system assessment and culture assessment is not semantic. It describes two genuinely different things that require different methods, different expertise, and different governance responses.
System assessment asks: does the structure exist? Are the processes documented? Does the triage protocol work as described? Is the documentation complete? It is primarily a review of design and operational compliance. It can be conducted by a trained assessor reviewing documents, interviewing process owners, and testing procedural elements. It is necessary. It is not sufficient.
Culture assessment asks: do people trust the system enough to use it? Do they believe that concerns raised will be taken seriously? Do they fear retaliation? Do they observe their leaders behaving consistently with the values the system is designed to protect? It is a review of beliefs, perceptions, and behaviours — none of which appear in a process document or a case management system. It requires different instruments, different skills, and different analytical frameworks.
A programme that employees don't trust is not a programme. It is a liability dressed as a control. |
The relationship between the two is important to understand. System quality is a necessary but not sufficient condition for cultural effectiveness. A well-designed system with strong cultural foundations will generate meaningful reporting. A well-designed system with a broken culture will generate almost nothing. A poorly designed system with strong cultural foundations may still generate valuable intelligence, but will lose cases through inadequate process. The worst combination — poor design and poor culture — is not merely ineffective. It is actively harmful, because it gives organisations a false sense of security.
Culture is shaped by factors that lie largely outside the whistleblowing management system itself. The single most powerful driver of speak-up culture is visible leadership behaviour — whether senior figures demonstrably act with integrity, whether they treat concerns that are raised with seriousness, and whether they are seen to be held to the same standards as everyone else. These are not system design questions. They are leadership and governance questions, and they require governance-level responses.
The ISO 37002 connection ISO 37002 Clause 9.1.2 explicitly requires periodic surveys of personnel measuring awareness of and trust in the whistleblowing management system. Clause 5.1.1 requires the governing body to exercise oversight of the implementation, integrity, and improvement of the system — which necessarily includes its cultural effectiveness. The standard does not treat culture assessment as optional. Organisations that measure only system design are not meeting their obligations under the standard. |
2. The Five Instruments of Culture Assessment
A rigorous speak-up culture assessment uses five distinct instruments. No single instrument is sufficient. Each reveals a different aspect of the culture and acts as a check on the others. Triangulation — the process of comparing findings across instruments to identify consistent patterns versus single-source anomalies — is the core analytical discipline.
# | Instrument | What It Does | Data Source |
|---|---|---|---|
01 | Perception Survey | Structured anonymous survey measuring psychological safety, leadership credibility, outcome trust, and consistency. The primary perception instrument. Administered annually minimum; quarterly pulse versions following significant events. | Personnel at all levels, disaggregated by geography, business unit, seniority, and function. |
02 | Behavioural Pattern Analysis | Diagnostic reading of the data the speak-up system already generates: volume, topic diversity, channel mix, resolution outcomes, reporter employment outcomes. Reveals what is actually happening, as opposed to what people say is happening. | Speak-up case management system; HR employment data; exit interview records. |
03 | System Integrity Testing | Direct testing of the system under realistic conditions, including mystery reporting, channel accessibility audits, triage timeliness measurement, and conflict of interest mapping. Tests whether the system performs as designed. | External assessor; live reporting channels; case management workflow; documentation records. |
04 | Qualitative Research | Focus groups, structured interviews, and ethnographic observation that surface the lived experience of the speak-up culture. Provides explanatory depth that surveys and data analysis cannot — the 'why' behind the numbers. | Cross-section of personnel; ideally facilitated externally to reduce social desirability bias. |
05 | Decision Audit | Review of actual business decisions — procurement, HR, commercial — to assess whether ethical considerations appear in recorded reasoning. Tests whether the culture of integrity extends beyond speak-up into routine decision-making. | Decision records, meeting minutes, approval documentation, escalation logs. |
The sequencing of instruments matters. Quantitative instruments (survey, behavioural analysis) should typically precede qualitative instruments (focus groups, interviews) so that the qualitative work can be targeted at the anomalies and low scores that the quantitative data surfaces. System integrity testing should be conducted independently of any advance notice to the operating team — mystery reporting, in particular, is only valid when it is genuinely unannounced.
The social desirability problem Survey responses are affected by social desirability bias — the tendency of respondents to answer in ways they believe are expected or approved, rather than reflecting their genuine perceptions. This effect is most pronounced when: surveys are not genuinely anonymous; employees have witnessed retaliation and fear it; the survey is administered by internal HR rather than an independent party; or the organisation has previously communicated expectations about 'positive' survey results. Qualitative research conducted externally, with guaranteed anonymity, is the primary tool for identifying whether survey scores are reliable. When survey scores are high but qualitative findings are negative, the qualitative findings should be treated as the more reliable signal. |
3. The Perception Survey — Design, Deployment, and Analysis
Survey Design Principles
A diagnostic speak-up culture survey is not an awareness survey. The goal is not to establish whether employees know the programme exists. The goal is to understand whether they would use it, why or why not, and what their experience of the culture is. This requires questions that probe perception, not just knowledge.
Effective survey design follows five principles:
Specificity over generality. 'I feel safe speaking up' is weaker than 'I would feel safe raising a concern about wrongdoing without fear of negative consequences for my career.' The more specific question produces more actionable data and is harder to answer positively without genuine conviction.
Behavioural anchoring. Questions about what people 'would do' under specific circumstances reveal more than questions about general attitudes. 'If I witnessed a colleague engaging in financial misconduct, I would feel confident raising it through the speak-up programme' generates diagnostic data that 'I support the speak-up programme' does not.
Scaled responses. Likert-scale responses (strongly disagree to strongly agree, or 1–10) enable trend tracking over time and cross-divisional comparison. Binary yes/no responses are less analytically useful.
Open-text provision. At least two open-text questions — 'What would make you more likely to use the speak-up programme?' and 'What concerns you most about raising a concern?' — surface explanatory content that scaled questions cannot.
Genuine anonymity architecture. Survey instruments should be designed so that individual responses cannot be identified, including through demographic cross-tabulation that could identify individuals in small teams. This should be communicated clearly to participants before they respond.
Core Survey Themes and Diagnostic Questions
A comprehensive speak-up culture survey covers five diagnostic themes. The following questions represent a validated framework; organisations may adapt language to their specific context while preserving the diagnostic intent of each question.
Theme | Diagnostic Question | Diagnostic Purpose |
|---|---|---|
Psychological Safety | "I would feel safe raising a concern about wrongdoing without fear of negative consequences for my career or working relationships." | Whether fear of retaliation suppresses reporting at the point of decision. The single most important culture indicator. |
Psychological Safety | "I know someone in my team or department who has raised a concern and faced negative consequences as a result." | Whether perceived retaliation is present — even informally — in the immediate working environment. |
Leadership Credibility | "Senior leaders in this organisation act consistently with our stated values, even when it is commercially difficult." | Whether tone-at-the-top is perceived as authentic behaviour or performative policy. The 'even when commercially difficult' qualifier is critical. |
Leadership Credibility | "If a senior leader behaved inappropriately, I believe they would face the same consequences as anyone else in the organisation." | Whether perceived double standards for seniority suppress reporting of senior-level wrongdoing — the most significant category of suppressed concern. |
Manager Behaviour | "My direct manager would handle a concern I raised seriously, confidentially, and without making me feel that I had caused a problem." | Whether the immediate management relationship is a barrier or enabler. Line managers are the first point of contact for most concerns. |
Outcome Trust | "When concerns are raised in this organisation, I believe they are investigated thoroughly and fairly." | Whether past case handling has built or eroded trust in the system's integrity. If this score is low, process improvement alone will not recover trust. |
Outcome Trust | "I would know what to expect if I raised a concern — what would happen, who would be involved, and how long it would take." | Whether the system is accessible and transparent enough for potential reporters to make an informed decision to use it. |
Consistency | "Standards of conduct are applied consistently in this organisation, regardless of a person's seniority or commercial value." | Whether commercial pressure creates perceived exceptions to ethical standards. Low scores here correlate strongly with suppressed reporting. |
Analysis and Reporting
Raw survey scores are less informative than patterns across scores. The following analytical questions should drive the interpretation of survey results:
Which theme has the lowest aggregate score, and what does that indicate about the primary barrier to reporting? Low psychological safety requires different interventions than low outcome trust.
Where is variation greatest across divisions or geographies? The highest-variance themes indicate where the culture differs most significantly from place to place — and where targeted intervention is most urgent.
What is the correlation between low scores on leadership credibility and low scores on psychological safety? If these move together, the culture problem is leadership behaviour, not system design.
How do open-text responses relate to scaled question scores? If high-scoring divisions produce open-text responses that describe fear or suppression, the scaled scores are likely unreliable.
How do scores compare to previous periods? Declining trends — even from already-positive scores — are more diagnostically significant than the current level alone.
Survey results should always be reported with divisional disaggregation as the primary frame. Aggregates are useful for board-level communication but must be accompanied by the range across units. A board told only that '74% of employees feel safe to raise concerns' may believe this is satisfactory. A board told that the score ranges from 89% in one division to 41% in another understands that something requires urgent attention.
4. Behavioural Pattern Analysis — What Your Data Already Tells You
Most organisations that have a functioning speak-up platform are sitting on a body of diagnostic data that they do not read systematically. Case management systems, HR records, exit interview databases, and channel access logs contain signals about the state of the speak-up culture that are invisible without deliberate analysis. This section identifies the most diagnostically significant patterns.
Volume and Benchmark Analysis
The most commonly cited speak-up metric — total report volume — is also the most commonly misread. Zero reports, or very low volumes, are not evidence of a clean organisation. They are evidence of something: low awareness, low trust, fear of retaliation, or the perception that reports are not acted upon. The analytical question is not 'how many reports did we receive?' but 'how many reports should we expect in an organisation of this size, sector, and complexity, and what does the gap between expected and actual tell us?'
While no universal benchmark exists, organisations in comparable sectors and geographies with active, trusted speak-up programmes typically generate volumes in the range of one to three reports per hundred employees annually, with higher rates in sectors with strong regulatory expectations (financial services, pharmaceuticals) and lower rates in geographies with strong cultural norms around hierarchy and deference. Sustained deviation below reasonable benchmarks should trigger a culture assessment, not a self-congratulatory compliance report.
Topic Diversity Analysis
A healthy speak-up programme receives reports across a meaningful range of issue categories. The mix of topics reveals the boundaries of what reporters feel safe raising. Common patterns with diagnostic significance:
A programme receiving only interpersonal conduct reports (harassment, manager behaviour, workplace conflict) and no reports of financial irregularity, safety concerns, or policy breaches is almost certainly functioning as an informal HR channel. High-stakes and legally significant wrongdoing is not reaching the programme. This is a suppression signal, not evidence that high-stakes wrongdoing does not occur.
A programme that receives reports from only junior employees — with no reports involving senior management or cross-functional issues — suggests that the cultural safety to report upward or sideways is absent. The programme is capturing downward complaints but not functioning as a governance mechanism.
A sudden shift in topic diversity — particularly an increase in reports touching on a specific function, geography, or senior individual — is a signal that warrants investigation, not statistical normalisation.
Channel Mix and Accessibility
Where reporters choose to report reveals what they trust. A programme in which 90% of reports come through a single channel — particularly a channel that routes through internal management — is structurally constrained. If the telephone line is underused, is this because reporters do not know it exists, because they distrust it, or because it is genuinely difficult to access? This question cannot be answered from the data alone, but the question must be asked.
Channel diversity is itself a culture signal. Organisations with genuinely trusted programmes tend to see reporting distributed across channels as reporters self-select the mechanism that feels right for them. Concentration in a single channel — particularly when that channel offers lower anonymity — suggests reporters are using the most available option, not the most comfortable one.
Post-Report Employment Outcomes
ISO 37002 Clause 9.1.2 identifies monitoring of employment outcomes for reporters as a required performance indicator. This is the most sensitive data point in a speak-up programme and the most commonly ignored.
The analysis is straightforward in concept: of all individuals who made a report in a given period, what proportion left the organisation — voluntarily or otherwise — within the following twelve months, and how does this compare to the organisation-wide rate for comparable employees? A statistically significant elevation in post-report departure rates is a retaliation signal, regardless of whether formal retaliation claims were made.
Informal retaliation — exclusion, marginalisation, reduced opportunity, social ostracism — is far more common than formal retaliation and far harder to detect. Employment outcome analysis is not a perfect detector, but it is the closest available proxy for an outcome that would otherwise be invisible.
The counterintuitive division In organisational culture assessments, the division with zero reports and high survey scores is frequently more concerning than the division with elevated volumes and moderate survey scores. High volume with moderate trust often indicates a healthy reporting culture in a complex environment. Zero volume with high survey scores may indicate that the survey scores are unreliable — shaped by social desirability or fear — and that a genuine silence problem exists. The quiet division deserves more investigative attention, not less. |
5. System Integrity Testing
System integrity testing is the discipline of evaluating whether a speak-up system actually performs as designed under realistic operational conditions. It is distinct from process review — which confirms that processes are documented and plausible — and from case file audit — which reviews what happened in specific historical cases. System integrity testing asks: if a real employee submitted a real report right now, what would actually happen?
Mystery Reporting
Mystery reporting is the primary instrument of system integrity testing. An external assessor — posing as a concerned employee with no prior relationship to the organisation — submits a report through one or more of the organisation's live reporting channels. The report describes a plausible but fictional scenario involving wrongdoing at a specific level of severity, chosen to test specific elements of the triage protocol.
The assessment evaluates the system's response against the following criteria:
Channel accessibility — was the reporting mechanism easy to find and use? Did it function without technical failure? Was it available in the relevant language?
Acknowledgement timeliness — was an automated acknowledgement generated immediately? Was a personalised acknowledgement provided within the standard's recommended three working days?
Triage quality — was the report assessed against the correct criteria? Was the severity and urgency of the scenario correctly identified? Was a referral to investigation initiated where appropriate?
Communication to reporter — did the reporter receive meaningful feedback on the outcome of assessment? Did the communication manage expectations appropriately without compromising the investigation?
Confidentiality integrity — was the reporter's identity protected throughout? Were confidentiality protocols applied correctly? Was any information shared beyond the need-to-know boundary?
Mystery reporting should be conducted without advance notice to the operating team. Prior notice defeats the purpose of the exercise — the question is not whether the team can perform correctly when they know they are being watched, but whether the system functions correctly under normal conditions. This requires explicit governance-level authorisation for the external assessor to conduct the exercise, with reporting to the governing body rather than to the compliance or HR function.
Designing effective mystery reporting scenarios The most useful mystery reporting scenarios test specific elements of the system that are known or suspected to be weak. Common test designs include: a report involving a junior employee alleging misconduct by a named senior figure (tests whether senior-level reports receive the same treatment as others); a report submitted anonymously through the web channel outside business hours (tests channel availability and anonymous-reporter handling); a report that is ambiguous in scope — potentially within the WMS or potentially a separate HR or legal matter (tests triage judgment and scope decisions); and a high-urgency report involving an immediate safety risk (tests whether escalation protocols activate correctly). Running multiple scenario types across a single assessment cycle provides a more complete picture than a single test. |
Channel Accessibility Audit
A channel accessibility audit evaluates each of the organisation's reporting channels — telephone, web portal, mobile application, in-person referral, postal address — against a standard set of accessibility criteria. The audit is conducted by an external assessor without organisational assistance.
Criteria include: findability (how many steps to locate the channel from the organisation's main website or intranet?); usability (can the channel be used without technical knowledge?); availability (is the telephone line staffed outside business hours? Does the web portal function correctly on mobile devices?); multilingual capability (is the channel available in all languages used by the organisation's personnel?); and anonymity architecture (does the channel genuinely protect anonymous reporters, or does it collect IP addresses, browser fingerprints, or other identifying information?).
Channel accessibility failures are among the most common system integrity findings. They are also among the most easily addressed — but they are invisible without testing, because the organisation's own team knows how to navigate a system that may be opaque to a first-time user.
Documentation and Triage Quality Review
A sample of historical case files — selected without advance notice to avoid curated submissions — should be reviewed against the documentation standards the standard requires. Specifically: are triage decisions documented with reasoning, not just outcomes? Does the documentation support the conclusions reached? Would the file withstand legal or regulatory review? Are protection assessments documented for each case? Are feedback records complete?
Documentation quality is a direct proxy for process discipline. Organisations that make good decisions but document them poorly are one regulatory inquiry away from an inability to demonstrate what they actually did. Organisations that document well tend to decide well — the discipline of recording a decision forces clearer thinking about the basis for it.
6. Qualitative Research — Going Deeper Than the Numbers
Surveys and data analysis identify what is happening. Qualitative research — focus groups, structured interviews, and observational methods — explains why. It surfaces the lived experience of the speak-up culture: the specific incidents that shaped perception, the social norms that govern whether raising a concern is safe, and the beliefs about leadership that underpin trust or distrust in the system.
Focus Groups
Focus groups should be conducted by an external facilitator, with guaranteed anonymity for participants, and with groups stratified by level and geography. Senior employees should not be present in groups with junior employees — their presence suppresses candour in exactly the way a speak-up culture assessment is trying to measure.
Effective focus group protocols explore three questions: What do people actually know and believe about the speak-up programme? What would stop them from using it, or has stopped them? What would change their minds? The answers to these questions frequently diverge sharply from what survey scores suggest, particularly in cultures with strong social desirability effects.
Focus groups following adverse survey findings are particularly valuable. A division that scores 38% on psychological safety is telling you that something is wrong. Focus groups explain what — whether it is a specific incident that created fear, a pattern of manager behaviour, a belief that senior figures operate outside the rules, or a more diffuse sense that the organisation does not genuinely value integrity alongside commercial performance.
Exit Interview Analysis
Exit interview data is one of the most underused sources of culture intelligence in most organisations. Employees who are leaving — particularly those who are leaving voluntarily — have less to lose from honest answers and frequently provide the clearest window into the culture as it actually operates.
Most organisations do not ask questions in exit interviews that are directly relevant to speak-up culture. Adding three to five targeted questions — 'Were you aware of the speak-up programme?', 'Did you ever consider raising a concern through it?', 'If you did not, what stopped you?', 'Do you believe concerns raised by employees are taken seriously by leadership?' — transforms exit interviews from a retention management exercise into a culture diagnostic.
Exit interview analysis should be disaggregated by the reason for departure. Involuntary departures of employees who made prior speak-up reports are a retaliation signal. Voluntary departures citing cultural concerns — 'I didn't feel I could raise issues', 'I didn't trust the management' — are a speak-up culture signal. Neither is visible without systematic collection and analysis.
7. The Red Flags — Recognising Cultural Failure Before It Becomes a Crisis
The following red flags represent the most diagnostically significant warning signs of speak-up cultural failure. Each is a signal that requires investigation and governance-level response. None of them are visible without a systematic culture assessment programme.
Red Flag | Priority | What It Signals and What To Do |
|---|---|---|
Zero or near-zero report volumes for extended periods | HIGH | Sustained low volume in an organisation of significant size is almost never evidence of a clean culture. It is evidence that the reporting culture is broken, the channels are distrusted, or people have learned that reports are not acted upon. Investigate the culture, not the absence of cases. |
Survey scores diverge from speak-up volume patterns | HIGH | If personnel say they feel safe to report (high survey scores) but report volumes are very low, the survey scores are likely unreliable — reflecting social desirability rather than genuine perception. Qualitative research is needed to understand what is actually happening. |
Reports concentrated in HR or conduct topics only | MEDIUM | Programmes that receive only interpersonal conduct complaints — harassment, manager behaviour — and never receive reports of financial irregularity, safety concerns, or policy breaches are likely operating as informal HR channels rather than genuine speak-up mechanisms. High-stakes wrongdoing is not reaching the programme. |
Significant variation in psychological safety scores by seniority | HIGH | If junior employees score materially lower on psychological safety than senior employees, the programme is likely capturing upward concerns (more junior staff feel relatively safer) but suppressing lateral and downward concerns. This is a structural culture problem, not a system design problem. |
Reporters disproportionately leave the organisation post-disclosure | HIGH | Even without formal retaliation claims, a pattern in which reporters leave at elevated rates following disclosure is a retaliation signal. It suggests that informal mechanisms — exclusion, marginalisation, reduced opportunity — are operating below the threshold of formal complaint. |
Mystery reporting reveals delayed or absent acknowledgement | HIGH | If a test report submitted through the live channel receives no acknowledgement within the required timeframe, or receives a response that suggests the report was not properly received, the system is operationally broken for its primary purpose. This failure is invisible without testing. |
No divisional disaggregation of culture data | MEDIUM | Organisations that report only aggregate culture data are structurally blind to divisional problems. A division scoring 35% on psychological safety in a group averaging 70% will never trigger action if divisional data is not extracted and reported. The aggregate protects the outlier. |
The board has never reviewed speak-up culture data | MEDIUM | If the governing body has not reviewed speak-up culture data in the last twelve months — survey results, volume trends, reporter outcomes — it is not exercising the oversight that ISO 37002 Clause 5.1.1 requires. This is a governance failure that no amount of system quality can compensate for. |
The organisation that finds its red flags in a culture assessment is fortunate. The one that finds them in a regulator's report is not. |
8. The Assessment Cadence — Building a Continuous Programme
Speak-up culture assessment is not a one-time exercise. Culture changes — in response to leadership transitions, significant cases, commercial pressures, and organisational restructuring. A culture that scored well eighteen months ago may have deteriorated significantly. An assessment programme that relies on periodic snapshots without continuous monitoring is operating with significant lag.
A mature speak-up culture assessment programme operates on multiple cadences simultaneously:
Frequency | Activity | Responsibility | Governance Output |
|---|---|---|---|
Continuous | Speak-up case data monitoring | Compliance / WMS function | Monthly report to senior management |
Quarterly | Volume and trend analysis; divisional comparison | Compliance / WMS function | Quarterly board or audit committee report |
Annually (minimum) | Full diagnostic culture survey; channel accessibility audit | Compliance + HR; externally facilitated where possible | Annual governing body report; action plan update |
Every 1–2 years | Mystery reporting exercise; full system integrity test | External assessor | Assessment report to governing body with remediation plan |
Event-triggered | Pulse survey following significant case or public incident; qualitative interviews following adverse survey findings | Compliance + HR; external where sensitivity requires | Report to governing body within 30 days of trigger event |
The governance outputs from each cadence are as important as the assessment activities themselves. An assessment that generates findings but does not produce a board-level report with specific actions and accountabilities is an assessment that has been absorbed into the compliance function and will not drive change. The governing body must see the findings, own the response, and be held accountable for the improvement trajectory.
9. From Assessment to Action — Closing the Loop
The purpose of a speak-up culture assessment is not to produce a report. It is to drive improvement in the culture — the beliefs, behaviours, and structural conditions that determine whether people will actually use the system the organisation has built. Assessment findings that do not produce specific, owned, time-bound actions are not an investment. They are an expense.
Prioritising Findings
Not all assessment findings are equal in urgency or impact. A practical prioritisation framework considers two dimensions: severity (how significant is the cultural failure, and what harm could it cause?) and tractability (how amenable is the failure to the interventions available?).
High severity, high tractability findings — for example, a channel accessibility failure that can be remediated with a straightforward technical fix — should be addressed immediately, with completion verified within 30 days. High severity, low tractability findings — for example, a culture of perceived double standards for senior leadership — require longer-term structural and behavioural interventions with clear accountability at the most senior level. Low severity findings should be tracked but not allowed to crowd out action on the high severity issues.
Matching Interventions to Root Causes
The most common mistake in responding to speak-up culture assessment findings is applying system-level interventions to culture-level problems. Adding a new reporting channel does not address a culture of fear. Updating the policy does not address a perception that senior leaders are held to different standards. Launching a communication campaign does not address the experience of employees who have watched a reporter face informal retaliation.
The root cause of each finding should be established before intervention is designed. Low psychological safety scores typically reflect either specific incidents that have shaped perception (requiring a visible response to those incidents) or a pattern of leadership behaviour (requiring leadership development and accountability mechanisms). The intervention for each is different. Applying the wrong intervention not only fails to address the problem but may signal to employees that the organisation does not understand — or does not want to understand — what is actually happening.
Accountability and Tracking
Every action in the improvement plan should have a named owner, a defined completion date, and a measurable success indicator. The improvement plan should be reviewed at least quarterly by the governing body, with progress reported against each action and escalation for delayed or blocked items. Improvement plans that exist in a compliance function document without board visibility will not be driven with the urgency that culture problems require.
The ultimate test of whether the assessment programme is working is whether culture scores improve over time, whether mystery reporting reveals improved system performance, and whether report volumes move in the direction that reflects a healthier culture — not necessarily higher in all cases, but more consistent with the size and complexity of the organisation and more diverse in the topics they cover.
10. The Case for Independent Assessment
The argument for independent external assessment of speak-up culture is structurally identical to the argument for external auditors: internal assessment cannot see its own blind spots, and the appearance of objectivity is as important as objectivity itself.
An organisation's compliance or HR team can administer a culture survey. But respondents know who is running the survey. An organisation's internal audit function can review case files. But investigators and case handlers know that internal audit is their employer. An organisation's management team can interpret behavioural data. But their interpretation is inevitably shaped by their own place within the culture they are assessing.
Independent external assessment removes these constraints. Respondents answer differently when they know the assessor is genuinely external and the findings will go to the governing body rather than to the management team. Mystery reporting cannot be conducted internally. Focus groups conducted by an internal facilitator produce different results than those conducted by an external one. The presence of an independent assessor is not just a procedural nicety — it is a condition for obtaining reliable information.
An organisation cannot see its own blind spots. That is precisely what makes them blind spots. |
Speeki's speak-up culture assessment practice combines all five assessment instruments — perception survey, behavioural analysis, system integrity testing (including mystery reporting), qualitative research, and decision audit — into a structured assessment programme designed to the methodology set out in this paper. Assessments are conducted by senior practitioners with direct experience in speak-up programme design, investigation management, and regulatory engagement, and findings are reported directly to the governing body with a prioritised improvement plan.
For organisations seeking to understand what their speak-up culture actually looks like — not what their compliance function believes it looks like — an independent assessment is the only methodology that provides reliable answers.
Conclusion
A speak-up culture that works is one of the most valuable governance assets an organisation can have. It provides early warning of wrongdoing before it becomes a crisis. It signals to employees that the organisation is serious about its values. It builds the trust that makes accountability possible. And it is genuinely difficult to build — not because the methods are complex, but because it requires sustained leadership commitment across the full range of conditions in which that commitment will be tested.
Assessing whether that culture exists — and where it is weakest — is not a compliance exercise. It is a governance discipline. The instruments exist. The methodology is established. What is required is the will to use them honestly, to report findings to the people with the authority to act on them, and to sustain the improvement effort across the time and change that culture assessment requires.
Organisations that invest in this discipline are not just managing compliance risk. They are building the conditions under which integrity can be sustained — and under which wrongdoing, when it occurs, is detected and corrected before it becomes irreversible.
Related Speeki Resources
Why Most Speak-Up Programmes Fail the ISO 37002 Test Companion whitepaper covering the structural and governance requirements of ISO 37002, the seven most common system gaps, and the governing body's role. | Speeki Executive Education — WHI02 Three-day practitioner programme covering whistleblowing programme design, ISO 37002 requirements, triage and case management, and culture assessment methodology. |
Speeki
Speeki is an ISO-accredited ESG assurance and certification firm operating across more than 100 countries, with offices in Singapore, the United Kingdom, and France. Speeki provides sustainability assurance, management system certification, and practitioner-led advisory and assessment services including speak-up culture assessment, ISO 37002 system assessment, and whistleblowing programme design.
Speeki operates the Speeki Platform — a whistleblowing, ethics, and case management platform used by organisations globally. Speeki is accredited under ISO 17021-1 through COFRAC (France) and ANAB (USA).
For more information: speeki.com | info@speeki.com
The views expressed in this whitepaper are those of Speeki and are intended to contribute to practitioner and governance discourse on speak-up culture assessment methodology. They do not constitute legal advice.