‘Speak up’ and ‘whistleblowing’ are often used to describe an individual raising a concern about something, usually occurring in the workplace, that they perceive as an illegal, regulatory breach, non-adherence to processes, non-compliance with an organisation’s policies, not engaging with shared values, creating danger or wrongdoing to customers, stakeholders or members of staff. The allegation is often made, in the first instance, to their line manager, human resources or staff representative group but may also be made publicly to a regulator or the press or via social media. 

In April 2018, the EU introduced directives to protect whistleblowers; these are at different levels of embedding across member states. In the UK, whistleblowers are protected by law (Public Interest Disclosure Act 1998 [PIDA]) and shouldn’t be treated unfairly because they report concerns. The Protected Disclosures Act 2014 protects whistleblowers in Ireland. If, however, concerns are reported directly to the media, whistleblowers can lose many of their legal rights. Under the Public Interest Disclosure Act 1998, whistleblowing is an employee raising a concern about an alleged wrongdoing including corrupt, illegal or unethical behaviours in a public or private sector organisation.

To be covered by whistleblowing law, an employee blowing the whistle must reasonably believe two things:

  • They are acting in the public interest (ie not for personal/private gain)
  • The allegation shows past, present or future wrongdoing

While PIDA grants protection to employees and some ‘workers’ eg agency staff and contractors (as specified in the PIDA 1998 Part IVA Protected Disclosures, Section 43K), there are gaps meaning that some do not qualify for protection including job applicants, volunteers, interns and independent non-executive directors. It has been criticised for no longer being fit for purpose as it is too complicated and does not protect all citizens.

Recent high-profile media coverage highlighted the importance of speaking up, anonymously or not, and how seriously this should be taken by the organisation, media, individuals and stakeholders.

There are many examples of positive whistleblowing experiences, but unfortunately many where processes are not sufficient, information is reported inappropriately, data is misused, or anonymity is not maintained.

Barclays was fined $15m by the New York State Department of Financial Services for violating banking law. In the UK the CEO was fined over £600k (jointly by the Financial Conduct Authority and Prudential Regulation Authority) after being judged to have failed to comply with Code of Conduct (COCON), Individual Conduct Rule 2 (ICR2)you must act with due skill, care and diligence.

Top Considerations

  • existing organisational policy, or whether introducing one would be beneficial
  • roll-out of the policy including training, awareness and embedding
  • compliance of policy with relevant local legislation, directives etc
  • the Public Interest Disclosure Act 1998 (PIDA)/The Protected Disclosures Act 2014
  • Sarbanes-Oxley Act of 2002
  • access for staff to whistleblowing/speak up facilities, use of outsourced providers
  • use of prescribed people and bodies
  • ability of an organisation to respond to whistleblowing/speak up allegation, carry out investigations etc
  • privacy/maintenance of investigation records
  • reporting channels for investigation progress/outcomes ie to board and/or audit committee
  • false allegations or misuse of whistleblowing/speak up processes (eg personal grievances, harassment)
  • ‘witch-hunts’ by people who have allegations made against them eg Barclays CEO
  • outcomes from investigations and making changes within an organisation
  • vulnerable individuals who speak up (eg those not defined as ‘workers’)
  • when individuals who speak up believe they’ve been treated unfairly
  • negative connotations of whistleblowing
  • pressures on management to deliver on targets
  • when an internal auditor makes a speak up allegation
  • the role of internal audit in a speak up allegation eg is internal audit the investigator, the gatekeeper, the escalation route?
  • whether speaking-up is rewarded and how this can influence behaviours
  • links to non-disclosure agreements (NDAs) and so-called gagging clauses. 

World Whistleblower Day occurred on 23 June 2019, and the G20 declared whistleblowing a priority for their 2019 anti-corruption work. 4.7 billion people live in countries represented by the G20.

Pressures on management

There are examples of where companies have not acted ethically when under pressure to deliver.

Wells Fargo reached settlements with the city of Los Angeles totalling $190m following allegations of improper activity including opening accounts and transferring funds without customer consent, opening lines of credit and issuing credit and debit cards. 5,300 employees were terminated in connection with these activities, one of whom is quoted in US media as acting to 'survive' rather than access lucrative bonuses – 'to say we were under pressure is an understatement'. 

During the trial of three Tesco executives, following the overstatement of profit forecast by £250m, a whistleblower told the court that he prepared financial reports showing the growing gap between actual performance and planned which had reached £240m. He described the intense pressure, 'constant reviews and… how Tesco had to do better'.  

The 2012 LIBOR (London Interbank Offered Rate) investigation involved a whistleblower who traded immunity from prosecution in exchange for providing information. The group of interest-rate derivative traders had colluded/manipulated the rate to aid their trading positions for the purpose of gaining profit.

Public sector

In 2017 the government introduced a nationwide pilot Whistleblowers Support Scheme offering a range of services for NHS staff who have suffered detriment as a result of raising concerns. A key recommendation from the Stafford Hospital inquiry (involving concerns over poor care and high mortality rates amongst patients) stated that whistleblowers needed to be protected. One of the main findings was that people had known about poor levels of care but did not speak-up.

While there is no legal requirement to have a whistleblowing/speak up policy, having one demonstrates a commitment by the organisation to listen to concerns raised by customer, stakeholder and employees. The UK Corporate Governance Code July 2018, (Board Leadership and Company Purpose, Provision 6) requires a 'means for the workforce to raise concerns in confidence and – if they wish – anonymously.'

Organisations may have differing definitions of what counts as speaking-up – criminal offences, health and safety violations, environmental damage, miscarriage of justice, or unethical behaviour to meet targets. The following provides some examples of what public and private organisations have in their policy documents:

  • in this policy ‘whistleblowing’ means the reporting by employees of suspected misconduct, illegal acts or failure to act within the Council
  • it is important to the charity that any fraud, misconduct or wrongdoing by employees of the organisation is reported and properly dealt with
  • the purpose of the Code of Conduct Reporting & Whistleblowing Procedure is to enable incidents or suspected incidents of business wrongdoing to be raised safely within the organisation
  • the whistleblower policy is designed to help employees report any form of unethical behaviour.

From a whistleblower’s perspective, there can be various motivations for speaking-up. People can feel that it is morally right to report something that they have seen or been a part of. People can also trade information for their own protection once a scandal has been uncovered. There have been examples of people not realising that they are speaking-up and therefore can be protected.

The culture of the organisation needs to be open and accepting of people speaking-up for it to be seen as a positive and an opportunity to address a wrongdoing. 

Why should organisations take action?

Internal audit can offer assurance over controls in place to make sure that whistleblowing/speak-up arrangements comply with local legislation as well as being suitable for and applied properly within the organisation to enable people to report poor practices.

Employers may be keen to create an open, supportive and transparent working environment where employees feel comfortable to raise concerns. Organisations also must be cautious not to treat an employee any differently because they spoke up, blew the whistle or raised a concern. 

Organisations must comply with relevant legislation or regulatory requirements in the jurisdictions in which they operate – be aware of this during global internal audits and testing across jurisdictions. 


Each internal audit should be planned individually but some areas of risk to consider:

  • there is no internal mechanism to speak-up, or speaking-up is discouraged, and therefore people do not
  • speaking-up is not treated independently or investigated appropriately, enabling actions to continue
  • culturally the organisation is not open/accepting/mature enough to accept speak-up reports
  • people are treated unfavourably after making a speak-up report
  • people make a press or social-media report instead of speaking-up internally.

Speaking-up crosses into other areas of an organisation that might be subject to an internal audit: organisational culture, the shared values of the organisation, record keeping, reporting and governance, HR and legal agreements, social media and traditional media monitoring.


Having a whistleblowing/speak up policy in place sets the tone from the top, reinforcing the standards expected; provides an opportunity to educate staff and management, encouraging a culture where concerns are reported early, which makes it easier for employers to address concerns and potentially reduce risk.

Further reading 

UK Government - Whistleblowing for employees

Employment Rights Act 1996 (as amended by the Public Interest Disclosure Act 1998)

NHS - Report on the Freedom to Speak Up review

Department for Business Innovation and Services  - Whistleblowing - Guidance for Employers and Code of Practice 

NVCO/Knowhow - Whistleblowing

Protect (formally Public Concern at Work)

Chartered IIA - Whistleblowing in the US and the EU blog 

Financial Conduct Authority & Prudential Regulation Authority - press release re Chief Executive of Barclays Group

Safecall - Case studies  

Information Commissioner's Office - 'Speak up' the ICO's whistleblowing policy and procedure 

Public Interest Disclosure Act 1998

Protected Disclosures Act 2014 - Protection for Whistleblowers 

Whistleblowers UK 


Content reviewed: 12 March 2021