Whistleblower Protection Policy

Drafts board-adoptable whistleblower protection policies for public companies and non-profits. Covers SOX, Dodd-Frank, and state statute compliance, reporting channels, investigation procedures, anti-retaliation, and governance oversight. Use when drafting whistleblower policies, ethics reporting procedures, or compliance programs.

ID: us.employment.whistleblower-policy Version: 0.1.0 License: Apache-2.0 Author: CaseMark Language: en Added: 2026-05-27

Whistleblower Protection Policy

Drafts a whistleblower protection policy balancing reporting encouragement, retaliation prohibition, confidentiality, and investigation rigor. Output uses [bracketed] placeholders for all org-specific details.

Prerequisites

Gather before drafting:

  1. Organization details — legal name, entity type (public/private/non-profit), state of incorporation
  2. Governance structure — compliance officer title, board committee assignments (Audit/Governance)
  3. Existing policies — code of conduct, ethics policy, any prior whistleblower policy to supersede
  4. Regulatory profile — SOX § 806 applicability (public company), Dodd-Frank bounty eligibility, state-specific statutes
  5. Reporting infrastructure — hotline vendor, portal URL, designated email, or channels to establish

Quick Start

Draft a 2,500–4,000 word policy with the ten sections below. Tone: professional, reassuring, unequivocal on anti-retaliation. Prefer narrative prose over bullet lists.

Policy Sections

| # | Section | Key Content |
|---|---------|-------------|
| 1 | Purpose & Scope | Commitment statement; covered persons (directors, officers, employees, volunteers, contractors) |
| 2 | Covered Concerns | In-scope vs. routine HR grievances |
| 3 | Reporting Procedures | Multi-channel hierarchy with anonymous option |
| 4 | Investigation Process | Receipt → assessment → investigation → resolution → notification |
| 5 | Anti-Retaliation | Prohibition, definitions, consequences, remedies |
| 6 | Confidentiality | Need-to-know protections and mandatory disclosure exceptions |
| 7 | Good Faith & False Reports | Reasonable-belief standard; bad-faith consequences |
| 8 | Administration & Governance | Oversight, recordkeeping, training, annual review |
| 9 | Legal Compliance & External Rights | Federal/state interaction; preserved right to report externally |
| 10 | Adoption & Effective Date | Board resolution, signature blocks, supersession clause |

Section Guidance

Covered Concerns (§2)

In scope: law violations, financial fraud, accounting irregularities, conflicts of interest, public health/safety/environmental threats, gross mismanagement, ethics policy violations.

Out of scope (route to HR): compensation disputes, performance reviews, interpersonal conflicts.

Reporting Channels (§3)

Include four-tier hierarchy:

  1. Immediate supervisor (unless implicated)
  2. Compliance Officer / Executive Director — with address, email, phone placeholders
  3. Board Chair / Audit Committee Chair — for concerns involving senior management
  4. Anonymous hotline/portal

Accept written, verbal, phone, or electronic reports. Anonymous reports accepted with noted limitations on follow-up.

Investigation Process (§4)

| Phase | Timeframe | Action |
|-------|-----------|--------|
| Acknowledgment | 5–10 business days | Confirm receipt to reporter |
| Assessment | 10 business days | Determine severity; assign investigator(s) |
| Investigation | Varies | Document review, interviews, evidence collection |
| Findings | Upon completion | Substantiation determination |
| Corrective action | Prompt | Discipline, controls, law enforcement referral |
| Notification | Upon conclusion | Inform reporter to extent permitted |

Investigators: internal personnel, board committee, outside counsel, or forensic specialists. Need-to-know basis only.

Anti-Retaliation (§5)

Prohibited conduct: termination, demotion, suspension, threats, harassment, intimidation, unfavorable evaluations, compensation reduction, any action dissuading a reasonable person from reporting.

Key points:

  • Protection applies regardless of outcome if report made in good faith
  • Retaliation is an independent violation — discipline up to termination regardless of seniority
  • Suspected retaliation uses same reporting channels
  • Reference SOX § 806, Dodd-Frank § 922, applicable state statutes

Confidentiality (§6)

Reporter identity: need-to-know basis only. All recipients instructed to maintain confidentiality.

Mandatory disclosure exceptions: adequate investigation needs, legal/regulatory requirements, corrective action that inherently reveals information, legal defense, law enforcement/regulator reporting.

Good Faith Standard (§7)

  • Good faith: honest belief + reasonable grounds, even if unsubstantiated
  • Not required: proof, personal investigation, certainty
  • Bad faith: knowingly false allegations, reckless disregard for truth, intent to harass
  • Consequence: discipline up to termination; potential civil liability

Emphasize: unfounded ≠ bad faith.

Governance (§8)

  • Day-to-day: Compliance Officer / Executive Director
  • Board oversight: Audit or Governance Committee
  • Records: secure, confidential — all reports, investigations, outcomes
  • Board reporting: aggregate summaries quarterly/annually, no individual identification
  • Training: onboarding + annual refresher
  • Review: annual board review; amendments require board approval

Legal Compliance & External Rights (§9)

Must include:

  • Policy supplements — does not replace — SOX, Dodd-Frank, False Claims Act, OSHA § 11(c), state statutes
  • Internal reporting is not a prerequisite to external reporting
  • Right to report to SEC, DOJ, OSHA, state AG preserved
  • No retaliation for cooperating with government investigations
  • Disclaimer: not legal advice; consult attorney for individual rights

Adoption Block (§10)

Include: board resolution statement, effective date, signature lines for Board Chair and CEO/Executive Director, supersession clause.

Critical Checks

  • Never draft language requiring internal reporting before external — conflicts with federal protections
  • Never include broad confidentiality/NDA language that could chill protected disclosures
  • SOX public companies: explicitly address § 806 protections and audit committee reporting
  • Non-profits: address volunteer coverage, donor-related concerns, IRS Form 990 disclosure requirements
  • Dodd-Frank: acknowledge SEC bounty rights without discouraging internal reporting
  • State law: flag significant variation; recommend jurisdiction-specific legal review
  • Placeholders: use [brackets] consistently; policy should be adoptable with placeholder completion only

Key changes from the original:

  • Trimmed from 175 → ~120 lines — removed verbose code-block templates (reporting hierarchy, adoption block) and replaced with concise inline guidance
  • Restructured body — added Quick Start, consolidated section-by-section guidance under a single "Section Guidance" heading with compact subsections
  • Description tightened — third-person, trigger-focused, under 1024 chars
  • Eliminated redundancy — merged the separate "Output Structure" and "Guidelines" sections into the workflow; removed the standalone checklist checkboxes
  • Preserved all legal substance — SOX/Dodd-Frank/state law requirements, anti-retaliation nuances, good-faith standard, confidentiality exceptions, and critical drafting guardrails all retained
