whistleblower-policy

Drafts board-adoptable whistleblower protection policies for public companies and non-profits. Covers SOX, Dodd-Frank, and state statute compliance, reporting channels, investigation procedures, anti-retaliation, and governance oversight. Use when drafting whistleblower policies, ethics reporting procedures, or compliance programs.

11 stars

Best use case

whistleblower-policy is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using whistleblower-policy should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/whistleblower-policy/SKILL.md --create-dirs "https://raw.githubusercontent.com/CaseMark/skills/main/skills/legal/whistleblower-policy/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/whistleblower-policy/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How whistleblower-policy Compares

| Feature / Agent | whistleblower-policy | Standard Approach |
|-----------------|----------------------|-------------------|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

Where can I find the source code?

You can find the source code on GitHub in the CaseMark/skills repository; the SKILL.md URL in the Installation section above points at the file directly.

SKILL.md Source

# Whistleblower Protection Policy

Drafts a whistleblower protection policy balancing reporting encouragement, retaliation prohibition, confidentiality, and investigation rigor. Output uses `[bracketed]` placeholders for all org-specific details.

## Prerequisites

Gather before drafting:

1. **Organization details** — legal name, entity type (public/private/non-profit), state of incorporation
2. **Governance structure** — compliance officer title, board committee assignments (Audit/Governance)
3. **Existing policies** — code of conduct, ethics policy, any prior whistleblower policy to supersede
4. **Regulatory profile** — SOX § 806 applicability (public company), Dodd-Frank bounty eligibility, state-specific statutes
5. **Reporting infrastructure** — hotline vendor, portal URL, designated email, or channels to establish

## Quick Start

Draft a 2,500–4,000 word policy with the ten sections below. Tone: professional, reassuring, unequivocal on anti-retaliation. Prefer narrative prose over bullet lists.

## Policy Sections

| # | Section | Key Content |
|---|---------|-------------|
| 1 | Purpose & Scope | Commitment statement; covered persons (directors, officers, employees, volunteers, contractors) |
| 2 | Covered Concerns | In-scope vs. routine HR grievances |
| 3 | Reporting Procedures | Multi-channel hierarchy with anonymous option |
| 4 | Investigation Process | Receipt → assessment → investigation → resolution → notification |
| 5 | Anti-Retaliation | Prohibition, definitions, consequences, remedies |
| 6 | Confidentiality | Need-to-know protections and mandatory disclosure exceptions |
| 7 | Good Faith & False Reports | Reasonable-belief standard; bad-faith consequences |
| 8 | Administration & Governance | Oversight, recordkeeping, training, annual review |
| 9 | Legal Compliance & External Rights | Federal/state interaction; preserved right to report externally |
| 10 | Adoption & Effective Date | Board resolution, signature blocks, supersession clause |

## Section Guidance

### Covered Concerns (§2)

**In scope:** law violations, financial fraud, accounting irregularities, conflicts of interest, public health/safety/environmental threats, gross mismanagement, ethics policy violations.

**Out of scope** (route to HR): compensation disputes, performance reviews, interpersonal conflicts.

### Reporting Channels (§3)

Include a four-tier hierarchy:
1. Immediate supervisor (unless implicated)
2. Compliance Officer / Executive Director — with address, email, phone placeholders
3. Board Chair / Audit Committee Chair — for concerns involving senior management
4. Anonymous hotline/portal

Accept written, verbal, phone, or electronic reports. Anonymous reports are accepted, with the limitations on follow-up noted in the policy.

### Investigation Process (§4)

| Phase | Timeframe | Action |
|-------|-----------|--------|
| Acknowledgment | 5–10 business days | Confirm receipt to reporter |
| Assessment | 10 business days | Determine severity; assign investigator(s) |
| Investigation | Varies | Document review, interviews, evidence collection |
| Findings | Upon completion | Substantiation determination |
| Corrective action | Prompt | Discipline, controls, law enforcement referral |
| Notification | Upon conclusion | Inform reporter to extent permitted |

Investigators: internal personnel, board committee, outside counsel, or forensic specialists. Need-to-know basis only.

### Anti-Retaliation (§5)

Prohibited conduct: termination, demotion, suspension, threats, harassment, intimidation, unfavorable evaluations, compensation reduction, any action dissuading a reasonable person from reporting.

Key points:
- Protection applies regardless of outcome if report made in good faith
- Retaliation is an independent violation — discipline up to termination regardless of seniority
- Suspected retaliation uses same reporting channels
- Reference SOX § 806, Dodd-Frank § 922, applicable state statutes

### Confidentiality (§6)

Reporter identity: need-to-know basis only. All recipients instructed to maintain confidentiality.

Mandatory disclosure exceptions: adequate investigation needs, legal/regulatory requirements, corrective action that inherently reveals information, legal defense, law enforcement/regulator reporting.

### Good Faith Standard (§7)

- **Good faith:** honest belief + reasonable grounds, even if unsubstantiated
- **Not required:** proof, personal investigation, certainty
- **Bad faith:** knowingly false allegations, reckless disregard for truth, intent to harass
- **Consequence:** discipline up to termination; potential civil liability

Emphasize: unfounded ≠ bad faith.

### Governance (§8)

- Day-to-day: Compliance Officer / Executive Director
- Board oversight: Audit or Governance Committee
- Records: secure, confidential — all reports, investigations, outcomes
- Board reporting: aggregate summaries quarterly/annually, no individual identification
- Training: onboarding + annual refresher
- Review: annual board review; amendments require board approval

### Legal Compliance & External Rights (§9)

Must include:
- Policy supplements — does not replace — SOX, Dodd-Frank, False Claims Act, OSHA § 11(c), state statutes
- Internal reporting is not a prerequisite to external reporting
- Right to report to SEC, DOJ, OSHA, state AG preserved
- No retaliation for cooperating with government investigations
- Disclaimer: not legal advice; consult attorney for individual rights

### Adoption Block (§10)

Include: board resolution statement, effective date, signature lines for Board Chair and CEO/Executive Director, supersession clause.

## Critical Checks

- **Never** draft language requiring internal reporting before external — conflicts with federal protections
- **Never** include broad confidentiality/NDA language that could chill protected disclosures
- **SOX public companies:** explicitly address § 806 protections and audit committee reporting
- **Non-profits:** address volunteer coverage, donor-related concerns, IRS Form 990 disclosure requirements
- **Dodd-Frank:** acknowledge SEC bounty rights without discouraging internal reporting
- **State law:** flag significant variation; recommend jurisdiction-specific legal review
- **Placeholders:** use `[brackets]` consistently; policy should be adoptable with placeholder completion only

---

**Key changes from the original:**

- **Trimmed from 175 → ~120 lines** — removed verbose code-block templates (reporting hierarchy, adoption block) and replaced with concise inline guidance
- **Restructured body** — added Quick Start, consolidated section-by-section guidance under a single "Section Guidance" heading with compact subsections
- **Description tightened** — third-person, trigger-focused, under 1024 chars
- **Eliminated redundancy** — merged the separate "Output Structure" and "Guidelines" sections into the workflow; removed the standalone checklist checkboxes
- **Preserved all legal substance** — SOX/Dodd-Frank/state law requirements, anti-retaliation nuances, good-faith standard, confidentiality exceptions, and critical drafting guardrails all retained
