Who this playbook is for — and why it matters

If you’re the internal auditor, legal counsel, or compliance lead of a small or mid-sized enterprise, you are likely to wear multiple hats. When a whistleblowing report lands, you need a disciplined process that protects people, preserves evidence, and reaches fair outcomes — without paralysing the business. This playbook distils proven practice into practical steps, ready-to-use checklists and clear roles so you can move from intake to closure with confidence.

The investigation workflow at a glance

  1. Intake & acknowledgement — log the report, protect confidentiality, and confirm receipt.
  2. Triage — quickly assess scope, risk, conflicts, and legal basis; decide whether to investigate or refer.
  3. Plan — define hypotheses, roles (RACI), sources, interviews, timeline and SLAs.
  4. Collect & preserve evidence — structured registers, hashes, storage controls.
  5. Interview — fair, documented, and proportionate.
  6. Analyse & conclude — test hypotheses, weigh credibility, link findings to policy.
  7. Outcome & remediation — corrective actions, control improvements, notifier feedback.
  8. Close & learn — metrics, KPIs and programme improvements.

Step 1 — Triage with discipline

Objective: decide fast, fairly and defensibly.

Checks (use the downloadable triage sheet):
  • Eligibility & scope: does the allegation fall under your policy and the EU whistleblowing framework?
  • Conflicts & independence: confirm case owner and escalation path (consider external counsel if needed).
  • Risk rating: people safety, data/privacy exposure, financial impact, legal/press risk.
  • Legal basis (GDPR): document purposes, minimisation and retention; involve the DPO when needed.
  • Proportionality: is a formal investigation necessary or will a targeted management review suffice?

Decision options:
(a) acknowledge & log;
(b) escalate to formal investigation;
(c) refer/decline with rationale.

SLA tip: acknowledge within 7 days and provide an update/closure within 3 months (as a programme norm).

Step 2 — Assign roles and create a RACI

Clarity prevents drift. At minimum, assign:

  • Case Owner (Responsible): runs day-to-day activities.
  • Sponsor (Accountable): approves scope and conclusions.
  • Advisers (Consulted): HR, DPO, IT forensics, external counsel.
  • Observers (Informed): leadership, audit committee where proportionate.

RACI sample activities: intake & logging, triage decision, planning, evidence collection, reporting & outcomes.

Step 3 — Build your investigation plan

A good plan saves hours later. Include:

  • Allegation statement & hypotheses to test (what would confirm/deny them).
  • Evidence map: systems, documents, witnesses, and cut-off dates.
  • Interview list & order: start with neutral context, then corroborative, then subject.
  • Safeguards: confidentiality, retaliation prevention, and wellbeing.
  • Timeline & SLAs: who does what by when, with escalation points.
  • Data handling: legal basis, minimisation, retention, cross-border transfers (link to iPrivacy.eu for guidance).

Use the Investigation Plan table in the downloadable template to track tasks, owners, and due dates.

Step 4 — Evidence handling that stands up

Evidence must be authentic, complete and preserved:

  • Register everything: create a unique Evidence ID, description, source, date/time, who collected it, and where it is stored.
  • Integrity controls: hashes/checksums for digital files; tamper-evident seals for physical media.
  • Versioning: never edit originals; work on copies with write-protection.
  • Access control: least privilege; log who sees/handles what.
  • Retention & deletion: tag personal data categories; follow policy-defined periods.

See the Evidence Register and Chain of Custody tables in the template.
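The register fields, integrity hash and custody log from this step, written out as an added Python example (not code from the playbook or from any iBlow.eu tool); the `EvidenceRegister` class, the Evidence ID, the storage path and the sample e-mail are all constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Integrity hash for a digital exhibit (SHA-256, hex encoded)."""
    return hashlib.sha256(data).hexdigest()


class EvidenceRegister:
    """Evidence register plus an append-only chain-of-custody log (hypothetical helper)."""

    def __init__(self):
        self.items = {}     # Evidence ID -> register entry
        self.custody = []   # custody events: appended only, never edited or deleted

    def _event(self, evidence_id, actor, action):
        self.custody.append({
            "evidence_id": evidence_id, "at": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "location": self.items[evidence_id]["location"],
        })

    def register(self, evidence_id, description, source, collected_by, location, data):
        """Log a new exhibit; the hash is taken once, from the original, before any copying."""
        if evidence_id in self.items:
            raise ValueError(f"duplicate Evidence ID: {evidence_id}")
        self.items[evidence_id] = {
            "id": evidence_id, "description": description, "source": source,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collected_by, "location": location, "sha256": sha256_hex(data),
        }
        self._event(evidence_id, collected_by, "collected")
        return self.items[evidence_id]

    def access(self, evidence_id, actor, purpose):
        """Record who handled the exhibit and why (the 'log who sees/handles what' control)."""
        self._event(evidence_id, actor, f"accessed: {purpose}")

    def verify(self, evidence_id, data, actor) -> bool:
        """Re-hash a working copy; a mismatch means it can no longer stand in for the original."""
        ok = sha256_hex(data) == self.items[evidence_id]["sha256"]
        self._event(evidence_id, actor, "integrity verified" if ok else "INTEGRITY FAILURE")
        return ok


# Constructed sample: an exported e-mail from the purchasing mini-scenario (not real data)
ORIGINAL = b"From: officer@example.invalid\nSubject: supplier shortlist\n..."
register = EvidenceRegister()
register.register("EV-0001", "Exported e-mail, purchasing officer", "mail server export",
                  "case.owner", "secure share /evidence/case-0001/ (constructed path)", ORIGINAL)
```

A reviewer who re-hashes a copy before relying on it gets either a logged verification or a logged failure, so the custody log itself shows whether the copy was ever trusted.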

Step 5 — Interviews that are fair and reliable

  • Preparation: objectives, open questions, and a standard script (notice of purpose, confidentiality, and rights).
  • Setting: private, neutral space; offer a companion if policy allows.
  • Technique: start broad, drill down, seek documents, avoid leading questions.
  • Records: contemporaneous notes; if recording, obtain explicit consent and store securely.
  • Follow-ups: confirm facts and outstanding items within 48–72 hours.

Step 6 — Analysis and findings

  • Triangulate documents, data and testimonies; track contradictions.
  • Apply standards: weigh credibility, corroboration and plausibility; tie to your code/policies.
  • Draft findings: fact pattern → policy breaches (if any) → root causes → impact.
  • Quality check: legal counsel/DPO review for due process and privacy adherence.

Step 7 — Outcomes, remediation and notifier feedback

  • Proportionate actions: ranging from coaching and policy updates to disciplinary measures.
  • Control improvements: patch process gaps (segregation of duties, access reviews, training).
  • Notifier feedback: respectful, non-retaliatory, and limited to what is lawful to share.
  • Close the loop: log conclusions, store records securely, update KPIs.

Risks & how to avoid them

  • Scope creep: lock the plan; any expansion requires sponsor approval.
  • Evidence contamination: always preserve originals and document handling steps.
  • Privacy violations: collect only what is necessary; document legal basis and retention.
  • Retaliation: monitor for adverse changes in terms/conditions for involved parties.
  • Timeline slippage: track SLAs; escalate early.

Mini-scenario (real-world style)

A purchasing officer is alleged to be favouring a supplier.

  • Triage confirms relevance and moderate risk.
  • Plan defines hypotheses: (H1) unusual purchase patterns; (H2) personal ties; (H3) policy breaches.
  • Evidence: procure-to-pay logs, emails (targeted search), supplier master data, and interviews (requestor, finance, officer).
  • Findings: two approvals bypassed; hospitality not recorded; email suggests undue pressure.
  • Outcome: written warning, mandatory training, and tighter secondary approval controls.
  • Notifier feedback sent within policy timelines.

Measure what matters (KPIs)

Leverage our internal article on Compliance KPIs to track: case acknowledgment time, triage decision time, plan sign-off time, average investigation duration, ratio of substantiated findings, remediation completion rate, and stakeholder satisfaction. Link improvements to your annual compliance plan.

Tools to speed you up

  • iCompliance.eu — custom-made services to tailor your implementation to your needs, including CCO services.
  • iComply.pt — technology platform for intake, case management, evidence logs and audit trails.
  • iPrivacy.eu — GDPR guidance, DPO services and data-handling templates.
  • iBlow.eu resources — comparative EU law analyses and SME-oriented guidance.
  • iBlow.eu resources — download the triage sheet.


Constantino Ferreira

iBlow.eu
