building trusted whistleblowing

management systems

A practical webinar on strengthening whistleblowing systems through trusted governance frameworks.

In collaboration with

Key questions answered


Organizational transparency is no longer a peripheral compliance check; it is a definitive competitive differentiator. In an era where “mere words on paper” are scrutinized by sophisticated investors and a vocal public, the transition from a reactive hotline to a robust management system is the hallmark of ethical resilience. Whistleblowing, when properly integrated, functions as a foundational pillar of psychological safety, allowing an organization to self-correct before internal risks escalate into terminal reputational failures.

 

Trusted whistleblowing systems are an essential part of good governance, helping organisations respond to concerns early, strengthen accountability, and support ethical culture. During this event , we explored the practical application of SANS/ISO 37002 and how organisations can build whistleblowing management systems that are credible, effective, and fit for purpose.

The definition of whistleblowing has undergone a radical transformation, moving from a narrow law enforcement tool to a strategic governance mechanism. Historically, the term is rooted in the 19th century.
 
“The term appeared to have a historic connotation to law enforcement officials in the 19th century who used a whistle to alert the public or a fellow police person that a crime is occurring or is going to occur.” — Dr. Liezl Groenewald
 
This evolved into the modern activist definition popularized by Ralph Nader in 1971:
“Whistleblowing is an act of a man or woman who, believing that the public interest overrides the interest of the organization he or she serves, blows the whistle that the organization is involved in corrupt, illegal, fraudulent, or harmful activity.” — Ralph Nader
 
Today, through the lens of ISO standards, whistleblowing is recognized as the disclosure of perceived wrongdoing or risk to those capable of effecting action. This shift reflects a move from viewing the whistleblower as a “disloyal informant” to seeing them as a “cultural catalyst.”
 
The “So What?” Strategic Synthesis: 
An organization’s handling of whistleblowers reveals the “true state” of its ethical culture. While many boards claim integrity, their reality is exposed by their reaction to internal dissent. Adopting ISO 37002 moves an organization beyond a simple, often untrusted “hotline” toward a management system grounded in impartiality and confidentiality. This builds “ethical resilience,” ensuring that stakeholders see the organization as a credible, safe environment where the “goodness is baked into the cake” rather than treated as a compliance-mandated vegetable.

Whistleblowing is a high-value ROI strategy and a primary risk-management tool. For senior leadership, the “carrot cake” analogy is instructive: compliance should not be the “vegetable” that employees are forced to eat; it should be the nutrients baked into the organization’s success. When ethics are integrated, the measurable outcomes are significant:

  • Legal and Operational Savings: Organizations with effective systems realize a 20% reduction in legal costs and discover approximately 42% of internal fraud through speak-up channels.
  • Asset Performance: Successful systems correlate with a 2.8% increase in return on assets (ROA).
  • Reputational Safeguards: There is a documented 46% reduction in negative news stories for organizations with robust reporting frameworks.
  • Macro-Economic Recovery: In South Africa, whistleblower information allowed the Special Investigations Unit (SIU) to recall approximately R2.3 billion in the 2023/24 period alone.
  • Staff Retention: The cost of replacing a single employee is estimated at £30,000 to 40,000 (or dollars), excluding the intangible “knowledge loss” that occurs when ethical failures drive talent away.

The “So What?” Strategic Synthesis:
 
These statistics prove that early detection via internal channels prevents catastrophic structural and reputational failures. Consider the Jet Set Club roof collapse, where a failure to 
detect known structural flaws led to 236 fatalities. Conversely, the Boeing 737 MAX tragedies represent a failure to address reports; despite 12 internal whistleblower warnings regarding safety, the board remained preoccupied with speed and competition. A robust system ensures these signals are never neglected in favor of short-term metrics.

Harmonized standards level the playing field for organizations entering global markets. By utilizing a “Mirror Committee” process, national bodies like the South African Bureau of Standards (SABS) ensure that international best practices (ISO) are adapted to local contexts without “reinventing the wheel.”

  • The Mirror Committee: This involves diverse stakeholders, including labor, civil society, academics, and SMEs, to ensure that standard development is inclusive and representative of the “Global South.”
  • Dual Numbering: Standards are often adopted identically (e.g., SANS/ISO 37002), facilitating a “dual numbering system” that guarantees an organization’s governance framework is recognized globally.
  • ARSO Integration: On a regional level, the African Organization for Standardization (ARSO) harmonizes these benchmarks to support the African Continental Free Trade Area, removing technical barriers to trade.

The “So What?” Strategic Synthesis:
 
For the C-Suite, these standards prevent technical isolation. Following international best practices ensures that “all voices are heard” and that an organization’s governance is judged by the same rigorous benchmarks as its global competitors. This transparency is a prerequisite for high-value international contracts and sustainable partnerships.

ISO 37002 utilizes the “Plan-Do-Check-Act” (PDCA) methodology to operationalize reporting. The system is divided into four distinct phases:

  1. Receiving: Organizations must provide 24/7, multilingual, and culturally appropriate channels (e.g., secure portals rather than unencrypted emails) to ensure accessibility across global operations.
  2. Assessing: This is the triage phase. It must be aligned with ISO 31000 (Risk Management) to determine the urgency and validity of the concern.
  3. Addressing: Investigations must be conducted with professional rigor, protecting the integrity of evidence and the rights of all parties.
  4. Concluding: This involves closing the case, communicating results, and—crucially—monitoring the long-term well-being of the participants.

The “So What?” Strategic Synthesis:
 
In the “Assessing” phase, leadership must evaluate the “Four Dimensions” of risk: the concern itself, the whistleblower’s well-being, the risks to other stakeholders (witnesses), and the availability of evidence. It is a strategic imperative that the organization never turns the whistleblower into an investigator. Doing so compromises the evidence, violates the presumption of innocence for the subject, and places the individual at unacceptable physical or professional risk.

The “crisis of trust” remains the primary obstacle to effective governance. In many contexts, such as South Africa, the fear of being labeled a “snitch” or “impimpi” is a powerful deterrent. This is often rooted in an “Interdependent Culture” (like Ubuntu, where collective identity is paramount) versus the “Independent Culture” prevalent in Western corporate models.

  • Dispelling the Anonymity Myth: Senior stakeholders often dismiss anonymous tips as “uninvestigable.” This is a fallacy. Whether a report is signed by a real name or a pseudonym like “Mickey Mouse,” evidence, not the source, is the investigator’s primary currency. Secure, two-way dialogue via third-party portals allows for robust evidence collection while maintaining anonymity.
  • Natural Justice: Protection must be balanced with the presumption of innocence for the subject of the report, ensuring the process is impartial and prevents collateral damage to the organization’s reputation.
  • Knowledge Asset Protection: Duty of Care does not end when a case is closed. Retaliation often manifests subtly—such as a denied promotion six months later.

The “So What?” Strategic Synthesis:
 
Organizations must frame whistleblower protection as 
Knowledge Asset Protection. If an employee leaves due to late-onset retaliation, the organization loses “governance history” and intellectual property. ISO 37002 mandates proactive check-ins every 3 to 6 months to monitor career progression and well-being. By treating the whistleblower as a long-term asset rather than a temporary burden, the organization secures its future and reinforces the trust required for a truly sustainable ethical culture.

short explainer summary

podcast-style

This is valuable for:

Board members, executives, ethics and compliance professionals, governance and risk practitioners, internal auditors, legal advisors, HR leaders, and anyone responsible for organisational integrity or reporting systems.

Dr Liezl Groenewald

Dr Liezl Groenewald is a Certified Ethics Officer with more than two decades of experience in ethics, compliance, governance, and organisational culture. She is widely recognised for her work in ethics management, whistleblowing, and values-driven organisational practice, and has contributed to a range of publications, tools, and training programmes that strengthen accountability and integrity.

Sadhvir Bissoon

Sadhvir Bissoon is passionate about standards and their role in advancing economic growth, sustainability, and social progress. Through his involvement in regional and international standardisation bodies, he contributes to shaping the standards landscape and strengthening Africa’s voice in the development of quality, safety, and sustainability frameworks.

Andrew Samuels

Andrew Samuels is a governance, risk, and compliance specialist focused on delivering practical, defensible GRC solutions that support trust, resilience, and growth. He has led programmes across a wide range of sectors and contributes to the development of ISO governance and compliance standards, helping organisations turn best practice into simple and effective frameworks.

Join the movement to build whistleblowing systems that people trust.


Glossary of key terms:

Term
Definition
ARSO
The African Organization for Standardization, responsible for harmonizing standards across the African continent to support the African Continental Free Trade Area.
Conformity Assessment
Quality assurance services provided by bodies like SABS to ensure that industry and regulators are correctly implementing established standards.
Disgruntled Employee
A derogatory label often applied to whistleblowers to dismiss their concerns; the text argues whistleblowers are often the most loyal employees.
Impimpi
A South African term for an informer or “snitch,” often used negatively to discourage whistleblowing.
ISO 37002
The international standard providing guidelines for whistleblowing management systems based on trust, impartiality, and protection.
Management Information (MI)
Data generated by whistleblowing systems (e.g., trends in misconduct) used by leadership to make informed organizational decisions and improvements.
Mirror Committee
A national-level committee that reflects the work of an international technical committee, ensuring local expert input in global standard-setting.
Natural Justice
The legal principle that ensures a fair process, including the presumption of innocence for those accused of wrongdoing during a whistleblowing investigation.
Psychological Safety
An environment where employees feel safe to raise concerns about misconduct without fear of being penalized or marginalized.
Retaliation
Adverse actions taken against a whistleblower, such as job loss, harassment, or being passed over for promotion; in 2024, nearly half of South African whistleblowers reported experiencing this.
SABS
The South African Bureau of Standards, the national body mandated to develop, promote, and maintain South African National Standards.
Substantiated Report
A whistleblowing disclosure that, upon investigation, is proven to be accurate; approximately 42% of reports are substantiated globally.
Triage
The initial process of assessing and prioritizing incoming whistleblowing reports to determine the appropriate next steps, such as escalation or investigation.

Terms and Conditions

  • The Good Governance Academy nor any of its agents or representatives shall be liable for any damage, loss or liability arising from the use or inability to use this web site or the services or content provided from and through this web site.
  • This web site is supplied on an “as is” basis and has not been compiled or supplied to meet the user’s individual requirements. It is the sole responsibility of the user to satisfy itself prior to entering into this agreement with The Good Governance Academy that the service available from and through this web site will meet the user’s individual requirements and be compatible with the user’s hardware and/or software.
  • Information, ideas and opinions expressed on this site should not be regarded as professional advice or the official opinion of The Good Governance Academy and users are encouraged to consult professional advice before taking any course of action related to information, ideas or opinions expressed on this site.
  • When this site collects private information from users, such information shall not be disclosed to any third party unless agreed upon between the user and The Good Governance Academy.
  • The Good Governance Academy may, in its sole discretion, change this agreement or any part thereof at any time without notice.

Privacy Policy

Link to the policy: GGA Privacy Policy 2021

The Good Governance Academy (“GGA”) strives for transparency and trust when it comes to protecting your privacy and we aim to clearly explain how we collect and process your information.

It’s important to us that you should enjoy using our products, services and website(s) without compromising your privacy in any way. The policy outlines how we collect and use different types of personal and behavioural information, and the reasons for doing so. You have the right to access, change or delete your personal information at any time and you can find out more about this and your rights by contacting the GGA, clicking on the “CONTACT” menu item or using the details at the bottom of the page.

The policy applies to “users” (or “you”) of the GGA website(s) or any GGA product or service; that is anyone attending, registering or interacting with any product or service from the GGA. This includes event attendees, participants, registrants, website users, app users and the like.

Our policies are updated from time-to-time. Please refer back regularly to keep yourself updated.