"Whistleblowing," a fundamental component of any compliance program, refers to specific allegations of misconduct raised typically through an anonymous hotline or similar mechanism. "Speak-Up" is broader and refers to a culture where people feel safe to raise any allegation or concern.

Posted In:

A positive speak-up culture is a business imperative. A poor speak-up culture risks employees detailing concerns on social media, in the press, or to government agencies. In FY 2021, the SEC received the largest number of tips in a fiscal year since the program’s inception and paid more whistleblower awards than in all prior years combined.¹ Additionally, there have been significant instances of corporate issues splashed across headlines. Cultivating a speak-up culture and promoting internal channels for raising concerns can mitigate the risk of reputational damage and additional scrutiny; moreover, it contributes to a feeling of psychological safety in the workplace.

Developing and maintaining an effective speak-up culture requires more than establishing a whistleblowing hotline. Here, we present five steps to maintain an effective speak-up program.

1. Establish a Framework to Receive, Escalate, and Report

A speak-up program needs a framework outlining: (1) available channels for employees and third parties (e.g., contractors, customers, vendors) to raise concerns; (2) groups or functions involved in receiving, investigating, escalating, and reporting concerns; (3) guidance for training and communications; (4) metrics and reporting requirements; and (5) governance to establish an environment where employees feel comfortable expressing views and raising concerns without fear of retribution or retaliation, and where concerns are received and managed in a timely and appropriate manner.

Organizations should encourage speaking up through all channels, not just the official whistleblowing hotline. In other words, organizations should focus on the general encouragement of raising concerns rather than any specific reporting channel. Ideally, the first point of escalation should be an employee’s manager. Organizations that encourage employees to speak directly to managers and then incorporate those reports into broader reporting systems hear more reports and have a better sense of organizational issues.

2. Maintain Awareness with Ongoing Communication and Training

Written procedures in a binder and kept on a shelf offer little benefit. Effective speak-up programs require values established and maintained by leadership—from the top down—every day. Without active contributions and support for a speak-up culture, entities will not withstand regulatory scrutiny and risk significant reputational damage and financial loss. Two critical components include:

Ongoing Communication and reminders of the channels for speaking up, including the whistleblowing hotline, should be communicated consistently. Employees should know where and how to access resources for raising any concerns. Company policies, especially the Code of Conduct and Whistleblowing Policy, should reiterate escalation channels and key contact points. Companies should incorporate similar detail into employee onboarding, performance management, company meetings, team check-ins, and -all-staff emails, among other mediums. Though repeating the same message may seem uninspired, it eliminates the risk of confusing employees, which can subsequently discourage willingness to raise concerns altogether.

Training on the code of conduct and speak-up culture should be mandatory for all employees and third parties acting on behalf of the company. One and done is insufficient. Periodic training should be a “must” and remind participants of the various reporting channels and why speaking up is essential and encouraged. Supervisors, senior management, and others in a position to receive and escalate concerns should receive additional training to help understand what action steps are required to respond to concerns appropriately (e.g., refer to other functions, escalate) and how to identify and prevent retaliation. Using real-life examples relevant to the organization’s unique structure can make training more effective.

3. Implement Policies, Procedures, and Controls to Drive Responsiveness and Accountability

Although one function may be responsible for coordination and reporting, the end-to-end process of receiving, triaging, escalating, investigating, and resolving concerns involves multiple functions and individuals. Organizations should implement policies, procedures, and controls that explicitly identify responsibilities throughout the end-to-end process. Failure to establish and implement policies and procedures increases the risk of confusion, lack of accountability, and the likelihood that potential misconduct continues. Some companies require supervisors, senior management, and other potential receiving channels to provide periodic attestations (e.g., quarterly, semi-annually) that they reviewed and, as appropriate, received concerns have been escalated as appropriate.

Accountability and consequence management are fundamental to all critical business initiatives and compliance programs. Organizations expect employees to behave consistently with organizational values and should hold accountable those that do not.

“Consequence” is typically perceived as discipline, but there can be positive outcomes. DOJ notes improvements in compliance by providing employees with positive incentives (e.g., promotions and bonuses) for demonstrating ethical leadership.²  Perhaps an employee raises a concern about a system that can be altered to safeguard better technology infrastructure, or highlights processes that are running the risk of being overlooked in day-to-day compliance functions. Positive outcomes can encourage employees to raise their hands when something feels “off.”

4. Establish Metrics to Monitor Program Effectiveness and Update Key Stakeholders

Organizations often mistakenly believe employees and third parties will raise issues and fail to implement mechanisms to track and analyze received concerns and efforts to promote a speak-up culture. Organizations should establish metrics (e.g., new inquiries/allegations, response rate, case closure times (days), cases with discipline) and conduct a combination of surveys and focus groups to assess the effectiveness of its speak-up initiatives and culture and identify trends, including concerns raised by employee level or geography, the severity of the allegation, percentage of anonymous reporting, and most (or least) frequently used channels. These insights can paint an invaluable picture of the organization’s holistic speak-up culture (e.g., areas that might require additional training, communication, control improvements, additional testing) – far beyond that which hotline data alone could produce.³

While it is essential to update stakeholders on the outcomes of individual concerns, including consideration of self-reporting to regulators, it is also important to update relevant stakeholders on the metrics, trends, and effectiveness of the overall speak-up program (e.g., aggregate data, such as through an annual report). Information should be anonymized to ensure confidentiality. An annual report can include data on the use of systems to report concerns, new progress on encouraging speak-up culture, and areas for improvement in the short and long term. Other metrics, such as investigation outcomes, employee survey results, and qualitative reporting from employee relations data (e.g., focus groups and exit interviews), can be incorporated as well. A scorecard can be created to measure progress over time.

5. Periodically Test Design and Operating Effectiveness

DOJ emphasizes the importance of testing design and operating effectiveness. First, to determine the scope of testing, organizations should take an inventory of all risks and risk responses (i.e., policies, processes, and controls) related to raising concerns. Absent a formal risks and controls inventory, companies can consider the various input, receiving, and escalation channels throughout the organization to identify control points in the process that need testing.

Testing activities include document review, interviews, detailed walkthrough discussions, and sample testing. They assist the organization in assessing the current design and operating effectiveness of the program and its associated policies, procedures, and controls. Testing should also include assessing whether the program is appropriately resourced and adequately governed. Testing—particularly sample testing—can provide comfort that the program is working in practice.

When conducted regularly, testing can identify potential gaps or areas for improvement. Rather than waiting for an issue or “break,” periodic testing provides an opportunity to remediate issues promptly, in real-time, mitigating what could be secondary effects on the overall speak-up culture.


To be effective, speak-up culture must be more than just reliance on a whistleblower hotline. Organizations looking to truly move the needle on corporate ethics and behavior must consider how they are actioning a speak-up culture every day, not simply checking the box to satisfy a regulatory requirement. Regular communication and training are key, as well as accountability across an organization and its infrastructure—including dealing with good, bad, or ugly consequences. Showing that an organization considers and acts upon the concerns raised by employees can have a positive impact in the long term when done right.

¹ SEC, Office of the Whistleblower, 2021 Annual Report (available at https://www.sec.gov/files/2021_OW_AR_508.pdf).
² U.S. Department of Justice (DOJ), Criminal Division, Evaluation of Corporate Compliance Programs, (June 2020) (available at https://www.justice.gov/criminal-fraud/page/file/937501/download).
³ A variety of data sources can be leveraged by organizations to gauge and monitor speak-up culture. See, e.g.: Frank, J., Ioffe, K. (21, April 2021). Silence is Not Golden: Five Metrics and a Scorecard for Measuring Speak-Up Culture. Corporate Compliance Insights. https://www.corporatecomplianceinsights.com/silence-not-golden-scorecard-speak-up/.

About the Authors

Rae Williams

Rae Vogelman

Rae Vogelman, a Managing Director with StoneTurn, brings over a decade of experience in compliance and monitoring, forensic accounting and investigations. Rae has extensive experience assisting companies, government agencies and […]

Read Bio
Chris Hoyle

Christopher Hoyle

Chris Hoyle, a Partner at StoneTurn, has more than 15 years of professional experience as an accountant and risk and remediation expert. He specializes in independent monitor engagements, forensic investigations […]

Read Bio
Jonny Frank StoneTurn

Jonny Frank

Jonny Frank brings over 40 years of public and private sector and law and business school teaching experience in forensic investigations, compliance, and risk management. He helps organizations and counsel […]

Read Bio