Results of KPMG’s recent Whistleblowing Survey show that the majority of private and public legal entities will need to take additional steps to meet the requirements foreseen by the EU Directive – and this by no later than December 2021. While strengthening their whistleblower protection framework in order to become compliant with the Directive, organizations will discover that improving their whistleblower system will deliver many more benefits than a simple ‘tick’ in the box. It will positively affect organizations in achieving their operational and strategic goals.

Whistleblower Protection & Reporting

The importance of whistleblower protection and reporting has – in the recent past – once more been underlined by the European Council of Ministers, who, on 7 October 2019, formally adopted Directive 2019/1937 on the protection of persons reporting on breaches of Union Law. The overall aim of the Directive is to protect whistleblowers (and those assisting) from retaliation in all forms and to oblige private firms as well as public authorities to set up formal internal processes and procedures for breach-reporting (for more information regarding the content of the Directive, click here).

As the deadline for transposition of the Directive by Member Countries into national law (December 2021) is fast approaching, it is crucial that both private and public legal entities in scope start reflecting on which measures they need to take in order to become compliant with the minimum requirements foreseen by the Directive. In this respect, KPMG Forensic decided in the summer of 2020 to design and roll out a survey enabling organizations to evaluate their current approach to whistleblower protection and reporting, and to help them assess their overall maturity in relation to these topics. 

Key insights of the KPMG Whistleblowing Survey

The results of KPMG’s Whistleblowing Survey reveal that 76% (3 out of 4) of participating organizations have implemented at least an informal type of whistleblower system (incl. policy, reporting channels, etc.). Of these organizations, however, only 22% appear to be sufficiently mature to fulfil the requirements of the upcoming Directive. 

Maturity of respondents

In other words, almost 4 out of 5 organizations will need to make additional efforts in order to be compliant with the upcoming whistleblower legislation and to provide proper protection for whistleblowers.

4 in 5 graph

Results furthermore show that organizations with a headcount of more than 10.000 employees and organizations operating in industries such as the financial sector, telecom/media/technology and energy demonstrate a higher maturity than the average population. 

Additionally, almost half of the organizations (42%) that currently don’t have a whistleblower system and policy in place (formal nor informal), indicate that they are planning to implement a whistleblower policy in the near future.

Surprisingly, the survey data also showed that 63% of organizations dealt with fraud in the past. In this regard, it is important to highlight the fact that putting a whistleblower policy and system in place can facilitate and support detection as well as prevention of fraud. Research by the Association of Certified Fraud Examiners indeed shows that tips are by far the most common initial detection method (i.e. 40 percent of fraud cases investigated) and fraud cases occurring in organizations with hotlines are on average 50 percent smaller than those in organizations without (source: ACFE Report to the Nations).

63% has dealt with fraud

Whistleblower mechanisms and channels

Directive 2019/1937 sets forth that reporting channels may be operated by an internal person or department designated for that purpose or by an external third party, provided they offer appropriate guarantees of respect for independence, confidentiality, data protection and secrecy.


allow informal reporting (e.g. to a superior)


allow reporting to a designated person / entity within the organization


allow reporting via an anonymous web-based platform managed by a designated person / entity


allow reporting to a designated person / entity external to the organization

KPMG’s Whistleblowing Survey results show that informal internal reporting (68%) remains the most commonly used reporting mechanism. Even though it is common practice to use this type of reporting (e.g. escalation to your direct manager or superior) as a baseline, it is important to (re)consider whether this is sufficient to meet the Directive's minimum requirements.

35% allow only internal stakeholders

Additionally, as indicated in the EU Directive, protection and reporting mechanisms should also extend to external categories of natural persons and/or entities who can play a key role in exposing breaches (e.g. suppliers, clients, (sub)contractors…). In this context, our survey data shows that 65% of respondents have effectively opened up their whistleblowing reporting channel(s) to at least one of their organization’s third parties, however 35% of respondents indicate that they only allow internal stakeholders to report issues through their reporting channels.


Investigation and follow-up

To investigate whistleblower reports, the majority (62%) of respondents indicate that a responsible person or entity within the organization is assigned to follow-up on reported issues, whereas only 14% has appointed a designated person or entity outside of the organization. 24% of the organizations do not have a predetermined investigation party and decide ad hoc. 

Party assigned to follow-up and investigate reported issues

For organizations where an internal person or department is appointed for the investigation and follow-up of reports, our survey results show that in 43% of the cases reports are handled by the internal audit function. To a lesser extend, reports are processed by compliance, legal and HR and other departments or functions.

Party assigned to follow-up and investigate reported issues

The Whistleblower Directive makes several requirements on procedures for reporting and follow-up. It is stated that acknowledgment of receipt of the report to the reporting person should be provided within seven days of that receipt. Additionally, it is required that follow-up and feedback should take place within a reasonable timeframe, which should not exceed three months (or six months in duly justified cases). In this respect, our survey results indicate that 38% of respondents do not foresee a timeframe in which the reported issue should be treated. 


Conclusion and way forward

KPMG can assist in reviewing and updating existing whistleblower and privacy policies as well as compliance frameworks in line with the upcoming regulatory requirements, and in designing, setting-up and managing whistleblower reporting systems.

If you have any questions with regards to the new Whistleblower Directive and the compliance requirements it entails, please do not hesitate to contact us.

38% do not foresee a timeframe

Our contacts