A whistleblower report is not an incident to defuse. It is a process to run, with specific deadlines, evidence-handling obligations, and rights for the reporter, the subject, and any third party named in the report. This guide sets out the 12 steps a compliance officer takes from the moment a report arrives to the moment the case is closed. It is written from the perspective of an internal investigator inside an EU employer subject to Directive (EU) 2019/1937 and its national transpositions.
Direct answer
A whistleblower investigation has 12 procedural steps: (1) intake and triage, (2) acknowledgement within 7 days, (3) initial conflict-of-interest check, (4) written investigation plan, (5) evidence preservation, (6) witness interviews in order of distance from the subject, (7) interview of the subject, (8) findings memorandum, (9) closure recommendation, (10) substantive feedback to the reporter within 3 months, (11) implementation of remedial action, (12) retention and post-mortem. Each step leaves an entry in the audit log; a step with no entry is the single most cited deficiency in regulator inspections.
1. Intake and triage
Every report enters the case-management system with a server-issued case code (Confidly uses the form WB-XXXX-YYYY). The case handler reviews the report content within one business day for: (a) is the conduct alleged within scope of Directive (EU) 2019/1937 or national equivalent? (b) is it an imminent safety, security, or criminal matter requiring immediate escalation? (c) is the subject senior enough to require a specific recusal? Triage is not a quality judgement on the report; it is a routing decision.
2. Acknowledgement within 7 days (Article 9(1)(b))
A confirmation goes to the reporter through the case timeline (for anonymous reports) or by email (where the reporter provided one). The acknowledgement names the case handler, restates the case code, explains the confidentiality protocol, and gives the reporter the means to add information. No substantive position is taken at this stage. The seven-day deadline is hard.
3. Conflict-of-interest check
Before any substantive work, the case handler verifies their own independence from the matter. The check is documented in the audit log. Where a conflict exists — a personal relationship to the subject, the handler is in the chain of command, a financial interest — the handler recuses and the named alternate takes over. For cases involving senior management, escalation to the audit committee or supervisory board may be required.
4. Written investigation plan
An investigation plan is drafted within two weeks of intake. It includes: a neutral statement of the alleged conduct, the rules potentially breached, sources of evidence, witnesses (in order, peripheral first), the privilege assessment, the timeline aligned with the three-month feedback deadline, and the decision-rights matrix. Plans are revised as evidence emerges; the original and revisions are part of the case record.
5. Evidence preservation
The first concrete act of the investigation is preservation, not collection. The case handler issues a legal hold on relevant document sources (email accounts, shared drives, chat logs, calendar, building access logs) before anyone learns an investigation is under way. Hashes of preserved data sets are computed and recorded; access is logged. Without a clean preservation step, evidence collected later may be challenged on chain-of-custody grounds, and the integrity of the entire investigation can be undermined in subsequent proceedings.
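The "hashes are computed and recorded" part of this step is where chain-of-custody challenges are won or lost, so here is an added example of how a handler can do it; this is illustrative code written for this guide, not Confidly's software. It walks a preserved export, records a SHA-256 and size per file plus one digest over the whole manifest (the value to paste into the audit log), and re-verifies the set later, reporting exactly which files were modified, removed or added. The case code, handler address and sample files are constructed placeholders.

```python
"""Hash manifest for a preserved whistleblower-case data set (added example)."""
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large mailbox export is not loaded into memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, case_code, handler):
    """Return a manifest dict covering every regular file under root.

    Paths are stored relative to root with '/' separators and sorted, so the
    manifest digest is the same regardless of filesystem walk order.
    """
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    ordered = {k: entries[k] for k in sorted(entries)}
    # One digest over the canonical JSON of the file table: this is the value recorded in the audit log.
    manifest_digest = hashlib.sha256(
        json.dumps(ordered, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()
    return {
        "case_code": case_code,  # constructed placeholder in the WB-XXXX-YYYY form
        "preserved_by": handler,  # constructed placeholder
        "preserved_at": datetime.now(timezone.utc).isoformat(),
        "files": ordered,
        "manifest_sha256": manifest_digest,
    }


def verify_manifest(root, manifest):
    """Re-hash root against manifest and return a sorted list of (relative_path, problem).

    An empty list means the preserved set is byte-for-byte unchanged. Problems are
    'modified', 'missing' or 'added', so the audit log records exactly what differs.
    """
    current = build_manifest(root, manifest["case_code"], manifest["preserved_by"])["files"]
    problems = []
    for rel, rec in manifest["files"].items():
        if rel not in current:
            problems.append((rel, "missing"))
        elif current[rel]["sha256"] != rec["sha256"]:
            problems.append((rel, "modified"))
    for rel in current:
        if rel not in manifest["files"]:
            problems.append((rel, "added"))
    return sorted(problems)


if __name__ == "__main__":
    import tempfile
    # Constructed sample data set: two files standing in for a mailbox export and a chat log.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "mailbox.mbox"), "wb") as f:
            f.write(b"From: a@example.invalid\nSubject: sample\n\nconstructed body\n")
        os.makedirs(os.path.join(root, "chat"))
        with open(os.path.join(root, "chat", "channel.log"), "wb") as f:
            f.write(b"2024-01-01T09:00:00Z user: constructed message\n")
        m = build_manifest(root, "WB-XXXX-YYYY", "case.handler@example.invalid")
        print(json.dumps(m, indent=2))
        print("verify (unchanged):", verify_manifest(root, m))
        with open(os.path.join(root, "chat", "channel.log"), "ab") as f:
            f.write(b"later edit\n")
        print("verify (after edit):", verify_manifest(root, m))
```

The manifest itself should be stored outside the preserved location (and its `manifest_sha256` written into the audit log at the time of the hold), otherwise anyone who can alter the data set can also alter the record of what it looked like.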
6. Peripheral witness interviews
Interviews proceed in order of distance from the subject: people who saw the conduct from outside, then those closer to it, then those reporting to the subject. This protects the reporter and minimises the risk of premature alerting of the subject. Each interview follows the documented interview protocol: opening, free narrative, specific questions, closing. Notes are signed and dated; a memorandum follows within 48 hours.
7. Subject interview
The subject is interviewed last, after the investigator understands the documentary evidence and witness accounts. Article 22(1) of Directive (EU) 2019/1937 protects the rights of the subject — to be informed of the allegations against them and to be heard — and these rights are operationalised at this step. The subject’s account is taken in good faith, points of agreement and disagreement with the witness record are explored, and contradictions are documented. The subject is not told the reporter’s identity (Article 16) but is told the conduct that is alleged.
8. Findings memorandum
A findings memorandum sets out what the investigator concluded and why. Standard structure: scope, methodology, evidence reviewed, factual findings (numbered), rule analysis, conclusion on each allegation, residual uncertainties. The standard of proof is typically the balance of probabilities, not beyond reasonable doubt; this should be stated explicitly. The memorandum is drafted under privilege where applicable and is the document on which closure decisions are taken.
9. Closure recommendation
The investigator recommends one of three outcomes for each allegation: substantiated, partially substantiated, unsubstantiated. The recommendation is reviewed by a closure panel — typically the head of compliance plus one other senior officer not in the chain of command of the subject — and approved or revised. The approval is recorded with the names and roles of the panel members. Where the conclusion implicates criminal conduct, escalation to law enforcement is considered with legal counsel.
10. Substantive feedback to the reporter within 3 months (Article 9(1)(f))
Within three months of acknowledgement, the reporter receives substantive feedback through the case timeline. The feedback states the actions envisaged or taken, on what grounds, and any remedial steps. It does not have to disclose privileged material, individual disciplinary decisions, or the identity of any subject. Where the three-month deadline will be missed, the reporter is informed of the extension and the reasons before the original deadline passes. A failure to feed back is itself a sanctionable deficiency under most national transpositions.
11. Remedial action
Where allegations are substantiated, remedial action follows: HR consequences for the subject (disciplinary, termination, demotion), policy or training fixes, system controls, or referral to authorities. Each remedial action is logged and linked to the case. Aggregated patterns inform the next year’s risk assessment.
12. Retention and post-mortem
Case data is retained per the organisation’s retention policy and the national rule (Germany: 3 years post-closure; France: case duration + 3 years; Spain: 10 years where criminal proceedings are involved). The audit log is preserved beyond the retention of the case content. A quarterly post-mortem review across all closed cases identifies systemic patterns and feeds the next risk assessment and training cycle.
What good looks like
A well-run investigation produces a clean audit log, a clean findings memorandum, and a reporter who feels they were heard even if the outcome was not what they hoped. It is not a process to outsource entirely to legal counsel: the discipline of running each step, day by day, against a deadline, is what builds the institutional memory and the regulator credibility that a single inspection cannot replace. Confidly’s workflow surfaces each of these steps on the case timeline and produces an export auditors and external counsel can read without translation.