If you are a budding HR professional or already an accomplished one who is looking to revamp the whistleblower policy, take a pit stop here and learn to draft a whistleblower policy. This article will equip you with the knowledge to build a policy that encourages transparency, protects whistleblowers, and strengthens your organisation’s ethical system.
Introduction
When I speak to HR managers these days, one thing is becoming very clear.
Most of them are already juggling a dozen responsibilities: hiring, onboarding, payroll, conflict resolution, compliance… the list goes on.
But here is a task that no one is warning you about.
Drafting a whistleblower policy.
And before you scroll past thinking, “That’s for the legal team to worry about,” pause. Let me tell you why this could be your opportunity to shine, not just as an HR professional, but as a guardian of your organisation’s values and reputation.
Let us talk about a few names that made global headlines.
- Edward Snowden revealed classified NSA surveillance programs.
- Sherron Watkins flagged Enron’s fraudulent accounting practices from within.
- Satyendra Dubey – an Indian engineer who exposed corruption in the Golden Quadrilateral project and paid the price with his life.
They raised their voices against unethical conduct, often at great personal risk.
Their actions changed how the world views whistleblowing. Today, regulators, investors, and even employees expect that a company has a well-structured and effective whistleblowing mechanism.
It is not just about ticking the legal box. The role of HR has expanded. Companies are now looking for HR professionals who can draft and implement solid whistleblower policies, safeguard internal processes, and build a culture where people feel safe to speak up.
And, you do not need to be a lawyer to do this. You just need a roadmap.
In the next few sections, you will be learning the basics of whistleblower policy, how to draft a comprehensive one, and how to tackle difficulties in the implementation.
If you are someone who wants to make a difference, not just to your company, but to your career, then learning how to write and implement a whistleblower policy can be a significant step in your career.
So, are you ready?
Let us start at the very beginning.
Who is a whistleblower? What exactly is the whistleblower policy? And why should you have it in place?
“Hey, have you come across this invoice?” Mudra asked, glaring at her monitor with eyes wide open.
Shantanu, her colleague, looked up. “Which one?”
“This vendor, ASA Services. ₹18 lakhs for? Wait, ‘consulting support’? What consulting? I have never even heard of this name in any of the project meetings.”
Arjun shrugged. “If it is signed by Mr. Mehta, it is probably fine.”
Mudra nodded slowly, but something did not sit right. Mr. Arvind Mehta, Zeego Pvt. Ltd.’s Senior Finance Manager, had a certain reputation: polished, thorough and confident. But lately, she had noticed a pattern: last-minute vendor entries, inflated figures, and documents that did not reconcile.
She leaned in. “But look at these three invoices. Same vendor. Same descriptions. Different amounts. And no project code linked to them.”
“Are you suggesting something?” Arjun whispered, his tone suddenly serious.
“I don’t know,” Mudra replied. “But if this is what I think it is…”
She did not finish the sentence. The implications were huge. A senior manager misusing company funds? That was not just misconduct; it was financial fraud. And Mudra? She was an analyst. Barely six months into the company. Should she even be asking these questions?
What if she was wrong? What if she got blamed?
Would they even listen to her? Or would they protect him?
That night, after a lot of pacing and second-guessing, Mudra remembered the whistleblower policy mentioned during onboarding. “Confidential. No retaliation. Protected identity.” She hesitated but proceeded to click on “Submit Report.”
The next few weeks were tense. An internal review was launched quietly. Documents were retrieved. IT logs were examined. And then confirmation. Arvind Mehta had been siphoning funds using fake vendor accounts for months.
When the news came to light, the office buzzed with shock. What no one knew, except HR, was that Mudra had set it in motion. And when Mehta tried to retaliate through backchannels, HR did not move.
This is how this policy works.
A whistleblower could be anyone, your employee, client, or any such stakeholder who reports misconduct, illegal activity, or unethical behaviour, for instance, fraud, harassment, embezzlement, financial irregularities, bribery, or any serious violation of law or company policy. In the above example, you can call Mudra a whistleblower.
A whistleblower policy is a framework of an organisation that:
- Allows employees and stakeholders to confidentially report unethical or illegal behaviour.
- Protects whistleblowers from retaliation, such as dismissal, harassment, or demotion.
- Lays out the process for investigation and resolution of reported issues.
This policy aims to encourage ethical behaviour, prevent unwanted legal and financial risks, boost employee trust, protect the company’s reputation, and ensure compliance with the law.
What is the statutory framework for a whistleblower policy?
A whistleblower policy finds its roots in the laws stated below:
- The Companies Act, 2013:
Section 177 (9) mandates listed companies and certain prescribed companies to establish a vigil mechanism, a.k.a. whistleblower policy, that enables directors and employees to report genuine concerns about unethical behaviour, actual or suspected fraud, or violation of company policies without fear of retaliation.
- The Whistleblowers Protection Act, 2014:
This Act provides a framework for the protection of whistleblowers who complain against corruption or wrongdoing in government bodies. Though this Act applies only to public sector entities, private companies are often seen adopting similar principles.
It is to be noted that the entire Act is not yet in force.
- SEBI Listing Obligations and Disclosure Requirements (LODR), 2015:
Regulation 22 mandates that listed companies have a whistleblower policy in place that provides for the timely redressal of concerns and the protection of whistleblowers.
What are the steps that you can take before you start drafting a whistleblower policy?
- Begin by assessing legal and organisational needs
  - By this, I mean review and understand the applicability of section 177 of the Companies Act 2013, relevant regulations under SEBI (LODR) Regulations, 2015, and if you are a public sector or a government entity, relevant provisions under the Whistleblowers Protection Act, 2014.
  - Identify company-specific risks (financial fraud, tax evasion, embezzlement of funds, etc.) and draft the policy accordingly.
- Consult the stakeholders
  Consult the Audit Committee, legal team, and senior management to ensure that all are on the same page.
- When you begin drafting the policy, ensure…
  For a better understanding of the policy by every employee and other stakeholders, use clear, jargon-free language to define scope, reporting channels, and protections.
- Establish reporting mechanisms
  - Set up user-friendly tools (e.g., online portals, third-party hotline numbers or designated email ID)
  - Ensure accessibility for all employees, including remote workers.
- Define investigation protocols
  - Outline steps: receipt, acknowledgement, investigation, and resolution.
  - In case of high-stakes cases, specify escalation to the Audit Committee
- Incorporate anti-retaliation measures
  - Detailed protections and consequences for retaliation, drawing from Mudra’s HR-backed protection.
  - Monitor post-reporting work environments to prevent subtle retaliation.
- Promote and train
  - Inform the employees of such a policy during onboarding and remind them of the same during annual training.
  - Use posters, the intranet, and town halls to reinforce awareness.
- Review and update
  - Schedule annual reviews by the Audit Committee to ensure compliance and effectiveness.
  - Adapt to new risks and legal amendments.
How to draft a whistleblower policy?
Let us have a look at the whistleblower policy of Zeego Pvt. Ltd., which gave a voice to a 6-month-old employee and exceptional courage to the HR who simply refused to move.
The explanation for each clause is stated in red.
Ensure that the policy is printed on the company’s letterhead.
THE WHISTLEBLOWER POLICY
Introduction
An introduction establishes the company’s foundational values, that is, integrity, transparency, and a policy of zero tolerance for corruption. It also signals a proactive stance against unethical conduct and sets a tone for the need for a whistleblower policy.
Zeego Pvt. Ltd. (“the Company”) believes in conducting its business fairly and transparently by adopting the highest standards of professionalism, honesty, integrity and ethical behaviour. As such, the Company endeavours to work against corruption in all its forms, including demand and acceptance of illegal gratification and abuse of official position to obtain pecuniary advantage for self or any other person.
The Company has framed and adopted a Code of Conduct which governs the conduct of management, employees and workmen. The Vigilance Department of the Company is also empowered to initiate investigations on its own and act on complaints received from the public/employees, with regard to violation of the Company’s rules and procedures and code of ethics in the conduct of business.
Any actual or potential violation of the Company’s rules, regulations and policy governing the conduct of business is a matter of serious concern for the Company. The Company is therefore committed to developing a culture where it is safe for employees to raise concerns about instances, if any, where such rules, regulations and policy are not being followed or any fraud has been committed or business has been conducted in an unethical manner.
In terms of the provisions of section 177 of the Companies Act 2013, every listed Company is required to have a vigil mechanism. Further, Regulation 22 of the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015 makes it a mandatory requirement for all listed companies to establish a mechanism for directors and employees to report genuine concerns of unethical behaviour, actual or suspected fraud, or violation of the Company’s code of conduct or ethics policy.
The mechanism is required to provide for adequate safeguards against victimisation of director(s) or employee(s) or any other person who avails the mechanism, and also provide for direct access to the chairperson of the audit committee in appropriate or exceptional cases.
Purpose of this policy
This segment aims to clarify the objective, which is to create a safe, reliable process for reporting misconduct, ensuring that issues are flagged early for corrective action. It also promotes a culture of accountability and good governance.
The purpose of this policy is to articulate the Company’s point of view on whistle-blowing, the process, and the procedure to strengthen the whistle-blowing mechanism at Zeego Pvt. Ltd.
This policy:
- Provides a platform and mechanism for the employees and directors to raise genuine concerns or grievances about unprofessional conduct without fear of retaliation.
- It provides an environment that promotes responsible and protected whistleblowing. It reminds employees and directors of their duty to report any suspected violation of any law that applies to the Company and any suspected violation of the values or code of conduct.
- Above all, it is a dynamic source of information about what may be going wrong at various levels within the Group and which will help the Group in realigning various processes and take corrective actions as part of good governance practice.
By Group or group companies, it means the companies falling under the umbrella of Zeego Group.
Applicability of this policy
To whom does this policy apply? This segment defines the scope of the policy and encourages other group companies to follow suit for consistency and culture alignment.
All the listed companies and other group companies in India, which are required by law to have a vigil mechanism, shall adopt this policy and get it approved by their Board of Directors. Companies other than those which are listed are recommended to adopt this policy.
Coverage of this policy
In order to avoid ambiguity and ensure that all employees and directors understand their rights and responsibilities under the policy, stating this clause becomes essential.
This policy applies to all the companies of Zeego Pvt. Ltd. in India, including all its employees and directors.
Definition of employees: An individual is an employee of the Company who works exclusively for us, directly or indirectly, under which the Group Companies have the right to control the details of work performance by providing specific wages or salary.
Who is a whistleblower?
This is to identify who can raise concerns under the policy and under what circumstances, providing clarity and legitimacy to the reporting process.
Definition
Any employee or director who discloses or demonstrates evidence of an unethical activity or any conduct that may constitute a breach of the Group’s/Group Company’s Code of Conduct. This whistleblower has come to the decision to make a disclosure or express a genuine concern/grievance/allegations, after a lot of thought.
Protection
Ensures whistleblowers are safeguarded from retaliation, encouraging more people to come forward without fear, thus protecting the integrity of the reporting mechanism.
The process is designed to offer protection to the whistleblower provided that the disclosure made / concern raised / allegations made (“complaint”) by a whistleblower is in good faith and the alleged action or non-action constitutes a genuine and serious breach of what is laid down in the Company Code of Conduct.
The Company affirms that it will not allow any whistleblower to be victimised for making any complaint. Any kind of victimisation of the whistleblower brought to the notice of the Vigilance Committee will be treated as an act warranting disciplinary action and will be treated so.
As a Group, we condemn any kind of discrimination, harassment, victimisation or any other unfair employment practice adopted against whistleblowers. Complete protection will be given to the whistleblowers against any unfair practices like retaliation, threat or intimidation or termination/suspension of service, disciplinary action, transfer, demotion, refusal of promotion, or the like including any direct or indirect use of authority to obstruct the whistleblower’s right to continue to perform his/her duties/functions in a free and fair manner.
Reporting in good faith
This clause endeavours to distinguish between genuine complaints and malicious or frivolous ones. Promotes responsible reporting and protects those who raise concerns sincerely.
Every whistleblower is expected to read and understand this policy and abide by it. It is recommended that any individual who wishes to report do so after gathering adequate facts/data to substantiate the complaint and not complain merely on hearsay or rumour. This also means that no action should be taken against the whistleblower if the complaint was made in good faith, but no misconduct was confirmed on a subsequent investigation.
However, if a complaint, after an investigation proves to be frivolous, malicious or made with an ulterior intent, the Vigilance Committee shall take appropriate disciplinary or legal action against the concerned whistleblower.
List of exclusions
Just as it is important to entertain complaints, it is even more important to filter out irrelevant, outdated, or inappropriate ones that should be addressed through other channels. This, in turn, will prevent misuse of the policy.
The following types of complaints will ordinarily not be considered and taken up:
- Complaints that are illegible, if handwritten
- Complaints that are vague, with pseudonyms
- Complaints that are trivial or frivolous
- Matters which are pending before a court of law, a State, the National Human Rights Commission, a Tribunal, or any other judicial or quasi-judicial body
- Any matter that is very old from the date on which the act constituting the violation is alleged to have been committed
- The issue raised relates to service matters or personal grievances
Whistleblowers are encouraged to make complaints that have an impact on the Company’s brand & reputation, cases of financial irregularities, or people-related issues of bias, partiality, and discrimination of any kind, abuse, victimisation or harassment.
Dealing with anonymity
Coming to the most sensitive part. The policy allows whistleblowers to report concerns without revealing their identity, thereby increasing participation, especially in high-risk disclosures.
A whistleblower may choose to keep his/her identity anonymous. In such cases, the complaint should be accompanied by strong evidence and data.
Confidentiality
Needless to say, the purpose of this clause is to protect the identities of all parties involved, ensuring that complaints are handled discreetly and responsibly to avoid any undue harm.
The Vigilance Committee will treat all complaints in a confidential and sensitive manner. In specific cases where the criticality and necessity of disclosing the identity of the whistleblower is important, it may be disclosed, on a ‘need-to-know’ basis, during the investigation process and only with the prior approval of the whistleblower.
Who is a whistleblower officer?
Designates accountability by naming who is responsible for receiving and processing complaints, thus ensuring smooth policy execution.
For the purpose of this policy, the company secretary (or in his/her absence, the legal head) of the relevant unit/business would act as the secretary of the Vigilance Committee and is also known as the whistleblower officer.
Procedure for raising a complaint
This part lays down a step-by-step reporting mechanism. Provides multiple accessible channels and escalation points for raising concerns, ensuring a powerful and transparent framework.
A whistleblower can make a complaint in the following ways:
- Can write to the relevant Vigilance Committee. The information about the names of members and the list of the Vigilance Committee at various levels, their e-mail IDs, is available on the [insert company website].
- A whistleblower can send a complaint to the ethics hotline by calling a toll-free number or writing to a [designated email ID]. This is operated by an independent third-party vendor.
- By writing to the company secretary at [insert email ID], who is duty-bound to share the complaint with the ethics hotline.
- By writing to the unit head or business head of the relevant group company, who will forward this to the ethics hotline.
- In exceptional cases, the complainant can directly report his/her complaint to the chairperson of the audit committee at a designated email ID.
The procedure for handling a complaint is as follows:
- A whistleblower identifies non-adherence to the Code of Conduct by any employee or a segment of the organisation, and will compile information that supports the case.
- The whistleblower sends the complaint to the Vigilance Committee or ethics hotline, depending on:
  - The level at which the violation is perceived to be happening, or
  - The seniority of the individual/s involved. If the breach or misdemeanour is at:
    - The Unit Head level (Strategic Business Unit Head, Regional Head, Circle Head, Unit Head, etc.) and above, the employee will write to the Group Vigilance Committee (GVSC)
    - The Unit Function Head level, the same will be reported to the respective Business level Vigilance Committee (BVSC)
    - Any other level, the same will be reported to the respective Unit level Vigilance Committee (UVSC)
- Upon receipt of information, the secretary of the relevant Vigilance Committee will first do a preliminary investigation to check whether the complaint seems to be genuine and falls under the purview of the whistleblower policy. If the complaint is sent with malicious intent, then the committee will take appropriate disciplinary action against the whistleblower.
- If the complaint does not fall under the purview of the whistleblower policy, then the same will be redirected to the right forum. For example, if the complaint is related to sexual harassment, the same will be forwarded to the Complaints Committee and will be dealt with as per the POSH Policy of the Company; if the complaint is related to a personal grievance, e.g. appraisal rating, promotion, etc., it will be forwarded to the relevant Chief People Officer.
- Once established that the case needs investigation, the secretary of the Vigilance Committee, after discussion with the committee, shall appoint a team to investigate the case, with utmost confidentiality. The investigative team can be a pool of internal people specially trained to investigate, or can be an external agency specialised in investigating such cases.
- Under no circumstances will the secretary, the investigation team or the committee reveal or disclose the identity of the “accused” to anyone else (including the immediate manager) other than those who are required to know about the case.
- The investigation team should work towards ensuring that the investigation is completed by following the laws of the land and principles of natural justice within 3 weeks of the complaint being reported. If the investigation cannot be completed within 3 weeks, then the committee needs to have very valid and strong reasons (for instance, complexity of the case or engaging a third-party expert, etc.) for the same.
- Once the investigation is completed, the secretary will submit the report of investigation to the committee, and the committee will then decide on the quantum of punishment to be given. While deciding on this, the committee will consider the following:
  - Severity of the misconduct
  - Impact on the organisation (Reputation, Financial / Non-Financial)
  - Record of the employee
  - Past precedents of treating similar violations (a summary of the same will be kept with Human Resources)
- The punishment shall constitute a minimum of a written warning and may lead to withdrawal of the last increment/ demotion, withholding promotion, dismissal from service, and/or even prosecution in a court of law.
- Once the report is received, the committee will put its recommendation forward to the respective management team. The team will consider the recommendation and decide on appropriate action within 15 days of receiving the recommendation.
- While implementing the recommendation, the management will ensure that the name of the whistleblower and the person accused are kept confidential at all times.
- In case the whistleblower or the person accused is not satisfied with the decision of the relevant Vigilance Committee, he/she has the option to appeal within 7 days of the order to the next higher-level committee.
- Based on the appeal, the next higher-level committee will decide whether to reinvestigate/relook at the quantum of punishment. The next higher-level committee will close the case within 21 days of receiving the appeal.
- If the charges framed on the accused are found to be false after investigation, it is essential to demonstrate that the employee’s dignity is respected. Hence, the Business Head / Unit Head should thank the employee personally for having cooperated in the process. A formal closure letter has to be sent informing that the charges have not been proved during the investigation process and hence he/she is fully exonerated of all the charges.
Reporting process
Establishes a monitoring and governance mechanism through regular reporting to oversight bodies like the Audit Committee, reinforcing transparency and accountability.
An annual and quarterly report will be prepared by the Vigilance Committee, of which copies will be placed before the Audit Committee of the relevant Group Company and with Human Resources.
Guidelines for communication and implementation of this policy
This promotes awareness of the policy among employees, ensures operational readiness, and assigns responsibilities for maintaining visibility and accessibility of the policy.
An ethics hotline is made available. This toll-free number will be available to report any violation or misconduct. A communication mechanism should be implemented to create awareness about this policy with the existing employees and new joiners in all Group Companies operating in India.
It is the responsibility of the Chief People Officer of the relevant Group Company to ensure that the updated names and email IDs of the various Vigilance Committees are made available to all employees through the local intranet and/or any other communication mechanism they may adopt. A copy of this policy shall also be placed on the corporate website of the relevant Group Company.
A separate, detailed operational guideline is available for each Vigilance Committee to ensure that this policy is implemented in letter and spirit.
Annexure 1 – Template for reporting violations
This being a preliminary step, you need to add only limited information. Keeping this in mind, such a template standardises the complaint format, making it easier for whistleblowers to report issues clearly and for committees to process and investigate efficiently.
To: Vigilance Committee (say either at group/business or unit level)
Please select the applicable incident type(s) from the list below that best describe the issue(s) you are reporting. Please note that multiple issues can be selected:
- Misappropriation of company assets or resources
- Conflict of interest
- Inappropriate sharing of confidential information
- Financial fraud of any nature
- Violation of the gifts and entertainment policy
- Non-adherence to safety guidelines
- Inaccurate financial reporting
- Bribery and corruption
- Insider trading
- Other forms of harassment – victimisation, bullying, discrimination, etc.
- Social media usage
- Misuse of authority
- Environment, health and safety
- Concurrent employment
- Others
Please provide the name, designation and department of the person(s) involved.
| | Name | Department | Designation |
|---|---|---|---|
| Individual 1 | | | |
| Individual 2 | | | |
| Individual 3 | | | |
| Individual 4 | | | |
When did the incident occur? (If you are not sure of the exact date, provide a tentative one.)
________________________________________________
Where did the incident take place?
________________________________________________
How did you find out about this incident? Or how did it come to your notice?
________________________________________________
How long has this been occurring for?
- Less than a month
- Between 1-6 months
- 6-12 months
- Greater than 12 months
Please provide a detailed description of the incident. To enable your company to act on your complaint, you are requested to provide specific information where possible, including names, location, date, time, etc. Please note that this field is limited to 5,000 characters.
________________________________________________
Any evidence in support of your allegations?
- Yes
- No
Is anyone else aware of this incident?
- Yes
- No
Any additional information that would facilitate the investigation of this matter?
- Yes
- No
Have you reported this incident earlier to anyone in the company?
- Yes
- No
Date: _________
Location: ____________
Name of the person reporting (optional): _________________
Contact information (incl. email, optional): __________________________
Annexure 2 – An infographic chart explaining the reporting, resolving and procedure of hearing
What real-world challenges do organisations face when implementing a whistleblower policy, and what are the effective ways to overcome them?

Parting thoughts
Now that you have made it this far, you deserve a pat on the back. You now know how to draft a whistleblower policy.
It is not just a document that you draft, file, and forget. It is a living and breathing aspect of your organisation’s culture. Of course, the legal compliance matters. The clauses, procedures, and reporting mechanisms need to be airtight. But what matters just as much is the message it sends: we listen, we care, and we act.
So, whether you are a seasoned HR professional, a compliance head, or someone building policies from scratch at a growing startup, just remember this: a well-drafted whistleblower policy can be the difference between covering up a crisis and correcting it early.
Because when employees trust the system enough to speak up, that is when you know you have done your job well.
FAQs
- My manager is involved in the wrongdoing. Can I still report it?
Absolutely. If your manager is involved, you can bypass the regular reporting line and directly approach the Whistleblower Officer or send an anonymous email. The policy ensures protection even when senior leadership is involved.
- Can I report even if I do not have concrete evidence?
Yes. While evidence helps, the company encourages reports based on reasonable suspicion or concern. Investigators will assess the merits and gather facts during the process.
- Is whistleblowing the same as complaining about my workload or promotion?
No. The Whistleblower Policy is meant for serious misconduct, ethical violations, or illegal acts. Issues like performance reviews or workload should be addressed through HR grievance channels.
- Will I be protected against retaliation?
If you report in good faith, you are protected under company policy and the Companies Act, 2013. The policy shields you from legal retaliation within the scope of the report.
- What happens if someone uses the policy to falsely accuse someone out of personal grudge?
Making false or malicious complaints is a serious violation. If proven, the whistleblower could face disciplinary action, including termination.
- Is there a reward for whistleblowing?
Currently, unlike Western countries, in India there is no system to offer monetary rewards for whistleblowing. However, appreciation and recognition may be extended in exceptional cases, subject to confidentiality constraints.
- What if the issue is with the whistleblower officers themselves?
In such cases, the report can be made directly to the Chairperson of the Audit Committee or any independent director of the company.
- How long does the investigation take?
Timelines vary based on the complexity of the case. However, the company aims to resolve most cases within 45–60 days, with regular updates (where appropriate).
- Will I be involved in the investigation process after I report?
You may be contacted for clarification or supporting information, but you are not expected to play an active role in the investigation unless you choose to.