This past summer, headlines blasted allegations that FIFA, the nonprofit international governing body for soccer, was riddled with corruption. The FBI’s pending case against the organization appears to be founded partly on testimony from whistleblowers. Unfortunately, malfeasance (including many bribery incidents) is alleged to have gone on for years before whistleblowers spoke up.
FIFA’s current situation highlights the need for nonprofits to protect themselves — as well as staff members, volunteers and board members — with formal whistleblower policies. Your nonprofit’s reputation and financial security depend on it.
Whistleblower policies protect individuals who risk their careers, or take other kinds of risks, to report illegal or unethical practices. Although no federal law specifically requires nonprofits to have such policies in place, several state laws do. For example, New York’s Nonprofit Revitalization Act of 2013 requires nonprofit corporations and charitable trusts with 20 or more employees and annual revenue in excess of $1 million in the prior fiscal year to adopt a whistleblower policy.
Moreover, IRS Form 990 asks nonprofits to state whether they have adopted a whistleblower policy. According to the form instructions, such policies encourage staff and volunteers to come forward with credible information on illegal practices or violations of organizational policies.
Adopting a whistleblower policy increases the odds that you’ll learn about current or potential problems before the media, law enforcement or regulators do. Encouraging stakeholders to speak up also sends a strong message about your commitment to good governance and ethical behavior and fosters an environment of accountability and employee empowerment.
Your whistleblower policy should be tailored to your organization’s unique circumstances, but consider including the following general provisions:
Covered individuals. Spell out who is covered by your policy. In addition to employees, volunteers and board members, you might want to include clients and third parties who conduct business with your organization, such as vendors and independent contractors.
Covered wrongdoing. Financial misdeeds often get the most attention, but whistleblower policies should have a longer reach. For example, you might include violations of organizational client protection policies, conflicts of interest, discrimination and unsafe work conditions.
Reporting procedures. Explain the procedures for reporting concerns. Must claims be made to a compliance officer or can they be reported anonymously? Is a confidential hotline available? Whom can whistleblowers turn to if the designated individual is suspected of wrongdoing? These procedures should be clear enough to encourage individuals to come forward.
Investigative procedures. Covered individuals and other stakeholders need to know how you’ll handle reports once they’re submitted. State that every concern raised by a whistleblower will be promptly and thoroughly investigated and that designated investigators will have adequate independence to conduct an objective query. Ideally, investigators will report directly to your nonprofit’s board of directors.
Also describe what will happen after the investigation is complete. For example, will the reporting individual receive feedback? Will the individual responsible for the illegal or unethical behavior be punished? If your organization opts not to take corrective action, be sure to document your reasoning.
Confidentiality. A promise of confidentiality can make whistleblowing more appealing. But it may not be possible to make such guarantees if whistleblowers need to become witnesses in criminal or civil proceedings. However, your policy should assure confidentiality to the greatest extent possible.
Disciplinary action. Not every whistleblower is motivated by pure intentions. State that your organization will take disciplinary action against individuals who make unfounded allegations that are reckless, malicious or intentionally false.
Beyond the written policy
Simply establishing a whistleblower policy isn’t enough. Be sure to distribute your policy widely, by, for example, incorporating it in your employee handbook and employee orientation program, and by presenting it to board members and managers.
Had FIFA followed such policies, it might have halted the alleged wrongdoing that has severely tainted its reputation and hurt its bottom line. Your organization doesn’t want to make the same mistake.
Don’t forget about retaliation
One critical component of a comprehensive whistleblower policy is the prohibition against retaliation. The Sarbanes-Oxley Act of 2002 explicitly prohibits charitable organizations from retaliating against a whistleblower who provides information on certain financial crimes. But your whistleblower policy should outline protections for all types of whistleblowers.
Protection for retaliation need not be absolute, though. Make clear that no retaliation — including harassment, termination and blacklisting — will be tolerated against anyone who raises concerns about potentially illegal or otherwise wrongful practices in good faith. “Good faith” means the individual has a reasonable belief that a problem exists.
Your antiretaliation provision should also specify the party to whom complaints of retaliation can be addressed. As with the overall whistleblower policy, you’ll want to provide training to managers and board members. And violators should be disciplined promptly and appropriately.