Skip to content
Home / Resources / Our methodology

Painless ethics management methodology


We developed a vision reflecting our philosophy, industry experience, and subject matter expertise:

  1. Ethics is not for trial & error. Our clients must succeed from the first attempt.
  2. Ethics is a must, not a luxury. Compliance software pricing should be fair.
  3. Compliance is not enough for sustainable corporate justice. It works when you go beyond compliance.
  4. Whistleblowing should be a quick-win project / a low-hanging fruit when outsourcing and leveraging the experience of others!

Our initial idea was to help clients succeed in integrity management and avoid common mistakes and pitfalls.
So, we have embedded the methodology into Ethicontrol's operating model and the default configuration of the software platform.

Afterwards, industry frameworks like EU Whistleblowing Directive and ISO 37002 Whistleblowing Management System confirmed most of the statements.


Outsourced whistleblowing should be a quick-win fruit project for compliance officers.

rocket ship icon in blue, in the style of dark white and light green, socially minded symbolize rapid rollouts

Rapid rollouts

We normally roll out our solutions within a week.
Starting from day one, you can use our systems within standard configuration not waiting for your own SOP or adaptations.
Our systems are web-based and independent of user terminals or operating systems, multilingual, and mobile-friendly.

Zipper Clasp in blue and green color symbolize highly customisable

Highly customisable

Just send us your standard operating procedures (SOPs) or brand guidelines, and we will take care of the rest.
All of the process attributes (statutes, priorities, risks, workflows), notifications, buttons, and colors can be changed.
We are also flexible in terms of server locations or rollout scenarios.

 a blue and green tool icon, in the style of elongated figures, handheld, controlled chaos

One stop shop

Apart from software, we will also take care of legal requirements, translations, telecommunication arrangements (toll-free numbers, IVRs, etc.), communication campaigns, training, and ongoing support.

a puzzle made of pieces, each with a different color, in the style of dark blue and emerald

API for integrations

Should you need to enrich your data with business intelligence or with open data, we have got an API for that.
As well as for information exchange with your ERP or CRM system.

No mistakes

Ethics is not for trial & error. Our clients must succeed from the first attempt.

a blue and green scuba diving equipment icon, in the style of interactive experiences  beyond compliance

Beyond compliance

Our solutions will help you comply with EU Whistleblowing Directive, FCPA, FCA, SOX, FSGO, SAPIN 2, UKBA, ISO 37001, ISO 37002, Global Compact, GDPR, and your local regulations.
At the same time, our features enable you to go further, improving your processes and risk management.

the icon for footwear represents a shoe, in the style of light emerald and dark blue proven methodology

Proven methodology

We know what works as well as what process design decisions can harm.
Our regular monthly fees depend on your success.
So, we developed the methodology and embedded it into our systems in addition to compliance requirements to help you avoid pitfalls and mistakes.

Life preserver in the form of a duck in green and blue colors supporting materials

Supporting materials

We have prepared a bunch of posters, stickers, risk forms, web pages or email templates to be used during your setup and communication campaign.
Should you need inspiration for your Code of Conduct, Standards Operating Procedures (SOP), or Compliance policies, we will equip you with our templates.

Tense strong pumped arm with a green heart above it training and help

Training and help

We will train your user, making sure you get the most from our solutions.
We will advise you on key decisions during rollout, making sure you succeed with your compliance program and projects.

Fair cost

Ethics is a must, not a luxury. Compliance software pricing should be fair.

 a person with an infinite symbol, in the style of light sky-blue and dark green, rounded no user seats charges

No user seats charges

Involve as many users as possible. Leverage other departments in your compliance/security/risk management workflows.
Our solutions are priced per company and per feature basis.

tariff a man lying on top of a scale on a green background, in the style of dark navy and azure, iconographic symbolism flexible tariff plans

Flexible tariff plans

Ethics management should be available for a company of any size!
You can mix & combine features and options irrespective of our standard tariff plans. We will provide you with our best quotation tailored to your jurisdiction, ToR, compliance requirements, or maturity of the company.

a helmet with green and blue lines that outlines it, in the style of medieval-inspired, light navy and white full feature period

Full feature period

Regardless of your feature plan, we provide with all available features for the first 9 months.

cloud storage icon with a parachute flying over, in the style of dark teal and silver free updates and support

Free updates & support

You get all updates and new features instantly on the subscription model.
Or you get three years of free updates and new feature releases when using our boxed (on-premise) solutions.


19 rules of painless whistleblowing

1. Encourage reporting and protect whistleblowers
A woman shouts into a loudspeaker
Promote speak-up culture. Establish a culture of free and open discussions. Support open door policy.
Help employees express their thoughts whenever possible.
Train employees to identify retaliation for speaking up.
Train employees to identify fraud and misconduct and how to report it.

Run culture, trust and fraud awareness surveys with a special section on whistleblowing.

Insert whistleblowing and speak-up into staff welcome packs and introduction training.
Establish a tone from the top respecting the importance of ugly truth.

Establish zero tolerance and the most severe disciplinary sanctions for retaliation of whistleblowers or those who openly speak up. Showing a bad attitude towards whistleblowing as a cause should also be considered retaliation.
2. Protect confidentiality and anonymity
The girl shows the sign to be silent
When it comes to whistleblowing the trust of reporters is the key success factor. A company gains trust by different actions, from secure intake of reports to fair decisions and remediation actions.

All messages should be kept confidential. Confidentiality is the best source of reporters' protection and hotline promotion.

The company should:
  • guarantee that all information will remain confidential and no one except for the designated investigation team and ethics committee will be informed about the existence of the report, the case, or its details.
  • train top managers and the investigation team to keep confidentiality during investigations, interviews, document requests, or reporting.
  • establish responsibility for breaching confidentiality
  • establish controls over information assets that store confidential information.

The best way to keep reporters protected is to let them stay anonymous. Anonymity is one of the ways to keep confidentiality.

The best way to keep reporters anonymous is to make sure that it will be impossible to trace them (by phone, by digital footprints, by voice, by metadata). This can be achieved by engaging an independent third party like Ethicontrol.
Third-party providers don't depend on the owners, management, security services, and any other employees of a company.

Ethicontrol's autonomy allows us to call things by their proper names and not deviate from the main task of our company - the preservation of reporters' anonymity and confidentiality.

The best way to protect whistleblowers for Ethicontrol is to know nothing about them not being technical to uncover, log or analyse. That is why as a part of Ethicontrol's "Zero-knowledge policy" we came up with the architecture of our system which separates physically reporters' portal from a case management system. The reporters portal does not collect any digital footprints and is script free, meaning that reporters can use identity blockage tools and still be able to use the whistleblowing tool.
3. Protect reported messages
Bottle with notes in the sea (1)
All incoming reports (100%) must be registered, provided that they contain the minimum information necessary for the next steps.

There is no space for discussions about the risks of spam or a need for filtering of any kind.

The reporters' messages and other info should be protected from deletion and alteration. It should never be deleted. Even wrong or spam messages should be protected from deletion.

To a possible extent, there should be no barriers or intermediaries between a reporter and an investigation team. Most reporting channels should support the direct registration of reports without any human or manual involvement, except for the phone channel. Even for the phone channel, the reporters should have the option to review the original transcript and provide more details on their own.

The best way to ensure the messages are protected is to pass the control over them beyond the company. It is the company that is mostly interested in hiding/altering the information. A reputable third-party whistleblowing provider is a guarantee that a company will not have any control over the data and that most of the risks concerning messages are covered.
4. Structuring instead of filtering
Barceloneta Beach in Barcelona view above
According to principle No 3, all incoming messages should be registered, provided that they contain the minimum information necessary for the next steps.
But, how to deal with messages:
  • with wrongful information;
  • with incomplete information;
  • with non-understandable rubbish;
  • with intentional and unintentional spam?
What if the capacity of a response team is not sufficient to deal with a massive number of unreliable and unclear incoming info?

We believe that our clients should successfully deal with such challenges. And the ideal way is through training reporters.
Such training can be done live or through video explainers, posters, articles, and published policies and manuals.

Also, you can do it via a guided step by step registration of the report. We suggest carefully drafting interview scripts and web intake user experience, ensuring that a poorly trained whistleblower will leave a well structured and useful message.

Establish zero tolerance and the most severe disciplinary sanctions for retaliation of whistleblowers or those who openly speak up. Showing a bad attitude towards whistleblowing as a cause should also be considered retaliation.
5. A continuous dialogue with the reporter and accountability
phones with the wire
Whistleblowing is effective when one side is ensured it will be heard and the other is ready to listen.

Appreciate sincere reporters. The information we get is not always pleasant and serves the interests of the company - still, every report has to be analysed and answered. Regardless of the company's decision, the reporter should feel that the company cares about its employees and takes all concerns seriously. The reporters know their future reports will be considered by getting feedback, so they are more encouraged to report.

Do not forget about the aftercare of those involved. Following up on a reporter should be standard practice. Reporters should be informed not only about the start of the investigation but its closure and results. Let the reporter know if any actions were taken - if not, explain why the company dismissed the report. If any delay takes place, it is normal to inform the reporters, so they understand the approximate investigation time.

This way, you manage the reporters' expectations and train them to be more efficient in the future by uploading relevant information and knowing the process.

Remember about retaliation. After the resolution, you should connect with the reporter after some time and inquire about any indicators of retaliation. Studies suggest that revenge is still very often and happens within the first three months after the case.
6. Maximum transparency
A Hand underwater (1)
Effective communication relies on trust. The lack of transparency can quickly destroy trust, leading to the failure of your ethics management efforts.

Thus, the whistleblowing management system should operate in a clear, understandable, and consistent way.

First, the whistleblowing hotline is not an IT system, a mailbox, or a phone line. Primarily, a hotline - is the response team - the responsible compliance officers - humans that care about integrity and people. The best hotline is a trusted compliance officer with an open-door policy.

It means that reports should know people standing behind the hotline and handling the investigations.

Secondly, reporters should know what will happen after the report submission, what can they expect, and what not.

Thirdly, everybody should understand how the allegations will be checked, who will judge, that there will be no subjectivity and that the decision-making process relies on evidence only. In other words, there should be a reasonable assurance that misconduct will be punished while everyone is protected from wrongful prosecution. Finally, the ethical decisions should correspond with the company values and be consistent despite the seniority or significance of involved parties.

Fourthly, company employees should be aware of the results of a whistleblowing management system: report statistics, case outcomes, and sanitised case studies.

To summarise, everything about whistleblowing and investigation should be open to reporters except for the information which is protected by privacy laws or may lead to retaliation risks.
7. Avoid conflicts of interest throughout the process: from registration to ethics decision
two women photo half face (1)
The registration of messages and reports should be independent of those responsible for the response.

In addition, there should be protection from the self-review for cases when the reported incident contains information about the response/compliance team. For such cases, Ethicontrol recommends the Escalation procedure helps to bypass the default response team automatically.

The case should be resolved by persons who are not biased and involved in the relevant process, allowing them to objectively and independently define facts and draw investigation conclusions.

Those who investigate cannot be witnesses or narrators of the investigation results.
Next, those who investigated the issue should not decide on the case whether the wrongdoing has taken place or the degree of guilt.
8. Prioritise
Small pieces of paper pinned on the desk (1)
Prioritisation is an important tool in managing reports - you do not miss the urgent ones but also keep track of the less important ones at the moment.

Make sure you have a set of criteria to evaluate the case: it can be reputational damage, a threat to life, financial damage, and more. Sorting out the cases will also help you manage your time. You will be given limited days to finish the investigation and submit a report. An assigned priority to a simple case can also ensure that the case is not forgotten and evaluated, so the reporter knows about the estimated timeframe.
9. Whole event life cycle in a single system
Starting track for running competitions (1)
 We built a system that allows tracking all the events and keeping a clear focus on them by using three components with one strategy.

Speak up / Whistleblowing communication platform. The reporters can use the platform to file their reports and later track the case's progress. With notifications, the reporter will always be aware of the updates on the case and be ready to provide additional information.

Ethics incident management. Incident management is a transitional step between whistleblowing and investigation. Here you decide how the case will be processed. Based on the internal procedures, the case will be assigned to a specific person within the company's department, following the typical investigation track.

Investigations & case management. The idea of a case management platform is to give you all the necessary tools for speedy and efficient investigation. You can communicate with a whistleblower within a case management system, create and resolve tasks, set up workflows, and delegate cases. To be impartial and investigate, you can build fact trees, check evidence, look up the perpetrator, and more. The desired result is an increased rate of reports - trust in the system, and enhanced compliance in the company.
10. Involve non-compliance users
Four person discussing issue on the meeting
You might need people outside of your team to accomplish the investigation and speed up the process in general.

We encourage inviting different professionals from other teams to share their experience and help each other with the case details. Accountants, HRs, managers - anyone can contribute to the process.

An investigation officer cannot be an expert in everything and should not be doing anything - taking care of the best use of own resources. Thus, the officer should focus on his / her core competencies: the investigation strategy, methodology, and managing the team, leaving the fact-finding and number-crunching to more applicable staff.

The investigation lead should not do all the job. Most of the investigation tasks can be delegated to non-compliance participants providing that confidentiality measures are taken.

Out platform does allow running investigations compiled of multidisciplinary/multifunctional teams with different access levels. We made this communication secure by creating tasks - it allows compliance officers to invite anyone for the investigation and, at the same time, limit their access rights.
11. Set due dates control
Watch on a mans hand
The reporters cannot wait for the response forever. Therefore, the response time should be reasonable despite deadlines set by legislation.

Overdue response means that the reporter is extremely unhappy and might have been spreading negative emotions within the company or might speak up publicly as guaranteed by laws.

Thus, each report should have a due date set from the moment of registration.

The response team should control due dates for cases with different emergency levels, or it can be done automatically. With the Ethicontrol platform, you can mark the cases as highly prioritized or low priority, and the deadline will be applied automatically.

Deadlines are also crucial for notifying whistleblowers of the case's progress. It is both good practice and a legal requirement in certain countries. Ensure you have a standard follow-up procedure: every time there is a change in the case, you can notify a whistleblower.

When the due dates are set, the Ethicontrol platform will keep your cases organized automatically, and you will be reminded to react to highly prioritized cases. In addition, the efficiency and timeliness of your work will be shown in analytics so you can improve your response rate.
12. Validate and evaluate evidence
Calibration Lab
Regardless of their complexity, all cases have to be investigated with the same diligence and have reasonable grounds for taking evidence seriously.

Without evidence, the only choice is to ask a whistleblower for it - otherwise, the case has to be dismissed. Whistleblowers should be able to attach files or upload any other evidence in a suitable format while using the whistleblower's portal.

After getting the evidence, you as a compliance officer have to analyze it and leave only those pieces that are needed for investigation and are reliable (this is also in line with data minimization principles).

What are the steps to work with evidence?
  • Set clear criteria for case materials to be considered as evidence.
  • Differentiate between levels of evidence reliability.
  • Make sure that the case is compiled of reliable evidence.
13. Only substantiated facts with verified evidence are taken into account
Someone writes with a red felt-tip pen
In each report, you will find something to operate further in the case with - facts. Statements of witnesses or general information from the report include multiple points to rely on - use single statements to formulate facts and evaluate them.

Make sure that final conclusion will be drawn on facts with were supported by reliable evidence.

Ethicontrol case management allows you to structure the facts by building a fact tree. The facts appear in the list progressively as you add them - later, you can use only verified facts for making a decision.
14. Standardisation and automation to increase productivity and fairness
White robot
Each professional will see consistency in investigation approach reports and find a typical pattern.

When this happens, you may document repetitive tasks in an investigation program or make a quality checklist. It will ensure the expected quality of your investigations, especially when you operate as geographically distributed teams.

Business rules or automation rules can be used to improve productivity and make sure that your SOPs have adhered to. For example, you can set a standard rule for all the cases related to the same category or coming from the same unit.

Apart from Workflows and Automations, you can also use Procedures and Templates - all the features are available in the Ethicontrol platform and fully standardize your daily work.
15. Case report ready from the first day
A man flips through a notebook (1)
Make it a regular practice to fill in the case details whenever you get updates from the whistleblower or come to a new conclusion.

Not only does it structure your work and leaves nothing forgotten, but it eases your tasks later. Everything you document about the case using the Ethicontrol platform later appears in the case report automatically when the case is registered in the system.

If you need to report on case progress regularly, you can download the report at any stage of the investigation and deliver it to your superiors.
16. Lack of a conclusion is also a conclusion
Document in the hand of a man
The case can be finished only when you have enough information on it - case materials, evidence, facts, involved persons, and responsible persons.

If you struggle to make a conclusion on the case, it might be that the case was not substantiated with facts and has to be dismissed.

The other way to overcome decision-making struggles is to go back and find what was missing in the case and what caused the uncertainty. Use lack of information in your favor - collect more evidence and master your investigation skills.
17. Fair decisions and sanctions
Libra (1)
The investigation should lead to real actions so whistleblowers can report knowing the changes will follow.

Make sure you have a procedure to take action and penalize the wrongdoers - everything has to be documented and in line with the company's standard regulations.

You will need administrative and financial resources for fair sanctions and decisions. Additionally, the process of decision-making should be free from conflict of interest.

The decision has to be communicated to the whistleblower and the wrongdoer with all data protection measures taken. Decisions based on unverified facts may negatively affect a company's reputation and whistleblowers' trust - give this part of the investigation needed attention and precision.
18. Learn from violations
Man doing ceiling screed
Sanctions on the wrongdoers do not necessarily mean that your company learned the lesson. Try to find the real cause of the event that triggered a violation instead of only penalizing the wrongdoers and reporting on the resources used for investigation.

Was it a lack of control or personal retaliation motives? Or was it unfair treatment of employees that triggered harmful actions?

Every time you go deep and find the cause of violations, you increase the trust of your employees and learn more about their needs and weaknesses. Simultaneously, you protect your company from future risks.
19. Report on reports
Typewriter and paper Investigation
Use the knowledge you got from the cases to analyze general trends and predict the outcome of future violations. Analytics and single case reports help you see the general picture. If you want to put conclusions into numbers, period reports can be used to report general trends.

With Ethicontrol, you can store all the reports in a single place and later use them to shape a new strategy for compliance.

Make it a habit to review the reports and find what is missing and what could be improved. Record-keeping is a requirement of all whistleblowing and financial regulations - you can rely on templates and keep your work organized at all levels.