NPT Study: Most Nonprofits Don’t Have Whistleblower Policies
Most Nonprofits Don’t Have Whistleblower Policies

Ripped from news headlines, whistleblower is a phrase you can’t avoid. It is front and center at the impeachment hearings in Washington, D.C. The charitable sector has had a flurry of whistleblower situations the past two years. The Silicon Valley Community Foundation, the American Red Cross, the Humane Society of the United States and Oxfam have all had complaints blow up into headlines.

Whistleblowers are protected under federal law and often cloaked in secrecy. But according to the 2019 Ethics & Compliance Hotline Benchmark Report from NAVEX Global, there has been a “slow but steady decrease in the median rate of anonymous reports” since 2009. In 2018, NAVEX found that 57 percent of reports were anonymous, down from 65 percent in 2009.

A majority of nonprofits still do not have a whistleblower policy. The federal Form 990 asks if a charity has a whistleblower policy. A search of Form 990s in the Internal Revenue Service’s Business Masterfile showed that of the 329,225 Form 990s checked via GuideStar by Candid on behalf of The NonProfit Times, just 41 percent have a whistleblower policy and 1 percent of filers left the box blank. The Form 990 includes instructions regarding whistleblowing in Section VI, Lines 13 and 14. It reads: “A whistleblower policy encourages staff and volunteers to come forward with credible information on illegal practices or violations of adopted policies of the organization, specifies that the organization will protect the individual from retaliation, and identifies those staff or board members or outside parties to whom such information can be reported. A document retention and destruction policy identifies the record retention responsibilities of staff, volunteers, board members, and outsiders for maintaining and documenting the storage and destruction of the organization’s documents and records.”

The National Whistleblower Center in Washington, D.C., defines a whistleblower, in part, as “someone who reports waste, fraud, abuse, corruption, or dangers to public health and safety to someone who is in the position to rectify the wrongdoing. A whistleblower typically works inside of the organization where the wrongdoing is taking place; however, being an agency or company ‘insider’ is not essential to serving as a whistleblower. What matters is that the individual discloses information about wrongdoing that otherwise would not be known.”

Dozens of whistleblower laws are now in place at the federal, state and local levels, ranging from the False Claims Act to elements of the Clean Air Act to the Antarctic Conservation Act. Each has unique definitions and procedures, according to information from the National Whistleblower Center.

While an organization’s exempt status does not hinge on checking the box on the Form 990, there are federal laws that include nonprofi ts in whistleblower provisions. Along with internal support for whistleblowers, elements of three federal laws cover business, consumer and the military protect whistleblowers. Those laws are the False Claims Act (1863), The Sarbanes-Oxley Act (2002) and The Dodd-Frank Wall Street Reform and Consumer Protection Act (2010).

In the case of The Sarbanes-Oxley Act, retaliation against employee whistleblowers is prohibited. The act targets accounting practices and document retention. That is why experts suggest any internal policies include how to handle document retention and destruction.

With the False Claims Act, jobs of whistleblowers are protected and complaints must be kept under wraps for 60 days to help ensure the person’s anonymity. This act was written to prevent military procurement fraud but expands to other interactions with the government, such as grants and appropriations.

When it comes to Dodd-Frank, the Securities and Exchange Commission (SEC) can take action against employers that attempt to retaliate against whistleblower employees.

The Silicon Valley Community Foundation (SVCF) has a policy on whistleblowing. And although issues there came to light initially through the media, the policy is monitored through a third-party firm.

“As is true for many organizations that follow best practices in the nonprofi t field, SVCF encourages employees to report potential ethical violations or improper behavior through a thirdparty company that provides confidential reporting. For many years now — and currently — SVCF has contracted with Lighthouse Services for this function,” said Sue McAllister, vice president, marketing and communications at SVCF. “Information about contacting Lighthouse is featured in our new-hire orientations, on the main page of our staff intranet, and in common areas throughout our offices.”

The NonProfit Times contacted several organizations that have made headlines. SVCF was the only organization where leaders were willing to speak about it.

Some providers of directors and officers (D&O) liability insurance do not require a whistleblower policy. “Every insurance carrier has different requirements. As for us, we ask the question and depending on the size of the organization, if they answer no, we may require they adopt a whistleblower policy as a condition of getting the D&O coverage,” said Pamela E. Davis, founder, president and chief executive officer of Nonprofits Insurance Alliance Group (NIAG) in Santa Cruz, Calif. NIAG is a nonprofit and has a whistleblower policy in place.

“I’ve never seen that question (regarding a whistleblower policy) on a D&O application,” said Melanie Herman, executive director of the Nonprofit Risk Management Center in Leesburg, Va. “Keep in mind that underwriters look beyond the application when deciding whether to offer coverage and with what terms, conditions and pricing. They routinely look at an applicant’s website and Form 990. So they can readily determine whether a policy exists without asking the question. But more importantly, the existence of a policy does not necessarily mean that the organization’s culture is one that embraces high standards of ethical conduct, or that stakeholders who report concerns are treated with respect and protected from retaliation,” she said. “It’s also possible that leaders of an organization without a policy would take the proper steps upon receiving information about possible unethical or illegal conduct.”

There is sometimes confusion in defining a whistleblower. Davis explained that a complaint is the substance of what a whistleblower discloses. A whistleblower is the person making the complaint.

“While complaints can be about personal working conditions and other matters that are not of interest to a regulator or law enforcement, a whistleblower is someone who reports a complaint about something they think is illegal or in violation of a law or regulation, or is gross waste, fraud or abuse,” according to Davis.

“Complaints that contain confidential or secret information must be reported via the authorized mechanisms or the whistleblower could lose the protections. The protections they get against retaliation include protection from things like being fired or demoted,” she continued.

Many nonprofit whistleblower protection policies call for board involvement when allegations are made against a member of the C-Suite, including the chief executive officer. In other organizations, there is a process for reporting on active investigations to an oversight committee, such as the Audit Committee or the full board, Herman explained.

“And, of course, some nonprofits have an Internal Audit function that provides periodic updates on allegations or investigations. Another procedure I’ve seen implemented is where a single board member is part of the routing for reports to an ethics hotline,” she said. In that case a board member receives reports implicating any member of the C-Suite and any member of the board except reports that implicate him/her, or reports where the reporter expresses reservations having the report routed to the board member.

Most whistleblower protection policies name at least two, if not three, compliance officers. The human resources director is often one of the compliance officers, Herman said.

“In my experience, employees speak up and express concerns when there is a culture of psychological safety and they believe that the executive team and board hold themselves and others to the highest ethical standards,” said Herman.

In the wake of the leadership crisis that occurred at SVCF in spring 2018, staff and leadership are continually working to improve workplace culture and internal communications, McAllister said. “We formed a Culture Task Force in 2018, reassessed and redefi ned our organizational values, and are finding ways to ensure that we are living our values in our work daily. In addition, our board of directors formed a new Talent and Culture subcommittee in late 2018, whose charter notes that one of its responsibilities is to ‘provide transparent and safe avenues for complaints and supervise related investigation or remedial actions as appropriate,” she said.

10 Whistleblower Policy Resources

Here are 10 resources for establishing and/or strengthening a whistleblower policy at your organization. Sample whistleblower protection policy from the National Council of Nonprofit …


Sample whistleblower/complaint resolution policy from CAPLaw…


Sample policy from the American Institute of Certified Public Accountants …


Legal guidance on whistleblower policies from the Public Counsel law Center…


State whistleblower laws from the U.S. Department of Labor…


Compilation of federal law whistleblower protection for employees from the U.S. Department of Labor…


National Whistleblower Center…


Whistleblower Protections in the Nonprofit Sector from the Nonprofit Risk Management Center…


Whistleblower Protection a Nonprofits from Venable LLP…


Best Practices For Protecting Whistleblowers…