Whistleblower policies for nonprofit boards: a required best practice

Every organization, regardless of its mission or the integrity of its leadership, needs a mechanism for people to report problems without fear of retaliation. Fraud, financial mismanagement, safety violations, and ethical breaches can occur in any workplace. When they do, the people who are closest to the problem -- employees, volunteers, and board members -- are often the first to notice. A whistleblower policy gives those people a safe, structured way to speak up.

For nonprofit boards, a whistleblower policy is not just good practice. It is a governance obligation that the IRS tracks, that state laws may require, and that protects the organization from the catastrophic consequences of undetected misconduct. This guide covers why whistleblower policies matter, what they should contain, how to implement them effectively, and the mistakes that render policies ineffective.

Why Nonprofits Need Whistleblower Policies

Legal Requirements

The Sarbanes-Oxley Act of 2002, while primarily aimed at publicly traded companies, includes two provisions that apply to all organizations, including nonprofits:

1. Whistleblower protections. It is a federal crime to retaliate against anyone who provides truthful information to law enforcement about conduct they reasonably believe constitutes a federal offense.
2. Document destruction. It is a federal crime to knowingly alter, destroy, or conceal documents with the intent to impede a federal investigation.

Beyond Sarbanes-Oxley, many states have their own whistleblower protection laws that apply to nonprofits. These laws vary in scope but generally prohibit retaliation against individuals who report suspected illegal activity or cooperate with government investigations.

IRS Expectations

The IRS Form 990 asks specifically whether the organization has a written whistleblower policy. While not having one does not automatically violate the law, it signals a governance gap. Organizations that answer "no" to this question invite additional scrutiny and may find it harder to demonstrate the governance standards that funders and regulators expect.

Detecting Problems Early

Most major nonprofit scandals -- embezzlement, program fraud, executive misconduct -- start small and escalate over time. The earlier a problem is detected, the less damage it causes. Whistleblower policies create a reporting channel that surfaces problems before they become crises.

Research consistently shows that tips from employees and insiders are the most effective means of detecting organizational fraud. Organizations without a reporting mechanism are more likely to discover fraud through accident or external audit, by which point the damage is often extensive.

Protecting the Organization's Reputation

A nonprofit that discovers and addresses misconduct internally, through a functioning whistleblower process, can often contain the reputational damage. An organization that learns about misconduct through media reports or government investigations faces a much more damaging public narrative.

Fiduciary Duty

Board members have a fiduciary duty to protect the organization's assets and ensure it operates within the law. Establishing a whistleblower policy is part of fulfilling that duty. A board that fails to create a mechanism for reporting misconduct may itself be breaching its duty of care.

What a Whistleblower Policy Should Include

Statement of Purpose

The policy should begin with a clear statement of why it exists: to encourage the reporting of suspected misconduct and to protect those who report in good faith from retaliation. This statement sets the tone and communicates that the organization takes reporting seriously.

Scope of Coverage

The policy should define who is covered and what types of conduct can be reported.

Who can report: At a minimum, the policy should cover employees, volunteers, and board members. Many organizations extend coverage to contractors, vendors, and other third parties who interact with the organization.

What can be reported: The policy should specify the types of concerns that are covered. Typically, this includes:

• Fraud, theft, or embezzlement.
• Financial mismanagement or irregularities in accounting.
• Violations of federal, state, or local law.
• Violations of organizational policies, including the conflict of interest policy.
• Retaliation against anyone who has made a report.
• Misuse of organizational assets.
• Actions that endanger health or safety.
• Violations of donor restrictions or grant terms.

The policy should clarify that it is not intended for general workplace grievances, personality conflicts, or disagreements about organizational strategy. Those issues should be addressed through other channels such as human resources or the board governance process.

Reporting Procedures

The policy must provide clear, accessible instructions for how to make a report. Multiple reporting channels are essential because the most accessible channel depends on the person's relationship to the organization and the nature of the concern.

Internal reporting options:

• Direct supervisor or manager. Appropriate for many concerns but not for situations where the supervisor is involved in the misconduct.
• Executive director or CEO. Appropriate for concerns that involve staff members but not for concerns about the executive director themselves.
• Board chair or designated board member. Essential for concerns about the executive director or senior management.
• Audit committee or governance committee chair. Appropriate for financial irregularities or governance concerns.

External reporting options:

• Hotline or online reporting system. Some organizations use third-party hotline services that allow anonymous reporting. This is particularly important for employees who fear retaliation.
• Legal counsel. The organization's attorney can receive reports, though reporters should understand that the attorney represents the organization, not the individual reporter.

The policy should make clear that reporters can choose any reporting channel and are not required to go through their direct supervisor first.

Anonymity and Confidentiality

The policy should address whether anonymous reports are accepted and how confidentiality will be handled.

Anonymity: Allowing anonymous reports lowers the barrier to reporting and may surface concerns that would otherwise go unreported. However, anonymous reports can be harder to investigate because the investigator cannot ask follow-up questions. The best approach is to accept anonymous reports but encourage identified reporting when possible.

Confidentiality: The policy should commit to keeping the reporter's identity confidential to the extent possible, consistent with the need to conduct a thorough investigation. Complete confidentiality cannot always be guaranteed, particularly if the matter is referred to law enforcement or results in legal proceedings. The policy should be honest about these limitations.

Investigation Procedures

The policy should describe how reports will be investigated:

1. Receipt and acknowledgment. Reports should be acknowledged promptly. The reporter should know that their concern has been received and will be investigated.
2. Initial assessment. The person or committee responsible for the policy (typically the audit committee or a designated board member) should assess the report to determine whether it falls within the policy's scope and what level of investigation is warranted.
3. Investigation. The investigation should be conducted by someone who is independent of the individuals involved in the alleged misconduct. For significant matters, this may require engaging external legal counsel or an independent investigator.
4. Findings and action. The findings of the investigation should be documented and reported to the board or the appropriate committee. If the investigation substantiates the report, the organization should take appropriate corrective action.
5. Communication to the reporter. To the extent consistent with confidentiality and privacy obligations, the reporter should be informed of the outcome of the investigation.

The investigation process should be documented in a manner that can be reviewed by auditors or regulators if necessary. Document retention policies should address how investigation files are maintained.

Non-Retaliation Protections

This is the most critical element of the policy. Without a credible commitment to non-retaliation, no one will use the reporting channel.

The policy should:

• Explicitly prohibit retaliation against anyone who makes a report in good faith.
• Define retaliation broadly to include termination, demotion, reduction in hours, reassignment, harassment, intimidation, and any other adverse action taken because of a report.
• Specify that retaliation itself is a violation of the policy and will result in disciplinary action.
• Provide a mechanism for reporting retaliation.
• Make clear that the non-retaliation protection applies even if the investigation does not substantiate the original report, as long as the report was made in good faith.

The policy should also note that protection does not extend to reports made in bad faith, meaning reports that the reporter knows to be false at the time they make them.

Designated Oversight

Someone must own the policy. The policy should designate a specific individual or committee responsible for:

• Receiving reports.
• Overseeing investigations.
• Tracking the status and resolution of reports.
• Reporting to the board on whistleblower matters.
• Ensuring the policy is communicated and enforced.

The designated individual or committee should have direct access to the board and should not report to anyone who might be the subject of a complaint. The audit committee is often the appropriate body, but smaller organizations may designate a specific board member.

Implementing the Policy Effectively

Board Adoption

The policy should be formally adopted by the board through a recorded vote, documented in the meeting minutes. This creates a clear record that the board has committed to the policy.

Distribution and Training

A policy that nobody knows about cannot work. The policy should be:

• Distributed to all employees, volunteers, and board members.
• Included in the employee handbook.
• Covered during new employee and volunteer orientation.
• Covered during board member onboarding.
• Reviewed annually as part of ongoing training.

Training should cover not just the mechanics of reporting but the organization's genuine commitment to non-retaliation. Employees need to believe that reporting is safe before they will do it.

Annual Acknowledgment

All covered individuals should sign an annual acknowledgment confirming that they have received, read, and understood the whistleblower policy. This can be collected alongside the annual conflict of interest disclosure, streamlining the process. A compliance tracking system can automate the distribution and collection of acknowledgment forms.

Regular Policy Review

The policy should be reviewed at least annually to ensure it remains current with changes in law, organizational structure, and best practices. The review should consider:

• Whether the reporting channels are still appropriate.
• Whether the investigation process has worked effectively for any reports received.
• Whether training and distribution efforts have been adequate.
• Whether any changes in law require updates to the policy.

Add the policy review to the board's annual compliance calendar to ensure it does not get overlooked.

Creating a Culture That Supports Reporting

A policy alone is not sufficient. The organizational culture must support reporting. This means:

• Leadership modeling. The board chair, executive director, and senior staff should openly endorse the policy and reinforce the message that reporting is valued, not punished.
• Responding to reports promptly and seriously. Nothing kills a reporting culture faster than dismissing concerns or failing to investigate.
• Demonstrating accountability. When investigations reveal misconduct, taking appropriate action demonstrates that the policy has teeth.
• Checking in regularly. Ask employees whether they feel comfortable raising concerns. If the answer is no, the policy is not working regardless of how well it is written.

Common Mistakes to Avoid

Making the Policy Too Narrow

A policy that only covers financial fraud misses a wide range of misconduct that the organization needs to know about: harassment, safety violations, conflicts of interest, and misuse of assets. The policy should be broad enough to cover all significant concerns.

Discouraging Anonymous Reporting

Some organizations resist anonymous reporting because it can lead to unsubstantiated or malicious complaints. While this concern is valid, the benefits of anonymous reporting typically outweigh the costs. Many serious issues are reported only because the reporter could remain anonymous.

Failing to Protect Against Retaliation in Practice

A written non-retaliation provision is necessary but not sufficient. If an employee reports misconduct and is subsequently treated differently -- assigned to less desirable duties, excluded from meetings, given a negative performance review -- that treatment may constitute retaliation even if the policy prohibits it.

The designated oversight person or committee should actively monitor for retaliation after a report is made. This includes checking in with the reporter and reviewing any personnel actions that affect them.

Not Following Through on Investigations

Receiving a report and doing nothing with it is worse than having no policy at all. It signals that the organization does not take misconduct seriously and exposes the board to liability for failing to act on information it possessed.

Every report that falls within the policy's scope should be investigated. The level of investigation should be proportional to the severity of the allegation, but even minor concerns deserve a response.

Treating the Policy as a One-Time Exercise

Adopting a policy and forgetting about it is a common failure pattern. The policy must be a living document, supported by ongoing training, regular review, and genuine organizational commitment. Include whistleblower policy status as a standing item on the governance committee's agenda.

Integrating Whistleblower Procedures into Board Operations

The whistleblower policy intersects with several other governance functions:

• Meeting agenda. The board or audit committee should receive regular reports on whistleblower activity, including the number of reports received, their status, and any trends. This should be a standing agenda item.
• Board packs. Investigation summaries (with appropriate confidentiality protections) should be included in board packs for relevant committee or board meetings.
• Minutes. Board deliberations about whistleblower matters should be documented in meeting minutes, noting what was reported, what investigation was conducted, and what action was taken.
• Compliance tracking. Use a compliance module to track policy acknowledgments, training completion, and report status.
• Action tracking. Corrective actions arising from investigations should be tracked through the board's action tracking system to ensure follow-through.

Conclusion

A whistleblower policy is one of the most important governance documents a nonprofit board can adopt. It protects the organization from undetected misconduct, protects individuals who report in good faith from retaliation, and demonstrates to regulators, funders, and the public that the organization takes accountability seriously.

But a policy is only as effective as its implementation. Training, accessible reporting channels, credible non-retaliation protections, prompt investigation, and genuine organizational commitment are what make a whistleblower policy work in practice.

If your organization does not have a whistleblower policy, creating one should be an immediate priority. If you have one but it has not been reviewed recently, schedule a review. And if you have a policy that looks good on paper but has never been tested, consider whether your organization's culture genuinely supports reporting.

For more on the broader compliance landscape, see our essential guide to nonprofit board compliance. To explore tools that support governance and compliance workflows, visit NFPHub.