Principle 4

A charitable organization should establish and implement policies and procedures that enable individuals to come forward with information on illegal practices or violations of organizational policies. This “whistleblower” policy should specify that the organization will not retaliate against, and will seek to protect the confidentiality of,
individuals who make good-faith reports.

Every charitable organization, regardless of size, should have clear policies and procedures that allow staff, volunteers, or clients of the organization to report suspected wrongdoing within the organization without fear of retribution. These policies— sometimes known as “Whistleblower Protection Policies” or “Policies on Reporting of Malfeasance or Misconduct” — generally address suspected incidents of theft; financial reporting that is intentionally misleading; improper or undocumented financial transactions; improper destruction of records; improper use of assets; violations of the organization’s conflict of interest policy; and any other improper occurrences regarding cash, financial procedures, or reporting. If an organization does not have a separate grievance policy with protected reporting procedures to address violations of personnel policies, it should
consider incorporating such procedures in its broader whistleblower policy. Information on these policies should be widely distributed to staff, volunteers, clients, and others (such as vendors and consultants) as appropriate. Discussion of the policy should be incorporated both in new employee orientations and ongoing training programs for employees and volunteers. Some federal and state laws protect individuals working in charitable organizations from retaliation for engaging in specified whistleblowing activities, and states may also require that certain organizations have and enforce whistleblower policies.

A whistleblower policy should be tailored to the nonprofit’s size, structure, and capacity, and it must reflect the laws of the state in which the nonprofit is organized or operates. All policies should specify the individuals within the organization (both board and staff) or outside parties to whom such information can be reported. Small organizations with few or no paid staff may wish to designate an external advisor to whom concerns can be reported without threat of retaliation. This is a particular concern for family foundations whose board members and staff may not feel comfortable sharing concerns about suspected illegal or unethical practices directly with another family member or close associate of the family. Larger organizations should encourage employees and volunteers to share their concerns with a supervisor, the president or executive director, the general counsel, the chief financial officer and/or other senior managers of the organization, and should also provide a method of reporting confidentially to either a board member or an external entity or individual specified by the organization. Some large organizations have set up computerized systems that allow for anonymous reports, and a number of private companies offer anonymous reporting services via a toll-free telephone number, email address, or intranet site.

It is equally important that the organization have clear procedures to investigate all reports and take appropriate action. While steps must be taken to protect the anonymity of reporters as much as possible, reports must include sufficient information to enable an investigation. Reports of certain types of alleged offenses, such as abuse of a client, may require immediate reporting to appropriate legal authorities and suspension, with or without pay, of the accused volunteer or employee, while the matter is being investigated. In other cases, the board or senior management may wish to investigate allegations before reporting to government authorities to protect against or to minimize the risk of unsubstantiated accusations against an innocent individual. Some cases, even those involving substantiated violations, may not require reporting beyond the board and senior management.

Charitable organizations that must file an annual Form 990 information return are required to report whether they have a whistleblower policy, and whether they became aware of a material diversion of the organization’s assets during the year, as well as any corrective actions undertaken to address such issues if they arose. Boards of directors should have a clear process by which they decide whether, how, and when they should report other proven incidents of fraud, theft, or wrong-doing to relevant public and internal audiences, including, but not limited to, the IRS, state regulators, law enforcement, donors, consumers, employees, and volunteers. The process should include a review of legal obligations, implications for the organization’s reputation, and consideration of whether the information may become public through public reports or private communication.