Can whistleblowing also be dangerous for my company?

Yes, whistleblowing can affect companies of all sizes and cause lasting damage. In this article, we will explain the damage that whistleblowing cases can cause to you out of the perspective of a managing director of a small or medium-sized enterprise (SME). But how can the phenomenon of whistleblowing as such be explained and delimited? What different dimensions can the damage take? And what factors are crucial to enable active management of the damage?

Whistleblowing: Not my business?

Pfizer, General Electrics, the NSA, Wuhan Central Hospital. All institutions have one thing in common: they have all been involved, to various extent, in cases of whistleblowing. Probably the most recent incident occurred at Wuhan Central Hospital. The doctor Li Wenliang, who in the meantime has died of COVID-19, warned about the dangers of the virus at an early stage by informing his colleagues via the social network WeChat. The authorities considered his advice to be “untrue statements” and announced criminal prosecution against statements of this kind. Wenliang had to sign a cease-and-desist letter and was able to keep his job – probably an exception in view of the list of international whistleblowers.

Beyond the “Hall of Fame”: Whistleblowing in the SME business sector

While “star whistleblowers” such as Edward Snowden or Chelsea Manning have caused a worldwide sensation with their revelations about the NSA and the US army, respectively, there are a number of cases that only reach the public to a limited extent. The institutions mentioned at the beginning of this article paint a picture of the scope of the phenomenon of whistleblowing, but a distorted one. Apart from Wuhan Hospital, they usually are large organisations, all with at least 20,000 employees (NSA).

But it is a fallacy that the whistleblowing risk is limited to such giants. Cases also occur beyond this whistleblower “hall of fame”, namely in medium-sized companies and on a corresponding scale. According to a survey, almost 28 percent of German companies with 20 to 249 employees have experienced illegal or unethical behaviour at least once in the past year, in some cases several times.

What is Whistleblowing? A working definition

Scholars disagree on the definition and distinction of whistleblowing from other forms of information disclosure. The term was first used in 1963 when US secret documents were passed on to the Committee on Internal Security in the context of the Vietnam War. The term, which translates awkwardly as blowing a whistle, is symbolic for pointing out a wrongdoing. The widely used definition is based on the following three criteria:

  • A whistleblower is therefore firstly a member of the organisation concerned,
  • secondly, he has incriminating information about illegal or unethical activities
  • and thirdly, he discloses it to people in order to correct the wrongdoing.

Did you notice anything? Maybe the first criterion. Since practice shows that whistleblowing is also carried out by people outside the organisation, this has been expanded accordingly in academic discourse so that customers and suppliers can also be whistleblowers (Maume Haffke*). Furthermore, a distinction is made between disclosing information to external versus internal bodies, whereby the first is often considered the only true whistleblowing, with the argument that the process for internal disclosure is fundamentally not comparable (Farrell and Petersen in Near, Miceli²).

Are there any indicators of whistleblowing?

No. That is precisely what makes the phenomenon so difficult to grasp. And it manifests itself not lastly in the wide range of incidents. Attempts to narrow it down to specific company sizes, economic sectors or divisions fail. Although mainly large companies and corporations are the ones in which whistleblowing cases develop the dynamics and social relevance to break through to the public.

However, as shown, grievances also occur in German SMEs. If the limit is raised to 500 employees, the number of affected companies is likely to grow. After all, a good 40 per cent of companies above this threshold experienced one or more wrongdoings.

The situation is similar with the classification into sectors. European and German jurisprudence has identified particularly vulnerable sectors and introduced selective obligations to introduce reporting systems, such as in the case of financial services companies. However, it is obvious that offences such as sexual harassment or mobbing do not stop at any sector.

After all, wrongdoing can take all kinds of forms. From health and environmental hazards to corruption, data manipulation or money laundering: anything can happen and anything does happen, as experience shows. Business areas such as finance and accounting may be primarily associated with such risks, but at most they are more vulnerable than other areas. Ergo: wrongdoing cannot be ruled out or concentrated anywhere.

Further information on how to deal with whistleblowers in an emergency can also be found in our article “Defeated by Whistleblowers?”

Abuses can turn into scandals

The scandals surrounding Cambridge Analytica, the NSA and others have shown one thing beyond doubt: The explosive power of whistleblowing is great. For some, like Cambridge Analytica, too big. Within two months of its dubious business practices being made public, the company filed for bankruptcy in May 2018. Whether insubstantial or not, whistleblowing quickly takes companies out of their usual orbit. The following cascade illustrates the various stages of escalation.

Best Case

In a perfect world, preventive measures would enable the management to prevent malpractices as they arise by sending clear signals. Although this is hardly possible, as described, most SMEs (92 percent) rely on such “signals from management” as a means of prevention. The Code of Conduct follows far behind (67 percent).

Mid Case

Prevention is not successful, but the channelling of cases is. A reporting system ensures that all misconduct is forwarded to previously defined persons of trust in a regulated process. Reports that fall below the compliance threshold, i.e. that do not constitute a violation, are forwarded back to the appropriate addressees. Those above the compliance threshold can be systematically dealt with internally.

Worst Case

Both prevention and channelling fail. The management has not succeeded in managing the grievance internally. The information leaves the internal circles unfiltered and takes the company out of its usual orbit with full impact. Where mechanisms for competent handling of information are lacking, subsequent publication cannot be avoided.

How does damage occur for the company?

All cases falling between the mid and worst case represent a danger for the company. But how can this danger be translated into the business context of SMEs? To answer this question, the following differentiation is helpful:

Financial damage

On the one hand, whistleblowing cases cause quantifiable financial damage. Losses occur both on the cost side and on the turnover side.

Every whistleblowing case causes unbudgeted costs. In almost all cases, fines are imposed, to be covered by the whistleblower, the company, or both, depending on the verdict. The dimensions of such payments vary. In 2009, the pharmaceutical company Pfizer, which had to pay a record amount for the illegal marketing of the painkiller Bextra. The company paid a fine of 2.3 billion US dollars. But even small and medium-sized enterprises in this country are not immune to fines. Although the fines are of a different magnitude, the financial cushion is weaker. In the year of the fine, Pfizer achieved a turnover of a good 50 billion US dollars – so the fine amounted to less than five percent of the annual turnover. By way of comparison: with the best-selling active ingredient Lipitor, the company earned almost five times as much in 2009 (11.4 billion US dollars)³.

SMEs, on the other hand, usually do not have broad portfolios that can easily cushion scandals in one segment. Here, the penalty can quickly pose an existential threat. Experience shows that whistleblowing cases can result in considerable fines, even in SMEs. In the Bottrop pharmacist scandal, which was uncovered through whistleblowing, a damage sum of 17 million euros was caused, to be borne by the pharmacist who has since been sentenced. The full amount of the legal costs must also be covered by the pharmacist. In general, a good 30 per cent of German SMEs stated that they had suffered damages of more than 10,000 euros due to malpractice in 2019, ten per cent even more than 100,000 euros.

The damages for the company are manifold and often not exactly foreseeable on the first day. The financial losses form the anchor for an initial assessment. In addition, damages to turnover also weigh heavily and the losses due to the loss of customers or sales channels must also be taken into account. In order to be able to assess the full extent of the damage, it is therefore necessary to take a holistic view of the damage along the entire value chain of the company.

Non-financial damage

On the contrary, there are damages that cannot be quantified. On the one hand, these are damages to the external perception of the company. Image losses are particularly painful for SMEs with reputations built up over generations. Restructuring or reorientation to new business areas can be financially so resource-intensive that they are not sustainable for SMEs. In particular, businesses with small product lines and customer bases are limited in their ability to compensate for the damage caused to their image.

A company like Pfizer, on the other hand, can regain its clean slate relatively quickly by getting rid of the affected segment. An example, based on the recent whistleblower video from the Tönnies canteen: If this kind of material came to public in non-Covid times from a much smaller company, it would probably have difficulties pulling itself out of the line of fire of public disgust.

On the other hand, whistleblowers can damage the working atmosphere internally, for example when cases of bribery within a department are brought to the surface. In contrast to the external perception, small missteps in internal communication are enough to spread the facts among the staff. In view of the working atmosphere, which is typically based on trust and short lines of communication, this can be particularly painful and become a stress test for employee integrity. Restructuring, position or location changes, which can be considered to ease the climate, are far more difficult to implement in SMEs with monocentric structures than in matrix-structured corporations with numerous locations.

The great danger is to underestimate these damages, which are not quantifiable or are difficult to quantify. In most cases, these are not one-off effects, but rather deeper-rooted factors that attack the image of the company, the brand value or the employer branding profile of the SME. That is why German companies mostly name strengthening their image as a company of integrity and ethics as the reason for introducing whistleblowing systems.

The challenge for executive boards

So where does an SME start if it wants to limit such damage? Simplified, the following three factors can be expressed in an equation:

Total damage = number of cases x severity of the offence x channelling of the incident


Rettungsring als Schutzsymbol

The first two factors are aiming prevention. Remember the escalation levels mentioned above. The best case (successful suppression of offences) is not only unlikely, it is hardly controllable. There is no direct lever for management here. The management of corporate culture and compliance can only counteract grievances, but not nip them in the bud. The NSA could have invested a lot in an improved corporate culture. However, unfair business practices from the past do not disappear from reality.


The third factor is a lever that you can actively manage. It determines whether the grievance becomes a scandal or not. If a reporting system is in place in your SME, this is legally the first point of contact for your employee and becomes your company’s protective shield. SMEs benefit from trust-based employment relationships. Unlike in large companies, where there tends to be less emotional attachment to the company, values, managers and colleagues, reporting systems in SMEs are potentially a valued vehicle for employees to adequately draw attention to a grievance.

From “nice to have” to “need to have

The most frequently named reason for German companies not to have a reporting system is simply the lack of a legal obligation. The EU Whistleblowing Directive changes this for companies with more than 50 employees. However, the motto should be: “Better safe than sorry”. The earlier you use the leverage of channelling, the more effectively you can minimise the risk of damage. The cost of introducing a reporting system is relatively low if you compare the costs mentioned with the non-financial damage caused by uncovered misconduct.

So far, according to the survey, German SMEs have primarily used the low-cost options: E-mail, personal conversation and telephone. Whistleblowing systems, on the other hand, are used by only 21 per cent of the companies surveyed. While e-mails, personal conversations or telephone calls run the risk of being accepted between doorsteps or being lost in day-to-day operations, “always on” whistleblowing systems can be decisively integrated into a process. In this way, SMEs signal that they promote integrity in the company and are receptive to reports of problems. In our article “Which whistleblowing system is the right one for you?“, you will get an overview of the current options on the market.


Whistleblowing is a real danger for every company. Abuses, even with the best preventive measures, are hardly preventable. If there are no internal reporting mechanisms and the information leaves the internal company environment, the milk is spilled. From this point on, the company is exposed to the public and can only limit the damage. Financially high losses can bring SMEs to the very brink of existence. With the addition of reputational damage and a tense working atmosphere, the damage can ultimately neither be quantified nor limited in the short term. Reporting systems can help to minimise these risks. Although no whistleblowing system can offer one hundred percent security, it is certainly a step towards increasing integrity.

As a next step, download our guide How to work How to comply with the EU Whistleblowing Directive? Or contact one of our experts for a personal consultation.

*Maume, Haffke. 2016. Whistleblowing als Teil der Unternehmenscompliance
²Farrell, Petersen in: Near, Miceli. 1985. Organizational Dissidence: The Case of Whistle-Blowing
³Pfizer. 2009

Why wait any longer?

Compliant in 5 minutes

Our solution fits to your clients?

Join our partner program


gültig für Neukunden bis zum 31.7.2024

Wir schenken Ihnen ein Info-Poster für Beschäftigte i.W.v. 249 €! Sprechen Sie uns an!