Whistleblowing protection tested (Speak‑Up)
Verifies the annual testing of whistleblower protections to uphold justice (‘adl), trust (amānah), and the duty of enjoining right and forbidding wrong (Qur’an 3:104). This ensures employees and volunteers can safely report misconduct as a form of sincere counsel (naṣīḥah), safeguarding organizational integrity by proactively addressing ethical risks before they harm stakeholders.
| Metric | Speak-up effectiveness composite |
|---|---|
| Target | Coverage ≥95%, SLA ≥95%, Awareness ≥85% |
| Frequency | Annual |
| Method | Test completion + Metrics (Coverage %, SLA %, Awareness %, Re-test pass rate) |
| Unit | Composite Score |
Level 1: Initial/Ad-hoc
Policy exists; no test plan; 0–1 channels tested; no SLA or DPIA; no governance review.
Level 2: Developing
Ad‑hoc/reactive tests; <50% channel coverage; no formal SLA metrics; no independent oversight.
Level 3: Established
Annual, planned tests with ≥50% channel coverage; at least 2 scenario scripts used; results documented in action log; DPIA completed; reported to oversight role.
Level 4: Advanced
Systematic analysis; ≥80% channel coverage; SLA adherence ≥80%; re-test evidence for failed controls within 60 days; retaliation monitoring log active; independent review by Audit & Risk/Ethics Committee.
Level 5: Optimizing
Integrated with ERM; ≥95% coverage; SLA adherence ≥95%; external benchmarking/assurance (e.g., ISO 37002 alignment) completed; Speak‑Up Culture Index tracked; public lessons‑learned summaries; zero unresolved retaliation.
Organisation Types
By Organisation Size
| Size | Applicability | Notes |
|---|---|---|
| Micro | exempt | Disproportionate for volunteer-run groups; formal testing of reporting channels is not applicable. |
| Small | exempt | Disproportionate; a basic whistleblowing policy is needed, but formal testing plans, scripts, and mystery reporters are unnecessary. |
| Medium | optional | Nice-to-have for basic periodic checks of reporting emails/phones, but formal test scripts and independent reviews are disproportionate. |
| Large | partial | Scaled down to internal testing of dedicated channels (e.g., webforms/emails); independent effectiveness reviews and penetration tests may still be disproportionate. |
| Major | full | Applies fully; complex operations and higher risk profiles require robust testing, third-party hotlines, and independent effectiveness reviews. |
Applicable When
- The organization employs staff or engages volunteers.
- The organization manages funds or resources.
- The organization provides services to the public or specific communities.
Not Applicable When
- The organization is operated by a single individual without any other staff, volunteers, or governing body members.
- The organization is officially dormant, conducting no activities, and has no active staff or volunteers.
Discussion (1)
📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json