M9-Pro-03 Justice, Trade & Work Fiduciary & Professional Services CORE Excellence v2.9.7

Ethical Compliance & Whistleblowing Framework

This criterion assesses the robustness, operational effectiveness, and spiritual integrity of the organization's ethical compliance and whistleblowing framework. It evaluates the existence of a comprehensive policy suite (Code of Ethics, Speak-Up Policy, Investigation SOP, Retaliation Prevention Standard) that aligns with regulatory mandates (PIDA, FCA, SRA, Charity Commission) and Islamic principles of Justice (`Adl`), Trustworthiness (`Amanah`), and God-consciousness (`Taqwa`). The framework must ensure accessible, multi-channel reporting (including anonymous digital and non-digital routes) for all 'workers' and external stakeholders (suppliers, clients, patients). Crucially, it requires rigorous operational controls: defined Service Level Agreements (SLAs) for triage and investigation, strict independence and conflict-of-interest management, and a formal 'Anti-Retaliation Protocol' that actively monitors reporter welfare. The system must map internal concerns to external regulatory notifications (e.g., Serious Incident Reporting, SARs, ICO breaches) via a clear decision matrix. Islamic ethics are embedded not just in intent but in process—viewing reporting as `Nasiha` (sincere counsel) and `Shahada` (testimony) that must not be concealed (Q2:283), while ensuring investigations uphold `Adl` (due process) and avoid `Zulm` (injustice/harm). Effectiveness is measured through a composite scorecard of timeliness, substantiation, and reporter trust, ensuring the organization proactively blocks means to corruption (`Sadd al-Dharā'iʿ`).

Assessment Questions
  1. Does the organization possess a comprehensive policy suite (Code, Policy, SOP, Retaliation Standard) that explicitly defines PIDA protections and 'public interest'?
  2. Are reporting channels (Web, Phone, Post) tested for accessibility, anonymity, and availability to external stakeholders?
  3. Can you demonstrate the Triage Taxonomy in action, showing how cases are routed to specific leads (MLRO, Safeguarding, H&S) based on severity and type?
  4. What evidence exists of strict investigation independence (e.g., conflict check logs, recusal records, use of external panels)?
  5. Are SLAs for acknowledgement (2 days), triage (5 days), and investigation completion being met? Show the quarterly performance dashboard.
  6. How is the Anti-Retaliation Protocol applied? Show evidence of risk assessments, interim protective measures, and 3/6/12-month welfare checks for recent cases.
  7. Does the data protection framework for whistleblowing include a specific Privacy Notice, DPIA, and secure retention/deletion schedules?
  8. Is there a Regulatory Notification Matrix in place, and can you show logs of decisions regarding reporting to bodies like the Charity Commission, ICO, or FCA?
  9. How does the Board or Audit Committee oversee this function? Provide minutes showing deep-dive reviews of trends, culture, and control failures.
Evidence Requirements
  • Approved Policy Suite: Code of Ethics, Speak-Up Policy, Investigation SOP, Retaliation Prevention Standard.
  • Triage Matrix and Routing Logic documentation.
  • Quarterly Board/Audit Committee Dashboards showing SLA performance and trend analysis.
  • Anonymized Case Logs with fields for: Triage Category, Severity, Conflict Check, SLA tracking, and Outcome.
  • Anti-Retaliation Monitoring Records (Risk assessments, Welfare check logs - redacted).
  • Data Protection Artifacts: Whistleblowing DPIA, Privacy Notice, Retention Schedule.
  • Regulatory Notification Logs (SIR, SARs, ICO reports).
  • Training Records showing role-based completion rates.
  • External/Internal Audit Reports on the whistleblowing function.
Scoring Guidelines
Level  Rating  Description
5      5/5     Optimizing: ISO 37002 aligned. SLAs consistently met (>95%). Proactive anti-retaliation protocol with zero substantiated retaliation. Culture of Nasiha evident; external audit confirms high effectiveness.
4      4/5     Quantitatively Managed: Full policy suite and operational controls (SLAs, Triage, Retaliation checks) effective. Metrics drive improvement. Regulatory notifications robust. Independent governance evidenced.
3      3/5     Defined: Formal policies and multiple channels exist. Basic regulatory compliance (PIDA, GDPR) met. Investigations documented, but SLAs/retaliation monitoring lack consistency.
2      2/5     Managed: Basic policy exists but lacks operational detail (no SOP/SLAs). Reporting channels limited. Confidentiality promised but data controls weak. No formal retaliation monitoring.
1      1/5     Initial: Ad-hoc or non-existent framework. High risk of retaliation, regulatory non-compliance, and suppression of testimony.

Discussion (1)

Administrator 2026-03-07 11:08:17.654303

📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json
