Skip to Content
TS-RDC-02 Trust & Stewardship Risk, Data & Compliance CORE Compliance v2.9.7

Complaints & whistle-blowing mechanism

Examines the systems for handling complaints (dissatisfaction with service, fundraising, or decisions) and whistleblowing (public interest disclosures of wrongdoing), distinct from personal grievances. Crucial for upholding *Amānah* (trust) and ensuring *Maẓālim* (redress), these mechanisms protect stakeholders from injustice, mitigate operational risk, and build a culture of integrity. The system must include clear routing: safeguarding concerns trigger immediate escalation under the Safeguarding Policy, while employment disputes follow HR grievance procedures unless public-interest wrongdoing is alleged.

Assessment Questions
  1. What triage criteria determine whether an issue is a complaint, whistleblowing disclosure, safeguarding concern, or HR grievance—and how is misclassification corrected?
  2. What are the thresholds and decision-maker(s) for Serious Incident Reporting (SIR) and external escalation (including prescribed persons), and how are decisions documented?
  3. How does the organization ensure that all investigations are conducted with impartiality, fairness (*'Adl*), and verification (*Tabayyun*)?
  4. What specific measures are in place to protect whistle-blowers from retaliation (including defined remedies and monitoring) and guarantee confidentiality?
  5. What lawful basis, retention schedule, and access controls apply to whistleblowing/complaints data, and when is a DPIA undertaken?
  6. How are findings analyzed to identify root causes, and does the Board receive reporting on themes, cycle times, and culture?
Evidence Requirements
  • Documented Complaints & Whistleblowing Policies with Triage Matrix (incl. safeguarding/HR handoffs).
  • Serious Incident Reporting (SIR) decision log (anonymized) and escalation criteria.
  • Whistleblowing privacy notice, retention schedule, and access control list.
  • Communication materials demonstrating accessible channels (e.g., web, phone, third-party).
  • Anonymized case log showing intake, triage, investigation steps, and resolution.
  • Records of channel tests (dates, scenarios, findings) and conflict-of-interest recusal records.
  • Evidence of staff training on speaking up and anti-retaliation.
  • Board reports on complaints/whistleblowing trends, outcomes, and lessons learned.
Scoring Guidelines
LevelRatingDescription
5 5/5 Strategic culture of safety; independent effectiveness reviews; advanced analytics; proactive 'Hisbah' approach.
4 4/5 Effective, monitored system; retaliation tracking; GDPR audits; regular learning loops.
3 3/5 Formal policies with triage matrix; clear channels; staff trained; safeguarding/HR handoffs defined.
2 2/5 Basic policy exists but lacks triage, SIR integration, or awareness; ad-hoc handling.
1 1/5 No effective complaints or whistleblowing mechanisms; informal or reactive only.

Related Criteria

TS-RDC-01 Multi‑scenario financial stress‑testing documented TS-RDC-03 Due-diligence on delivery partners TS-RDC-04 Serious-incident reporting & escalation TS-RDC-05 Cyber-security baseline (NCSC Cyber Essentials – UK) TS-RDC-06 GDPR accountability & DPIA log
Version
2.9.7 2025-11-05

Discussion (1)

Administrator 2026-03-07 11:07:50.474365

📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json

Sign in to post a comment.

Back to Criteria