- name: managing-whistleblower-programs
- language: en
- description: Structures whistleblower program operations with intake, investigation, and anti-retaliation documentation. Use when managing whistleblower reports, investigating complaints, or documenting anti-retaliation measures.
- author: casemark
Managing Whistleblower Programs
Structures whistleblower program operations across intake, triage, investigation tracking, and anti-retaliation compliance documentation.
When To Use
- Standing up or overhauling a whistleblower intake and case-management process
- Documenting the lifecycle of a whistleblower complaint from receipt through resolution
- Preparing anti-retaliation monitoring plans for reporters and witnesses
- Generating status reports for the audit committee, board, or regulators on open complaints
- Coordinating between compliance, legal, HR, and internal audit on active investigations
- Responding to regulatory inquiries about program adequacy (e.g., SEC, DOJ, OSHA reviews)
Inputs To Gather
- Program charter or policy: Existing whistleblower policy, hotline vendor contract, and board-approved charter
- Complaint record: Date received, channel (hotline, email, in-person, regulator referral), verbatim summary, reporter identity or anonymity status
- Applicable regulatory framework: Dodd-Frank §922, SOX §806, EU Whistleblower Directive 2019/1937, or sector-specific rules [VERIFY jurisdiction and statute applicability]
- Organizational chart: Reporting lines relevant to the allegation (to identify conflict-of-interest and recusal needs)
- Prior investigations: Related past complaints, audit findings, or enforcement actions
- Anti-retaliation baseline: Reporter's current role, compensation, performance ratings, and reporting chain at time of complaint (for later comparison)
- Investigation resources: Available internal investigators, approved outside counsel or forensic firms, budget constraints
Workflow
- Intake & Logging
  - Assign a unique case ID; log date, channel, anonymity election, and complaint category (fraud, safety, discrimination, retaliation, other)
  - Classify urgency: imminent harm → immediate escalation; financial misstatement → expedited; policy violation → standard
  - Confirm reporter acknowledgment within required timeframe [VERIFY: Dodd-Frank has no mandated acknowledgment; EU Directive requires acknowledgment within 7 days]
- Conflict-of-Interest Screen
  - Map accused individuals against compliance, legal, HR, and executive leadership
  - Recuse any conflicted parties from investigation oversight; document recusal in the case file
  - If the allegation involves C-suite or board members, route directly to the audit committee chair or independent outside counsel
- Investigation Scoping
  - Define allegations to be investigated, relevant time period, custodians, and document sources
  - Select investigation team: internal compliance, outside counsel, forensic accountants as needed
  - Set target milestones: preliminary findings (15–30 days), final report (60–90 days) [VERIFY company policy timelines]
  - Issue preservation notices for relevant documents and electronic data
- Investigation Execution & Tracking
  - Maintain an investigation log: interviews conducted, documents reviewed, evidence collected, chain-of-custody records
  - Track against milestones; flag delays with root cause and revised target dates
  - Brief the audit committee or designated oversight body at agreed intervals (typically biweekly for high-priority cases)
- Anti-Retaliation Monitoring
  - Freeze any adverse employment action against the reporter unless it has documented, pre-existing justification unrelated to the report
  - Establish periodic check-ins (30 / 60 / 90 / 180 / 365 days post-report) comparing role, compensation, performance ratings, and workload against baseline
  - Document each check-in result; any negative change triggers an independent review before proceeding
  - Extend monitoring to witnesses and cooperators identified during the investigation
- Findings & Remediation
  - Prepare a written investigation report: scope, methodology, factual findings, conclusions, and recommended corrective actions
  - Classify outcome: substantiated, partially substantiated, unsubstantiated, or inconclusive
  - If substantiated, document remediation plan (disciplinary action, process changes, control enhancements) with owners and deadlines
  - If financial misstatement found, coordinate with external auditors and evaluate disclosure obligations [VERIFY SEC reporting timelines]
- Case Closure & Reporting
  - Notify the reporter of outcome to the extent permitted by law and policy [VERIFY: EU Directive requires feedback within 3 months]
  - Archive the complete case file with access restricted to compliance and legal
  - Update aggregate program metrics: complaint volume, category breakdown, time-to-close, substantiation rate, retaliation findings
  - Report program metrics to the audit committee quarterly and include in the annual compliance report
Output
The deliverable is a Whistleblower Program Management Report containing:
- Case Register Summary: Table of open and recently closed cases with ID, category, status, days open, and assigned investigator
- Investigation Status Updates: Per-case narrative covering current phase, recent actions, upcoming milestones, and escalation flags
- Anti-Retaliation Monitoring Log: Reporter-by-reporter tracking grid showing baseline vs. current employment status at each check-in interval
- Program Metrics Dashboard: Complaint volume trends, channel utilization, average time-to-close, substantiation rates, and retaliation incident count
- Remediation Tracker: Substantiated-case corrective actions with owners, deadlines, and completion status
- Regulatory Compliance Checklist: Confirmation of adherence to applicable statute requirements (acknowledgment timing, feedback obligations, confidentiality protections)
Quality Checks
- Every complaint has a unique case ID, timestamped intake record, and assigned handler within the documented SLA
- Conflict-of-interest screening is documented for each case, including "no conflict found" entries
- Anti-retaliation baselines are captured before any investigation activity that could alert the accused
- Investigation milestones include specific calendar dates, not just duration ranges
- Aggregate metrics are reconciled against the case register (complaint count matches, no orphaned records)
- Jurisdiction-specific obligations are marked [VERIFY] and confirmed against the applicable statute before finalizing
- Reporter notification timing complies with applicable legal requirements
- Case file access is restricted and access logs are reviewed for unauthorized views