Answers / Risk & Compliance

How would you design a whistleblowing program that meets the EU Whistleblower Directive and actually gets used?

A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.

THE SHORT ANSWER

Meeting the Directive: provide secure internal reporting channels (written and/or oral), acknowledge receipt within seven days and give feedback within three months, allow anonymous reporting where national law permits, and — critically — prohibit and protect against retaliation, with confidentiality of the reporter's identity. Assign impartial, competent persons to follow up. But compliance alone doesn't drive usage; trust does. So I'd add independence (a channel that doesn't route through the implicated line), visible tone-from-the-top that reports are welcomed not punished, clear communication and training on how/what to report, demonstrable follow-through on past cases (without breaching confidentiality), and metrics tracking volume, retaliation complaints, and outcomes. A channel nobody trusts is theater — protection and credible action are what make it real.

WHAT INTERVIEWERS LISTEN FOR

  • Secure channels, 7-day ack, 3-month feedback, anonymity where allowed
  • Anti-retaliation protection + confidentiality of identity
  • Independent follow-up by competent persons
  • Trust via tone-from-top, training, demonstrated action, metrics

COMMON MISTAKES

  • Channel routed through implicated management
  • Ignoring anti-retaliation/confidentiality
  • Treating it as a box-tick with no follow-through

Reading isn't the same as answering under pressure.

Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.

TRY QUICKFIRE →Or train full Risk & Compliance case simulations →

RELATED QUESTIONS