“Why should a company care about confidential reporting if it’s barely enforced?”
That question comes up often — and it’s a fair one.
The short answer: because the risk of not having confidential reporting is very real, even where enforcement looks weak.
Here’s why.

1. Enforcement may be uneven — liability is not
Inspections are still patchy and often reactive.
But enforcement almost always starts after something goes wrong:
a whistleblower goes external, an employee litigates, a supplier escalates.
The first question then is simple:
“Did the company provide a safe internal reporting channel?”
An email inbox is rarely a convincing answer.
2. The real risk isn’t fines — it’s loss of control
Without a trusted internal channel, issues surface externally: regulators, NGOs, media.
At that point, organisations lose timing, context and remediation control.
Regulators are clear about this:
they prefer issues to be identified and fixed internally first.
Confidential reporting is what keeps issues inside.
3. Litigation flips the burden of proof
In whistleblowing and labour cases, once there is a report and a negative decision,
the burden shifts to the employer.
Judges then ask:
– Was reporting confidential?
– Was access restricted?
– Was follow-up documented?
– Were deadlines respected?
Informal handling cannot answer those questions.
4. ESG, investors and customers enforce it for you
Even where authorities are slow, markets are not.
Investors, banks, customers and ESG ratings increasingly expect credible grievance mechanisms.
Confidential reporting has become a commercial hygiene factor.
5. Retaliation risk is underestimated
One badly handled report can trigger a retaliation claim.
At that point, intent no longer matters — process and perception do.
A proper confidential reporting setup protects reporters,
but just as importantly, it protects the organisation.

Bottom line
Companies don’t implement confidential reporting because regulators knock every day.
They do it because being unprepared when something happens is disproportionately costly. 
Confidential reporting is no longer optional risk hygiene —
it’s governance, litigation defence and reputation management combined.