A ‘renewed focus': key whistleblowing considerations for boards and directors - Corporate Governance

With the Australian Securities and Investments Commission (ASIC) set to intensify its regulatory focus on whistleblowing, now more than ever, it is crucial that organisations continue to undertake careful reviews of their whistleblower program to ensure they are compliant.

What are the key elements of an effective whistleblower program, and what should executives and directors keep in mind as they evaluate their organisation's management of whistleblower issues?

Since 2019, there has been a mandated whistleblower regime under Pt 9.4AAA of the Corporations Act 2001 (Cth) (Corporations Act). All companies regulated by ASIC are required to comply with the whistleblower protections, and public companies, large proprietary companies and trustees of registrable superannuation entities are expressly required to have a whistleblower policy that meets statutory criteria. ASX-listed entities should also publish their whistleblower policy and meet the governance requirements set out in the ASX Corporate Governance Council's Corporate Governance Principles and Recommendations.

As a matter of good corporate governance, all companies subject to the whistleblower laws should ensure that their board is informed of any material incidents reported under their whistleblower policy and periodically receives sufficient information to form a view about the effectiveness of the company's whistleblower program.

After a period of time for companies to adopt the 2019 reforms, there are also indications that ASIC will intensify its regulatory focus on whistleblowing within its regulated population:

in 2020, ASIC undertook a review of 102 whistleblower policies, finding the majority fell short – incomplete / inaccurate information and out of date policies were identified as the most concerning and widespread deficiencies – ASIC responded with a letter to CEOs in 2021, encouraging organisations to evaluate their policies against the statutory requirements;
in March 2023, ASIC commenced its first enforcement action against a company and senior company employees for breaches of the whistleblower provisions, and has stated that it has current investigations underway;¹ and
ASIC's recent market review in March 2023 has suggested that many whistleblower policies still do not comply with the Corporations Act, and it has published the results of its review of the effectiveness of a selection of whistleblower programs, focusing on:

how disclosures are handled;
how organisations are using information their whistleblower program to address operational issues or misconduct; and
the level of board and executive oversight of the program.

ASIC's expectations of board oversight continue the focus on directors and senior officers as 'gatekeepers' with the responsibility to set the tone and monitor an organisation's response to issues like whistleblowing. Whistleblowing also supports ASIC to perform its role by enabling early identification of harm to consumers and investors and swift intervention to address misconduct. The value of whistleblowing to ASIC's ability to meet its enforcement mandate is evident from the statistics it has reported. In FY 2018/19 (before the protections commenced), ASIC reportedly received 278 whistleblower reports. That rose to 644 reports in FY 2019/20 and 817 in FY 2020/21 (a 194% increase over two years).

Aside from being an important regulatory requirement (and an enforcement risk if not implemented according to legal requirements), a whistleblower program that is operating effectively helps an organisation to identify instances of serious misconduct, systemic issues and areas where corporate culture is not aligned to the entity's purpose, values or strategic objectives. For example, a protected disclosure about unauthorised use of personal or protected information may identify that an entity's cybersecurity controls are lacking, and a failure to identify this issue early could have consequences under cybersecurity or data privacy laws. Further, a breach of confidentiality when handling a whistleblower report could give rise to other legal risks, including under employment, privacy / cybersecurity and other laws, particularly where an organisation does not have adequate processes or systems in place to protect confidential information. It is therefore essential that boards and senior executives have a good understanding of their own obligations within the company's whistleblower framework and their company's internal policies and processes for managing whistleblower disclosures.

An effective whistleblower program will always need to be 'fit for purpose' – there is no one size fits all. ASIC has noted that an effective whistleblower program will incorporate the following elements (in summary):

it has a strong foundation with embedded processes and a culture that supports whistleblowers;
there is information and training provided to those who handle disclosures which addresses how to protect whistleblowers and confidentiality;
the program is monitored and outcomes from whistleblower reports are used to identify continuous improvement opportunities (for the program);
information is used to respond to underlying harms; and
directors and officers have oversight and accountability for the program.

Key elements of an effective whistleblower program

Below are some observations about the key elements of an effective whistleblower program (informed by the matters ASIC has highlighted in its review) to guide executives and directors as they evaluate their organisation's management of whistleblower issues.

1. The policy and operational guidance documents

All companies – irrespective of size, nature or scale – need operational documents to support their whistleblower program, and a formal whistleblower policy that provides strong assurance that the organisation's expectations for whistleblower management are clearly spelled out. It will also instil a degree of confidence amongst employees as to its commitment to effective whistleblower management, whether or not the entity has a statutory requirement to have one.

A whistleblower policy that meets the requirements under the Corporations Act must incorporate a number of specified criteria. It must:²

describe the protections available to whistleblowers;
explain how to make a qualifying disclosure, including to whom;
set out the entity's measures to support and protect whistleblowers;
provide information about how the entity will investigate whistleblower disclosures and ensure fair treatment of individuals named in disclosures (or about whom the disclosure is made); and
state how the policy will be made available to officers and employees.

The appropriate processes beyond a policy will vary depending on the organisation. Operational documents may include workflows or process maps for staff involved, protocols (e.g. for handling and investigating disclosures, assessing / monitoring risk of detriment and storing information), whistleblower conversation guides (e.g. for staff who can receive protected disclosures) and consent forms.

These operational documents mitigate risks that may arise when the process is not fully understood and the firm relies on the skill and experience of a limited number of individuals.

2. Training and communication

ASIC has indicated that best practice should include training, which should be tailored to the audience and aligned with the entity's policy and procedures. At a minimum, training for eligible recipients (including directors) on how to handle disclosures and respond to whistleblowers in line with legal requirements will mitigate the risk of adverse treatment of whistleblowers, such as a breach of confidentiality. Further, ASIC has noted the importance of providing proportionate, specialised training to all staff with specific responsibilities under the firm's whistleblower policy and program, such as those responsible for investigating concerns.

To embed an understanding of the requirements and encourage a strong culture of compliance, policies and procedures should also be promoted within the organisation. This might be achieved through a number of channels such as a staff-wide email campaign reinforcing key messages, intranet posts, town halls about whistleblowing, routine policy updates and the promotion of whistleblower information (e.g. contact details for internal eligible recipients on posters where employees gather and dedicated intranet pages)

3. Reporting

Many companies direct potential whistleblowers to report their concerns via one channel, such as an external hotline. This can be an efficient process for triaging reports and it also lowers the risk of non-compliance with whistleblower laws, as well as the confidentiality requirements and potential victimisation that may apply under other laws when handling and investigating matters. Where other grievance channels exist (e.g. for HR complaints), staff handling or investigating those matters must be able to identify potential protected disclosures and follow a process for passing them on immediately to the whistleblowing function.

To ensure the program is working effectively, monitoring of disclosure volumes and channels used, downloads or page views and rates of employees' self-reported willingness to speak up via employee perception surveys can provide important feedback and a measure of assurance for executives and directors who are responsible for oversight of the program and ensuring that it is operating effectively.

4. Investigations

The program should have a sound but flexible investigation process that can be adapted to the type of disclosure received. A clear definition of the responsibilities for key roles (e.g. for protecting disclosers and assessing / monitoring risk of detriment, for investigating, reporting etc.) are mechanisms to avoid conflicts of interest where staff hold more than one role.

Through its review in 2023, ASIC considered how information from substantiated allegations was being used to address underlying harms and to improve company performance. The kind of remedial actions highlighted included:

improving internal processes and practices;
sharing de-identified information about the matter and outcome with relevant business units;
imposing disciplinary outcomes on those involved in misconduct in line with the firm's consequence management framework;
considering involvement in misconduct raised by whistleblowers when making executive variable pay decisions; and
demonstrating transparency by sharing data on whistleblower trends in annual reports and other publications.

The information received via an organisation's whistleblower program is an important data point for evaluating culture and identifying ongoing or system issues. Implementing a process for collecting data on matters such as the types of allegations or issues raised in disclosures, who made the disclosures (e.g. employees or others), how disclosures were finalised, and the locations, business units, or departments involved is a first step to help organisations identify emerging areas of risk, or opportunities to improve operations.

5. Executive oversight and accountability

Given the valuable insights that can be gained about culture and emerging risks from the results of whistleblower reporting and investigations, it is not surprising that ASIC has emphasised the importance of senior and executive accountability and oversight of the whistleblower program.

ASIC is encouraging companies to have an accountable senior manager (typically holding a legal, compliance or risk-related position, and distinct from the person responsible for the policy) with a direct reporting line to the board committee overseeing the program. The involvement at executive level will inevitably be a factor of the size of the organisation and the volume of reporting received. For example, ASIC has identified executives being involved in complex or sensitive disclosures (e.g. if the matter meets a particular risk threshold), issues relating to the handling of disclosures and structural reviews of the whistleblower program and director engagement.

It is common for an organisation's board risk or audit committee to oversee the whistleblower program and for this oversight function to be described in board charters or terms of reference. As a matter of good practice, the kind of information that may be shared with the board could include periodic information about how the program is working, statistical analysis of disclosures and outcomes to inform directors about emerging risks or themes, reporting on disciplinary outcomes for substantiated allegations as well as ongoing training on directors' obligations in relation to whistleblowing.

***

ASIC has a renewed focus on whistleblower programs. Now more than ever, it is crucial that organisations continue to undertake careful reviews of their whistleblower program to ensure that they are compliant, are implementing good practices and have appropriate oversight mechanisms to identify and manage emerging risks, both in terms of potential detriment to whistleblowers, and within the organisation more broadly.

Footnotes

¹Speech by ASIC Commissioner Sean Hughes at the 3rd Australian National Whistleblowing Symposium, 'Whistleblower policies and the compliance gap', 11 November 2021.

² Section 1017AI of the Corporations Act 2001 (Cth).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.