Earlier this month, the Australian Securities and Investments Commission (ASIC) released a report outlining the dos and don'ts for handling whistleblower investigations.

Since the new whistleblower regime commenced in 2019, ASIC has issued extensive guidance on the requirements for a compliant whistleblower policy (see our earlier articles on ASIC Regulatory Guide 270 and its whistleblower policy review). However, regulated entities have so far received little guidance on how they should handle a whistleblower disclosure or the subsequent investigations.

The penalties applicable to mismanagement of a whistleblower investigation are significant - for example, disclosure of a whistleblower's identity without their consent can attract a criminal penalty of six months' imprisonment or, for a company, a civil penalty equivalent to the greater of:

  • $13,750,000;
  • three times the benefit or detriment caused by the disclosure; or
  • 10 per cent of the entity's annual turnover (up to a maximum of $687,500,000).

Given the stakes, we expect ASIC's new guidance to be welcome news for directors and officers of regulated entities.

So, what are ASIC's tips? We set out four key recommendations below.

1. Be consistent: Create a formal whistleblower action plan

It's important to ensure that your organisation takes a consistent approach when responding to whistleblower complaints.

This is helpful from an organisational perspective and helps avoid allegations that one whistleblower complaint is being treated unfairly or less seriously compared to others.

By thinking ahead and formalising key procedures for responding to whistleblower reports, organisations can ensure their practices outlast any one key employee. ASIC warns against the risk of relying "solely on the skill and experience of one or two individuals involved in the processes."

2. Train your eligible recipients

An organisation's directors, officers and senior managers are, by law, "eligible recipients" of a whistleblower disclosure. This means that a disclosure about reportable conduct made by an eligible whistleblower to any of those persons will qualify for protection under the whistleblower regime.

Organisations should train their eligible recipients to know:

  • what their obligations are under the whistleblower regime
  • how to respond to a whistleblower report under the organisation's whistleblower action plan.

This could be achieved by:

  • periodic training by subject matter experts or attendance at external conferences
  • developing quick reference guides to teach eligible recipients how to identify and respond to a whistleblower disclosure
  • providing a list of follow-up questions for eligible recipients to ask when receiving a complaint.

3. Promote and monitor your whistleblower program

ASIC has long emphasised the importance of creating a culture in which employees and other eligible whistleblowers are encouraged to speak up about their concerns.

ASIC's new guidance also suggests some mechanisms for measuring the success of your whistleblower program. For example:

  • do you receive low rates of anonymous disclosures (compared with identifiable whistleblowers)? This might show that your employees feel confident that they will be supported (and not victimised) when speaking up
  • are whistleblower disclosures typically handled within a short timeframe? This points to an efficient investigation process
  • are there no (or a low proportion of) allegations that a whistleblower has experienced detriment or the unauthorised disclosure of their confidential information?
  • is the prevalence of reports about a specific issue (for example, sexual harassment) equivalent to the prevalence of the issue in the general population?
  • is there a high rate of substantiation of allegations raised in whistleblower reports? This might indicate that other employees feel comfortable participating in your investigations
  • if a whistleblower report is substantiated, are the disciplinary outcomes imposed proportionately to the gravity of the relevant misconduct? This signals to employees and other whistleblowers that misconduct is not tolerated in your organisation.

4. Learn from whistleblower reports

ASIC encourages organisations to use whistleblower reports as an opportunity to improve. You can do this by:

  • analysing trends in whistleblower reports to identify any underlying or systemic issues
  • improving internal practices to respond to systemic issues
  • employing specialist staff to conduct a cultural review if a report is too broad or systemic to be properly investigated.

Next steps

If your organisation has had a number of complaints, it might be worth considering how you are learning from the whistleblower reports. If you have not yet had this experience, then training your eligible recipients might be a good starting point. Research has shown that successfully triaging a complaint consistently generates better outcomes for all parties, giving you a more timely and cost-efficient process.
