Why whistleblowing policies need to go beyond ticking boxes

Originally published in The Australian 18 December 2019.

The corporate and not-for-profit sector is rushing to meet the 1 January 2020 deadline for new corporate whistleblowing regulations. The current state of frenzied activity is a result of enhancements to the whistleblower provisions laid out in the Australian Corporations Act 2001. As such, it’s now a requirement that public companies, large proprietary companies, and corporate trustees of APRA-regulated superannuation entities have whistleblower policies in place from 1 January 2020 as part of a whistleblower program supported by processes and staff training. ASIC has already advised it will be conducting audits from New Year’s Day and merely having a policy in place without the supporting systems could result in breach notices.

The new regulations aim to encourage and protect whistleblowers and discourage corporate fraud and misconduct by overhauling previously fragmented, inconsistent and confusing legislation. The expanded corporate whistleblower scheme incorporates a wider range of reportable misconduct, protects a larger group of people, allows anonymous disclosures, creates more avenues for redress and increases potential penalties for employers.

The response to the new regulations has been largely positive, with many interpreting the expanded protections for whistleblowers as a reflection of broader social expectations for increased accountability of company directors.

Attracting the attention of corporate Australia is the dramatically increased penalty framework, which includes individual fines of up to $1 million for detriment to whistleblowers and confidentiality breaches (mistakes included), jail sentences of up to two years and corporate fines of up to $525 million.

With ASIC’s deadline fast approaching, the true test for companies isn’t merely having a policy in place by 1 January; rather, it’s what happens in the ensuing weeks, months and years as disclosures are made. Companies need to think beyond compliance to be truly effective in their whistleblowing program, as simply ticking all of ASIC’s checkboxes won’t necessarily mean they know what to do when a report is filed, potentially putting the organisation and its people at risk.

A key reform in the new legislation is expanding who can receive a disclosure or be an ‘eligible recipient’, with the definition now extending to senior managers, directors and auditors. Given these roles can comprise hundreds of people in an organisation, properly identifying and regularly educating these individuals on their responsibilities is critical. Without proper processes and training in place to support a whistleblower program, there is a significantly increased risk to individuals and companies for mishandling a whistleblower report, including the penalties outlined above as well as reputational damage which can be career ending and catastrophic to company share prices.

Companies with robust whistleblowing policies will ensure that their board and risk committee have adequate oversight and reporting channels, and that the systems and procedures that underpin their policy can be enacted when a disclosure is made.

And once a company’s policy is in place, what then? Beyond ensuring the policy complies with the law, how does it intersect with adjacent policies like the Code of Conduct, the Child Safety and Wellbeing Act or mandatory data breach notifications? Testing the policy’s procedures is critical, and given the potential risks and penalties are so high, companies that do their due diligence and go beyond the minimum requirements will conduct external auditing as well. Organisations that produce their policies in isolation or outsource the writing and consider it done will be seriously tested when a disclosure is made.

The expanded corporate whistleblowing regulations have the potential to bring accountability and transparency to the fore in the private sector, which, given the number of Royal Commissions we’ve seen in recent years, can only be positive. They also present an opportunity for companies to improve trust and ‘foster whistleblowing cultures’ (outlined in ASIC’s regulatory guidance) where employees feel safe reporting misconduct and confident that they’ll be heard, protected and that due process will take place.

Best practice organisations will imprint ‘speak-up’ cultures into their DNA. This requires that executives practise what they preach, policies are inclusive and provide a broad range of ways to speak up, and regular training and education takes place. Given a strong whistleblowing policy is dependent on trust, regularly requesting and integrating employees’ feedback is critical as well.

While it’s true that some companies won’t ever receive a disclosure, many will, and it will be immediately obvious if their policy is inadequate, with hefty penalties and reputational damage to follow. It simply isn’t a risk worth taking.

By Nathan Luker – Executive Director