It's time to reset: what you should be thinking about when refreshing your whistleblowing systems and policies

1 January 2022 marks the second anniversary of the introduction of whistleblowing policy requirements under the Corporations Act 2001 (Cth), and momentum is gathering for entities to take a fresh look at their whistleblowing policies and procedures, with ASIC recently penning an open letter to CEOs of Australian public and large proprietary companies, and corporate trustees of registrable superannuation entities, urging them to review their whistleblowing policies and the International Organization for Standardization (ISO) releasing international guidelines on whistleblowing systems in July 2021.

In light of ASIC's comments that the majority of policies it has reviewed for compliance with the Corporations Act would not encourage whistleblowers to come forward, and its advice that entities should review other parts of their whistleblowing systems to see if their arrangements to handle disclosures and protect whistleblowers reflect the strengthened whistleblower protection regime under the Corporations Act, this presents a chance for entities to consider whether they are, in practice, supporting whistleblowers to come forward with critical business intel that can be fundamental to identifying and addressing potential misconduct.

The ISO "Whistleblowing management systems" standard (ISO Standard) encourages entities in the public, private and not for profit sectors to take a holistic view of their organisation and context when developing whistleblowing systems, having regard to factors such as the locations and sectors in which the entity operates; the nature, culture, scale and complexity of its activities and operations; its business model; the entities over which it has control and which exercise control over it; and its business associates. This recognises that each organisational context will be different, including the levers which may encourage or deter whistleblowers from coming forward.

ASIC has stated it will continue to monitor compliance with whistleblower policy requirements and entities' handling of whistleblower disclosures and, where it identifies non-compliance, will consider the full range of regulatory tools available including enforcement action. ASIC's 2020-21 annual report notes it received $59 million for enforcement activities which provides ASIC with the means to take enforcement action where it identifies a lack of compliance.

In this context, it is opportune to consider whether your organisation's whistleblowing policy is operating effectively and in line with evolving best practice. We set out below the eight key considerations to guide this exercise, influenced by the latest whistleblowing guidance released this year from ASIC and the ISO.

Quick refresh: What are the legal requirements under Australian whistleblowing laws?

Since 1 July 2019, the Corporations Act has contained strengthened protections for eligible whistleblowers that restrict the disclosure of their identity and prohibit victimisation. These laws apply to a broad range of entities, including companies registered in Australia and foreign corporations in a range of circumstances. Under these laws, Australian public companies and large proprietary companies have been required since 1 January 2020 to implement a whistleblowing policy that complies with the Corporations Act. In November 2019, ASIC released "Regulatory Guide 270 - Whistleblower policies" (ASIC Reg Guide), which provides comprehensive guidance on the mandatory matters it considers ought be addressed in a whistleblowing policy to ensure compliance with the Corporations Act.

The new ISO Standard is not mandatory for Australian entities and does not supersede the requirements under the Corporations Act, but rather contains guidelines for establishing, implementing and maintaining an effective whistleblowing management system, based on principles of trust, impartiality and protection. The ISO Standard takes a broader view of whistleblowing systems, as opposed to focusing solely on a whistleblower policy, and provides guidance on receiving, assessing, addressing and concluding whistleblower reports. It states that entities should separately document the information recommended by the ISO Standard, which would typically form part of a comprehensive procedures manual noting a whistleblower policy is more appropriately limited in terms of content. The ISO Standard is generally complementary to Australian whistleblowing laws, though there are some aspects of the Standard that are inconsistent with these laws (including how it defines wrongdoing, whistleblowers and confidential whistleblowing).

The key factors to consider when refreshing whistleblowing systems and policies

Taking into account the matters set out in ASIC's open letter to CEOs, the ISO Standard, and our extensive experience in advising a range of listed, public and private companies on their whistleblowing systems and policies, we set out below the key areas for consideration when undertaking a refresh of whistleblowing systems and policies.

1. Triaging and responding to reports

A key area that entities are grappling with is the extent to which whistleblower reports containing a personal work-related grievance can be triaged out of the whistleblower system. This is complicated by ASIC's comments in the ASIC Reg Guide that bullying and harassment can amount to a protected whistleblowing disclosure in certain circumstances (including where such behaviours may indicate underlying misconduct or broader culture concerns), which appears at odds with ASIC and APRA's corporate/financial and prudential remits respectively under the Corporations Act.

The whistleblowing protections under the Corporations Act expressly carve-out personal work-related grievances from amounting to a protected disclosure, however such grievances are defined in relatively narrow terms - being that they must have or tend to have implications for the discloser personally in respect of their current or former employment. The moment a grievance is alleged to involve other personnel on the receiving end of inappropriate behaviour or broader systemic issues, it is difficult to confidently apply the carve-out to those grievances. What then?

To create further complexity, the ISO Standard classifies bullying and harassment as wrongdoing. This is a broader approach than the Australian legislative position, though it concurrently acknowledges that personnel and workplace grievances should be raised via other organisational systems and processes.

There is currently no case law that provides meaningful guidance on this issue and, as such, it will be important to traverse the scope of a whistleblower system carefully. A key step is to make fulsome inquiries upfront about the extent of matters being reported by a whistleblower in order to have comfort as to the parameters of the conduct alleged and to avoid a situation where a report that initially appears to concern a personal work-related grievance later morphs into a protected disclosure. As a procedural matter, each entity will need to develop its own approach in determining how it will deal with personal work-related grievances - for example, will the grievance stay in the whistleblower system if raised through whistleblower reporting channels, triaged out of the whistleblower system but with the whistleblower confidentiality/victimisation protections still applied, or triaged out and dealt with entirely through other HR processes? How will mixed reports (being those which contain a personal work-related grievance, in addition to a potentially protected disclosure) be treated? Once an approach has been formulated, there will be a need to assess each disclosure on its own merits with the relevant framework, to ensure a protected disclosure is not inadvertently triaged out of the whistleblowing system and its protections.

2. Risk assessment

Another key area for consideration is whether whistleblowers are effectively protected under the entity's whistleblowing system. To date, most entities have been focused on complying with the confidentiality protections that apply under the Corporations Act, with the victimisation protections only typically considered at the point at which when a person comes forward with a complaint. However, without careful thought being given to the risks that can present to a whistleblower and others persons in connection with a whistleblowing report at various stages of the process, there is ample opportunity for detriment to be suffered by a whistleblower, whether or not intended. This can not only expose the entity to a successful compensation claim (noting an entity can be vicariously liable for victimising conduct on the part of an employee, where it does not take all reasonable steps to prevent such conduct), but also deter whistleblowers more generally from coming forward which has deleterious effects on the company's culture and ability to address issues festering in the business.

We are now seeing an emphasis on the importance of undertaking proactive and regular risk assessment in order to mitigate against victimisation risks. For example, assessing early, including thorough discussion with a whistleblower, the full extent of any issues allegedly suffered by them, any risks to the confidentiality of their identity, and what actual or perceived risks of detrimental action may exist having regard to the matters they have reported and any workplace dynamics.

The ISO Standard recommends that this risk assessment be undertaken at multiple stages, including when a report is assessed, during an investigation, after an investigation is closed and when any remedial actions are taken. This approach is consistent with the ASIC Reg Guide which recommends that entities establish processes to assess and control the risk of detriment on a continuous basis. In this regard, once an initial risk assessment has been undertaken, ongoing consideration should be given to any adjustments that are required to support a whistleblower as a matter proceeds. This is not just to protect a whistleblower from obvious risks like dismissal, but also less obvious risks such as performance management, exclusion in the workplace, stress arising from the process and denial of opportunities to further their careers.

Finally, it is worth noting that both the ASIC Reg Guide and ISO Standard provide that the investigation and protection functions within a whistleblowing system should be delivered independently to minimise any conflict of interest that can impact adversely on a whistleblower. The ASIC Reg Guide notes that where there may be a conflict, the entity should create new roles and responsibilities to ensure independence throughout the investigation process and so that matters can be escalated to the entity's board if required.

3. Role of the Board and management

Leadership plays a vital role in implementing and maintaining an effective whistleblowing system and policy. Without "buy in" from the top, staff and other stakeholders are less likely to feel safe in coming forward about issues affecting the business. In this regard, the ASIC Reg Guide and ISO Standard outline that both the board and management are responsible for the creation and preservation of a positive and open organisational culture that fosters disclosure. Without this support, whistleblowing systems and policies are unlikely to be effective or sustainable.

At a high level, the board's role is concerned with exercising adequate oversight and setting objectives and expectations for the entity's whistleblower system, ensuring it is receiving qualitative information regarding whistleblower reports and the effectiveness of the entity's whistleblowing system, and holding management to account in ensuring the effectiveness of the policy and responding to any emerging themes and trends. The board should also approve the entity's whistleblowing policy and communicate its support and endorsement of that policy. Conversely, management is responsible for ensuring the entity's whistleblowing system and policy are implemented in practice, leading by example and openly committing to a "speak up" culture, providing the board with qualitative information regarding whistleblower reports and the effectiveness of the whistleblower system, as well as supporting whistleblowers. These responsibilities are not exhaustive.

In creating a clear and robust policy for their organisation, the ISO Standard suggests that the board needs to engage with not only the applicable laws (being, relevantly in Australia, the Corporations Act for private sector entities), but also how the entity's whistleblower policy itself relates and interacts with the organisation's values, objectives, strategic direction and business processes. The ASIC Reg Guide also emphasises that an entity's whistleblower policy ultimately forms part of its broader risk management and corporate governance framework and, as part of this, it is important for the board to ensure that the broader trends, themes and/or emerging risks highlighted by whistleblower reports are addressed and mitigated by the entity as part of its risk management and corporate governance work plans.

4. Confidentiality

Under the Corporations Act, it is a criminal offence to disclose the identity of a whistleblower, including information that is likely to lead to their identification, without their consent (unless a limited exception applies). Simply redacting a whistleblower's name on a report they have made, or otherwise not revealing it, will usually not be enough to satisfy these confidentiality requirements. For example, a person who the disclosure is ultimately revealed to may be able to join the dots based on the information contained in the disclosure or the whistleblower may have advised other people of the subject matter of their report, which can later oust them as the person behind a whistleblower report. The ISO Standard sets out a range of ways in which confidentiality of a whistleblower's identity can potentially be gleaned after they have made a report, including in the course of an investigation, having regard to the whistleblower's identifying characteristics, the circumstances surrounding the misconduct, the report itself and the way in which data is collected or an investigation is undertaken.

The Corporations Act permits the disclosure of identifying information, provided this is not the actual identity of the whistleblower, where it is reasonably necessary to undertaken an investigation and all reasonable steps are taken to reduce the risk that the whistleblower will be identified. While ASIC has released some guidance on what will amount to all reasonable steps, this is by no means exhaustive. Where a whistleblower does not consent to the disclosure of identifying information, this may mean that an investigation is not possible where there is a risk that a whistleblower's identity may be disclosed on the basis of their report. This is likely to be the case where the report concerns interactions with other personnel or conduct that is known to a limited number of people. The ISO Standard acknowledges the natural limitations that can prevent an investigation into a whistleblower report, including in the context of confidential and anonymous reporting, as does the ASIC Reg Guide in circumstances where a whistleblower cannot be contacted for further information. Whistleblower policies should note these limitations in order to manage expectations.

5. Regular whistleblower feedback

In order to engender trust and confidence in whistleblower systems, it is critical to provide regular updates to whistleblowers on the progress of their report (for example, at least once a fortnight or more frequently if appropriate). Even where there is not a meaningful update to provide, communicating regularly with a whistleblower indicates that their report has not been overlooked and reduces the risk they seek to raise the subject of their concern through other channels.

The ASIC Reg Guide states it is a requirement that a whistleblower be provided with regular updates if they can be contacted. The ISO Standard similarly recommends communicating updates at each step of the whistleblowing process and outlines in detail the type of updates that can be provided, which broadly touch on reassurance, updates on the process and next steps, information available on support and the measures taken for their protection, and establishing channels for further communication.

In our experience, providing regular whistleblower feedback is important to support a 'speak up' culture and a perception that the organisation takes action in response to reports from whistleblowers. Although not required by any legislation or regulation in Australia, establishing the relevant resources and roles to provide feedback to whistleblowers is a key part of every whistleblowing management system.

6. Training and awareness measures

Training plays an important role in supporting an effective whistleblower system, both so that whistleblowers understand how they can make reports and the process and protections that will apply in that circumstance, and so that personnel responding to whistleblower reports understand how to maintain and uphold the confidentiality and victimisation protections.

The fourth edition of the ASX Corporate Governance Principles and Recommendations suggests that listed entities should provide training to both employees, as well as for managers and others who may receive whistleblowing reports, however the Corporations Act whistleblower provisions are silent on training.

The ASIC Reg Guide suggests that upfront and ongoing training should be provided to all staff regarding the entity's whistleblower policy, processes and procedures, and that management as well as staff with specific responsibilities under a whistleblowing policy should receive appropriate training on how to effectively deal with disclosures. ASIC also suggests that Australian entities with overseas-based related entities need to ensure that people in their overseas-based operations are also trained, noting protected disclosures can be made to overseas-based participants or otherwise concern overseas-based entities and their officers and employees. The ISO Standard takes a similar approach in recommending that training be carried out with all staff, as well as leaders and those with specific roles under a whistleblowing system.

In our experience, the provision of practical training to eligible recipients of whistleblowing reports under the Corporations Act is particularly vital, as there is real potential for whistleblowers to bypass nominated whistleblowing reporting channels and proceed to raise a matter directly with an eligible recipient at law, such as a director or senior manager of the organisation. In this circumstance, it is critical that the eligible recipient is aware of their legal obligations in how they handle potential disclosures, noting significant civil and criminal penalties can apply where they fail to uphold the whistleblower protections in dealing with those disclosures.

Finally, the ASIC Reg Guide and ISO Standard each recommend that the entity's whistleblower policy is incorporated into employee induction packs and training for new starters, as well as on a regular basis at planned intervals. The ISO Standard further recommends that where any policy updates are undertaken, staff are notified of the key changes and a personalised communication is sent from the board or management to add credibility to the relaunch and demonstrate leadership.

7. Engagement with policies and management systems

An important message that both the ISO Standard and ASIC Reg Guide highlight is that whistleblowing policies and systems are ongoing protection measures that should be regularly engaged with and reviewed to ensure their effectiveness. A whistleblowing policy and management system is not something an entity can simply 'set and forget'. They require evaluation, continual improvement and a proactive commitment from leadership to ensure whistleblowers feel comfortable to report wrongdoings without fear of detriment.

Importantly, the ISO Standard outlines a range of steps that should be taken when concluding a whistleblowing case which, in addition to actioning any response to recommendations, also includes identifying any protection measures required on an ongoing basis, gathering feedback from the whistleblower and other interested parties, identifying lessons learnt and developing organisational case studies based on reports that are made (which should be de-identified as appropriate). The ISO Standard suggests that the organisation gives consideration on how to acknowledge and recognise whistleblowers publicly with their consent (including to express gratitude and public commendation by management).

The ISO Standard also sets out a range of indicators that an entity should evaluate in order to monitor and measure its whistleblowing systems, including the number of reports received (and noting the absence of reports should raise questions about the effectiveness of the whistleblowing program), the time taken in each step in the process, the proportion of reports received via various reporting systems, feedback from whistleblowers and other personnel, employment outcomes for whistleblowers and assessing the effectiveness and value of corrective actions taken, amongst other things. Internal audits are also suggested with a view to ensuring the whistleblowing system is effectively implemented and maintained.

As a best practice measure, the ASIC Reg Guide separately suggests that organisations establish oversight arrangements for ensuring its board or audit or risk committee are kept informed about the effectiveness of the entity's policy, processes and procedures, and for there to be regular periodic reports on the nature and outcome of each disclosure including how an investigation was handled. To maximise effectiveness and compliance, ASIC recommends monitoring and measuring its employees' understanding of the whistleblower policy, processes and procedures through surveys and interviews. As noted further above, ASIC also advises that these policies, processes and procedures are reviewed on a periodic basis, for example every two years, to ensure that any hiccups are resolved in a timely manner.

8. Privacy

The ASIC Reg Guide and ISO Standard both address aspects of privacy and data protection that arise with respect to an entity's whistleblowing system. For example, the ASIC Reg Guide addresses the requirement for entities to have appropriate IT and organisational measures in place to secure personal information they receive, handle and record through whistleblowing channels.

The ISO Standard shed some further light on additional measures entities should be considering in this context, including considering who has access to personal information data and who approves such access, the settings and protections under data management systems, the data protection rights of interested parties, privacy collection notices and conducting due diligence on third party provider compliance with data protection requirements.

The consequences of not having robust frameworks in place, including leaks of information or unauthorised disclosure, can have wide-ranging and detrimental consequences for both disclosers and entities.

Entities should also be mindful that there are limitations on the 'employee record exemption' under the Privacy Act 1988 (Cth), which applies to private sector organisations with an annual turnover of more than $3 million, including in the context of the collection of personal information of employees and dealing with any personal information of non-employee whistleblowers through the whistleblowing system. The imminent review of the Privacy Act includes consideration of the current scope of the employee records exemption and whether enhanced protections will be needed in this space, so we anticipate more to come in this space.

Implications for your business

Businesses should take a more holistic approach to assessing and refreshing their whistleblowing policies and management systems and regularly engage with their effectiveness. Encouraging a culture of openness and having robust systems in place will not only minimise any legal risks but protect against reputational damage and ensure that the organisation is able to identify and address any wrongdoing at the earliest opportunity.