If you work in a listed or large private company then chances are that you are aware that your organisation needs to have a Whistleblower Policy that complies with the current whistleblower legislation. The current whistleblower laws came into effect on 1st July 2019. Since 1st January 2020, all listed and large private companies have to be compliant with the legislation.
Recently, the corporate regulator ASIC conducted a covert review of company whistleblower policies for compliance and had some interesting findings.
What did ASIC find with their covert review?
ASIC found that close to 50% of the policies they reviewed didn’t fully explain how staff could report misconduct and how they can qualify for protection. More worrying was that 21% of the policies reviewed were out of date and still referenced provisions under the previous whistleblower regime where they stated that you didn’t qualify for protection if you were anonymous.
This review highlights that despite having over 12 months to be compliant, a large percentage of companies either had policies that required further enhancement or were outright non-compliant.
In light of these findings, here is a list of things that you should be checking your Whistleblower Policy for:
7 things your whistleblower policy must have to be compliant
1. Define who is an eligible whistleblower
Sounds simple enough but it’s vital that you outline who qualifies as being an eligible whistleblower. The updated legislation has expanded the range of people that qualify as eligible whistleblowers. It now includes current and former employees, suppliers and their employees as well as spouses and relatives of current and former employees.
2. Outline what reportable conduct is
This is perhaps the most technical aspect of your policy and you would be well served to read ASIC’s guidance on this. One particular area to articulate properly is the topic of personal work-related grievances. The legislation is designed for organisations to be able to effectively manage simple work-related and interpersonal grievances without them being deemed a protected disclosure. The complexity arises with serious and systemic bullying, harassment and discrimination and whether those issues may constitute a contravention or breach of some law making it qualify as reportable conduct.
3. Detail how your people can make a report
Surprisingly, this was a common omission found in ASIC’s review which I find quite worrying, to be honest. It’s perhaps the easiest thing to define and articulate in a policy so it begs the question – do those companies who haven’t outlined how to make a report in their policy have something to hide? Make sure you clearly outline the reporting channels that exist both internally and externally. If you want to achieve best practice in this area you should be using the services of an experienced whistleblower hotline provider like Core Integrity and you should be providing a range of both traditional reporting channels (phone, email, mail) and secure online reporting that promotes two-way communications with anonymous whistleblowers. Ask your whistleblower hotline provider whether they use a secure, cloud-based platform like the one we use: ClearviewConnects.
4. Who can a report be made to – eligible recipients
I believe this is an area that needs quite a bit of attention from a practical perspective. Organisations need to understand who is classified as an eligible recipient and this should be clearly articulated in your policy. Eligible recipients can be a range of people including Officers of the company (e.g. Directors), Senior Managers of the company (e.g. CEO and other executives) but it also extends to others including auditors, those performing key roles like a Whistleblower Protection Officer (WPO) or Whistleblower Investigation Officer (WIO) and an externally managed hotline provider like Core Integrity. The practical challenges arise in ensuring that your eligible recipients can identify what might constitute a protected disclosure of reportable conduct and what to do next.
5. The protections available to them
This is important. Make it clear to your people that you are serious about protecting them. Outline that you treat all matters in the strictest of confidence, that you won’t disclose their identity without their consent, and explain they can remain anonymous and most importantly – that your organisation won’t take detrimental action against them as a result of their disclosure.
6. How your organisation will respond to protected disclosures
This can be as detailed or simple as you want, but the key is to give some thought to how your organisation will respond. Who will receive the disclosure? Who will assess it? Once assessed who will investigate the report if it requires further investigation? Do you investigate internally or externally or both? What is the process for communicating and updating the discloser? You get the idea. In my experience, this is where a lot of organisations really struggle. They may outline what they say they will do, but often they don’t have the right capability or capacity to then follow through on this as promised.
7. Key roles and responsibilities – WPO & WIO
It’s not uncommon for policies to outline roles and responsibilities. A good policy should outline who owns the policy, how often it is reviewed/updated and the key roles for performing the obligations outlined in the policy. A big area for improvement in the area of whistleblowing in my opinion is for organisations to identify and appoint two key roles of Whistleblower Protection Officer (WPO) and Whistleblower Investigation Officer (WIO). It’s one thing to identify and appoint those two roles but you also need to outline what their role is (and isn’t) and then support them with training to build their capability to perform those roles effectively.
Is your Whistleblower Policy compliant? Take action now.
So there you have it. These are the 7 ‘must haves’ for your whistleblower policy. As you go through the process of developing your whistleblower policy you will likely realise there is a big difference between writing what you will do to be compliant and then following the policy to remain compliant.
Serious consideration needs to be given to who will perform key roles in your whistleblower program. Eligible recipients need to be identified and trained on how to receive a protected disclosure. It also needs to include how your organisation will respond to each report that qualifies as a protected disclosure of reportable conduct.