The 7.5 Million Wake-Up Call: Why the TerraCom Case Should Scare Complacent Boards

TerraCom's $7.5 million penalty after the Federal Court found breaches of whistleblower protection laws is a clear warning for complacent boards. This article explains why a policy is not a program, what a compliant whistleblower setup looks like, and the questions executives should be asking now.

Last month, TerraCom Limited was hit with a $7.5 million penalty after the Federal Court found it breached whistleblower protection laws under the Corporations Act. It's not just a slap on the wrist. It's the first successful prosecution of its kind since the strengthened laws came into effect in 2019.

This decision isn't just legal history. It's a message - loud and clear - to every company in Australia: you can no longer afford to treat whistleblower protections as a box-ticking exercise.

Key takeaways

• TerraCom's penalty shows that a whistleblower policy on its own is not enough.
• Regulators are looking at what happens in practice when someone speaks up, not just what is written on paper.
• Organisations need clear triage, investigation, support and confidentiality processes.
• Boards and executives should stress-test the program, not just the policy, before a problem escalates.

Here's what actually happened

A former employee of TerraCom raised serious concerns internally. Instead of treating the disclosure with the confidentiality and care required under the law, the company sacked the employee before embarking on a PR campaign to publicly discredit him. ASIC took action. The Federal Court agreed.

That $7.5 million penalty? It's not just about the money. It's about the precedent.

This is the regulator flexing - and rightly so. Because when organisations retaliate against people who speak up, they don't just break the law. They break trust.

A policy isn't a program

This is the part that should make every CEO, CPO, GC and CRO pause.

Most organisations do have a whistleblower policy. Some have even rolled out mandatory training or updated their codes of conduct.

But when the rubber hits the road - when someone actually raises a serious concern and one that qualifies as a protected disclosure - the cracks start to show.

• Disclosures aren't properly assessed to determine if they qualify as a protected disclosure of reportable conduct under the Act.
• Investigations aren't conducted appropriately or thoroughly enough given the seriousness of the issue - they can be rushed, biased, or worse, led by the very people implicated in the complaint (yes, this does happen!).
• Confidentiality gets compromised through careless internal chatter or clumsy handling. Such a simple concept, yet hard to get right.
• Whistleblowers are left isolated, unsupported and exposed.

Sound familiar?

Here's the thing: having a policy is a start. But it's the system around it that really matters.

Most policies are overly complex, wordy and prescriptive. Worse still, too few organisations have gone to the next level of creating a whistleblower procedure for how matters will be assessed, investigated and managed.

The TerraCom case proves that regulators are no longer interested in what's written in your policy. They're looking at how you act when the stakes are high.

What does 'good' actually look like?

It's not complicated. But it does require intent.

A well-run whistleblower program should include:

• Internal and external reporting channels including the ability for people to make anonymous disclosures and engage in two-way communications with investigators.
• Clearly identified key roles such as a Whistleblower Protection Officer (WPO), Whistleblower Investigations Officer (WIO) or simply a Whistleblower Officer (WO).
• Clear triage and assessment protocols to determine if a report is a qualifying protected disclosure, tight SLAs for making an assessment and a risk assessment to ensure the whistleblower is supported and that any potential or actual conflicts are identified and managed in advance.
• Independent investigations, free from bias or conflicts of interest and performed by a suitably experienced and capable professional.
• Ongoing support mechanisms for whistleblowers - before, during and after the process. Think Whistleblower Protection Officer (WPO) and your Employee Assistance Program (EAP) for starters.
• Rigorous confidentiality protections, not just lip service.
• And most importantly, leaders who walk the talk - creating a culture where raising concerns is seen as a strength, not a threat.

Because at the end of the day, whistleblowers are not the problem and shouldn't be seen as the problem.

They're your early warning system. They flag potential risks and issues before they become full-blown crises. But only if they feel safe enough to come forward.

Too often I hear resistance from senior executives or boards about a rise in complaints from whistleblowers if they lean into this process, but the thing is, whilst you may receive some unfounded complaints or even vexatious complaints from time to time, so what? If you have a robust whistleblower and investigations system in place, you will easily be able to identify and deal with those.

The better question executives and boards should be asking themselves is: "What are we not hearing about?" by not prioritising a more robust speak up program that is supported with frequent and clear messaging from the leadership team.

Doing nothing is not an option

The TerraCom judgment is already being talked about in boardrooms and legal teams across the country. But talk is not enough.

Now is the time to look under the hood of your current whistleblower setup and ask the hard questions:

• Do we actually know what happens when someone speaks up? Beyond simply taking the report and assessing it as a protected disclosure, do we actually have confidence that the organisation will respond the right way, the first time?
• Are we confident our processes stack up if regulators came knocking? Can we show a regulator our documented triage and assessment process, our risk assessment process and underlying investigation manual or procedure for how we deal with protected disclosures?
• Are key executives across the business aware of our processes? Have we established a dedicated Whistleblower or Speak Up Committee that is responsible for, and has oversight of, how the organisation manages protected disclosures, the timeliness of whistleblower investigations and the application of sanctions, monitors trends and insights, cross-checks other organisational initiatives to ensure there is no conflict (such as planned redundancies)?
• Have we stress-tested our program (not just the policy) end to end? When was the last time you had an expert come in and perform an end-to-end review of your whistleblower program, not just your policy?

If you're not sure, that's a risk. A real one.

FAQ

What does the TerraCom case mean for boards?

It shows that a whistleblower policy alone is not enough. Boards need to know what happens when someone speaks up, how disclosures are assessed, who handles them and whether the organisation can prove its process stands up if regulators ask questions.

Why is a policy not the same as a program?

A policy is a document. A program is the operating system around that document: reporting channels, triage, assessment, investigations, confidentiality, support and leadership oversight. TerraCom shows regulators care about what actually happens, not just what is written down.

What should a compliant whistleblower program include?

It should include internal and external reporting channels, anonymous reporting, clear roles, triage protocols, independent investigations, support mechanisms, confidentiality protections and leaders who model the right behaviour. Those elements turn policy into practice.

What should boards do now?

Boards should review the full whistleblower program, not just the policy. That means asking hard questions, checking whether the business knows what happens after a report is made, and stress-testing the process end to end before a regulator does it for them.