Whistleblowing in Australia is still a work in progress - part 1

This time last year many Governance Risk and Compliance (“GRC”) professionals were preparing for the new whistleblowing laws to come into force. Six months ago, many of those same professionals were hastily drafting whistleblowing policies to meet the 1 January 2020 deadline. Given that this deadline has past, it is not surprising that this activity has gone quiet. COVID-19 may also have had something to do with this, but the question we have asked is whether corporate Australia has whistleblowing under control?

Earlier this year, PKF Integrity conducted research to understand the state of whistleblowing in Australia. This research included informal discussions, surveys and interviews with business and government organisations as well as reviews of whistleblowing policies. The results of this research and our experience advising Australian organisations about whistleblowing, demonstrates that corporate Australia still has a long way to go.

The true state of whistleblowing policies

Although some companies seem to feel a whistleblowing policy is all they need, the regulatory approach taken here and in Europe[1] is that a policy is at least an essential element to an effective whistleblowing system. To assist with the mandatory requirement for most[2] companies to have a whistleblowing policy, ASIC issued very prescriptive guidance[3] in October 2019 (“the Guidance”) on what needs to be included in a whistleblowing policy.

PKF Integrity reviewed the policy position of 50 companies (that were required to have one) and found that only 33 (66%) had policies. Of these, 25 policies (76%) did not meet all the key requirements of the Guidance. 40% of the 25 policies were not publicly available on the companies’ websites.

PKF Integrity also found that some of the basic requirements of the Guidance were not adequately articulated, including:

• who is an eligible whistleblower (48%)
• who is an eligible recipient (56%)
• what types of misconduct should be reported under a whistleblower policy (80%). Examples included:
  • omitting that disclosures could be made about the improper tax affairs of a company
  • not providing a definition or examples of a “personal work-related grievance” and/or explaining that disclosures about them are not afforded legal protection
  • other inconsistency with the legislation regarding what was disclosable under the policy.

Policies also inadequately detailed procedural steps:

• 60% of policies contained insufficient information about how to raise concerns e.g. not nominating specific contacts or providing communication channels such as phone and email
• 64% of policies contained insufficient information about how the company will handle the investigation of disclosures e.g. by who, how, timeframes for completion and keeping the whistleblower informed of progress
• Many policies did not provide either an effective, independent process for raising concerns about alleged senior management misconduct or provide for disclosures to be made to an independent third party or “hotline”
• Importantly, even with the potential for significant fines and criminal charges, 72% of policies reviewed did not provide sufficient information about the practical steps that would be taken to protect confidentiality or the legal protections available for eligible whistleblowers; a key objective of the new legislation.

Our experience and the findings of our research suggests that pockets of corporate Australia still lack an appreciation of the value of an effective whistleblowing system and have a tendency to take a tick box approach to compliance. Based on feedback from some companies, this has produced policies that are lengthy, legalistic and operationally impractical. This not only works counter to the legislative intent of whistleblowing provisions of the Corporations Act, it also indicates that once policies are in place, their effective implementation, or operationalisation will be compromised.

It is fair to say that the Guidance is prescriptive and several policies reviewed appear to have replicated the legislation without any apparent thought for operational considerations, in particular how easy it is for a potential whistleblower to understand how and to whom a disclosure can be made. Smaller organisations have also expressed concerns about their ability to meet the confidentiality requirements of the Guidance and about potential conflict of interest issues due to the requirement for the separation of roles and responsibilities when managing whistleblowing disclosures.