Review your whistleblower program now to meet ASIC's new good practice guidance
ASIC's Report 758 details the findings of its review into good practices for handling whistleblower disclosures, and calls on entities who are required to apply the whistleblower protections under the Corporations Act 2001 (Cth) to reconsider the current state of their whistleblower regimes.
The regulator's guidance will support entities in handling whistleblowing disclosures in line with its expectations, mitigating against costly enforcement action (with ASIC commencing its first proceedings under these laws on 1 March 2023), and allow them to reap the commercial rewards of a positive whistleblower culture.
The whistleblower laws and ASIC's actions to date
Since 1 July 2019, the Corporations Act has contained strengthened protections for eligible whistleblowers that restrict the disclosure of their identity and prohibit victimisation. These laws apply to a broad range of entities, including companies registered in Australia and foreign corporations in a range of circumstances, which ASIC describes as "firms" in its Report.
Under these laws, Australian public companies and large proprietary companies have been required since 1 January 2020 (or within 6 months of the first financial year in which a company first became a large proprietary company, if after 1 January 2020) to implement a whistleblowing policy that complies with the Corporations Act.
ASIC has regularly engaged with entities in relation to whistleblower regimes on a number of occasions since these laws were passed to support compliance and good practices:
- In November 2019, ASIC released Regulatory Guide 270 Whistleblower policies which contained guidance and good practice tips on establishing and implementing a whistleblower policy and program;
- On 30 June 2020, ASIC released Information Sheet 247 Company officer obligations under the whistleblower protection provisions to give further guidance for companies on complying with the whistleblower protections;
- Throughout 2020, ASIC reviewed 102 sample whistleblower policies to improve ASIC's understanding of how firms were responding to the whistleblower policy requirements; and
- In October 2021, ASIC released an open letter to CEOs following its review of the abovementioned policies, urging them to review their whistleblower policies and included guidance to help relevant firms establish, implement, and maintain a policy that complies with the legal obligations.
Where these good practices for whistleblowing programs came from
ASIC's targeted review of seven selected firms' whistleblower programs, selected because of their similar attributes and the likelihood that these firms had developed whistleblower programs, was intended to identify scalable good practices to share with other firms.
The review focused on arrangements for handling and using information collected from whistleblower disclosures and the level of executive and board oversight of those arrangements. It involved detailed analysis of internal documents about the firms' programs, as well as interviews with officers and employees responsible for implementing and overseeing the whistleblower programs.
Good practices for whistleblowing programs
ASIC's Report identifies seven themes and associated good practices and questions for firms to consider.
Strong foundation for the program
- Document whistleblower policies, including with information required under s1317AI if relevant.
- Define and allocate roles and responsibilities for a whistleblower program.
- Design and establish supporting procedures or guidelines to manage whistleblowing in line with the Corporations Act.
- Ensure the whistleblower program has adequate information technology resources and organisational measures to keep whistleblowers’ personal information secure.
Questions for firms to consider
- Have we established a strong foundation for our program?
- How is our program equipped to handle disclosures?
Whistleblowing culture
- Consider how to actively promote whistleblowing (e.g. communications to all employees, training of all employees about when and how to make disclosures, etc).
- Consider authorising any pre-existing and well-used ‘speak-up’ platforms to also receive disclosures from whistleblowers.
- Clearly differentiate between their different channels to receive reports, complaints or feedback, and promote the whistleblowing channel as being relevant for disclosures and the whistleblower protections.
- Consider if there are adequate measures and processes to actively protect and support whistleblowers who make disclosures, including whether they have processes for assessing and controlling the risk of detriment to whistleblowers.
- Ensure that when firms enter settlements with whistleblowers, the terms of any confidentiality provisions do not attempt to limit the whistleblower’s ability to voluntarily raise any potential disclosable matters with a relevant regulator or agency.
Questions for firms to consider
- Are whistleblowers using our program to provide valuable information?
- If not, what needs to be done to actively promote and grow trust in the program and ensure whistleblowers are protected?
Resources and training
Provide training for:
- the firm’s internal eligible recipients on how to handle disclosures and respond to whistleblowers in line with the legal requirements; and
- the employees involved in all aspects of the firm’s program on how to manage disclosures and support whistleblowers in line with the legal requirements.
Questions for firms to consider
- How have we prepared people involved in the program to protect whistleblowers and treat disclosures confidentially?
Monitoring and review
- Schedule periodic reviews of whistleblower policies and associated procedures and practices.
- Consider the objectives of their policy and program and identify corresponding indicators and metrics to monitor their program’s effectiveness.
Questions for firms to consider
- How are we ensuring that our program is up to date and that we detect issues with its operation?
- How are we measuring its effectiveness?
Use of information
- Take steps to address the issues raised by whistleblowers;
- Analyse and use the information received from their programs; and
- Consider whether and how they can strengthen the visibility of emerging areas of risk and improve operations by sharing insights from their program.
Questions for firms to consider
How are we using and sharing information from disclosures to improve our operations?
Senior executive accountability
Consider:
- whether and how executive accountability for the program can be embedded, including through the designation of an accountable senior manager; and
- whether a mechanism for broader executive oversight of the program may be beneficial to the firm.
- Encourage accountable executives to reflect on whether they receive sufficient information about the program to discharge their accountability.
Questions for firms to consider
- Who is accountable for our program and how do they discharge this responsibility?
- Do they have access to the right information for this purpose?
Director oversight
Consider:
- formalising arrangements for board or board committee oversight of the policy and program, including considering which board committee is most appropriate; and
- the frequency, type and level of information that management should provide to board committees so that they can discharge their oversight responsibilities.
- Encourage boards and board committees to reflect on whether they receive sufficient information to perform their oversight function and are providing informed oversight over the policy and program.
Questions for firms to consider
- How are our directors overseeing the program?
- Do they have access to the right information for this purpose?
ASIC's next steps
While ASIC has allowed entities time to implement the strengthened whistleblower protections in a compliant manner, on 1 March 2023, ASIC announced that it was taking legal action against TerraCom Limited, its managing director, chief commercial officer, former Chair and a former director, for the first time under these laws. In this case, ASIC is alleging that:
- TerraCom and several of these individual respondents engaged in detrimental conduct to a whistleblower by allowing false and misleading ASX announcements to be published regarding the whistleblower's allegations; and
- all individual respondents breached their duty to exercise reasonable care and skill in the discharge of their duties as directors and officers of TerraCom, by failing to take reasonable steps upon receipt of the independent investigator’s report into the issues raised by the whistleblower.
In its Report, ASIC has confirmed that it will continue to review firms' whistleblower policies and arrangements for handling disclosures, including when it receives reports from whistleblowers alleging breaches of the whistleblower protections, and that it will consider the full range of regulatory tools available (including, where appropriate, civil or criminal enforcement action) where it identifies serious harm.
Your next steps
ASIC Commissioner Danielle Press has stated that:
"ASIC’s report reiterates the important role that whistleblower programs play in alerting entities and boards to changes necessary to help improve overall corporate performance and governance."
With these comments in mind, entities should reconsider their current whistleblower regimes to:
- ensure that they incorporate evolving best practice, including having regard to ASIC's guidance;
- support compliance and mitigate against the potential consequences of costly and lengthy enforcement action, in circumstances where we expect ASIC to take further action in this space having made its expectations clear; and
- reap the commercial benefits of a strong whistleblowing culture.
If you would like help on developing a compliant and good practice whistleblower regime for your organisation please contact us.