With the recent introduction of the whistleblower amendments to the Corporations Act 2001, many Australian companies are considering how best to comply with the new requirements. But is strict compliance with the amended whistleblower provisions all that they should aspire to? This article discusses what Australian corporations could and should be doing over and above strict compliance with the Corporations Act whistleblower regime and also considers the business case for implementing an effective whistleblower program.
The Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 became law on 1 July 2019 and, in doing so, amended the existing whistleblower provisions of the Corporations Act 2001 which had which had been in force since 2004. The new provisions impose compliance obligations on all Australian corporations with additional obligations for publicly listed and large proprietary companies. The amended Corporations Act has a range of innovative features which gives Australia one of the most far-reaching whistleblower protection regimes in the world.1
Is compliance with the Corporations Act whistleblower provisions enough?
Notwithstanding the cutting-edge features of Australia’s new whistleblower regime, a serious question remains — should strict compliance with the new legislative provisions be considered sufficient? A feature of governance in Australian corporations in recent years has been a disciplined focus on legislative compliance. Clearly, legislative compliance is vital but too many corporations regard governance-linked legislation as a blueprint for what to do rather than as a foundation for a program that will deliver against the underlying legislative objectives. Corporate Australia’s response to the new whistleblower provisions risks falling into this same ‘opportunity lost’ trap.
There is a strong argument that Australian corporations should look beyond strict compliance with the legislation and consider the business benefits of building a robust whistleblower program. One example of how a purpose-built whistleblower program can transcend mere compliance with the Corporations Act is the way in which a whistleblower policy is communicated internally. Section 1317AI of the Corporations Act stipulates that public and large proprietary companies, from 1 January 2020, must have a whistleblower policy and ‘make that policy available to officers and employees of the company’ — this requirement stops short of the better practice principle of effectively communicating the policy to the corporation’s workforce but also the idea of making the policy available to other stakeholders and the company’s business partners. In relation to this issue, and other elements of the new legislation, strict compliance, arguably, is not sufficient to deliver the benefits of a bespoke whistleblower protection program designed and implemented for the corporation concerned.
What are the benefits of an effective whistleblower program?
Benefits available to corporations from implementing and maintaining an effective whistleblower protection program (one that complies with the Corporations Act but that also goes beyond strict compliance) include:
- encouraging the corporation’s workforce to come forward with reports of wrongdoing in circumstances where they would not have come forward or would have come forward much later — studies and experience over many years show that a corporation’s workforce is a significant source of wrongdoing reporting many of which involve matters that would have caused severe financial distress and reputational damage to the corporation
- sending a strong signal to regulators, markets, the corporation’s owners and other stakeholders that the company is committed to sound governance practice and to protecting the corporation’s assets and reputation
- encouraging ethical business practice within the corporation and between the corporation and its external business partners
- helping the corporation to attract and retain personnel committed to its values and cultures and helping to deter and exit people are not committed to those values and cultures.
What are the extra-legislative sources of guidance?
In addition to implementing the core whistleblower provisions of the Corporations Act, a corporation should also implement a range of existing and emerging better practice guidance. ASIC2 released a draft regulatory guide for public comment ahead of its release in November.3 The regulatory guide will be aimed at assisting Australian corporations to comply with the new legislative provisions but also to implement a whistleblower program that goes beyond mere compliance. On the basis of the draft version, the regulatory guide as issued, is likely to recommend:
- overt demonstration of executive level commitment to whistleblower protection
- fostering a culture of ethical conduct and whistleblowing where wrongdoing is found or suspected
- linking whistleblower protection systems to principles of good governance and risk management
- endorsing the aims of the legislation to encourage more disclosures of wrongdoing with the anticipated effect of deterring wrongdoing
- aligning the whistleblower policy with the entity’s business (i.e. that the corporation should not merely adopt a generic or proforma policy document) and, in developing the policy, that the corporation will interact with its workforce and other stakeholders
- ensuring fair treatment of people named in a whistleblower report.
In developing a whistleblower program, Australian corporations should ensure that they consider the ASIC regulatory guide once issued in final form. In addition to the ASIC regulatory guide, Australian corporations should also consider the now withdrawn Australian standard AS 8004 Whistleblower Protection Systems for Entities. In spite of its withdrawn status, the standard has much to offer in terms of building an effective whistleblower program. Looking forward, Australian corporations will be able to consider ISO 37002 Whistleblower Management Systems to be issued by the International Organization for Standardization (ISO) and due for release in June of 2021.
What does an effective whistleblower program look like?
An effective whistleblower program should combine the legislative requirements of the Corporations Act with available better practice guidance. A robust and effective whistleblower policy should feature the following.
A strong statement of purpose
The Corporations Act whistleblower provisions do not require that a corporation make a statement of purpose about whistleblower protection. Such a suggestion is however included in the draft ASIC regulatory guide (and likely therefore to be included in the guide as finally issued). A corporation should make strong statements about:
- the linkage between the corporation’s values to the whistleblower policy
- the business benefits of an effective whistleblower policy
- encouragement to report wrongdoing giving relevant examples
- its commitment to whistleblower protection.
The 2004 iteration of the Corporations Act provided for whistleblower protection only if the whistleblower provided his or her identity. This requirement is likely to have had the effect of deterring whistleblowers from coming forward. The new Corporations Act provision removes the requirement for a whistleblower to give their identity in order to be protected. A whistleblower policy should make a clear statement that reconfirms the Corporations Act provisions affording whistleblower protection for anonymous reporters.
A statement as to the types of conduct that are contemplated by the whistleblower policy
The categories of reportable conduct that will trigger whistleblower protection as specified in the Corporations Act are very broad.4 An effective whistleblower policy should include examples of the types of misconduct contemplated by the policy.
While the new legislative provisions require publicly listed and large proprietary corporations5 to ‘make available’ the company’s whistleblower policy they stop short of requiring that the policy be effectively communicated.
Regardless of any legislative obligation to implement and ‘make available’ a whistleblower policy, all Australian corporations should ensure that all personnel (officers, senior managers and employees) are aware of their options for raising concerns about misconduct and of the repercussions of failing to comply with the new whistleblower provisions. All personnel should be aware that subjecting an eligible whistleblower to detrimental conduct or unauthorised disclosure of their identity are offences under the Corporations Act.
An awareness raising program should be clear about procedures for making a qualifying disclosure internally to the corporation which is specified under s 1317AAC(1) as ‘an officer or senior manager of the body corporate or a related body corporate’. It should ensure also that the corporation’s personnel in those categories fully understand their legal obligations in the event that an eligible whistleblower approaches them with a qualifying disclosure.
An awareness-raising program should be delivered by way of regular communication appropriate to the nature and geographic spread of the organisation and its operations.
Alternative reporting channels
The new whistleblower provisions do not specify any requirement as to the channels by which a qualifying disclosure can be made to an eligible recipient other than in the framework for a whistleblower policy at s 1317AI which stipulates such a policy must include ‘information about to whom disclosures that qualify for protection under this Part may be made, and how they may be made’. Better practice would say that an effective whistleblower reporting program should have a range of alternative reporting options including:
- internal reporting through the normal organisational structure in the ordinary course
- one or more alternative internal reporting channels (eg to Legal, Internal Audit, HR or Compliance)
- an external reporting channel(s).
Requirement to provide feedback to reporters who come forward
The new Corporations Act whistleblower provisions make no mention of providing feedback to whistleblowers. Experience has shown that many whistleblowers become disenchanted with the misconduct reporting process if they form a view that no action has been taken on their report. Experience also shows that whistleblowers who are not fed back the outcome of investigations into their report are likely to share their negative perception with other members of the workforce, which tends to deter others from coming forward. In addition, whistleblowers who feel they have not been listened to are more inclined to take the matter external to the organisation (as they are entitled to do subject to certain conditions as set out in the public interest disclosure provisions of s 1317AAD). Sometimes whistleblowers will take a matter outside of the corporation on the basis of their belief that no action has been taken when action has in fact been taken by the corporation but has not been fed-back to the whistleblower.
A statement about the need to regularly review the whistleblower program and the whistleblower protection policy
The legislation does not stipulate a requirement for a whistleblower policy to be reviewed. Better practice would require that a whistleblower policy be reviewed regularly (say every two years).
A policy statement requiring active protection of ‘legal entities’
The main themes of protection and compensation set out in the amended Corporations Act relate to whistleblowers who are individuals. Better practice considerations would include the concept of protecting legal entities in addition to individuals (for example a supplier that is a legal entity which suffers detrimental conduct because of the actions of one of its officers or employees in reporting misconduct to a customer).
The stakes are high for Australian corporations who fail to implement an effective whistleblower protection program. They may find that their workforce fails to come forward with reports of wrongdoing which could result in significant unchecked financial losses and detrimental reputational outcomes. A corporation can also be exposed to potential losses associated with compensating whistleblowers who are subjected to detrimental conduct.
It makes sound business sense for all Australian corporations regardless of size6 to implement a whistleblower policy that goes beyond the compliance imperative and that looks instead at the business case for implementing a sound whistleblower program.