The corporate and not-for-profit sector is rushing to meet the January 1 deadline for new whistleblowing regulations. This activity is a result of enhancements to the whistleblower provisions laid out in the Australian Corporations Act 2001. It’s now a requirement that public companies, large proprietary companies, and corporate trustees of Australian Prudential Regulation Authority-regulated superannuation entities have whistleblower policies in place next year as part of a whistleblower program supported by processes and staff training.
The Australian Securities & Investments Commission already has advised it will be conducting audits from New Year’s Day, and merely having a policy in place without the supporting systems could result in breach notices.
The new regulations overhaul previously fragmented, inconsistent and confusing legislation, and aim to encourage and protect whistleblowers and discourage corporate fraud and misconduct. The expanded corporate scheme involves a wider range of reportable misconduct, protects a larger group of people, allows anonymous disclosures, creates more avenues for redress and increases potential penalties for employers.
The response to the new regulations has been largely positive, with many interpreting them as a reflection of social expectations for more accountability of company directors. Attracting the attention of corporate Australia are dramatically increased penalties, with individual fines of up to $1m, jail sentences of up to two years and corporate fines up to $525m. Companies need to think beyond compliance. Simply ticking ASIC’s checkboxes won’t necessarily mean they know what to do when a report is filed, potentially putting people at risk.
A key reform in the new legislation is the increase in the number of people who can receive a disclosure or be an “eligible recipient”. The definition now extends to senior managers, directors and auditors. Given these roles can comprise hundreds of people in an organisation, properly identifying and regularly educating them on their responsibilities is critical.
Companies with robust whistleblowing policies will ensure their board and risk committee have adequate oversight and reporting channels, and that the systems and procedures underpinning their policy can be enacted when a disclosure is made.
And once a company’s policy is in place, what then? Beyond ensuring the policy complies with the law, how does it intersect with the Code of Conduct, the Child Wellbeing and Safety Act or mandatory data breach notifications?
Testing the policy’s procedures is critical, and given the potential risks and penalties are high, companies that do their due diligence and go beyond minimum requirements will conduct external auditing as well. Organisations that produce their policies in isolation or outsource the writing and consider it done will be seriously tested when a disclosure is made.
The new whistleblowing regulations have the potential to bring transparency to the fore in the private sector, which given the number of royal commissions in recent years can only be positive. It also presents an opportunity for companies to improve trust and “foster whistleblowing cultures” (outlined in ASIC’s regulatory guidance) where employees feel safe reporting misconduct and confident that they’ll be heard, protected and that due process will take place.
Best-practice organisations will imprint “speak up” cultures into their DNA. This requires that executives practise what they preach, policies offering a broad range of ways to speak up, as well as training and education. Given a strong whistleblowing policy is dependent on trust, regularly requesting and integrating employees’ feedback is critical as well.
While it’s true some companies won’t ever receive a disclosure, many will, and it will be immediately obvious if their policy is inadequate, with hefty penalties and reputational damage to follow.
Nathan Luker is chief executive of Your Call.
Originally printed in The Australian newspaper on 18 December 2019. Click here to read original.