Corporate governance: ASIC ramps up focus on whistleblower programs
Many companies have whistleblower policies because they are required to do so under the Corporations Act 2001 (Cth), because their parent may be required to have such a policy under foreign law, or because it is good corporate governance to do so. ASIC has been actively involved in promoting understanding of, and compliance with, the law on whistleblowers, issuing Regulatory Guide 270 Whistleblower Policies and info sheets 238 and 239, and writing to CEOs in October 2021 to remind them of their whistleblower obligations and the strengthened protection regime that started in July 2019. Whistleblower policies are topical at the moment because ASIC has now released its REP 758 Good practices for handling whistleblower disclosures.
ASIC Report 758: Good Practices for handling whistleblower disclosures
Regulatory Guide 270 set out ASIC’s views and guidance on good practice for whistleblower policies including a number of tips and action items. ASIC has since sampled 102 whistleblower policies in 2020 and later conducted reviews of ANZ Bank, AussieSuper, BHP, CBA, Netwealth Group, Treasury Wine Estates and Woolworths to understand what good practice looked like in the real world.
From a governance perspective, 2 key areas explored were Board oversight of whistleblowing programmes and Senior Executive Accountability for such programmes.
Board oversight: While the Corporations Act does not impose specific responsibility on a board for whistleblower policies, the board is ultimately responsible as part of the business’ corporate governance and risk management framework. While most companies may structure oversight of whistleblower policies as part of the remit of the audit or risk committee with that committee on-reporting to the board, ASIC recommends clearly formalising such arrangements. An example is setting these arrangements out in the committee’s charter or terms of reference. ASIC considers that specifying the kinds of reporting that the committee may review would allow directors to more easily consider whether they are receiving the right information or sufficient information to discharge their duties.
Further, committees or the board receiving de-identified information about all disclosures (for low volume disclosures) or information and updates on progress and resolution of issues (for higher volumes of disclosures) provides key insights and is seen as good practice.
In ASIC’s view a board must ask itself: how are our directors overseeing the whistleblowing program? Do they have access to the right information for this purpose? The board must then consider the answers to these questions and revise its internal processes if necessary.
Executive Accountability: ASIC considers that good practice requires embedding executive accountability for the whistleblowing policy and procedures. It found that the role of senior executives accountable for the policy depended on whether there was a low or high volume of disclosures. Higher volumes dictated a stronger oversight role for executives (rather than being active in assessment/resolution). Also, ASIC recommended that boards consider whether some form of broader executive team oversight above the accountable executive (as well as a Board committee) may be useful.
In ASIC’s view a board must ask itself: who is accountable for our program and how do they discharge this responsibility? Do they have access to the right information for this purpose? Again, the board must then consider the answers to these questions and revise its internal processes if necessary.
What to do to build a good whistleblower program?
Moving beyond having a policy and process to comply with the law or a parent company’s requirements and having an effective program requires analysis and creating appropriate supporting structures within the company. There are many aspects to creating an effective program. ASIC identified that companies with stronger whistleblower programs:
- embedded processes and procedures to create a strong foundation for the program;
- supported whistleblowers via their culture and practices;
- embedded training in receiving or handling disclosures and protecting whistleblowers;
- monitored and reviewed the program, even seeking feedback from whistleblowers; and
- embedded senior executive accountability and entrenched effective director oversight of the program.
Further, ASIC considered that companies using substantiated information from disclosures to address underlying harms or remediate issues can improve company performance.
Whistleblower processes will not be effective unless employees have trust in the anonymity and confidentiality of such processes, and that whistleblowers will be protected from adverse action. ASIC’s Report and Reg Guide 270 referred to fostering a “whistleblowing culture”. While we can quibble about whether “whistleblowing culture” is the right term to use, the underlying sentiment that organisational culture does not impede or prohibit whistleblowing, and encourages and protects whistleblowers is surely correct. Culture is led by the “tone from the top” and the board and senior management must ensure that internal processes support whistleblowers. Further, to ensure trust in the process, the board and senior management need to visibly show that there is rectification of any legitimate issues identified, and if necessary, there is disciplinary action for genuine misconduct.
Future ASIC action
ASIC has given its guidance on how to build a good whistleblower program and avoid the potential for adverse action. Companies should take heed of this guidance as we expect ASIC will continue to review companies’ whistleblower policies and their effectiveness. ASIC has clearly stated:
“We will continue to review firms’ whistleblower policies and arrangements for handling disclosures, including when we receive reports from whistleblowers alleging breaches of the whistleblower protections. Where we identify serious harm, we will consider the full range of regulatory tools available including, where appropriate, civil or criminal enforcement action.”
Good governance starts at the top. Embedding board oversight and executive accountability for the whistleblower program is an important action item. Training board members, executives and those authorised to receive whistleblower reports and educating them about whistleblowing processes is a good first step in that process.