The amended whistleblowing laws come into effect on 1 July 2019. Who will be eligible for protection? How should HR prepare? And what should an adequate policy look like?

The Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2019 received Royal Assent on 12 March 2019, providing a single, strengthened whistleblower protection regime covering corporate Australia.

What does this mean for organisations, in particular HR professionals, from a practical standpoint?

Overview of the changes

In a nutshell, the new laws are designed to encourage whistleblowers to speak up without fear. The legislation will enable whistleblowers to make “protected disclosures” – including anonymous disclosures – about a broad range of misconduct such as: fraud, bribery, corruption and money laundering.

While the amended laws will take effect from 1 July 2019, and will apply to disclosures made on or after this date, they could also relate to conduct that occurred before this date. 

Disclosures are protected if the whistleblower has reasonable grounds to suspect “misconduct” or an “improper state of affairs”. Whistleblowers will be protected through measures that focus on confidentiality (protecting their identity) and discouraging victimisation or reprisal, including significant penalties for breaching the new laws.

According to Corrs Chambers Westgarth, contravention of the law can be heavily punished. For breaching the confidentiality of a whistleblower’s identity, or for victimising or threatening them, a body corporate could be forced to pay 5,000 penalty units ($10.5 million), three times the benefit derived or detriment avoided, or 10 per cent of annual turnover (up to 2.5 million penalty units, or $525 million).

The legislation also introduces a mandatory requirement for all public companies and most large private companies to have a whistleblower policy. For not having one, they can be fined 60 penalty units ($12,600) under the Corporations Act.

Who is eligible?

A key change under the new legislation is the inclusion of third parties. Whistleblowers who will be eligible for protection include officers and employees of the organisation, as well as individuals who supply goods or services to the organisation (and their employees), associates of the organisation and relatives/dependents of these people. Former employees may also be eligible for protection provided the disclosure is in relation to the organisation.

What should a good policy look like?

While the new legislation is effective from 1 July 2019, public and large private companies have until 1 January 2020 to ensure they have a compliant whistleblower policy in place.

Ignition Training has a Whistleblowing Reporting short course that provides HR professionals with an overview of the new changes and requirements. Check out Ignition Training to learn more.

However organisations should aim to have a compliant whistleblower policy in place earlier, if possible, to allow enough time for the integration of the policy into their existing governance policies and practices, as well as to minimise any risk of breaching the amended laws.

While some organisations may already have a whistleblower policy in place, it will likely need to be reviewed and updated to ensure it is compliant with the new laws. It’s important the content and style of the policy is appropriately tailored to the organisation’s business, operations and culture.

While a detailed analysis of what a whistleblower policy should include is beyond the scope of this article, broadly speaking the policy should provide information about how and to whom protected disclosures can be made, the support that the organisation will provide to whistleblowers, how investigations into whistleblower disclosures will be conducted, how employees mentioned in protected disclosures will be treated, and how the policy is made available.

Developing or updating a whistleblower policy will require careful thought about who in the organisation is responsible for receiving, investigating and making decisions on protected  disclosures, as well as clear processes for disclosures to be reported, assessed, investigated and resolved.

For companies listed on the ASX, the recently revised ASX Corporate Governance Principles and Recommendations include a new recommendation that a listed entity should have and disclose a whistleblower policy and ensure  the board, or a relevant board committee, is informed of any material incidents reported under that policy.

What protected disclosures” mean under the new law

“Protected disclosures” cover a wide range of “misconduct” or an “improper state of affairs” but do not include personal work-related grievances. In practice, it is often difficult to distinguish between protected disclosures and work-related grievances, for example when disclosures cover a range of issues, including misconduct and grievances. Advice should be sought in the event of any uncertainty to avoid any inadvertent breach of the law.

Protected disclosures are required to be made to designated “eligible recipients”, which can include senior managers, auditors, actuaries or other persons authorised to receive disclosures on behalf of an organisation. Careful consideration should be given to those designated as ‘eligible recipients’. More focus should be placed on their training, experience and capability than their functional area. They should be provided with practical, scenario-based training, to help them to deal with protected disclosures and whistleblowers.

An important consideration for all organisations is whether they have adequate and effective processes or facilities in place to enable whistleblowers to make protected disclosures. It is generally regarded as better practice to have both internal and external reporting avenues, and organisations will need to make sure  both are able to comply with the new requirements.

A good external whistleblower service will not only comply, but also include process controls to minimise the risk of the organisation running into confidentiality issues once it receives the disclosure. For example, obtaining comprehensive consent from the whistleblower and ensuring that anonymous disclosures are appropriately reviewed for information that may inadvertently identify the whistleblower.

An example of good reporting practices

Lauren Witherdin, director at KPMG Australia – who oversees the provision of the firm’s FairCall whistleblower reporting service – makes the point that whistleblowers often prefer talking to an independent external party. The reasons are many and varied, but generally come down to a fear of potential negative consequences for speaking up, whether real or perceived.

“The majority of whistleblowers who contact our KPMG FairCall service choose to do so by telephone. This enables us to build rapport with the whistleblower and help them feel comfortable by explaining the process to them,” says Witherdin.

Compared with other reporting facilities that do not provide for verbal communication telephone hotlines are particularly effective, as they enable the operator to ask questions, discuss the whistleblower’s concerns, and generally obtain a higher quality of information from the whistleblower.

“In my experience, whistleblowers are often comfortable in providing their contact information to the operator, which facilitates ongoing communication and follow up questions that can be very helpful in addressing the concerns,” says Witherdin.

An analysis of concerns reported through the FairCall service shows there has been a substantial increase in the number of matters reported over the last 12 months, possibly because of the imminent new laws which have been widely publicised.  A significant number of these matters involve HR issues such as bullying, harassment or discrimination.

Training and awareness

The new legislation provides organisations with an ideal opportunity to promote a culture where their employees feel comfortable speaking up. Whether the organisation is implementing a whistleblower policy for the first time or updating their existing policy, communication across the organisation will be required to make sure employees and relevant third parties are aware of any changes and know what to do in the event they wish to make a disclosure.

Similarly, the board of directors and senior management need to understand the new requirements and the organisation’s whistleblower program.

It will be particularly important for recipients of disclosures and those who will be involved in investigating them to understand their roles.  Organisations will need to provide guidance and tailored training to these people to ensure they know how to identify a whistleblower disclosure, what to do if they receive one and how to investigate the disclosure.

Investigation of whistleblower disclosures

Investigations of whistleblower disclosures are often difficult, particularly when the whistleblower chooses to remain anonymous. In many cases, there is no opportunity to talk to the whistleblower and this makes it difficult to understand their concern or allegation, or to seek additional information.

The new laws carry significant penalties for identifying whistleblowers who wish to remain anonymous, and for victimisation of/reprisal against whistleblowers. Investigative procedures need to factor in this heightened risk. For example, interviews of employees or reviews of email records as part of an investigation may inadvertently identify the whistleblower. Awareness of this risk, taking precautions to minimise it and knowing what to do if a whistleblower’s identity is compromised, will be particularly important.

It’s always worth considering whether the person who will undertake an investigation into a whistleblower disclosure is appropriately qualified and experienced, to avoid any breaches of the new laws.

Gary Gill is a director of Sapere Forensic and Head of investigations, with more than twenty-five years’ experience as a forensic accountant. He has led numerous investigations into matters involving fraud, bribery, corruption, money laundering, cyber-crime and other related misconduct for corporates, financial institutions and government.