By David Morgan, Wayne Gilbert & David Lehmann – PKF Integrity
This time last year many governance risk and compliance (GRC) professionals were preparing for the new whistleblowing laws to come into force in Australia.
Given that the 1 January 2020 deadline for having corporate whistleblowing policies in place has now passed, it’s not surprising that this activity has gone quiet. Covid-19 may also have had something to do with this, but the question we have asked is whether corporate Australia has whistleblowing under control?
Earlier this year, PKF Integrity conducted research to understand the state of whistleblowing in Australia. This research included informal discussions, surveys and interviews with business and government organisations, as well as reviews of whistleblowing policies. The results of this research and our experience advising Australian organisations about whistleblowing, demonstrates that corporate Australia still has a long way to go.
The true state of whistleblowing policies
Although some companies seem to feel a whistleblowing policy is all they need, the regulatory approach taken here and in Europe is that a policy is at least an essential element to an effective whistleblowing system. To assist with the mandatory requirement for most companies to have a whistleblowing policy, ASIC, Australia’s corporate, markets and financial services regulator, issued very prescriptive guidance in October 2019 on what needs to be included in a whistleblowing policy.
PKF Integrity reviewed the policy position of 50 companies (that were required to have one) and found that only 33 (66 per cent) had policies. Of these, 25 policies (76 per cent) did not meet all the key requirements of the guidance. Forty per cent of the 25 policies were not publicly available on the companies’ websites.
PKF Integrity also found that some of the basic requirements of the guidance were not adequately articulated, including:
- Who is an eligible whistleblower (48 per cent)
- Who is an eligible recipient (56 per cent)
- What types of misconduct should be reported under a whistleblower policy (80 per cent)
- Omitting that disclosures could be made about the improper tax affairs of a company
- Not providing a definition or examples of a ‘personal work-related grievance’ and/or explaining that disclosures about them are not afforded legal protection
- Other inconsistency with the legislation regarding what was disclosable under the policy
Policies also inadequately detailed procedural steps. For example:
■ 60 per cent of policies contained insufficient information about how to raise concerns e.g. not nominating specific contacts or providing communication channels, such as phone and email
■ 64 per cent of policies contained insufficient information about how the company will handle the investigation of disclosures, e.g. by whom, how, timeframes for completion and keeping the whistleblower informed of progress
■ Many policies did not provide either an effective, independent process for raising concerns about alleged senior management misconduct, or provide for disclosures to be made to an independent third party or ‘hotline’
■ Importantly, even with the potential for significant fines and criminal charges, 72 per cent of policies reviewed did not provide sufficient information about the practical steps that would be taken to protect confidentiality or the legal protections available for eligible whistleblowers – a key objective of the new legislation
Our experience and the findings of our research suggests that pockets of corporate Australia still lack an appreciation of the value of an effective whistleblowing system and have a tendency to take a tick box approach to compliance. Based on feedback from some companies, this has produced policies that are lengthy, legalistic and operationally impractical. This not only works counter to the legislative intent of whistleblowing provisions of the Corporations Act but it also indicates that once policies are in place, their effective implementation or operationalisation will be compromised.
It is fair to say that the guidance is prescriptive and several policies reviewed appear to have replicated the legislation without any apparent thought for operational considerations, in particular how easy it is for a potential whistleblower to understand how and to whom a disclosure can be made. Smaller organisations have also expressed concerns about their ability to meet the confidentiality requirements of the guidance and about potential conflict of interest issues due to the requirement for the separation of roles and responsibilities when managing whistleblowing disclosures.
The challenges faced
PKF surveyed 41 organisations and held in-depth interviews with representatives from 10 large organisations. Of the 41 organisations who responded to our survey, 80 per cent indicated they received 25 or less disclosures per year from their whistleblowing channels (internal and external). This is consistent with the results of the Navex Global 2019 Benchmark Report which showed an average rate of disclosure of 0.8 (for all channel disclosures) per 100 employees for the APAC region. However, this rate is low compared to rates for other regions and is expected to increase as stakeholders gain greater trust in their organisations to clearly exhibit that they will support a culture of speaking up and when they do, do something about the matters disclosed.
Of the organisations we interviewed, the following observations and challenges were noted:
■ Whistleblowing is managed by different functions across organisations, including risk, audit, integrity, governance, company secretariat, compliance or legal departments, with no clarity about who is ultimately responsible
■ Organisations can receive multiple allegations from one discloser, disclosures about non-whistleblowing matters, e.g. workplace grievances, and disclosures from non-eligible whistleblowers. Where how to handle these scenarios are not articulated in written procedures, confusion about what is required often occurs
■ Whistleblowing arrangements are not well understood by staff and those running the whistleblowing function are unsure of how best to handle whistleblowing matters and advise whistleblowers. Consequently, organisations indicated they would be willing to outsource whistleblowing training and the independent assessment and investigation of whistleblowing disclosures
‘Management should not wait until directors, concerned about their individual accountability, begin to challenge them about conduct, culture and compliance issues and the quality of the whistleblowing data provided’
■ Organisations found it difficult to identify whether the subject of a whistleblowing disclosure had been involved in some other misconduct. This was often brought about by internal departments holding relevant information in disparate systems, e.g. information held in a human resources system may be relevant but not accessible to those assessing a whistleblowing disclosure
■ Disclosures often need to be handled by different people or via different processes due to the subject matter of the disclosure. This can give rise to inconsistency in the process used and protections made available. As such, organisations need to ensure adequate training for all relevant staff and secure systems that facilitate the sharing of information relevant to whistleblowing whilst maintaining confidentiality
■ There was a growing demand for useful management reporting on whistleblowing and conduct matters generally. Often disparate and manually maintained data sources add to the challenge of collecting and using this data effectively for decision-making
The wake-up call
As the first anniversary of the legislation approaches, our research provides a timely reflection of the state of whistleblowing. The results show that there needs to be improved awareness of the regulatory requirements on whistleblowing and, in order to progress from the tick box mentality, a greater appreciation of the value of whistleblowing as a best practice corporate governance mechanism. Management should not wait until directors, concerned about their individual accountability, begin to challenge them about conduct, culture and compliance issues and the quality of the whistleblowing data provided.
Practically, significant work is still required to design effective whistleblowing systems. Organisations must take the time to adequately consider the operational requirements that make whistleblowing systems effective. This includes the implementation of user-friendly policy and complementary training and awareness activity.
In our view, not addressing these issues increases the risk of non-compliance with the whistleblowing legislation, and more importantly, undermines stakeholder trust. Getting on the front foot to implement effective systems that are adequately articulated in policies builds trust and reduces the risk of regulatory intervention.
About The Authors:
David Morgan is based in the Brisbane office and is head of the National Forensic and Risk Services team (PKF Integrity). David has over 15 years’ investigation, fraud, corruption and misconduct-related experience. Prior to joining PKF, David worked at Deloitte and PwC and also has a background as a Detective in the Metropolitan Police Service, London. His extensive experience covers financial and non-financial investigations, integrity due diligence reviews and whistle blowing incident management and reporting. David also provides advice on how to improve internal control environments and delivers a range of education programs on fraud, corruption, misconduct and investigation skills.
Wayne Gilbert is a Principal in the Sydney office of PKF and also provides leadership and guidance across our national PKF Integrity team (previously Forensic and Risk Services). Wayne has over 30 years’ experience as a leading risk and investigation professional, including six years in EY’s forensic practice. Directly prior to joining PKF, Wayne was the Director of Risk and Forensic Services for RISQ Group providing advice to boards and senior management in relation to best practice, governance and compliance. Wayne has extensive expertise in leading and conducting major investigations in relation to both serious criminal conduct and misconduct in the workplace.
David Lehmann is a Principal in the PKF Integrity services business, based in Melbourne. He has 15 years’ experience delivering forensic and integrity risk advisory services. David has provided these services across a wide range of industry sectors in Australia and overseas, including Southeast Asia where he established and managed the forensic practice of a Big 4 firm in Kuala Lumpur, Malaysia, for over five years.
1.EU Whistleblowing Directive adopted in April 2019
2.All public companies and large proprietary companies and proprietary companies that are trustees of registrable superannuation entities
4.Navex Global, 2019 Regional Whistleblowing Hotline Benchmark Report
5.Navex has the 2018 median rate of disclosures for 100 employees in North America at 1.5, South America at 1.9 and Europe at 0.5. Note the Navex Europe rate is much lower than reported by the EQS survey, which had an average volume of disclosures at 52 for companies in Switzerland, UK, France and Germany between 250 and 1,000 employees. (Whistleblowing Report 2019, EQS Group. which surveyed a total of 331 British, 352 German, 344 French and 365 Swiss companies. https://medium.com/ecajournal/whistleblowing-in-the-private-sector-the-how-matters-1efc8aee8f9e)