There's never been a better time for all not-for-profits to review their whistleblower policies and procedures - but if your organisation is incorporated under the Corporations Act, a review is crucial.
The Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 took effect on July 1 this year, amending the Corporations Act 2001 so that a single, strengthened whistleblower regime covers the corporate, financial and credit sectors.
And the Act is about to show its teeth, with the Australian Securities and Investments Commission (ASIC) indicating it will commence compliance audits in January 2020.
Criminal and civil penalties for non-compliance with the Corporations Act include fines of up to $1 million for individuals and $525 million for organisations.
A new guide published by ASIC last month, Regulatory Guide 270: Whistleblower Policies, outlines the changes, which include an exemption from the requirement to have a whistleblower policy for not-for-profits and charities with annual revenue of less than $1 million.
All incorporated companies remain bound by the whistleblower protection provisions in the Act, regardless of whether they are required to have a whistleblower policy.
The ASIC guide includes best-practice tips covering everything from encouraging whistleblowers to speak up, to focusing on the substance of whistleblower disclosures rather than on the motive of the whistleblower.
If your organisation's whistleblower policy was drafted before November this year, you should review it before January 1 to ensure it takes ASIC's new guidance into account.
Actions for not-for-profit directors
- Understand the consequences of non-compliance
Breaches of the whistleblowing protection provisions attract serious penalties. These include fines of up to $1 million and jail sentences of up to two years for individuals, and fines of up to $525 million for organisations.
- Demonstrate active and tangible leadership
Provide active leadership and support for disclosers in your organisation. Ensure management provides the board with regular reports on the whistleblowing program.
- Conduct a risk assessment
Ensure a risk assessment is conducted for your organisation's whistleblower program, and allocate appropriate resources to ensure compliance.
- Ensure your policy is legally compliant by 1 January 2020, and provide associated training
By 1 January 2020, you should have in place a whistleblowing policy that is legally compliant and also in line with the guidance issued last month by ASIC. If your organisation is listed on the ASX or is a large private company, you must also a) issue the policy and guidelines to everyone to whom the policy applies, and b) provide training to all staff (ASIC has provided specific guidance on this).
- Establish key roles and accountabilities
Establish key roles responsible for protecting or safeguarding disclosers and witnesses from victimisation or detrimental action, and key roles for investigating reports.
- Establish "eligible recipient" internal reporting pathways
Designate and train specific staff members as "eligible recipients" for receiving disclosures internally and directly from disclosers.
- Establish additional reporting pathways for disclosers
Provide alternative means for disclosers to make disclosures, including a secure and safe means which allows disclosers to remain anonymous if they wish. These should include an external independent channel to receive reports of misconduct.
- Implement continuous review processes
Allocate senior personnel responsible for periodically reviewing the effectiveness of the policy and procedures, and updating them accordingly.
- Understand that breaches of confidentiality will lead to significant penalties and reputational risk
If a whistleblower makes a disclosure, ensure confidentiality is maintained throughout the process that follows.
- Ensure timely and effective management of whistleblowing reports
Ensure that disclosures are managed, assessed, investigated and progressed and finalised within a reasonable timeframe and in accordance with the policy and new laws, including providing effective and timely communication with the whistleblower.
Does the new law require your organisation to have a whistleblower policy?
You can use this flow chart to check whether your organisation is required by law to have a whistleblower policy.
But even if the law doesn't insist on it, why wouldn't you have such a policy?
Thousands of crimes targeting Australia's not-for-profits are going unreported, the ICDA Spotlight Report: Fraud & Cybercrime reveals. According to the study, asset theft and cyberhacking are the most common crimes suffered, followed by credit card fraud and cash thefts. In about a quarter of asset theft cases, the perpetrator was a staffer or a volunteer.
Whistleblowing plays a crucial role in managing risk and cultivating an ethical culture in your not-for-profit organisation. It's an essential and effective tool in your good governance toolkit.
Research conducted in 2014 by BDO Australia found that tip-offs from whistleblowers were more effective in uncovering fraud within a not-for-profit organisation than any other method, including strong internal controls, internal audits and external audits.
Download our free template Whistleblowing Policy
Together with our partner Moores, we've done the heavy lifting and created a template policy to help Not-for-Profits implement Whistleblowing policies that comply with overhauled national legislation.