How to review your whistleblower policy
It’s good practice for an organisation to review its whistleblower policy periodically – at minimum biannually. In this article, Your Call Whistleblowing Solutions highlights the importance of keeping the document up-to-date and shares a checklist for reviewing your company's policy.
Whistleblowing refers to the disclosure of information by an employee or other agent of a company about a perceived wrongdoing within the organisation. A whistleblowing policy is a company statement that protects those individuals from retaliation or repercussion if they bring to attention any negligence or wrongdoing within the company. Whistleblowing policies also relate to the UN Sustainable Development Goal (SDG) 16: Peace, justice, and strong institutions.
Why review your policy?
B Corps are committed to good governance, which includes a strong Code of Ethics, transparency, and pathways for individuals to report wrongdoing. Reviewing and updating your whistleblowing policies regularly ensures that these pathways remain open, and demonstrates to employees that they are supported to raise concerns. Not only are there legal obligations for businesses under the Corporations Act, but there is also a strong business case for maintaining an effective whistleblowing policy to detect fraud.
Periodic reviews include associated processes and procedures, disclosure handling checklists, resolution flowcharts, and decision trees. Organisations can establish a review timeline as part of their document control process in their Whistleblower Management System.
An effective, yet underutilised method, to gaining insight into your Whistleblower Policy is to seek feedback from stakeholders This can be done via an anonymous survey to discover: Did you witness wrongdoing, and if so, did you tell us? What worked and what didn’t work? How could things be improved? Are there reasons people are not using the policy? The questions can also aid in tracking the effectiveness of ASIC training based on RG270.
Policy reviews might be more frequent depending on the nature and frequency of disclosures at your organisation.
If your organisation is creating its first whistleblower policy, as well as local regulatory guidance, we advise following the ISO37002 guideline which recommends (Section 5.2) to involve stakeholders in creating the policy. Accordingly, management could establish a Whistleblower Policy Work Group which includes these stakeholders, as well as use survey tools to gain broad stakeholder input. Using a policy template which aligns to your jurisdiction’s legislation is also vital.
To assist the policy review process, we’ve created a checklist of things to reflect on, based on our commonly witnessed document gaps.
Whistleblower Policy Review Checklist
Update changes to any department, team, or job titles.
Check for broken or dead hyperlinks, and links to other documents which have version control.
If specific personal are identified by their names and/or contact details, ensure the information is correct.
Ensure the content aligns to local, regional, and national legislation as sometimes these are revised (e.g., financial penalty amounts, revised definitions, new exclusions/inclusions).
If you have added or revised support tools for whistleblowers, ensure this is updated. Support must be provided.
Ensure your policy mentions your corporate values and Code of Conduct.
Ensure your whistleblower policy clearly explains the “investigation defence” (it does not give permission to outright disclose whistleblower identity).
Provide clarity about when bullying, harassment, and discrimination matters are classified as “protected disclosures” (e.g., in the setting of a pattern of these behaviours, a systemic problem with these behaviours, or when the behaviours coexist with legal breach, misconduct, or an improper state of affairs).
In Australia, the “good faith clause” is no longer applicable to whistleblowing, so ensure it is not part of your documents, but rather “reasonable grounds” is the principle that must be followed.
Ensure the organisation’s Whistleblower Policy is written in lay language and is visible internally and externally. Housing it on the corporate intranet alone is unsuitable because externals such as suppliers and employee spouses also need access as they are eligible to make protected disclosures.
If you’re aiming to be compliant with the new ISO standard (ISO 37002 Whistleblowing management systems – Guidelines) you will need to review your documents with an eye to those requirements. It is estimated that ISO 37002 will become effective in June 2021. Your Call can assist you with that compliance pathway.
While a standard two-year review process is suggested, it is important to remember that policy reviews might be more frequent depending on the nature and frequency of disclosures at your organisation and the feedback received during those events. There should be regular, privacy protected feedback to the Board that keeps them informed of the organisation’s whistleblower management system as they are the group responsible for the whistleblower policy, and ultimately any changes to it.