New guidelines for whistleblower management systems have been recently released by ISO (the International Organisation for Standardisation) (ISO 37002:2021).
The release is timely, with many businesses continuing to adapt to the focus on whistleblowing in Australia and globally. For businesses operating in Australia, it has been just over two years since changes to private sector whistleblowing laws came into force. Many businesses have significantly revamped their whistleblowing policies and processes to take account of those changes, and ASIC’s Regulatory Guide 270 on whistleblowing policies, and are now looking at what learnings have emerged to date.
So how, if at all, do the new ISO guidelines add to existing requirements, and what do businesses need to do now?
This briefing outlines some key observations on the guidelines.
1. Complementary to but not a substitute for local whistleblowing laws
At the outset, it’s important to call out that the guidelines are not generally inconsistent with local Australian requirements, and the guiding principles of trust, impartiality and protection are a helpful synthesis of the policy objectives underpinning whistleblower laws.
Equally, however, the guidelines are not a substitute for ensuring processes meet local whistleblowing laws, in Australia or elsewhere. As a global standard, the guidelines set out broad parameters that can frame how businesses manage whistleblower matters, and recognise that the systems put in place need to be adapted to each organisations’ own business and regulatory environment.
However, the strict requirements to protect whistleblower confidentiality under Australian laws will require businesses to have and maintain more stringent processes for obtaining consent and restricting the sharing of disclosures beyond what is contemplated in the guidelines. In that sense, the guidelines work alongside existing legal and regulatory requirements under local laws. The work that Australian businesses have done to review and uplift their policies and processes to comply with Australian whistleblowing laws remains necessary and relevant.
2. An emphasis on systems, functions and resources
With the above in mind, the guidelines do usefully add to the framework businesses can draw upon as they design how they will respond to whistleblower matters.
An important addition (at least from an Australian perspective) is the emphasis on whistleblower management systems, not merely legal protections or a whistleblower policy.
While Australian businesses have implemented or refreshed whistleblower policies in response to the amended laws, there is often ongoing work to do to develop underlying systems to support new or refreshed policies. Importantly, the guidelines specifically endorse the need for a robust whistleblowing management function. While some of the language in the guidelines fits more neatly in larger organisations, the guidelines appropriately emphasise that every organisation (regardless of size) needs personnel managing whistleblower matters with authority, independence, competence, integrity and adequate resourcing to undertake this function.
The guidelines also point out the need to consider resourcing in all its dimensions, including, but not limited to, financial and human resources, IT solutions, specialised skills, organisational infrastructure, investigators, reference material, legal expertise, professional development and training.
3. A resource to equip whistleblowing teams, with some caveats
The guidelines include helpful elements that businesses can use to equip their whistleblowing management function:
There are useful lists covering topics like responding to an initial whistleblower report, as well as guidance on questions to ask reporters.
At the intake and triage stage, the guidelines reinforce the idea of prioritising reports based on risk, and set out a starting list of questions that organisations can adapt to their circumstances.
The suggested outline of topics to cover in training for personnel and leaders is also helpfully detailed.
The commitment in the guidelines to feedback, evaluation and continuous improvement are also good touchpoints for organisations to build into their whistleblower management system.
Of course, no guidelines are perfectly complete. One area where the guidelines are overly simplified is in the three-tier approach to confidentiality. The guidelines refer to open whistleblowing (where the reporter does not withhold their identity or require it to be kept secret), confidential whistleblowing (where the reporter’s identity and identifying information is only disclosed beyond the initial recipient on a need to know basis without the reporter’s consent, unless required by law) and anonymous whistleblowing (where the reporter’s identity is not disclosed). Organisations subject to Australian whistleblowing laws will recognise that confidential whistleblowing (in the sense used in the guidelines) is not consistent with the confidentiality protections under those laws. In practice, many organisations will commonly adopt a fourth approach (and which is consistent with Australian whistleblower protections), which is for a reporter to provide consent for their identity and identifying information to be disclosed on a need to know basis, or for the purpose of an investigation, but not to be generally or openly disclosed.
4. Proactive focus on risk of detriment
A further area that is highlighted in the guidelines is the requirement to protect reporters from detrimental conduct.
Processes for ensuring compliance with at least Australian whistleblowing laws have tended to focused on upholding confidentiality requirements, with the protection against detriment being left to more generalised commitments not to victimise or retaliate against reporters.
By contrast, the guidelines give prominence to the need to proactively address the risk of detriment. In defining “detrimental conduct”, the guidelines embed the idea that it includes a failure to prevent or minimise harm to by fulfilling a reasonable standard of care at any step of the whistleblowing process. This places the onus squarely on organisations to identify and address risk, not merely to respond once a concern about victimisation has been raised. Consistent with this, the guidelines emphasise that the triage and assessment of reports should involve a two track process, considering not only the response to the report itself, but also considering the risk of detrimental conduct to the reporter.
In this way, the guidelines bring a good balance to the practical considerations that can inform an organisation’s approach to whistleblower protection.
5. The challenge of what’s within scope remains
Finally, the guidelines point to some limitations with Australia’s whistleblower laws, and the challenge businesses face in responding to reports that might fall outside of the whistleblower protections legal framework.
The definition of a “whistleblower” in the guidelines is significantly wider than the class of persons who are entitled to protected under Australian private sector whistleblower laws in the Corporations and Tax Administration Acts. In particular:
The guidelines recognise a much wider range of external parties as potential whistleblowers, namely all individuals and legal entities having a business relationship with the organisation (not just suppliers, employees of suppliers or associates, as is currently recognised under Australian law) including clients, customers, investors and union representatives.
The guidelines also recognise prospective officers, employees and suppliers as potential whistleblowers (not just persons who are currently or formerly in those positions).
In that sense, the guidelines better recognise that there can be a wider range of persons who may have knowledge of potential issues of concern within an organisation, and that all such reports are (in theory) capable of being dealt with through a whistleblower management system.
The decision for businesses is to whether to limit their whistleblower management systems to address only matters raised by persons entitled to legal protection under Australian or other local laws, or whether to design their systems to capture and respond to a wider range of reports. This is a core challenge that many businesses continue to consider as they refine and implement their systems, and to address where such reports should be directed if not captured within a whistleblower management system.
In this regard, the guidelines appropriately leave it to organisations to determine the ultimate scope of their whistleblower management system. However, in doing so, one area that is not well addressed in the guidelines is how the scope of whistleblower management systems sits alongside other processes organisations have for dealing with complaints and concerns.
The guidelines refer at times to a “speaking up” and “listen up” culture. Yet there is no detailed consideration of whistleblower management systems being only one way in which individuals raise concerns, or that there can be other processes that are better adapted to dealing with particular issues. For instance, customer and client compliant management processes, community grievance processes, and workplace health and safety reporting processes all potentially exist alongside whistleblower processes within most organisations.
By adopting a very wide definition of “wrongdoing”, as any action(s) or omission(s) that can cause harm, the guidelines unfortunately do not tackle one of the central issues that arise in practice for many organisations in the design of their whistleblower management system: defining the nature of reports that should be captured, and those reports that are better addressed through other channels.
In all, the guidelines provide a complementary additional resource for businesses in designing and evaluating their whistleblower management systems. While there is much to take from these guidelines, businesses still need to pay close attention to local whistleblowing laws and consider how their systems address compliance with those requirements, in Australia or other applicable jurisdictions. Businesses will also need to be deliberate in how their whistleblower management system (what ever its scope) fits within their broader processes and systems for identifying concerns of wrongdoing, misconduct and any other forms of harm, as well as feedback, learning and continuous improvement.