Good practices for handling whistleblower disclosures
This ASIC report outlines good practices for whistleblower programmes, based on a review of selected firms. It highlights governance, culture, training, monitoring, and the use of disclosures to improve performance, alongside executive accountability and board oversight to ensure compliance with Corporations Act requirements.
Overview of ASIC’s review
This report reviews whistleblower programmes across seven large firms, assessing how disclosures are handled, used, and overseen. It focuses on compliance with the Corporations Act and ASIC guidance (e.g. RG 270). The review draws on document analysis and interviews, identifying scalable practices applicable across different organisational sizes and complexities.
Establishing a strong foundation for the program
Effective programmes rely on clear policies aligned with legal requirements, supported by defined roles, responsibilities, and operational procedures. Firms used structured workflows, templates, and investigation protocols to ensure consistency. Secure IT systems and third-party intake platforms were commonly adopted to protect confidentiality and manage disclosures, reducing reliance on individuals and mitigating operational risk.
Fostering a whistleblowing culture and supporting whistleblowers
Firms actively promoted whistleblowing through internal communications, training, and accessible reporting channels. Integration of ‘speak-up’ platforms increased disclosure volumes. Strong programmes differentiated whistleblowing from other reporting channels and implemented measures to protect whistleblowers, including risk assessments and dedicated support roles. Firms also avoided restricting disclosures to regulators, reinforcing trust and legal protections.
Resources and training for relevant officers and employees
Targeted training ensured compliance with legal obligations and effective handling of disclosures. Eligible recipients and programme staff received guidance on confidentiality, investigation processes, and engagement with whistleblowers. Delivery methods included e-learning, in-person sessions, and practical tools such as checklists and process maps. Ongoing training and external benchmarking supported capability development.
Monitoring, reviewing, and improving the program
Firms conducted periodic reviews of policies, ranging from six-monthly to every three years, incorporating regulatory updates, benchmarking, and stakeholder feedback. Effectiveness was measured using indicators such as reporting volumes, investigation timeframes, employee willingness to speak up, and rates of substantiated allegations. Firms tracked trends and used internal reporting to identify areas for improvement.
Using information from disclosures
Disclosures were used to investigate misconduct, address systemic issues, and improve performance. Actions included process improvements, disciplinary measures, and consideration of misconduct in remuneration decisions. Firms analysed data to identify trends in allegations, reporting channels, and affected business units. Some integrated whistleblowing data with other complaint channels to generate broader risk insights while preserving confidentiality.
Embedding executive accountability for the program
Most firms designated a senior manager accountable for the programme, often within risk or compliance functions. Accountability structures varied depending on disclosure volumes, with some executives involved in operational decisions and others focused on oversight. Cross-functional executive committees enhanced governance by providing diverse perspectives on risks, trends, and programme effectiveness.
Effective director oversight
Boards, typically through risk committees, oversaw whistleblower programmes as part of broader governance frameworks. Directors received de-identified disclosure data, trend analysis, and updates on investigations and policy changes. Effective oversight depended on the quality and frequency of reporting, enabling directors to assess risks, monitor performance, and ensure programmes were adequately resourced and aligned with regulatory expectations.