Whistleblowing back in focus: guidance on whistleblowing policies

Whistleblower Protections imposed new obligations on public companies, large proprietary companies, and trustees of registrable superannuation entities.

We analyzed some of the key components of the guidelines as well as some of the issues companies should consider when determining whether their policies are compliant.

A whistleblowing policy must include the following, according to the guidelines:

  • The purpose of the policy;
  • Who is covered by the policy (including identifying individuals both inside and outside the organization who can make a disclosure that qualifies for protection);
  • The categories of areas covered by the policy, as well as the types of matters that are not covered by the policy (in addition, the policy must declare that disclosures which are not related to disclosable matters do not qualify for protection under the corporation’s act);
  • Who can receive a disclosure, as well as information on how a discloser can get more information (for example, by calling the whistle-blower protection officer or an independent legal counsel);
  • How to make a disclosure, including the many alternatives and directions for doing so (even through anonymous means);
  • The legal protections provided to the discloser;
  • Support and practical protection for those who disclose;
  • How the entity will manage and investigate disclosures, including how it will keep the discloser informed and how it will document, report, and convey the investigation's results to the discloser;
  • Ensuring that the policy is accessible to everyone, including external whistle-blowers.

In several ways, the guidelines are different from the preceding draft version. The following are some of the main changes:

  1. A hardening of terminology about those issues that are considered mandatory for a policy to address in order to comply with legislation.
  2. A requirement that a policy contain a variety of internal and external disclosure choices.
  3. New obligations to spell out the specific processes for maintaining anonymity and confidentiality, as well as safeguarding disclosers against harm.
  4. A restriction on how much an entity can rely on policy connections to other policies and processes.
  5. The necessity that a discloser comprehends the requirements for making a public interest or emergency disclosure, as well as the requirement that a discloser consults with an independent legal adviser before making such a disclosure.
  6. A requirement to indicate the timeframes for handling and investigating the disclosure, as part of an overall duty to offer transparency about how investigations are conducted.
  7. Making it a policy requirement that the entity sends regular updates on the investigation to a discloser, even (if necessary) through anonymous means.
  8. Revisions to the law relating to confidential information and the concept of personal grievances at work. The guidelines clarify that an entity may choose to implement a policy that applies to a broader range of disclosures as part of a "speak up" culture and offer businesses more flexibility in defining and identifying personal work-related concerns that are exempt from the policy's operation.
  9. Changes to the section on 'Roles and Responsibilities' and removal of the requirement that the policy mention the names of the internal reporting points.
  10. Additional 'best practice' advice on subjects such as using independent whistleblowing services to act as an eligible receiver and offer direction on how an employee can make a disclosure outside of the company.


Organizations should now evaluate if they need to revisit their whistleblowing policies in light of the changes made to the final guidelines to ensure they are meeting expectations. Short and simple policies with links to other policies and guidelines are not going to match those objectives.

The rules are comprehensive and, in some cases, prescriptive. This is especially true when it comes to providing details on things like the length and manner in which investigations will be performed (even if these are stated to be subject to fluctuation). Whistleblowing investigations, in our experience, are frequently complex and administratively demanding, necessitating variations in the investigative technique depending on the issue. This makes adhering to any prescriptive method or timeframe challenging.

Adopting the guidelines in their entirety without regard for internal competence, resources, or structure may result in an organization being burdened with a complex and bulky policy that is difficult to understand and implement for policy participants. This could lead to policy violations, a loss of trust among participants in the process, and, in the worst-case scenario, potential violations of the confidentiality and other legal standards governing how whistleblowing disclosures should be handled.

The difficulty for businesses will be to create a policy that is not only clear, practical, and tailored to their needs, but also meets the regulator's expectations as outlined in the guidelines.

Key tips for organizations:

  1. As a starting point, make sure your policy complies with the guidelines' mandatory standards.
  2. Consider if the 'best practice' parts of the guidelines are relevant and appropriate for your organization. If any sections of your policy are not appropriate for inclusion, figure out the reason and document it.
  3. Consider if there is an immediate need to amend your policy in light of the finalized guidelines, especially if you have already finalized your policy based on the previous guidelines.
  4. Take care while developing policy adjustments and do not rush them through. If your whistleblowing policy was only recently implemented, a new version could cause employee misunderstanding and version control mistakes.