Whistleblowing culture: ASIC’s illuminating report on good practices

On 2 March 2023, ASIC published a report which aims to help entities improve their arrangements for handling whistleblowers and ensure people are encouraged to speak up if and when they identify misconduct or an improper state of affairs (Good Practices Report).


The Good Practices Report found that regulated entities who implemented thoughtful and well-publicised arrangements for protecting whistleblowers and handling disclosures received useful reports about concerns and issues in the workplace. As a result, these workplaces were in a more advantageous position to address these issues at an early stage.


Whistleblowing is an integral part of a transparent, accountable and safe work culture. To cultivate and encourage whistleblowing in the corporate sector, whistleblowers need to know that they will be protected if and when they decide to come forward with their concerns.

In 2022, ASIC reviewed the whistleblower programs of seven entities which were selected on the basis of their “similar attributes” and “likelihood to have developed whistleblower programs in place”. ASIC examined those programs to assist with identifying scalable good practices to share with other regulated entities.

The sample regulated entities considered in the review were:

  • Australia and New Zealand Banking Group Ltd;
  • AustralianSuper Pty Ltd;
  • BHP Group Ltd;
  • Commonwealth Bank of Australia;
  • Netwealth Group Ltd;
  • Treasury Wine Estates Ltd; and
  • Woolworths group Ltd.

The Good Practices Report highlights the importance whistleblower programs in alerting entities and boards to the changes necessary to improve overall corporate performance and governance.

ASIC’s key findings

In the Good Practices Report, ASIC identifies a number of practices regulated entities should adopt when dealing with whistleblower disclosures, including:

  • establishing a strong foundation for the program – to achieve this, ASIC advises entities to document their policies, define the roles and responsibilities for the program, develop clear operation procedures or guidelines and use adequate IT resources and organisation measure to secure personal information from the program;
  • fostering a whistleblowing culture and supporting whistleblowers – widely promoting whistleblowing helps to foster a whistleblowing culture and support whistleblowers (i.e., such promotion can be achieved through means such as all-staff emails or intranet posts, training employees about when and how to make disclosures etc);
  • providing appropriate resources and training for officers and employees involved in receiving whistleblower disclosures;
  • monitoring reviewing and improving the policies, procedures and practices associated with whistleblowing – regulated entities should consider the objectives of their policy and program and identify corresponding indicators and metrics to monitor their programs effectiveness;
  • using information from disclosures to address issues raised by whistleblowers – regulated entities should analyse the data collected by their programs and consider whether and how they can improve internal processes in cases where gaps or deficiencies in internal practices were identified as part of the underlying cause of an issue strengthen the visibility surrounding emerging areas of risk and improve operations by sharing insights from their programs;
  • embedding executive accountability for the program – ASIC suggested that dedicating a ‘senior manager’ to the policy was a persuasive and visible way for entities to signal their commitment to fostering a whistleblowing culture; and
  • creating methods to facilitate effective director oversight – regulated entities are encouraged to consider formalising arrangements for board and board committee oversight of the policy and program, and the type and level of information that management should provide to board committees to ensure they can discharge their oversight responsibilities.

What you need to do

According to ASIC, regulated entities should consider the good practices identified above (and further detailed in the Good Practices Report) and ask themselves:

  • Have we established a strong foundation for our program? How is our program equipped to handle disclosures?
  • Whistleblowers using our program to provide valuable information? If not, what needs to be done to actively promote and grow trust in the program and ensure whistleblowers are protected?
  • How have we prepared people involved in the program to protect whistleblowers and treat disclosures confidentially?
  • How are we ensuring that our program is up to date and that we detect issues with its operation? How are we measuring its effectiveness?
  • How are we using and sharing information from disclosures to improve our operations?
  • Who is accountable for our program and how do they discharge this responsibility? Do they have access to the right information for this purpose?
  • How are our directors overseeing the program? Do they have access to the right information for this purpose?

You can access the Good Practices Report by clicking here.



If you have any questions about this article, please get in touch with an author or any member of our Corporate & Commercial team.


This information and the contents of this publication, current as at the date of publication, is general in nature to offer assistance to Cornwalls’ clients, prospective clients and stakeholders, and is for reference purposes only. It does not constitute legal or financial advice. If you are concerned about any topic covered, we recommend that you seek your own specific legal and financial advice before taking any action.