Blowing the whistle: Protecting yourself and your organisation
This week ASIC provided a spotlight on shortcomings of the Australian funds management industry's compliance framework, highlighting results that showed less than one third of 28 responsible entities, managing over $49 billion in managed investment schemes, had an adequate whistleblowing framework in place. Industry Moves caught up with an expert in the field, Robert Somerville, director of risk advisory at Deloitte , who spoke of Australia's maturing process around whistleblowing, the best way to protect a whistleblower's anonymity, and the importance of training to benefit both employees and organisations.
Q&A with Robert Somerville
A recent report from ASIC revealed that only half of the 28 responsible entities that were reviewed were found to have an effective framework to address an employee's right to report an issue and less than one third had a whistleblowing framework in place. Why do you think this is?
It's probably fair to say that whistleblowing in Australia has been on a maturing process around not only how it functions, but also around employees reporting issues. Whistleblowing started out purely focusing on fraud and financial controls, identifying financial mismanagement within an organisation. However that has changed over the years. Now whistleblowing covers areas like health and safety, environmental and HR issues such as bullying and harassment. Organisations need to be able to offer the ability for reporting across a broad nature of reports.
Can you tell us about the services that Deloitte offers?
Deloitte has a whistle-blowers service for clients, which we have been delivering to market for the best part of 13-14 years. It's a holistic managed service, which means that the whistleblower makes contact with Deloitte, and we then act as the intermediary between the whistle-blower and the client. This serves a number of key elements in an effective whistleblower program and allows greater anonymity. Whistleblowers have the option to reveal their identity just to Deloitte and not to the client if they so wish, thereby enhancing the communication that Deloitte can provide the client and at the same time protecting the anonymity of the whistleblower.
What kind of clients do you offer this service to?
We have about 110 clients currently on the service. A third of those clients are in the top ASX 200. We also work with smaller organisations including some SMEs and not-for-profits.
In your expert opinion, what is the best way to protect a whistle-blower's anonymity?
Anonymity is a very important aspect of the whistleblowing process. Protecting anonymity goes beyond just the whistleblower's personal details within the report, but also the report itself and what they choose to tell the client through our service. For instance, if you have a female working in an all male environment, clearly that is going to identify the whistleblower whether or not they reveal their name and contact details.
Work is done with the whistleblower during initial contact so they understand the process and where the report will go. In this way they can determine not only what information they give, but the detail they choose to provide. The other aspect is that not all whistleblowers are aware of self-incrimination. In telling their story, it is important that someone assists them to get both the information that the client will want and express the detail in a way that protects them.
Deloitte works with the whistleblower to ensure that the report always goes to someone who is senior to them and independent of the location and the people that they are reporting about. This gives the whistleblower a sense of comfort, so they can provide better detail and better information.
Do you think it's more effective to have a third party managing this process as opposed to having an internal framework?
Absolutely. Best practice has it that there needs to be three independent elements within the organisation for the service. There is an independent senior decision maker or committee in the organisation which has ultimate oversight for the whistleblowing service and is responsible for the matters that come through it, the person responsible for the investigation itself, and a third independent person who is the protection officer, and looks after the whistleblower.
If you look at a report coming directly to an organisation, it would always come to one individual person. That person might be involved in the report in some way, or the issue could be in reference to someone senior to them, or contain information which impairs the independence of that individual. This shows the importance of having a third party to do the initial triage.
"It's probably fair to say that whistleblowing in Australia has been on a maturing process."
In what ways does the service reduce the costs and risks associated with workplace misconduct?
We'd like to think that the service plays a great part in that. Certainly the effectiveness of the service is not always dependent on what Deloitte can provide but how the client manages the service. There are some key elements to the process that are all very important: transparency of the investigation, feedback to the whistle-blowers and the process behind the initial treatment of disclosures coming to the organisation. By having a managed process by Deloitte, we are able to assist the organisation in managing those three important elements.
ASIC suggested that responsible entities should also set up training for all staff, what would you say are the key elements that should be relayed to staff members?
Training for staff members is very important. A service is only effective if your people know about it. There's got to be initial training so everyone is aware the service is available and how it works. There should also be training around what the service will mean for them as individuals and the organisation.
Employees need to be aware of the red flags: the issues, risks and vulnerabilities within the organisation. They should know what they should report and how to report it so they can get the best out of a whistleblower service.
Do you think boards need to be more involved in having oversight of a company's whistleblowing policy?
The message, standards and ethics that are driven from the top down are very important. It's important that the board is involved and that policies reflect a strong ethical culture within the organisation and are committed to, ensuring all matters are dealt appropriately.
What are some of the challenges that you face at Deloitte when dealing with a whistleblower?
There is a lot of criticism in the marketplace about how whistleblowers are treated. One of the most difficult things to manage are personal reports provided by whistleblowers. These are not necessarily seen as a detriment to the organisation, but are important where the employee feels aggrieved. The organisation needs to be mindful of their responsibilities to a person who has reported wrong doings and their need to be protected.
You can read the full ASIC report here.
