What follow-through really looks like in whistleblower programs

Most organisations spend a lot of time writing policy, appointing officers, and setting up channels. Those things matter. But employees learn what the system is really like from follow-through. Not from the document, and not from the training slide.

ASIC’s benchmarking makes this distinction clearer. Access affects whether someone reports. Follow-through affects whether anyone reports again, and whether others will report after watching what happens to the last person who spoke up.

Whistleblowing programs are judged by what happens after the report. Not by the policy. Not by the hotline vendor. Not by the training slide.

ASIC’s benchmarking hints at a trade-off many organisations do not talk about openly, speed without depth can look tidy on paper, but hollow in practice.

Investigation and substantiation rates vary widely

Companies reported, on average, 49 days to complete an investigation. For companies with at least five in-scope disclosures, the average was 55 days, with a median of 50 days.

On average, 24% of in-scope disclosures that were investigated were substantiated. But some companies substantiated 10% or less of their in-scope cases.

There are a few plausible readings here, and each leads to different levels of competence.

Strong triage assessment: Fast closure might mean the organisation is good at filtering out out-of-scope reports early, so investigations begin only when needed.

Underpowered investigation capability: Fast closure might mean investigators are stretched, not rigorous, or lack specialist capability.

Confidence in reporting: Low substantiation rates can also reflect low-quality information, which sometimes happens when people share hints instead of details because they fear consequences.

The point is that “time to close” is a weak headline metric on its own. Leaders learn more when they pair it with other signals like themes, channel use, and whether investigators can recontact anonymous reporters to pursue lines of inquiry.

Outcomes skew toward internal discipline, not external referral

The most common outcome of substantiated disclosures was disciplinary action (42% of companies), followed by staff education or training (37%), then policy or process change (30%).

Only 11 companies, 8% overall, reported any referrals to a regulator or law enforcement in the period. ASIC explicitly said they were surprised, especially given the presence of regulated industries in the sample.

This invites a sharper conversation about escalation and accountability:

Many issues may genuinely be internal conduct matters, not breaches requiring referral.

Organisations may be uncertain about referral thresholds.

Leaders may be managing reputational risk by keeping matters internal.

Either way, it highlights a maturity marker. Organisations that are clear on thresholds and differing levels of severity tend to handle escalation more consistently.

Training and communication are not “nice-to-have”, they show up in the numbers

Training and comms are often treated as box-ticking. The report suggests they are closer to infrastructure. They shape whether employees understand what counts, what protection means, and what to expect.

Regular training correlates with higher disclosure rates

Three-quarters of companies provided recurring training, but 25% did not provide regular training to staff, and 8% provided none at all. Where training was recurring, disclosure rates were higher across company sizes.

In large companies (5,000+ employees), those with recurring training had a median disclosure rate of 0.45. That compares to 0.19 for induction-only training, and 0.05 for no training.

Training is often treated as compliance content. This report suggests it should focus more on confidence-building. If people believe the system works, they use it.

Ongoing reminders help, especially simple ones

Companies using periodic emails or articles, and posters in the office, reported higher disclosure rates.

This matters because whistleblowing is rarely top of mind. People remember the channel when something happens, not when onboarding tells them once a year.

Reviews, feedback loops, and governance are where many programs stall

Many review the policy, fewer review effectiveness

Most companies review policy periodically, but a significant portion do not review the program’s effectiveness. Policy review tends to happen because it is mandated. Effectiveness review tends to happen only when leaders are willing to face uncomfortable signals.

Employee feedback is underused, and it correlates with higher reporting

Only 42% of companies sought employee feedback on the whistleblower program or speak-up culture in the last year. Those that did had higher disclosure rates.

Who owns the program shapes how it behaves

Legal was the most common owner (32%), with compliance and HR both at 18%. ASIC observed less mature practices when HR owned the policy, including lower disclosure rates, lower adoption of dedicated webpages, and lower adoption of fully anonymous disclosures.

This does not mean HR cannot own the program. It suggests the risks of treating whistleblowing as an employee relations workflow, rather than a governance system.

A constructive governance prompt is:

If HR owns this, what legal, compliance, and investigation capability is formally embedded?

If legal owns this, how do we ensure the employee experience is safe and supportive?

A mature setup borrows strengths from each. It treats the program as a governance system with a human experience, not as a legal risk artefact.

Protection and support are visible signals, not just safeguards

Most companies assigned whistleblower protection officer duties to someone as part of another role, but 14% had no designated role responsible for protecting and supporting whistleblowers.

This matters because protection is not just a safeguard. It is a signal. People watch what happens to the last person who spoke up, then decide whether they will be next.

Industry and ownership differences hint at where to look first

ASIC’s industry view showed meaningful differences. Mining stood out with higher practice scores and higher disclosure rates. Healthcare and professional services were lower on both.

Rather than treating this as “good industries versus bad industries,” it is more useful as a starting point for reflection:

Some sectors have more mature safety and incident reporting norms, which makes speak-up behaviour more normal.

Some sectors have more dispersed workforces, higher casualisation, and higher power distance, which makes reporting harder.

Some organisations have stronger governance expectations from investors or group HQ, which pushes program maturity.

Benchmarking is valuable here, not to imitate another industry, but to notice what your own operating environment makes easier or harder.

A practical self-check, five questions to benchmark your program

If you want a quick way to use ASIC’s report without overengineering it, these questions align with the strongest patterns in the findings:

• Access: Do we offer a dedicated webpage and hotline, and are they easy to find and use?
• Confidence: Do staff get recurring training, and do we reinforce awareness through ongoing comms?
• Signal quality: Do we triage well so in-scope matters get protections fast, and out-of-scope matters still get handled appropriately?
• Follow-through: Are our investigation timelines credible, and do we balance speed with thoroughness?
• Feedback and oversight: Do we review effectiveness, seek employee feedback, and report meaningful insights to leaders, not just a set of numbers?

Credibility is built case by case

The most mature programs do not treat whistleblowing as a policy artifact. They treat it as a working system. One that has to be findable, usable, and credible when tested. Over time, that credibility becomes the real driver of whether people speak up.

Speak with our consultants

If you would like an outside view on follow-through and governance, speak with our consultants for a complimentary consultation.

{{whistleblowing-cta="/components"}}

‍