ACSI critical of ASX 200 codes of conduct and whistleblowing – a checklist to meet likely incorporation into ASX Corporate Governance Council guidelines

The Australian Council of Superannuation Investors (ACSI) has published a report critical of ASX 200 companies’ whistleblowing policies and codes of conduct.

The council’s review found that all of the ASX 200 had a code of conduct bar one.

However, ACSI concluded that not all codes of conduct are equal. In its view, codes of conduct need to:

  • be comprehensive;
  • be frequently reviewed (at least every two years);
  • use Q&As, case studies or vignettes; and
  • have leadership endorsement or promotion.

Only eleven ASX 200 companies met all of these criteria.

ACSI will advocate for the addition of new code of conduct and whistleblowing requirements to the review of ASX Corporate Governance Principles and Recommendations to be completed this year, including recommendations that companies:

  • Review codes of conduct regularly
  • Include practical case studies, Q&As and FAQs and a framework for ethical decision-making in the code of conduct
  • Implement independent testing of the implementation of codes of conduct (including communication and training effectiveness) and whistleblowing systems.
  • Encourage the inclusion of questions in engagement surveys which test companies’ ethical climate
  • Adopt whistleblowing systems that allow users to remain anonymous and are available 24 hours a day.
  • Protect staff who report wrongdoing against retaliation and support their contribution.
  • Establish and implement a whistleblower remediation policy where retaliation, reprisal or other detrimental impacts occur
  • Provide hotlines for code of conduct questions and whistleblowing

Key topics for inclusion in a Code of Conduct

The Council had reference to the ASX Corporate Governance Council Principles and Recommendations and a Harvard Business School analysis to come up with 13 key risk areas it considered should be included in a code of conduct.

The risk areas were:

  • Equal employment opportunity/non-discrimination
  • Safety
  • Gifts
  • Environment
  • Bribery
  • Fraud/corruption
  • Conflicts of interest
  • Bullying
  • Human rights
  • Anti-competition/anti-trust
  • Anti-money laundering/Counter-Terrorism Financing
  • Data protection/cybercrime
  • Fair dealing/product responsibility

The council then researched existing ASX 200 company codes to discover the extent to which they covered those risk areas.

Within the ASX 50, fair dealing and product responsibility was covered by the fewest companies in codes of conduct (12%), followed by data protection/cybercrime (20%), anti-money laundering/counter-terrorism financing (20%), anti-competition/antitrust (22%) and human rights. The low cybercrime count contrasts with the high frequency with which it is mentioned in annual reports.

Equal Employment Opportunity (92%), Safety (90%), Gifts (90%), Environment (88%) and Bribery (84%) were covered by the most companies.

Within the ASX 51-200, there was less mention of key topics in codes of conduct. The lowest number of companies dealt with data-protection/cybercrime (9%), anti-money laundering/counter-terrorism funding (10%), anti-competition/antitrust (11%), fair dealing/product responsibility (23%), and human rights (31%).

The largest number of companies mentioned equal opportunity/non-discrimination (84%), gifts (83%), environment (81%), conflict of interest (81%) and safety (75%).


ACSI’s research found that 19% of the ASX 200 company codes of conduct made no mention of whistleblowing.

Of the ASX 200, 55% had anonymous systems, 52% offered 24-hour availability, 65% expressed a commitment that retaliation was not acceptable and 29% extended availability of the system to contractors and suppliers.

A Code of Conduct Checklist

Boards may be well placed to ensure the inclusion of ACSI’s 13 key risk areas mentioned above in a code of conduct. However, some may consider the Harvard Business School’s higher-level categorisation simpler and more long-lived as a basis for a checklist.

The summary of the eight HBR principles is as follows:

| Principle | Concept | Behavioural standards |
|---|---|---|
| Fiduciary | The responsibility to act in the best interest of shareholders | Conflicts of interest, gifts and hospitality, insider trading and using company resources only for company purposes |
| Property | Respect property and the rights of those who own it | Fraud, theft (including intellectual property), other misappropriation, and the avoidance of waste |
| Reliability | Fulfilling explicit and implicit obligations | Pay suppliers and partners on time and on agreed terms, deliver products and service promised to customers |
| Transparency | Conducting business in a truthful and open manner | Make timely disclosures of material information while respecting obligations of confidentiality and privacy |
| Dignity | Respect employees, contractors and customers | Health, safety and human rights |
| Fairness | Engage in free and fair competition, deal with all parties fairly and equitably and practice non-discrimination in employment and contracting | Non-discrimination, fair compensation, preference for suppliers that respect international labour practices; require suppliers and partners to refrain from bribery and improper payments |
| Citizenship | Be responsible by respecting the law, protecting public goods, avoiding improper political involvement and contribute to community betterment. | Respect the spirit and the letter of tax and environmental laws; do not launder money or finance terrorism. |
| Responsiveness | Be responsive to stakeholders that are affected by company actions | Respect shareholders’ views. Respond to employee and customer complaints and collaborate with community groups to promote economic and social development. |

ACSI Questions for Directors and Management

Based on its research, ACSI has also published a series of questions for investors to ask boards and senior management (and boards and senior management to ask themselves) on codes of conduct and whistleblowing.

Codes of conduct

  • Does the code of conduct reflect the company’s values framework so that users are encouraged to make decisions based on company values rather than a narrow set of rules?
  • Does the code of conduct provide a framework for ethical decision-making?
  • Is the code of conduct written and designed so that it has universal application to employees and relevant others irrespective of status or hierarchy (including, where relevant, contractors, suppliers, agents)?
  • Does the code of conduct include guidance on expected behaviours for all relevant ethical risks given the company’s size, structure and sector?
  • When was the code of conduct last revised and is it sufficiently up-to-date for the current scope of the business and ethical risk environment?
  • Is code of conduct training regularly undertaken, refreshed and tailored to the types of ethical risks that different roles and groups are exposed to?
  • How is the code communicated and implemented? For example, are local and other leaders involved in delivering regular messages about the importance of value-aligned behaviours (e.g. in setting the tone from the top) and are they approachable and effective as role models?
  • Do engagement surveys ask if employees observe consistency of behaviour between actual and proscribed values in their teams and among leaders? What actions are taken if inconsistencies are found?
  • Does the code of conduct (and related training) make clear what behaviours are appropriate or inappropriate and what to do when uncertain?


Whistleblowing

  • Does the system offer anonymity, confidentiality with multiple access points, and is it available 24 hours a day?
  • Can all relevant parties (including, where relevant, contractors, suppliers) use the system?
  • Does the system offer advice on questions that users may have (a helpline) in addition to providing a service to report potential wrongdoing (a hotline)?
  • Does it prohibit retaliation, have a designated support system for whistleblowers and have remediation policies for reporters who suffer reprisals or other detrimental impacts?
  • Do senior management and the board receive regular reports of whistleblowing data? This should include the type of issues raised, where they arise, how they are resolved, and the number of warnings or dismissals.
  • Is the system regularly tested and audited to ensure that it is working as intended?

ACSI’s research would be a valuable input into any ASX 200 company’s review of its code of conduct and whistleblowing processes. It can be found HERE.

The earlier HBR article can be found HERE. In particular, we suggest you click on their suggested Global Business Standards Codex. This is a roundup of widely endorsed conduct guidelines for companies around the world, according to eight underlying ethical principles.


© Guerdon Associates 2024