Assessing the risk of reprisal

This guide has been prepared for officers who undertake risk management processes associated with public interest disclosures (PIDs).

Relevant law and standards

One of the main purposes of the Public Interest Disclosure Act 2010 is to provide people who make PIDs with protection from reprisal.

The Queensland Ombudsman’s Public Interest Disclosure Standard No. 1 (the PID standard) requires a public sector entity chief executive officer to conduct an assessment of the risk of reprisal to the discloser, and others associated with the matter, when a disclosure is received.  The standard also requires protective measures to be proportionate to the risk of reprisal.  If the risk is sufficiently high, an entity must prepare a protection plan.

The PID Act also:

  • requires public officers be given support and offered protection from reprisals (s.28)
  • prevents referral of disclosure to another public entity if there is an ‘unacceptable risk of reprisal’ (s.31).

The PID standard recommends the use of the Australian Standard for Risk Management - Principles and Guidelines (ISO 31000:2009) but leaves it open to an organisation to use any reasonable risk assessment strategy.

ISO 31000 states: ‘a risk is the effect of uncertainty on objectives’. In the case of a PID, the objective is to manage the risk of reprisal against the discloser and others associated with the disclosure.

The risk management process includes:

  1. establishing the context
  2. assessing risk (identification, analysis and evaluation)
  3. treating the risk 
  4. monitoring and reviewing actions.

Communication and consultation feeds into each step of the process.

Identify, assess and evaluate the risk of reprisal

To identify and assess the risk of reprisal, you will need to consider the specific circumstances that apply to the PID. We have developed a table that provides general guidance (PDF 118.2KB) on issues that could be considered in determining the risk of reprisal.

Every organisation is different and risk management should be considered within the local context. Research and experience indicate some risk factors. Content in this guide has been derived from Whistling While They Work: A good-practice guide for managing internal reporting of wrongdoing in public sector organisations and the NSW Ombudsman’s guideline for ‘Managing risk of reprisals and conflict’.

Risk management resources

  • Australian Standard for Risk Management (AS/NZS ISO 31000:2009)
  • A Guide to Risk Management (2011), Queensland Government
  • Risk Management Toolkit for NSW Public Sector Agencies (2012), NSW Treasury

Your organisation’s risk management policy and procedures will also be useful resources when considering how to assess and manage PID reprisal risk.

Your organisation’s risk management unit or officer may be able to provide you with further information and support.

Risk assessment process

Identify the risks

Given what is known about the disclosure, the discloser and the subject officer, consider the potential risks.

A reprisal causes detriment to another person. The PID Act defines detriment to include:

  • personal injury or prejudice to safety
  • property damage or loss
  • intimidation or harassment
  • adverse discrimination, disadvantage or adverse treatment about career, profession, employment, trade or business
  • financial loss
  • damage to reputation, including, for example, personal, professional or business reputation.

Analyse the risks

Given the identified risks, what are the consequences and likelihood of reprisal? What factors may make reprisal more likely or less likely?  

For example, a junior officer makes a corrupt conduct allegation about their immediate supervisor, who is a senior officer in the organisation, and it seems likely confidentiality will not be maintained in the investigative process. The research indicates this kind of situation presents a higher risk.

Consider the consequences of reprisal. What impact could it have on the discloser, the work unit and the organisation?  How serious would these outcomes be? For example, would it be a relatively minor impact that could be relatively easily rectified or corrected? Or is it more likely to have significant resource and reputational impacts?

What controls do you already have in place to manage this risk?  

Evaluate the risks

Weigh up the risks and make a determination about what action is needed.

Risk treatment and monitoring

After assessment, the next step is to move on to treating the risks to provide appropriate protection that is proportionate to the risk of reprisal.  A risk treatment plan can be used to record the risk, the action to be taken (including timing and frequency, if relevant), who is responsible for action and the arrangements for reporting and monitoring.

The implementation of risk treatment needs to be monitored to ensure the planned action has been implemented and is having the expected effect. Risk treatments should be reviewed at critical stages in the investigation.

Other issues to watch

  • Have you appropriately documented the risk assessment process?
  • Have you considered risks to others, such as someone who helps with the investigation or could be mistakenly assumed to be the discloser?
  • Can you demonstrate your reasoning that the action taken was proportionate to the risk?
  • Can you use the findings of risk assessments to inform and improve your organisation’s PID management practice?

Our PID Assessment Guide (PDF 52.1KB) can assist you to determine whether a matter is a PID.