Nine years, no answer
In 2017, Ally Naylor filed a formal written complaint about Xero co-founder and then-CEO Sir Rod Drury on her last day of employment. Xero investigated. Then nothing happened, at least not for Naylor. She was never told the outcome. She never received the investigation report. And according to journalist Paula Penfold’s account, she was exposed to the executive she had accused, the single most fundamental confidentiality failure an employer can commit.
Drury stepped down as CEO in March 2018, four days after Naylor requested the investigation report. Nearly a decade later, after Drury was knighted and named Kiwibank New Zealander of the Year, Naylor laid a complaint with police. It was, by her account, the only avenue left.
The misconduct allegations themselves are serious. But for every business owner and board member reading this, the more urgent lesson is procedural. Xero is not a startup operating out of a garage. It is an ASX and NZX-listed company with dedicated legal counsel, a board of directors, and global HR infrastructure. And it still managed to run an internal complaints process that left the complainant in the dark, breached her confidentiality, and produced no resolution.
If Xero could not get this right, what chance does your business have?
The law has caught up
The Protected Disclosures (Protection of Whistleblowers) Act 2022 came into force on 1 July 2022 and applies to every employer in New Zealand, public and private sector alike. It codifies exactly the obligations Xero failed on.
Section 17 requires receivers of protected disclosures to use best endeavours to keep confidential any information that might identify the person making the complaint. Section 21 prohibits retaliation. The Act also requires acknowledgement of a complaint within 20 working days.
Xero’s 2017 complaint predated this legislation. That is precisely the point. The failures that destroyed Naylor’s trust in the process are now statutory obligations. An employer who repeats them today is not just making an administrative error. They are breaking the law.
Founder worship makes the process decorative
A previous B2B News analysis of the Xero saga noted that when the person who built the company regards governance as a burden, the entire organisation absorbs that signal. Employees learn what gets rewarded. Directors learn what gets tolerated. The accountability function that is supposed to surface problems before they metastasise becomes decorative.
That cultural dimension matters. Former staff have described an awareness of concerns about Drury’s conduct, with one senior manager reportedly calling it an “in joke” that the CEO had “favourites”. When a complaint process exists on paper but the culture signals that certain people are untouchable, the process is theatre.
Xero has appointed external King’s Counsel Maria Dew to review its handling of the 2017 complaint. The company said it is “limited in what we can say” given the matters relate to historical events and confidential matters. That is a reasonable legal position. It is also exactly the kind of non-answer that allowed the problem to fester for nine years.
The questions every employer should be asking right now
Most New Zealand businesses do not have a written whistleblower policy. Many have no formal complaints process at all beyond “talk to your manager,” which is useless when the manager is the problem, or when the accused person is the founder.
The Xero case provides a practical checklist by negative example. Does your business have a written policy that meets the 2022 Act’s requirements? Does the person receiving complaints have a conflict of interest with anyone likely to be complained about? Is there an independent escalation path? Are you required to acknowledge complaints within 20 working days, and do you actually do it? Does the complainant receive the outcome?
Every one of those questions maps to a specific failure in the Xero case.
The bill always comes due
The cost of not having a functional process is never zero. In Xero’s case, the company is now managing a police complaint, an external KC review, sustained media scrutiny, and reputational damage to a brand that trades on trust. The previous B2B News analysis linked Xero’s broader governance failures to a $126.4 million write-down and 800 job losses.
A proper complaints process in 2017 would have cost a fraction of what Xero is paying now. That equation holds for every business in New Zealand. The process you build when nobody is watching is the one that saves you when everyone is.
Sources
- RNZ: Ex-Xero staffer Ally Naylor lays complaint with police over Sir Rod Drury (2026-04-15)
- RNZ: Xero launches review over misconduct allegations about co-founder, former CEO Sir Rod Drury (2026-04-15)
- Paula Penfold: Behind the investigation into New Zealander of the Year Sir Rod Drury (2026-04-18)
- B2B News: Rod Drury and Xero show founder worship is a governance risk
- HCAmag: Xero launches probe into alleged misconduct of former CEO