Categories
Blog

The Investigation Protocol

After the internal report comes in and you have properly triaged the matter, you need to scope out and investigate it, promptly, thoroughly and with competent personnel. In the 2023 ECCP, provided these series of questions about your internal investigations:

Properly Scoped Investigations by Qualified Personnel—How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?

Investigation Response—Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?

Resources and Tracking of Results––Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate with consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties, once an allegation is made. This allows the compliance team to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.

Indeed, there are a variety of factors around giving credit to corporate investigations including: Did management, the Board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?

In a presentation Jay Martin, former Chief Compliance Officer at Baker Hughes, and Jacki Trevino, Director, Relationship Manager at True Office Learning, discussed the specifics of an investigation protocol. It consisted of 1) opening and categorizing the case; 2) planning the investigation; 3) executing the investigation plan; 4) determining appropriate follow-up; and 5) closing the case. If you follow this basic protocol, you should be able to work through most investigations, in a clear, concise and cost-effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to “Document, Document, and Document”, not only the steps you took but why and the outcome obtained.

Opening and categorizing the case. This is the first step to categorize a compliance violation. You should notify the relevant individuals, including those on your investigation team and any senior management members under your notification protocols. After notification, you should assemble your investigation team for preliminary meetings and assessments. This step should be accomplished in one to three days after the allegation comes into compliance, either through your reporting structure or other means.

Planning the investigation. After assembling your investigation team, determine the required investigation tasks. These would include document review and interviews. If hard drives need to be copied or documents put on hold or sequestered in any way, or relationships need to be analyzed through relationship software programs or key word search programs, this should also be planned out at this time. These tasks should be integrated into a written investigation or work plan so that the entire process going forward is documented. Also, if there is a variation from the written investigation plan, such variation should be documented, with an explanation provided as to why there was such a variation. Lastly, if international travel is involved this should also be considered and planned for at this step. This step should be accomplished within another one to three days.

Executing the investigation plan. Under this step, the investigation should be completed. I would urge that the interviews not be affected until all documents are reviewed and ready for use in any interviews. Care should be taken to ensure that an appropriate Upjohn warning is issued, and that the interviewee clearly understands that whoever is performing the interview represents the company and not the person being interviewed, whether they are the target of the investigation or not. The appropriate steps should also be taken to preserve the attorney-client privilege and attorney work product ruminations. This step should be accomplished in one to two weeks.

Determining appropriate follow-up. At this step, the preliminary investigation should be complete, and you are ready to move into the final phases. In some investigations, it is relatively easy to determine when the work is essentially complete. For example, if the allegation is both specific and narrow, and the investigation reveals a compelling and benign explanation for the conduct alleged, then the investigation typically is complete, and you are ready to convene the investigation team and the relevant business unit representatives. This group would decide on the appropriate disciplinary steps or other actions to take. This step should be completed in under a week. (Note that at this step, if there are findings of specific or discrete allegations of corruption and bribery, a decision must be made as how to handle such findings going forward.)

Closing the case. Under this final step, communicate the investigation results to the stakeholders and complete the case report. Everything done in the above steps should be documented and stored, either electronically or in hard copy form. The case report should be completed. This step should be completed in under a week.

Categories
31 Days to More Effective Compliance Programs

One Month to Better Reporting and Investigations – The Investigation Protocol

After the internal report comes in and you have properly triaged the matter, you need to scope out and investigate it, promptly, thoroughly, and with competent personnel. In the 2020 Update, provided these series of questions about your internal investigations:
 Properly Scoped Investigations by Qualified Personnel – How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?
 Investigation Response – Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?
 Resources and Tracking of Results – Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?

In a presentation, Jay Martin, and Jacki Trevino discussed the specifics of an investigation protocol. It consisted of 1) opening and categorizing the case; 2) planning the investigation; 3) executing the investigation plan; 4) determining appropriate follow-up, and 5) closing the case. If you follow this basic protocol, you should be able to work through most investigations, in a clear, concise, and cost-effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to “Document, Document, and Document”, not only the steps you took but why and the outcome obtained.
Three key takeaways:

  1. A written protocol, created before an investigation, is a key starting point.
  2. Create specific steps to follow so there will be full transparency and documentation going forward.
  3. Consistency in approach is critical.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – What Is Your Board’s Investigation Protocol

Many companies have an investigation protocol in place when a potential Foreign Corruption Practices Act (FCPA) or other legal issue arises. However, many Boards of Directors do not have the same rigor when it comes to an investigation, which should be conducted or led by the Board itself. The consequences of this lack of foresight can be problematic because if a Board of Directors does not get an investigation, which it handles right, the consequences to the company, its reputation, and value can all be quite severe.

In an article in the Corporate Board magazine, entitled “Successful Board Investigations”; David Bayless and Tammy Albarrán, wrote about five key goals that any investigation led by a Board of Directors must meet.

They are:

    • Thoroughness – The authors believe that one of the key, and most critical, questions that any regulator might pose is just how thorough is an investigation; to test whether they can rely on the facts discovered without hav­ing to repeat the investigation themselves. Regulators tend to be skeptical of investigations where limits are placed (expressly or otherwise) on the investigators, in terms of what is investigated, or how the investigation is conducted. This question can be an initial deal-killer particularly if the regulator involved views an investigation insuf­ficiently thorough, its credibility is undermined. And, of course, it can lead to the dreaded ‘Where else’ question.
    • Objectivity – Here the authors write that any “investigation must follow the facts wherever they lead, regardless of the conse­quences. This includes how the findings may impact senior management or other company employees. An investigation seen as lacking objectivity will be viewed by outsiders as inadequate or deficient.” I would add that in addition to the objectivity required in the investigation, the same must be had with the investigators themselves. If a company uses its regular outside counsel, it may be viewed with some askance, particularly if the client is a high-volume client of the law firm involved, either in dollar amounts or in several matters handled by the firm.
    • Accuracy – As in any part of, a best practices anti-corruption compliance program, the three most important things are Document, Document, and Document. This means that the factual findings of an investiga­tion must be well supported. For if the developed facts are not well supported, the authors believe that the investigation is “open to collateral attack by skeptical prosecutors and regulators. If that happens, the time and money spent on the internal investigation will have been wasted, because the government will end up conducting its investigation of the same issues.” This is never good and your company may well lose what little credibility and goodwill that it may have engendered by self-reporting or self-investigating.
    • Timeliness – Certainly in the world of FCPA enforcement, an internal investigation should be done quickly. This has become even more necessary with the tight deadlines set under the Dodd-Frank Act Whistleblower provisions. But there are other considerations for a public company such as an impending Securities and Exchange Commission (SEC) quarterly or annual report that may need to be deferred absent as a timely resolution of the matter. Lastly, the Department of Justice (DOJ) or SEC may view delaying an investigation as simply a part of document spoliation. So timeliness is crucial.
    • Credibility – One of the realities of any FCPA investigation is that a Board of Directors-led investigation is reviewed after the fact by not only skeptical third parties but also sometimes years after the initial events and investigation. So not only is there the opportunity for Monday-Morning Quarterbacking but quite a bit of post-event analysis. So the authors believe that any Board of Directors-led investigation “must be (and must be perceived as) credible as to what was done, how it was done, and who did it. Otherwise, the board’s work will have been for naught.”

    Three Key Takeaways

    1. The Board should have a written protocol for investigations prepared in advance.
    2. This gives cover to a Board when regulators come knocking or other third parties seek review.
    3. Remember the 5 goals of any Board led investigation.

     

Categories
31 Days to More Effective Compliance Programs

The Investigation protocol


Under Part 1, Section D. Confidential Reporting Structure and Investigation Process, it stated in part, Properly Scoped Investigation by Qualified Personnel –What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved.
You can make the decision on whether or not to investigate with consultation with other groups such as the Compliance Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties once an allegation is made. This allows compliance to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.
Three key takeaways:

  1. A written protocol, created before an investigation, is a key starting point.
  2. Create specific steps to follow so there will be full transparency and documentation going forward.
  3. Consistency in approach is critical.
Categories
31 Days to More Effective Compliance Programs

Day 19 | The investigation protocol


After the internal report comes in and you have properly triaged the matter, you need to scope out and investigate it, promptly, thoroughly and with competent personnel. Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate with consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties, once an allegation is made. This allows the compliance team to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.
 Three key takeaways:

  1. A written protocol, created before an investigation, is a key starting point.
  2. Create specific steps to follow so there will be full transparency and documentation going forward.
  3. Consistency in approach is critical.