Corporate Investigations Policy
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
Fraud and misconduct by employees and third parties pose a significant risk to many organisations. Corporate investigations policies are an essential component of an organisation’s corporate governance and risk management programme and are critical in enabling an organisation to comply with national and international regulations and laws. They are also the basis for the prevention or detection of misconduct, and for undertaking corrective or improvement measures to address any risks. Global agencies provide guidelines for the establishment of investigations teams and standards for conducting investigations. These are useful tools to inform corporate investigations policies.
The investigation policy is complementary to and reinforced by other key policies in the organisation such as the business and financial compliance policy, employee code of conduct, whistleblowing policies, disciplinary procedures, employment contracts, privacy and records management policy and anti-bribery and corruption or anti-money laundering policies. It affirms the organisation’s commitment to upholding high standards of conduct and fostering an ethical culture, providing a safe and respectful working environment, and accordingly fairness to all employees. It defines the standards as to how and when a corporate investigation is triggered, conducted, and resolved. The policy also sets out the expectations of employees in reporting concerns, complying with investigations and protections afforded to whistleblowers. The following are the key elements of a policy:
- Mission statement
- Grounds and mandate for investigation
- Employee responsibilities
- Disclosures and remediation
The mission statement outlines the purpose or purposes of the investigations policy, and it is usually aligned to the organisation’s overarching motto or values. It serves to explain why the policy is needed in the organisation, some examples of which are:
- promoting good, lawful, and ethical conduct;
- enabling independent, effective, professional and lawful investigations;
- supporting informed decisions to ensure equitable and responsible staff accountability for violations of company policies and standards of conduct;
- adhering to regulations and laws; and
- managing risks.
The policy outlines the minimum or expected standards of both internal and externally supported investigations, and it may be modelled after generally accepted investigations standards, such as the Quality Standards for Investigations (QSI), the uniform principles and guidelines for investigations, or the investigation standards of relevant government authorities like the attorney, inspector or auditor general offices.
The policy should state its scope and applicability, which may include non-employed persons such as agents, contractors and consultants for whose acts the organisation may be held responsible, or third parties like vendors or customers. The policy should be applicable across the organisation’s global operations, with country-specific addendums to be defined where relevant. The policy should also cover the various investigating functions in the organisation, which may include specialist investigation teams like employee relations, financial crime, tax, and audit, or generalist investigators like line management or senior leaders.
Grounds and mandate for investigation
The grounds for an investigation should be defined in the investigation policy and should clearly set out who can refer a matter for investigation and the types of matters that the relevant investigating team will investigate. While an organisation may endeavour to review or investigate all violations of company policy, allegations of misconduct, suspicions, or concerns raised both internally and/or by external complaints or reports, it is not feasible to commit limited investigative resources nor proportionate to conduct full investigations into each concern or matter. Risk materiality considerations comprising legal, regulatory, reputational and financial risks, should guide the triaging of matters to an appropriate investigating party with sufficient capacity and capability. Other considerations may include technical subject matter expertise required and independence of the investigating team, which may determine whether an investigation should be conducted internally or externally.
Investigations policies need to address situations where external regulators or law enforcement agencies require notification or may otherwise become involved. In these situations, consideration needs to be given to the potential risks of parallel internal and external investigations. Internal investigations may interfere or undermine external investigations.
Where an external regulator is already involved it may be appropriate for the organisation to instruct external lawyers to conduct an independent investigation; before doing so organisations should be mindful that many regulators will expect disclosure and a waiver of privilege over any investigation reports prepared in such circumstances and this may affect to what extent an organisation wants to commission its own report. On the other hand, conducting a thorough investigation and disclosing the findings to the authorities may assist an organisation to demonstrate cooperation with a regulator which in turn may lead to reduced sanctions.
For matters of lower severity and complexity, consideration can be given to delegate the investigations to line management. Where they are not conflicted, i.e. where the line management were complicit in or condoned the conduct issue or were responsible for systemic issues indicative of supervisory failure. This provides the relevant leaders invaluable insights into the sentiment or morale of their team and gives them the opportunity to demonstrate their leadership in resolving performance or conduct issues. However, oversight of these line management conducted investigations by the investigation function may be required to ensure consistency and quality. For example, line managers without investigation experience may have their objectivity compromised due to existing relationships with those being investigated. This may affect the quality of evidence they gather, particularly during interviews. Consideration should be given to providing investigations training and guidance to relevant parties.
Whistleblowing policies will generally require robust and defensible investigations into all whistleblowing complaints. There may be additional regulatory requirements to consider. For example, regulated firms in the UK must have procedures in place in order to receive and respond to ‘reportable concerns’ and ‘protected disclosures’, as defined in the FCA Handbook. This requirement should be considered in the designation of the appropriate investigating team responsible for investigating into the whistleblowing reports and the appropriate documentation to support the investigation work done. The definitions may vary in different jurisdictions, and the investigator should refer to the relevant legislation for consideration on the matters to investigate and the applicable type of investigations. The Financial Conduct Authority, (FCA), who is the financial regulator in the United Kingdom, defines a reportable concern as:
‘a concern held by any person in relation to the activities of a firm, including:
- anything that would be the subject-matter of a protected disclosure, including breaches of rules.
- a breach of the firm’s policies and procedures; and
- behaviour that harms or is likely to harm the reputation or financial well-being of the firm.
It defines a Protected Disclosure as:
- “qualifying disclosure” as defined in section 43B of the Employment Rights Act 1996 (and summarised in (b) below) made by a worker in accordance with sections 43C to 43H of the Employment Rights Act 1996.
- a qualifying disclosure is, in summary, a disclosure, made in the public interest, of information which, in the reasonable belief of the worker making the disclosure, tends to show that one or more of the following (a “failure”) has been, is being, or is likely to be, committed:
- a criminal offence; or
- a failure to comply with any legal obligation; or
- a miscarriage of justice; or
- the putting of the health and safety of an individual in danger; or
- damage to the environment; or
- deliberate concealment relating to any of (i) to (v);
it is immaterial whether the failure occurred, occurs or would occur in the United Kingdom or elsewhere, and whether the law applying to it is that of the United Kingdom or of any other country or territory.
The mandate defines the authority of the investigator in accessing information required in an investigation and in obtaining cooperation from the relevant employees in interviews. It empowers investigators to execute their responsibilities and enable an effective investigation. As the internal investigator does not have the powers of the police, their access or authority is not carte blanche. Some key considerations include:
- Personal data privacy, which will be applicable for sensitive or personally identifiable information, such as medical information, contact details, identification references, financial information, and CCTV footage. Access to such information may require additional governance or supported by a police information report. Where personal data may be relevant, for example when there is a need to review employee detail, specialist advice should always be sought. It is usually necessary to provide a justification for why personal data must be reviewed, note that it is often not sufficient to rely on employee consent to review their data. Examples of this could include the requirement for additional authorisation from a senior leader or a formal data production request from a law enforcement agency. These requirements may escalate depending on the increased sensitivity of the data being requested.
- Access to employee’s personal assets, such as lockers, bags, residential premises, personal mobile devices, or personal emails, may not be allowed without a police warrant, subpoena, court order, or regulatory information request. Particularly, in organisations where use of personal devices for work under Bring Your Own Devices, (BYOD), programmes are allowed, the relevant policies should support the company’s access to work information residing on these personal devices for the purposes of a formal investigation.
- Banking secrecy laws of some countries may not permit offshore or non-resident or non-citizen investigators to access customer information of the company. Globally or regionally organised investigation teams may need to coordinate the investigation with local teams or engage local consultants or vendors.
- External data such as IP logs, call logs, web-based chats, turnstile logs, or location information reside with external third parties, e.g. internet service provider, building landlord, telco operator or technology company and may not be obtainable without a police report, warrant or regulatory information request.
- Seniority of the subject employee or employees, where the investigator should be of an appropriate or commensurate seniority, to manage access to sensitive personal information of their superiors. In such scenarios it may be worth appointing an external investigator to ensure independence.
The responsibilities of the key parties, investigator, investigation supervisor, subject employee, line management, all employees and any involved third party, should be clearly defined in the investigation policy, with minimum standards and consequences of non-compliance outlined. Key responsibilities and obligations include:
- Investigators are expected to conduct investigations in accordance with the investigation policy. This should include maintaining proper records, upholding confidentiality of the investigation and disclosing any potential conflicts of interest. The various investigating functions by which investigators are empowered by the investigation policy with the defined mandate to conduct the investigation as required. All investigations should be kept confidential. In cases involving whistleblowing reports, the investigator also has a particular responsibility for ensuring compliance with specific whistleblower legislation.
- Investigation supervisors are responsible for the scope, timeliness and quality of the investigations, resolving any potential conflicts of interests or challenges and communicating clear, defensible, and accurate findings.
- Employees are expected to cooperate with the investigation, as required under the code of conduct, the investigation policy, and in most instances, under their employment contract. The cooperation extends to the employee being open and honest, in providing requested information or in responding to interview questions. It should be stated that the employee’s failure to cooperate with, or actions to undermine the investigation, influencing witnesses, tampering with or destroying evidence and threatening behaviour may result in disciplinary measures.
- Line managers are expected to support or conduct the investigation as appropriate and conduct the recommended actions arising from the investigation. As stipulated in the grounds for investigation, line management are expected to conduct certain investigations into the conduct of their staff when requested by the investigations function. Line management may also be requested to support investigations by availing their staff for interviews, or by managing the continuity of their business operations should subject employees be put on administrative leave to facilitate the investigation.
- All employees have an obligation to report suspicions, allegations, or known violations of company policy in a timely manner, and they should be informed on how and where to report their concerns. The various reporting channels should be clearly listed, with options for anonymity and native language supported. The appropriateness or purposes of the various channels can also be distinguished, to inform employees on who to report what type of concerns to, e.g. grievances or dissatisfaction with performance assessments should be reported to Human Resources (HR). The duty to report exists even if the reporting employee is involved in the misconduct or violating act. It should be clearly stated that there shall be no immunity against disciplinary action for the employee who self-reported.
Protocols should be defined for each investigation where relevant. These protocols should not dictate every investigative action to be conducted but provides a standardised and fair process for all stakeholders. It should be noted that protocols will also differ across different teams and these should be documented in supplementary policies.
Protocols should dictate the process followed during any investigation and are informed by the relevant policies or legal frameworks. However, it is acknowledged that protocols may not be applicable to every scenario or situation and there will be exceptions. As such, guidelines are required to allow investigators to make informed judgements in these circumstances that are still consistent with the underlying principles of any policy or legal framework.
An investigation Terms of Reference, (ToR’s), should be drafted at the start of any new investigation setting out the issue that is to be investigated and scope of the investigation, relevant individuals, stakeholders etc. this can be updated as the investigation develops. This is separate to the various protocols on privilege, data protection, document preservation and reporting which should be standard and should apply to all investigations
The following are important factors to be addressed.
Methodologies and scope
The methodology and scope of any investigation should be proportionate to the materiality of the matter. There is always a need for balance between conducting an effective investigation while trying to minimise business disruption and the impact on employees and related parties. If investigation protocols are not transparent and do not account for this need for balance it can undermine faith and engagement with future investigations.
Data preservation and collection
The collection and preservation of data, particularly in a digital format, should be conducted by someone with the relevant expertise and in compliance with the relevant national and international privacy laws. The composition of any investigation team should take in to account the need for both in-house and external capabilities depending on the requirements of the situation. Protocols must also cover the chain of custody of any devices or items retained as part of an investigation and how long such items or related data will be stored. Document preservation notices should be sent to all employees with potentially relevant data at the outset of an investigation, in particular where an external regulator is, or is likely to become involved, or where the matter may lead to litigation. IT teams should also be instructed to implement data holds of server data. A detailed record should be kept of all data preservation steps taken by the organisation. This should include a copy of all notices, memos, and communications with employees in relation to the collection and preservation of data. Any protocols need to be compatible with local and international laws and company records retention and data privacy policies. Where an organisation may have data stored on an employee’s personal device, the organisation may also take action to preserve and collect that data in accordance with the organisation’s BYOD policy.
Consent and legal approval
It is good practice to receive jurisdiction specific legal approval before conducting any eDiscovery or related activity. In some jurisdictions, consent of the data subject may be required regardless although note, as set out above, employee consent is often not considered freely given and can therefore be insufficient. Consider commissioning or maintaining a database of country specific legislation to inform investigation protocols. Responsibility for this could be with the operations function within an investigations team, Centres of Excellence, (CoEs), privacy teams or other relevant functions.
Specific protocols should be created for the consideration, authorisation, and deployment of any covert tactics. Such techniques can carry an increased risk to those conducting them and can be a significant privacy concern. As such, authority for such methods should come from a senior level in the organisation and local legal advice on any proposed techniques should be sought in advance.
Interim action in relation to employees and directors
A protocol should be in place to set out when any interim action, for example suspension, should be taken against any employee or director whose conduct is under consideration. Legal and HR should be involved in any such decisions and any action will need to comply with the legislative framework in the employee or director’s jurisdiction.
A standard process for interviews and obtaining statements should be established to ensure fairness and a professional approach across the organisation. Any interview protocols must consider:
- the composition of interview teams;
- how interviews are recorded whether written, audio or video; and
- what content is shared with the interview subject in advance of the interview, taking into account privacy, fairness and legal privilege and any relevant third party such as external legal representatives.
Protocols may need to be amended when dealing with third parties such as vendors, customers and ex-employees. Protocols should also address the right of interview subjects to be accompanied, for example by their own legal representative, in their interviews.
Investigation records must be accurate and readily accessible when required for internal or external regulator and law enforcement purposes. The process by which investigators record each stage of an investigation should be set out in as much detail as possible to ensure consistency. To underpin this process, organisations should make use of a case management system, either created in-house or provided by bespoke third-party vendors. When preparing investigation records, organisations should however be mindful of the steps that need to be taken to ensure that any records maintain legal privilege, e.g. ensuring the records are maintained by internal or external legal counsel and contain legal advice rather than purely administrative steps.
There should be a standardised process for reporting the findings of an investigation. This can include timescales for reporting, who is notified of the findings and who decides outcomes. Report templates can vary depending on the area of the organisation, the type of investigation being conducted, the complexity of the matter, and the purpose of the investigation. Consideration may be given to the form of reporting, to maximise legal privilege. For example, if reports must be given in certain jurisdictions where privilege protections are weak, e.g. China, it may be prudent for periodical reporting to be made orally only, or via non-recorded screen shares, from a jurisdiction where the report will be considered privileged.
Confidentiality and the need to know
Protocols should set out the stakeholders in any investigation who are to be notified that it is taking place and who should be updated on the outcome of the investigation. This includes those actively involved in investigative actions and decision makers. This group should be clearly defined in the investigation of ToR’s from the outset and this will assist in maintaining privilege over communications with this group. Whistleblower legislation is a very important factor when considering this process. Any investigative actions that potentially put the anonymity of whistleblowers at risk must be carefully considered. Any employee who is informed of the investigation should be informed that the investigation is strictly confidential and should not be discussed with anyone externally or internally, other than those in the defined investigation group.
A communications protocol should be put in place and circulated to all investigators and stakeholders in the investigation to ensure that the investigation remains confidential and to ensure that parties follow the necessary processes in order to maintain privilege in the investigation. It is important that all involved in the investigation are mindful of the need to avoid creating unhelpful and potentially inaccurate documents that you are later obliged to disclose to regulators, authorities or parties to a claim. The protocol should remind employees and stakeholders of the limits and requirements of privilege doctrine when creating documents and communicating in writing, including by email, text, and instant messaging services. All privileged communications should be clearly labelled and not circulated outside the defined investigation group, which should be defined in the investigation’s ToR’s and should include legal advisors.
Disclosures and remediation
The disclosure of findings following an investigation and carrying out remedial steps can be one of the more challenging phases of the investigative process. Corporate investigators may be making findings or recommendations against fellow employees, and this can have a significant impact on all those involved.
Investigations policies should define the processes to be followed at the conclusion of an investigation, the key stakeholders, their roles and responsibilities and enable any investigations program to evolve and improve. Important considerations include:
- Defining roles of the key stakeholders such as investigators and lead investigators, investigation supervisors, subject employees, findings decision makers and those responsible for managing third party disclosures. Consider whether investigators can draw conclusions, make recommendations or whether they are limited to fact finding. Consideration may be given to defining and publishing these role profiles within organisational policies and procedures to ensure clarity and transparency.
- Policies should set out the range of disciplinary sanctions appropriate at the conclusion of any investigation and the process by which recommendations can be made fairly and consistently. This should be in line with any employee codes of conduct and disciplinary policies. Similarly, there must be a defined procedure for identifying potential process and policy improvements identified during an investigation. Root cause analysis is best practice for any large organisation and corporate investigations policies should set out how such analysis is captured and acted upon. As with role profiles, consideration may be given to defining and publishing the potential range of outcomes to ensure transparency and consistency.
- A clearly defined process for the management of external referrals to law enforcement agencies and regulatory bodies. This process should include timely consultation with relevant governance stakeholders such as legal and compliance. This can include methods for making complaints of criminal behaviour on behalf of the organisation, responding to law enforcement requests and making voluntary or mandatory reports of potential breaches of the law, such as the UK Bribery Act and US Foreign Corrupt Practices Act, or the Fraud Act 2006. Consideration should also be given to whether reporting should be done on an interim basis before the investigation is concluded. In some jurisdictions, credit will be given for early self-reporting
- Consideration should also be given to whether any disclosures should be made to the organisation’s insurers. As above, it may be necessary to provide insurers with an update at the outset of an investigation and with interim updates.
- Complaints and feedback: Consideration should be given to implementing a process by which those who are involved in an investigation, including subjects, can provide good faith feedback about how it was conducted. This fosters belief in the investigations process and can help teams reflect and improve.
Legally reviewed by Andrew Reeves (Norton Rose Fulbright).